back to article Crimelords: Stolen credit cards... keep 'em. It's all about banking logins now

Stolen bank login information attracts an even higher price than credit card numbers on underground cybercrime bazaars, and EU logins are worth more than American ones, according to research by McAfee. The Intel-owned security division's Cybercrime Exposed paper highlights trends in the thriving digital underground, including …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    They are welcome to my maxxxxxxxxed out over draught.

    1. Smudger 1
      Pint

      Over draught?

      Is that like when the foam on the top of your beer runs down the side of the glass?

      1. Ole Juul

        Over drought

        No, it's like when the glass has run dry.

        1. Destroy All Monsters Silver badge
          Big Brother

          Re: Over drought

          Then fill it with a governmental credit card!

  2. zaax

    Anyone who keeps money in a bank is a fool. Romans knew how to keep money safe - were still finding it 2000 years later

    1. Evil Auditor Silver badge

      Is that safe?

      Romans knew how to keep money safe - we're still finding it 2000 years later

      Safe as in squirrel hiding hazelnut?

      1. Destroy All Monsters Silver badge
  3. jacasta

    Lazy users, lazy politicians

    This whole security scam is 90% enabled by the continued use of never-ABLE-to-be-secure home computer operating systems. 90% of ALL cyber crime could be eradicated by using commercial-grade OS - ie FREE open-source UX systems. That is a fact that has NOTHING to do with with the lower use of UX but is due to the INHERENTsecurity in UX. Lazy users can't be bothered so they deserve the problems they get. Lazy politicians are so tech illiterate that they put National Security at risk through their ignorance, indolence and hand-in-the-till cow-towing to US manufactured spyware masquerading as an operating system.

    1. frank ly

      Re: Lazy users, lazy politicians

      If 'jacasta' is an anagram, then it's a freaky, cryptic anagram by someone who enjoys punishment. Ah, .......

    2. weebs

      Re: Lazy users, lazy politicians

      You think if the tables were flipped, and Unix had a 95% market share that everything would be hunky dory and clouds rain lemonade and muggers give you sweets instead of stabbing you? This has to be one of the most random comments I've seen on El Reg.

      You sir, are a buffoon. All the exploits mentioned were cross platform, unless you think that FireFox was coded by Billy Gates himself? Proportionally, the amount of retarded Unix users equal Windows, and you are a shining example of one. Your comments just enabled 100,000 retarded Windows users to get their credit card and bank details stolen. Why would you do such a thing?

    3. Anonymous Coward
      Anonymous Coward

      Re: Lazy users, lazy politicians

      @Eadon - You know you've been banned, right?

      1. Anonymous Coward
        Anonymous Coward

        Re: Lazy users, lazy politicians

        Why was he banned? Just generally being a twat, or did he post something particularly offensive?

        1. Great Bu

          Eadon !

          http://3.bp.blogspot.com/-zDUkaAn2eAY/UF6Ew9SvbAI/AAAAAAAAAFE/nuuDqy1Pc9A/s320/Bender.+I%27m+Back+Baby!.jpg

    4. Intractable Potsherd
      Trollface

      Re: Lazy users, lazy politicians

      jacasta: five posts at the time of writing, account started on 16th June. When was Eadon nuked by the mods?

  4. jacasta

    Lazy users,Lazy politicians

    This whole security scam is 90% enabled by the continued use of never-ABLE-to-be-secure home computer operating systems. 90% of ALL cyber crime could be eradicated by using commercial-grade OS - ie FREE open-source UX systems. That is a fact that has NOTHING to do with with the lower use of UX but is due to the INHERENTsecurity in UX. Lazy users can't be bothered so they deserve the problems they get. Lazy politicians are so tech illiterate that they put National Security at risk through their ignorance, indolence and hand-in-the-till cow-towing to US manufactured spyware masquerading as an operating system.

    1. Tom 38
      Headmaster

      Re: Lazy users,Lazy politicians

      90% of ALL cyber crime could be eradicated by using commercial-grade OS - ie FREE open-source UX systems. That is a fact that has NOTHING to do with with the lower use of UX but is due to the INHERENT security in UX.

      Open source user experience?

      Lazy users can't be bothered…

      …to put the "NI" in "UNIX"?

    2. Crisp

      Re: Lazy users,Lazy politicians

      Random capitals, rabid foaming at the mouth zeal for open source unix systems....

      It's hauntingly familiar.

    3. Tom_
      Happy

      Re: Lazy users,Lazy politicians

      It's rare that you get chance to downvote stupid comments twice.

      1. Ole Juul

        Re: Lazy users,Lazy politicians

        It's rare that you get chance to downvote stupid comments twice.

        It's an open source comment and he decided to fork it.

    4. Velv
      FAIL

      Re: Lazy users,Lazy politicians

      As soon as UX has a 90% market share it will become viewed as the risky OS. It's the users who are the problem.

      Security by obscurity - there's no target for UX at the moment, not enough users to make it worthwhile targeting.

