bbc.co.uk Navigation

Rory Cellan-Jones

A forum for fraudsters

  • Rory Cellan-Jones
  • 28 Aug 08, 17:03 GMT

In the last few days, I've entered a whole new web world. It's a place where people speak of getting "dumps... sniffed from ATMs" or using "blinds to cash out" or getting data through "rj 45 taps." The language belongs to a criminal community - the people who make a living out of credit card fraud.

Credit cardsThey gather to swap tips and appeal for information on a number of web forums, and the one we've been looking at features some quite astonishingly brazen messages. The one which really caught our attention was about an attempt to use thousands of stolen US credit card details in British supermarkets. You can read the whole of it here.

The discussion on the crooks' forum is a bit of a wake-up call for all those who think that the introduction of chip-and-pin in the UK has wiped out card fraud. It has certainly made it harder - but the fact that the United States has yet to adopt the system gives the crooks a big opportunity in a crime which the internet has helped turn into a globalised business. So, as in this case, British fraudsters can buy stolen credit card details from the US and use them here because retailers still have to allow the "swipe and sign" option for overseas cards without a chip. Equally, card details stolen from UK consumers can be sold overseas for use in countries without chip-and-pin.

The author of the message appealing for information on where to use his cards - and offering "a ps3, 10 bottle of vodka or jd for weekend" in return - also has another post on the forum, generously offering advice on how to steal credit card details from cash machines. His guide to an "ATM skimmer" features photographs and technical details of a machine which is apparently attached to an ATM and then sends data to a mobile phone. Let's hope the police and the banks are studying this website too, and working out how to foil the fraudsters.

But a policeman I contacted admitted that it's a huge struggle to keep track of what's happening on these fraud forums - and virtually impossible to act against sites that are usually based abroad.

The fraudster describes his "interests" in his profile on the forum as: "Get rich... or Die Trying :)". By the sound of it, getting rich is still far too easy.

I suppose all of this is more proof that the internet is a brilliant way of organising people around the world with common interests. How sad that, all too often, those interest are criminal.


Here is the full text from the forum.

"Okies guys i need some first hand info from all of you who live in uk smile.gif

Very soon and I mean like in day or 2 i will start getting us dumps from one of my sources in us. They are skimmed from atms and are 101 dumps. I can get both track 1 and 2 but no pin. They are sending these dumps over to me for cash out. Now i have a bit of situation.

As these dumps are sniffed from atms in us, using rj45 taps they can see balance and track info. For dumps with gud balance i have whole network ready of mearchants who do not have any problem to cash them out on thier pos but for dumps below certain balance i know mearchants will not be really keen to swipe. Lets say below average balance is any thing between 350 $ - 1500 $. arnd 250 £ - 1000 £

Now to cash out these dumps i have to set blinds which off course i have pre arranged. My only problem is places to cash out. I know currys pc world etc let u swipe but not every time u have enuff to buy a lap top.

Where i live in mid west region tesco let u swipe on tills but not on self check outs and asda does not let u swipe at all.

How ever i went to wales yesterday to meet a friend and was surprised to see that , there asda have self checkouts with swipe option available. How ever on till u cant swipe.

so this means looking at some specific trends all these super marts have enabled swipe in certain places and blocked in other.

I will be more than happy if you guy can post over here what ever is available in ur asda / tesco and other super markets. I do not need exact city info but sumthing like county name and store name and options will be really help full.I will be specially interested to get feed back from frnds in scotland and ireland if any.

I can say one thing if ur info helps me out in any way ... I can assure you a ps3 , 10 bottle of vodka or jd for weekend , or if u need smokes lol 5 10 boxes of ciggies can be easly dropped at ur desired location as gift from my end.

Its shopping spree guys help me out and I will take care of you.

Just for those who are interested ...at moment i am getting arnd 2300 dumps 101 ( 85 % debit ) which i have to clear in next month or so b4 next lot form another atm will be ready to use.

Any one who can provide any kind of help will be really appreciated.

one more thing : with in a week or so i can expect loads of electronic gadgets with me etc ...so keep an eye on topic coz i will be posting regualr items that will be going on 60 % - 70 % of market price !!!!

Also With in reasonable budget i can full fill demands too. This option is only for Uk users as i will be busy with other stuff and cant be bothered with postage etc. Leme know by pm if u are interested in any specific thing from any super market. If u have to request make sure u put model number of item along with current retail price and in last how much u willing to pay if i get u that .And pls no gift vouchers etc lol they ask too many qs when u buy them.

I will come back to u asap.

p.s
Admins smile.gif u can treat ur self too i guess shipping to holland and lithuania does not cost that much wink.gif

Regards"

Comments

  • Comment number 1.

    Rory, I take it you've informed the authorities of what you've found. It's no good trumpeting this kind of information, then later bemoaning the fact the police can't do anything about it.

  • Comment number 2.

    I still can't believe the powers that be can't take these websites down. Let's face it, if countries like China can stop websites they don't want the populace to see then why can't we?

