The John Batchelor Show Lee's Link


Darkmarket for All, 2012


The hottest gaming for the last decade was for deep outlaws: speaking with Misha Glenny, author of Darkmarket: Cyberthieves, Cybercops and You, regarding the global trade in pilfered credit card account PINs and passwords, a frantic whodunit that runs from the US to the EU to the Russian Federation and South Asia. The foundation for "carders" looks to be about 1999-2003, when Internet transactions climbed exponentially and hackers turned from virus-spreading pranks to cracking into banking files to access tens of thousands of credit cards. An early foundational site was CarderPlanet.com (the names are neither very original nor artful), which attracted thieves and hangers-on. The sites are forums where carders share information and trade. No one does everything in the transaction, from hacking, phishing and skimming to obtain the card number, PIN and password, to cashing out at an ATM or other venue. The forum is where you sell whichever part of the chain is your specialty for a piece of the whole. It also works as a way to sort the trusted from the thieves who prey on thieves, the "rippers."

Cybercops.  

CarderPlanet.com eventually attracted law enforcement that rolled up the operators (administrators) and took down the site with tricks and double agents. The carders moved on to new sites, such as Shadowcrew.com, theftservices.com, darknet.com, thegrifters.com and scandanaviacards.com. Shadowcrew.com reigned for a while, permitting sharp-eyed carders to plunder millions in a short time. What is striking is that the strength of the carder business started in Eastern Europe. The Soviet state could not compete with Silicon Valley, and after the Soviets failed, the fledgling cyberpunks turned to crime. The grand bargain was that if you didn't attack Russian properties, the FSB (new name of the KGB) left you alone. Law enforcement in the West grew more sophisticated along with the carders. Competing cybercops include the US Postal Inspection Service, the US Secret Service, the FBI National Cyber Forensics Training Alliance (NCFTA) in Pittsburgh at Carnegie Mellon -- and then there are the UK SOCA (Serious Organized Crime Agency) and the French OCLCTIC (Central Office for the Fight Against Crime Linked to Information Technology and Communication). It is a matrix of hunted and hunter. The carders hunt each other, too, because there is always suspicion that a carder on the site is a rat or an undercover cop. Glenny's tale turns on the cyberwar from 2005 to 2008 between two masterpieces among carder sites, CardersMarket.com vs Darkmarket.com. This is major-league gaming. The thrill for the carders is the chase, the score, the bragging rights. The money is not how they judge each other. The nom de guerre's reputation as a carder site administrator (the thankless job of doubting, judging, challenging) is the payoff.
The profiles of the carders in Glenny's investigation describe alienated males 18-35, evidencing Asperger's or other aspects of anti-social dysfunction, many with compulsive drug and alcohol patterns; also, they are routinely quick learners who apply the same energy to carding that once upon a time they might have used for pickpocketing. When they are caught, they become passive, listless, depressed, harmless without their community of fellow carders. The chase and the action are much of why they keep coming back until they fall.


Lessons Learned. 

Change your passwords regularly. Cover up the keypad when you punch in your password at the ATM.  Major Russian hackers have quit the Anglophone world of carding because it is too much grief to deal with the cybercops; they focus on the rest of the planet in many languages. No one state or country has the resources to defeat carders; all they can do is take down the flashier sites and ops.

What Costs?

DarkMarket price list

Trusted vendors on DarkMarket offered a smorgasbord of personal data, viruses, and card-cloning kits at knockdown prices. Going rates were:

Dumps: data from the magnetic stripes on batches of 10 cards. Standard cards $50, gold/platinum $80, corporate $180.

Card verification values: information needed for online transactions. $3-$10 depending on quality.

Full information / change of billing: information needed for opening or taking over account details. $150 for an account with a $10,000 balance; $300 for one with a $20,000 balance.

Skimmer: device to read card data. Up to $7,000.

Bank logins: 2% of the available balance.

Hire of botnet: software robots used in spam attacks. $50 a day.

Credit card images: both sides of the card. $30 each.

Embossed card blanks: $50 each.

Holograms: $5 per 100.



28 Comments

JB, I would add to the recommendation of using a combination of upper and lower case characters, numbers and symbols (!@#$%) in your passphrase. Using these exponentially increases the difficulty of cracking your passphrase.

I work in the InfoSec Industry. Credit Card companies in the USA have been very lax about switching over to "Chip and Pin" credit cards. The perception is that the USA is full of old fuddy-duddies who still cannot understand the Metric System, let alone a smart-card that asks for a PIN code.

Magstripe Credit cards are 1970s technology. Go into your Best Buy/Fry's and you can buy a credit card strip reader for 30 bucks or less. Anyone you hand over your CC to (waiter, Gas station, etc) can read your CC into their smart phone and have it sent around the world in a matter of minutes.

When was the last time you saw a magstripe card used for building entry? RFID is more secure and less likely to be copied if implemented correctly.

The real lazy people are the Merchant services and card issuing banks, their refusal to update their systems is the true scandal.

Stratfor hack is puzzling, did Stratfor do their own card processing? Most rely on third parties to process cards. Stratfor has been exceedingly critical of Russia and China, and the hack may have been government sponsored.

"Anonymous" may have been a cover to put Stratfor out of business, scare away their paying customers.

This will be a terrific, informative thread with practical, invaluable insights and tips for all of us who are daily, hourly, integrally dependent on cyberspace. Pardon this way off topic post ... huge thanks to BillR for his response in a recent, now archived JBS thread [ http://johnbatchelorshow.com/jb/2011/12/the-long-game-view-is/ ] regarding a NYC music drama event based on ThJefferson and Mary Cosway in Paris. Dittos further to CorlyssD who flagged this NYC event on the JBS website. Dittos finally to the JBS that, through book reviews spanning many diverse topics, recently reviewed a James Madison book that touched on the lifelong friendship of founding fathers TJ & JMadison. Cheers.

Where I am living now, I have to renew my password on my account every 160 days. If I forget to do this, I get blocked out, plus if I attempt to use an older password - it gets rejected.

Re: Sapientia's very helpful comments

As a recent "almost" victim of the Stratfor hack, I would add that you should use a password manager program. There are good ones out there for free. The one I use even syncs my encrypted password database with my iPhone via Dropbox. They let you make sure you don't use the same password for multiple accounts, which makes it easier for your other online accounts to be cracked once one of them has been cracked.

A pet peeve of mine is the large number of sites that require you to use an email address as your user ID. If a thief gets your email address they can then try major sites that use your email as a user ID - think online shopping sites that store your credit card info. for easy ordering. You should use a unique, and not easily guessed, user ID whenever possible. This is another reason to use a good password manager program. If you must use an email address as your user ID, give consideration to setting up multiple email accounts for just this purpose with gmail or Yahoo mail.

One final thought. For you non-Mac users, DO NOT use IE Explorer. I use Firefox with the NoScript add-in. It blocks all Javascript execution by default. Javascript is a great way to drop malware infections on PCs. My wife's computer picked up a rootkit virus after my daughter visited a shopping site of an Italian company. Foxnews had Javascript ads infected with malware for a time. NoScript is inconvenient, but it does provide a higher level of safety.

Unfortunately the bottom line is, as the Infosec folks like to say, "the only perfectly safe computer system is one that nobody can access."

I recommend a program called "Clear All History", or CAH, in addition to your recommendation to use Firefox. CAH deletes all the internet browsing history, windows history, all the index.dat files, recent files, everything, and it "shreds" the memory space that those files were stored on, all in a matter of seconds. I click it after each use of the internet. Highly recommend it.

"Metric System"

LOL. We understand the metric system and don't want it. Having said that, we'd have the hated system, which nobody likes but many pretend to because that's what Brussels mandated and, as we all know, resistance to the Brussels-Borg is futile, if one issue could have been resolved: who was going to pay for the conversion of all the tools to metric? Industry wanted the government to pay for it if the government was going to mandate its adoption; government wanted anyone else, including the unions, to pay for it because Congress adores unfunded mandates. Since no Daddy Warbucks signed up to donate the funds, it was never adopted except in principle.

Thanks for the extremely useful info. I've been trying to sign up for that protection Stratfor is offering to make amends. So far unsuccessful.

I loved Sam Waterston's reading of the excerpt from the heart-mind letter in Burns' documentary on Jefferson back in the 90s. It's heart-breakingly human for an FF.

I hope you don't mind my copying and reposting your entire post in the older thread because others might be interested in the links you provided. I certainly was.

_____________________________________________________________________________
From Hayek:

Many, many thanks, Mr. BillR. My latest web search for any TJ-Cosway review led me, not to this grand review you linked, but back to this now bumped, archived JBS thread with your recent response. Karma for a truly excellent New Year perhaps.

No, living below Mason Dixon line I was not in NYC for the concert but wanted very much to attend. The review you link makes this music play sound serious and SPECTACULAR in scope, content and execution. That previewer's snarky JFK-MM remark captures fully my initial concerns about overarching content integrity and respect. Having studied TJ for 4+ decades and the Cosway affair and heart-mind letter more recently, I feared that the stage product might dishonor or butcher the history and literary content, or demean the music. Clearly the opposite occurred. Bravi. This kind of serious salon/chamber music play merits performance consideration for the University of Virginia Rotunda, or its Greek Amphitheater, or the Ashlawn outdoor summer opera festival in Charlottesville, or on a patio pavilion at Monticello. Thanks again, Mr. BillR.

For TJ-Cosway buffs, some Cosway music is here:
http://www.youtube.com/watch?feature=player_embedded&v=glG13Rbpgpg

Jefferson's "heart-mind" dialogue letter is here:
http://www.pbs.org/jefferson/archives/documents/ih195811.htm

-> plus if I attempt to use an older password - it gets rejected.

This is in and of itself a meaningful security risk. What better way to attack a system than with a dictionary of previously used passwords? Because all passwords get re-used sooner or later.

I commute daily to Philadelphia to work for a company that provides communications infrastructure and security for many of the banks and futures clearing merchants in the US and Europe. I can assure you that what we do has layers upon layers of security. We pass our PCI audit every year. An important part of PCI, the standard the credit card companies use, is an absolute prohibition against storing any information about credit cards, account numbers, CVVs, one second longer than is necessary to complete a transaction. Why Stratfor was hanging onto credit card numbers I have no idea. Their site certainly wasn't set up for it.
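The PCI point in the comment above, that card data must not be kept one second longer than a transaction needs, also applies to the places it leaks into by accident: application logs, debug traces, support tickets. The following is an added example, not code from the post or from any commenter's employer. It scans constructed log lines for card-number-shaped digit runs, confirms each candidate with the Luhn check so that order numbers and tokens of similar length are left alone, and masks everything but the last four digits. The regex, the sample lines and the masking policy are this example's own choices; PCI DSS itself permits at most the first six and last four digits to be displayed, and masking down to the last four is the more conservative option.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# bounded by word boundaries so it does not bite into longer digit runs.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log lines. 4111111111111111 is a widely used test PAN;
# the 16-digit order number fails the Luhn check and must survive untouched.
SAMPLE_LOG = [
    "2012-01-03 14:22:07 INFO checkout ok order=1234567890123456 pan=4111111111111111 amount=49.99",
    "2012-01-03 14:22:09 DEBUG gateway request card='4111 1111 1111 1111' exp=03/14",
    "2012-01-03 14:22:11 INFO session renew user=alice token=00001111222233334444",
]


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(line: str):
    """Return (redacted_line, number_of_pans_masked) for one log line."""
    count = 0

    def repl(match: re.Match) -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):  # looks like a PAN but is not one
            return raw
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), count


def redact_log(lines):
    """Redact a whole log; returns (redacted_lines, total_pans_masked)."""
    out, total = [], 0
    for line in lines:
        redacted, n = redact_pans(line)
        out.append(redacted)
        total += n
    return out, total


if __name__ == "__main__":
    cleaned, total = redact_log(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print(f"masked {total} card numbers")
```

Run this as a filter in front of log shipping rather than as a clean-up job afterwards: once a PAN has reached a central log store, backups and indexes have already copied it. The Luhn check cuts false positives but is not proof of a card number, and the word-boundary regex will miss digits glued to letters or split across unusual separators, so treat it as one layer and not as a substitute for keeping card data out of the application in the first place.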

"A pet peeve of mine is the large number of sites that require you to use an email address as your user ID."

I think iTunes requires your e-mail address. Boy, do I hope it's secure.

However, a pet peeve of mine is insurance companies that use your SS# as their membership #s. I am crazed by this. Who wants to call an insurer and give out all this private info just to ask a question? And drug stores that ask for your name and then DOB for an Rx, while mobs of people are standing around waiting for their Rx, makes me practically bleed from my ears.

When I found out that India and Saudi Arabia wanted the codes for Blackberrys because they couldn't listen in, I got a Blackberry -- even though the iPhone had so much more positive press -- and got rid of my expensive house phone, which may not be as private as you think. The one thing iPhones don't have is the security of Blackberrys.


Ooooo. Maybe Apple should buy Blackberry's IP for that protection.

"We understand the metric system and don't want it."

Yes. I learned in HS -- a very, very long time ago -- that the reason our Founding Fathers choose the system we now have is because they wanted a clear separation from Europe. I bet that isn't being taught, anymore.

"I've been trying to sign up for that protection Stratfor is offering to make amends."

I've been trying to figure out how to cancel my free Stratfor newsletter -- w/o contacting Stratfor, who I want absolutely nothing to do with.

"Maybe Apple should buy Blackberry's IP for that protection."

Even though the stock of Research in Motion [RIMM], the maker of Blackberrys, has dropped some 70% in the last year, the wags at Fast Money on CNBC said w/in the last two weeks that it's still too expensive for anyone to buy the company. I really hope it stays in business.

"[RIMM is] still too expensive for anyone to buy the company."

Of course, w/ $80-$100 billion in cash, Apple can buy whatever it wants.

PCI DSS is a good start. But the media it is based on, Magstripe cards, is really flawed technology. PCI has tried to get the American Banking System to switch to Chip and Pin technology. The EU and Canada have done so, the US is resistant.

There is better technology out there. USA invented it, yet we don't use it.

I was once in a retailer's HQ and they had no clue people were hacking their network and stole my credit card number and my parents' as well. Major Retailer you would know. The Hubris and confidence they had in the "security" of their network was laughable. I told my co-workers after the meeting in the parking lot they were being hacked and they did not know it. I was right.

I have a Spam ID mail address for logins and anonymity.


"I have a Spam ID mail address for logins and anonymity."

WOW. How do you get a Spam ID? We all need one.


Who steals my purse steals trash; 'tis something, nothing;
'Twas mine, 'tis his, and has been slave to thousands;
But he that filches from me my good name
Robs me of that which not enriches him,
And makes me poor indeed.

Rick Santorum is now ahead in Iowa.

Good for him. I hope he moves to Iowa and runs for governor.

Get a free email account from GMAIL or yahoo and use it exclusively for logging in to any site where you fear it would be sold. Never give out that email to anyone, since they will start using it and then you need to maintain the account.

A chip and pin Smart card has a small cryptographic engine inside and digitally signs the transaction. The chip cannot be duplicated. Magstripe is easily duped.
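The difference the comment above describes, static stripe data versus a per-transaction cryptogram, can be shown with a toy model. This is an added example, not code from the post and not an implementation of the real EMV protocol: a real card derives 3DES or AES session keys and produces an ARQC over a defined set of terminal and card data, whereas the model below stands in an HMAC-SHA256 tag for the cryptogram. The card classes, the issuer, the field layout and the test PAN are all constructed for illustration. What the model does preserve is the security argument: the stripe yields the same bytes to every reader, so a copy is indistinguishable from the original, while the chip's key never leaves the card, the cryptogram binds the amount and a terminal-supplied unpredictable number, and a transaction counter lets the issuer refuse a second submission of the same cryptogram.

```python
import hmac
import hashlib
import secrets


def cryptogram(key: bytes, pan: str, amount_cents: int, un: int, atc: int) -> bytes:
    """Toy transaction cryptogram: a MAC over the fields the issuer will check.
    Stands in for the EMV ARQC; HMAC-SHA256 truncated to 8 bytes (constructed)."""
    msg = f"{pan}|{amount_cents}|{un}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class MagstripeCard:
    """Static track data: whatever a reader captures can be written to a blank."""

    def __init__(self, track2: str):
        self.track2 = track2

    def pay(self, amount_cents: int, unpredictable_number: int) -> str:
        return self.track2  # identical bytes for every transaction


class ChipCard:
    """Toy chip: a per-card key that never leaves the card plus a transaction counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key  # only this object can use it; never returned by pay()
        self.atc = 0     # application transaction counter

    def pay(self, amount_cents: int, unpredictable_number: int) -> dict:
        self.atc += 1
        tag = cryptogram(self._key, self.pan, amount_cents, unpredictable_number, self.atc)
        return {"pan": self.pan, "atc": self.atc, "cryptogram": tag}


class Issuer:
    """Holds each card's key and the highest ATC already accepted for it."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize(self, req: dict, amount_cents: int, un: int) -> bool:
        key = self._keys.get(req["pan"])
        if key is None:
            return False
        if req["atc"] <= self._last_atc[req["pan"]]:
            return False  # counter not advancing: a replayed cryptogram
        expected = cryptogram(key, req["pan"], amount_cents, un, req["atc"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False  # wrong key, wrong amount or wrong unpredictable number
        self._last_atc[req["pan"]] = req["atc"]
        return True


def demo_magstripe() -> bool:
    """A copy of captured track data pays exactly like the original."""
    card = MagstripeCard("4111111111111111=1403101")  # constructed test track data
    captured = card.pay(1000, 1)                      # what a cheap reader sees
    clone = MagstripeCard(captured)
    return clone.pay(9999, 2) == card.pay(9999, 2)


def demo_chip() -> tuple:
    """(genuine accepted, same cryptogram replayed, cryptogram reused on new amount)."""
    issuer = Issuer()
    card = issuer.issue("4111111111111111")  # constructed test PAN
    un = secrets.randbelow(2**32)            # terminal's unpredictable number
    req = card.pay(4999, un)
    genuine = issuer.authorize(req, 4999, un)
    replay = issuer.authorize(req, 4999, un)            # ATC already consumed
    forged = dict(req, atc=req["atc"] + 1)              # fresh counter, but no key
    reuse = issuer.authorize(forged, 9999, un)          # MAC does not verify
    return genuine, replay, reuse


if __name__ == "__main__":
    print("magstripe clone accepted like the original:", demo_magstripe())
    print("chip (genuine, replay, reuse):", demo_chip())
```

Two caveats a practitioner would add. The chip protects the transaction, not the number: the PAN and expiry are still readable from the chip and printed on the card, which is why card-not-present fraud online continued after chip-and-PIN rollouts. And the guarantee depends on the issuer actually verifying the cryptogram and the counter online; a terminal that falls back to magstripe when the chip read fails reintroduces exactly the weakness the stripe has.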

I would say we can now safely rule out the hypothesis that one of JB's New Years resolutions was to get the schedules up in advance of the show. (Also that Lou didn't resolve to stop being an insufferable smart-ass).

There's a group of self-appointed internet pundits who have taken on the task of digging up dirt (or what they consider dirt) about whomever happens to be the leading GOP candidate at the moment. It's not random; the dirt never comes up about someone who's lagging, always about someone who's leading. This is a stupid strategy. It would be better to keep shooting at the weakest member of the field, like jackals taking down a wounded wildebeest.

You see, I always thought the point of a schedule was that people could know in ADVANCE what was going to happen, thus the phrase ... "I think I can schedule you for such and such a time...". Putting up a schedule after the fact is like finally getting a date with the cutest girl in your high school class when she's already as old as the hills.

Kudos to my alma mater Michigan for their victory in the Sugar Bowl last night, although they got plenty of help from the zebras, it's better than being on the business end of those whistles any day.

"Good for him. I hope he moves to Iowa and runs for governor."

LOL

There's an Apple in your future, just like there was a Coke in your past.

Governments and industry going to Blackberry made them. Governments and industry going to iPhones will undo them. They're doomed.

"[Blackberrys are] doomed."

Call me old-fashioned -- or just call me old -- but there has to be a place for 'security' in our future or we're all doomed. I assume that what drove the Canadian Blackberrys into the American workplace was the absolute security of it.

Clearly, years ago the powers that be at Apple thought they could do cell phones better than what was being done. And, then, they proved it. As a long-time Apple user, I know first hand that what this company has always done is make its current operating system -- and everyone else -- obsolete. Every new system is a new learning curve. But for new users, it's a lot easier. I remember once watching Steve Jobs demonstrating a new iPhone and even he ran into trouble with it up on stage and had to call someone for help -- just like I always have to do.

If I ran the State Dept -- or any corporation -- or anything -- I would make a Blackberry a standard issue and ban anything else that's not as secure. However, since I only run my own life, I will always try to use the most secure phone and internet connection, knowing full well that even this is not enough.

" I assume that what drove the Canadian Blackberrys into the American workplace was the absolute security of it."

That's what made it attractive, certainly. If iPhones continue their track record of having better security than any other brand strong enough to stand tall, year after year, government and industry won't care if they have to call a help desk once in a while. I remember that incident where Jobs had to get help. That was several billion iPhones ago, somewhere around the $200 price range for a share of Apple stock.

JB once had a phone hacker on who explained that in order to hack into the latest phone model all you have to do is be able to hack into the last phone model. Why? Because the latest model is made compatible with the last models, which leaves an opening for the hacker to use.

This is not so hard for Apple to overcome, as it frequently makes its older models obsolete. Let's see if it continues this process now that Steve Jobs is gone.