      Most of the vulnerabilities come from apps these days, not the OS, and while it could be argued MS is still playing catch up with security, once mainstream coders start writing apps for UX there will be just as many security breaches viewed as being the fault of UX

      1. a_milan

        Re: Lazy users,Lazy politicians

        Microsoft almost single-handedly created market for third-grade developers with Visual toolbox that promotes learning lists of functions by heart (remember MFC? or .Net?) instead of understanding the underlying issues.

        Unfortunately nowadays majority of commercial software is written by underpaid people who just can't be expected to be concerned with anything but delivering the minimal required functionality with absolute minimum of effort. Yay IT industry!

      2. Crisp
        Alert

        Re: It's the users who are the problem.

        Yeah, but you try telling them that!

    5. NumptyScrub
      Trollface

      Re: Lazy users,Lazy politicians

      quote: "90% of ALL cyber crime could be eradicated by using commercial-grade OS - ie FREE open-source UX systems. That is a fact that has NOTHING to do with with the lower use of UX but is due to the INHERENTsecurity in UX."

      I did like that bit. You obviously missed the part in the article where they place a high value on exploits for browsers, like Firefox, which is available for install in various POSIX-compliant (or mostly POSIX compliant) operating systems.

      From the article: "Browser exploits are second only to iOS pwnage tricks, according to figures cited by McAfee, commanding a fee of $60,000 to $150,000 for Firefox or Safari zero-days and perhaps higher for Chrome or Internet Explorer malfeasance."

      Possibly 90% of all cybercrime could be eliminated by properly educating users, however that's the only way I can see it happening. Android is built on a "UX" (what does that term even mean by the way?) platform but users will still happily install malware themselves if it promises to be a free version of the latest craze (angry birds, gambling apps, that confectionary app I see advertised on the TV). Until users stop infecting themselves, the platform is irrelevant.

  5. Senior Ugli

    I have always wondered and I hope someone can answer in a non sarcastic way. If I was to purchase some of these stolen details, with a pin for example, Surely at some point my action will be traceable back to me right?

    Cashpoint - location and time logged, and possible cctv looking over the cashpoint too

    online - location and ip etc plus if I was getting something delivered where would I get it delivered to, so not to be traceable?

    Surely if these issues are sorted then that would be less appealing to get the CC data rather than trying to teach millions of people that an email from nigeria, or your Natw3st.ru statement email is not legit?

    1. itzman
      Holmes

      "Cashpoint - location and time logged, and possible cctv looking over the cashpoint too"

      Use the busiest one in London's main shopping area and wear a hoodie.

      "online - location and ip etc plus if I was getting something delivered where would I get it delivered to, so not to be traceable?"

      Use a wifi hotspot, a stolen laptop and buy downloadable stuff. Or collect at venue stuff like airline tickets, theatre tickets etc.

      Then make you own card up, ad use that for instore purchases

    2. Tom Wood

      Might be traceable, but the police have to be arsed to do the tracing

      Yes, techincally you might get caught, but I believe in practice the chances are slim.

      I once had a PC from Comet charged to my credit card (I believe they must have got the details from a dodgy employee of a place I legitimately purchased online).

      The CC company spotted it before I even saw the statement, and a few days later I received a paper VAT invoice through the post from Comet, listing my address as the billing address and the delivery address somewhere in Coventry.

      I passed the info to the CC company, but I never heard any more - I doubt it ever got as far as a police investigation even if they could have just knocked on the door in Coventry for a start.

    3. Anonymous Coward
      Meh

      Yes, you're very traceable if you buy this information online. The sellers of this information, on the other hand, will be hiding behind (though not necessarily themselves in) dodgy countries with banking infrastructure that can't or won't trace transactions, and kleptocratic governments who won't intervene. From the point of view of the sellers of this information, they're taking their margin with little risk of being caught, but the low rent buyers are taking all the risk of being caught, because the realisation of the theft/fraud will mostly be in well governed countries with traceability both for the original purchase of information, and for the subsequent illegal transactions. So you in theory buy card details (with no recourse or come back if you've paid for made up numbers) you try and use them, and you have a good chance of getting caught and prosecuted. Try and trace your purchase, and it'll be channeled through (guessing) Kazakstan then to Bulgaria to Ukraine or some such.

      If you order goods with stolen details, then you are highly traceable, by the IP you order from (assuming you can change the delivery address without arousing suspicion), and probably by the transaction you've undertaken to buy the card details. Your biggest protection is merely the laziness or incompetence of the local police - not something I'd want to rely on as my best chance of staying out of jail. The buyersof this information are like drug mules - the fall guys, the idiots, the weak minded, lazy people who think that they won't get caught. Some don't get caught, many do. And as we now know, all of our online transactions are being collected and stored, so not being caught today doesn't mean never being caught.

      I suspect the answer to this would be to pressure the global payments processors to remove the mechant status and confiscate the balance of suspected criminals - and this could be extended to stamping on the financial knackers of counterfeiters and spammers around the world. There's no obligation for Visa and Mastercard to continue to support worldwide crime, but they choose to overlook the extent to which they process payments for criminals, as far as I can see. But they have a very nice corporate social responsibility programme, so that's OK then.