    I hope there are a few people browsing these forums who feed these scumbags misinformation; it would be good to know that some of them get what they deserve.

  • Comment number 3.

    So what exactly was the point of chip-and-pin? Since its introduction I've had my card used fraudulently on three different occasions, and the card has never been out of my possession. So if these rat-bags are able to clone cards and bypass whatever security the chip-and-pin system was supposed to provide in the first place, why did the banks bother with it?

  • Comment number 4.

    In response to the first comment, yes, of course we have contacted the police, the supermarkets and the organisation representing the card issuers.

  • Comment number 5.

    I have to say I'm not totally surprised. What does put the internet into an even worse light on the internet as a tool for criminal activity is that it is more than likely sites such as EBay are used as easy clearing sites for the stolen merchandise.

  • Comment number 6.

    Chip and Pin?

    It's just a marketing success.

    Any benefit in the Chip on the cards, and been undermined by the retention of the Magnetic strip on the reverse that leaves them vulnerable to 'swiping' and then being cloned.

    It's the banks that are defrauded. Who pays for that? Us or the banks?

    I really think the banks have indulged in a bit of miss selling, the way they hyped Chip and Pin as a silver bullet. Er.....what about that strip on the reverse?

    In the 90s as a student in France I had a Eurocheque Card and Euro Cheque book.

    Surely a more secure system would have been 2 cards? 1 Chip and Pin card without the magentic strip on the reverse for domestic UK use, and another with the strip for use abroad where they don't have Chip and Pin.

    Wouldn't having two distinct cards for domestic and international use also hamper the 'cashing out' mentioned above?

    I don't often go abroad and the main benefactors of the magnetic strip on the reverse of my Credit Cards would seem to be those that may try to swipe and clone my cards.

    I am not sure where the BBC are going with claiming that Credit Cards are less secure in the US because they've not gone to Chip and Pin yet, while our supposedly superior Chip and Pin cards retain the magnetic strip that facilitates cloning.

    The banks are really careful with their money aren't they!

  • Comment number 7.

    "In response to the first comment, yes, of course we have contacted the police, the supermarkets and the organisation representing the card issuers."

    Bully for you. Did you give the authorities time to investigate, follow up and prosecute? Or did you publish and dump at the same time? Assuming the latter (or thereabouts), I can only shake my head in despair that an opportunity to catch these people has been wasted for the sake of a fairly trivial (compared to the desireable outcome) news story.

    If, however, your report precedes another detailing the arrest of said criminals, you will have my full and wholehearted apology. Until then, I'd point people in the direction of the three terror suspects arrested today as an example of how it should be done.

  • Comment number 8.

    Omn1vorous, this sort of fraud happens.

    The banks don't want us to know about it and want us to live under the illusion that they are safe and look after our money, and that their vulnerable Chip and Pin cards are without fault.

    Haven't banks also changed their terms and conditions to make their customers liable for losses that happen from online banking when such systems are from completely secure?

    'rj45 taps'?

    As soon as you connect a PC or an ATM service till to a network they are vulnerable. The banks would like us to believe that their systems are bulletproof.

    There is no such thing as total, 100% security. Just shades of insecurity.

    When the banks try to convince us that Chip and Pin cards are greatest thing since sliced bread despite the magnetic strips that makes them vulnerable to swiping and cloning why should we believe that their other systems, or the infrastructure between the places we use plastic and the banks servers are impervious?

  • Comment number 9.

    I've always known that it was only a matter of time before the chip and pin would be exposed. The retention of the magnetic strip is the greatest weakness not to mention the way criminals will always find a way to catch up.
    The worst I have seen though is Denmark. Until about 3 or 4 years ago they had a swipe and pin system. I don't really know any stats but that would have been open season if there were some evil people around.
    I also cannot believe that this was posted on the BBC site. The good thing about forums like this is not too many people know about them. This article could possible give access to many more people who would have never known about it and may now use the information.

  • Comment number 10.

    I've never read a set of blog comments I'd rather comment on than a blog it's self, so (so long as this gets accepted, despite missing the point) lets see whether I can have a good go at this:

    @nowaytheyareallgone:
    Depends on where the website is based, probably useless, but the BBC tends to do this as a matter of principle.

    @Tell-it-like-it-is:
    Two things, one; read up on what a website is, two, freedom of press, censorship, freedom of speech, personal responsibility, personal choice. God, I could name things such a naive point of view goes against... Love The Great Firewall of China, and its been so well received too...

    @hang_the_dj_sunset:
    Then stop using a stupid pin number. Please read up on encipher/decipher algorithms, side channel attacks, brute force attacking and then compare that with the ease of social engineering. Yes, your Date of Birth may be easier to remember than anything, but you don't actually use it...

    @Akyan:
    Total failure there, if i get the gist of your message; 'TeH InternETS izzz BAD!', right? Your homework? Read up on eBay, and then on 'Who Owns/Polices the Internet'- 500word essay... Give it a go.