      1. Tom 13

        @Ledswinger

        Generally correct except you've usually got the word order wrong. For example it should be: Many don't get caught some do.

        I've had some direct experience with this running a large convention. One time we caught vandals red-handed tearing down and attempting to steal a sign at the convention. Called the police turned over the perps and requested to press charges. We were never called for a court date. Elsewhere we had a bunch of people doing security type work trying to prevent shoplifting in the dealers room. We'd catch dozens of people a day. Best we could usually manage was to ban them from the convention (fat chance of actually keeping them out afterward). The dealers generally didn't want to even try to press charges because they'd already learned it was a colossal waste of time. It was all petty ante stuff. Pretty much like most identity theft. Too much work and too many culprits. So instead we factor in the cost of the expected losses in the prices of our goods and services.

        That said, I wouldn't be keen on taking the 1 in 10,000 chance of getting caught. Cue Hee-Haw song:

        Oh, if it weren't for bad luck I'd have no luck at all.

        ...

    4. James Micallef Silver badge

      A lot of the actual work (and risk-taking) is done by 'mules'. Kingpin buys details of 100 cards, then farms out the dirty work of physically withdrawing cash to underlings who retain a small percentage. I guess would be done through intermediaries / blind drops so the mules don't even know who they're working for.

      Even if 20%, 30%, 50%, whatever of the mules get caught, most of it would be after the fact (kingpin already has his* money). Most probably operated in a gang-type environment where the mules wouldn't / couldn't simply take all the money and run.

      *her?

    5. Anonymous Coward
      Anonymous Coward

      Launder it through Bitcoins?

    6. AlexF

      Yes, its very likely possible to track you down unless but this is a cost/benefit trade-off for multiple parties. We'll presume for the moment they've paid for the details in an anonymous fashion (or at least, one beyond the wit of current law enforcement such as bitcoin so they need to get the person after the details are used).

      First, if you wipe out someone's account for £300 a time at an ATM then then its frankly not worth the bank doing anything about it in terms of improving security or adding inconvenience to people (e.g. adding RSA-fob like displays on cards, or texting people a code they must enter when they make a withdrawal over £50 etc.).

      Also, its the police who should investigate and pursue these crimes but they are not encouraged or rewarded for doing so. Why should they trawl through CCTV an try doing some real detective work when they can park a car or two on the overpass of a dual carriageway and catch - and solve - tens if not hundreds of crimes a day while bagging the treasury £60+ a pop each time?

      If the criminal has taken some basic steps - gloves, a hoody, doing it a night, not speaking when they use the ATM and whacking a sticker over the ATM camera while approaching it from the side, whatever... then the odds of them getting caught are probably remarkably low. Partly because its not in the banks interest to chase them down (more expensive to do than fraud costs - which customers ultimately pay for anyway) and the police, frankly, have other priorities such as finding chavvy teenagers who have run away from home for the umpteenth time, breaking up a brawls outside nightclubs and giving fines to people going a tad over the legal limit on beautiful spring and summer days.

    7. david 12 Silver badge

      >traceable back to me

      I had an acquaintance who went to jail for cashing stolen cheques. They traced it back to him no problems. He was a druggy and did desperate things like that.

      He bought the stolen cheques from a supplier. Even if he gave up his supplier, there was no evidence. Even if he was stupid enough to give evidence in open court, it was his word (a desperate druggy) against the other.

      The supplier sold the stolen cheques at a fraction of face value. He wasn't stupid or desperate enough to get caught. The druggies took all the risk. When one went to jail, another took his place.

  6. Anonymous Coward
    Anonymous Coward

    Isn't this sort of thing more-or-less what two-factor is for?

    A certain worldwide local bank uses it. And it's handy because even if the user is thick enough to respond to a phish, it's only valid for about a minute.

    I know some other bank uses a usb card reader, that sounds all sorts of wrong.

  7. Robert Helpmann??

    No Ones' Left Behind

    ...where a crooks is also offering to sell a PIN number.

    Sorry. It just hurt to much to leave alone. Interesting story in need of some good editing....

    1. Anonymous Coward
      Anonymous Coward

      Re: No Ones' Left Behind

      too ?

      1. Anonymous Coward
        Anonymous Coward

        Re: No Ones' Left Behind

        Ones' ?

      2. Benny Mac

        Re: No Ones' Left Behind

        Ones' ?

  8. Anonymous Coward
    Anonymous Coward

    Apple and Adobe exploits ..

    How are these credit cards and PINs harvested?

    Who is going to save us from all these Apple Adobe exploits?

  9. David Ireland

    "Such underground platforms are implementing stronger mechanisms to ensure that participants are who they purport to be (or at the very least are not law enforcement officials). Ironically, while the platforms that facilitate the services marketplace for illegal activities are going deeper underground, the trade in zero-day vulnerabilities is more transparent than ever before," Samani and Paget report.

    I would have though criminals would prefer other criminals didn't know who they were, so the above seems implausible, if I'm being generous. The markets are designed so that it doesn't matter if the police can participate, and that you don't know who you are dealing with.

This topic is closed for new posts.