    @BoiledBunny:
    I've never read such rot, marketing? Yep, thats why I _bought_ my card... uh-huh. Two cards you say? Yep, ah.. great. I see the humour with reference to misspelling, but come on, don't misspell 'misspell'... Thats poor, that.

    @Omn1vorous:
    Time to investigate? hmm... lets try this:
    $ whois [website]
    oh look, the location, owner, etc. Maybe we assume they're fake and go to the registrar? 3minutes top and you have enough for an arrest. You should read up on the internet too, heck- do some of you people even think about the dancing your fingers make on the keyboard?

    @BoiledBunny:
    Ah, another insightful comment. Please read up on what you're commenting on, please, for the sake of the children. Lets explore: "and that their vulnerable Chip and Pin cards are without fault" - sure, if you know the 1024bit key to decipher the chip data, but most leaks are from the shops themselves, remember TJX?
    "Haven't banks also changed their terms and conditions to make their customers liable for losses that happen from online banking when such systems are from completely secure?" The websites _are_ secure, home computers aren't. The leak is... where? Oh look, spyware at home... uh-huh.
    "'rj45 taps'? " And you're having issues with that statement... why?
    "As soon as you connect a PC or an ATM service till to a network they are vulnerable. The banks would like us to believe that their systems are bulletproof." Idiot... If every box on such a system is _owned_ by the bank, then of course they are safe and secure, the only risk being rogue sysadmins, please read up on networking. Please.
    "There is no such thing as total, 100% security. Just shades of insecurity." Wow, almost deep... The saying _actually_ goes 'Security is a journey, not a destination', but you're a glass half empty kinda person.
    "When the banks try to convince us that Chip and Pin cards are greatest thing since sliced bread despite the magnetic strips that makes them vulnerable to swiping and cloning why should we believe that their other systems, or the infrastructure between the places we use plastic and the banks servers are impervious?" _we_? No, those of us who understand what we're commenting on, we trust. You who read a few laymen fiction books on 'hackers', you can have all the paranoia you want.

    In fact, you're all welcome to it. I, however, am impressed with how far in the correspondant was able to get into such a forum. Very good.

  • Comment number 11.

    girls girls girls. Calm down. I like Omn1vorous' attack on the author... yeah, he probably did go or the scoop, but that's why we call these guys hacks! Everyone's just trying to get ahead.

    As for the banks, it's a business. Same as our loser fraud friend. And a pretty homogenous business at that, like soap powder. So they operate in a world where scales of economy win and so they're always dealing in millions and billions. Banks write off fraud so long as it's less than the cost of fighting it. Makes perfect sense. Why the UK and not anywhere else? Cos people are different. It's PR. It's scare tactics. blah blah blah.

    Don't worry about Mr 'get rich or die trying', he sounds like your average drug dealer. Usually living with their mothers, getting the occasional rush when someone presses a few hundred bucks in their hand for no work at all. But running more risk than they realise and going nowhere fast hurting a few nobodies along the way.




  • Comment number 12.

    james condom,

    respect. You said it all so much more eloquently than I !

  • Comment number 13.

    The correspondent says that the ringleader has offered goods at a discount price... i wonder if they take cards? ;-)

  • Comment number 14.

    My company, Digital Frames Direct, get fraudulent transactions on a regular basis. I have phoned the police to advise them of these frauds and where they could pick up the person committing these crimes and they are just not interested. The Police say that these frauds are so common that they have stopped taking any action and advised the banks that it is their problem and not something they will ever act upon.
    This is a disgrace and when the person who has been defrauded complains the money is taken from my bank account and I can do nothing about it.
    So the problem has been passed by the Police to the Banks and the Banks have passed the problem onto the retailer. None of this is any deterrent to the fraudsters so we can expect this to continue until something happens to stop it.

  • Comment number 15.

    The basic problem here is around security and the incentives to create security.

    It is inevitable - absolutely inevitable - that criminals will be able to create meeting places on the internet. Rory's discovery is a fairly blatant one, but it is not difficult to create a genuinely secure, invitation only forum where criminals can gather to discuss and swap this kind of information. There isn't really any point going after these sites as all you do is drive them to take the kind of measures that paedophiles, etc, have to take to hide their activities. It isn't difficult and can be done by anyone with a reasonable understanding of the workings of the internet and of computers in general.

    So if we can't create security by going down the road of catching the criminals, we need to build it into the system to begin with. This is where the problem begins. Who pays for it?

    Security generally has two factors that work against it. The first is that security is a trade off between some other factor, generally money and annoyance, and the level of security you get. Flying is generally pretty safe, but ensuring no terrorists sneak on board is expensive and annoying for everyone who has to throw away their nail scissors and battery packs and mushroom soup. The second is that a common feature of security is that those who are harmed by a failure in security are not those responsible for that security. In the 1980s, ATMs were held to be 100% secure provided the customer followed the correct procedures. Criminals discovered how to exploit the system and withdraw cash from customer's accounts, who then bore the cost of the security failure - even though it was the bank's fault. Conversely, in America, the legal onus was always on the bank to prove that the customer had made the withdrawal, and therefore the necessary security was implemented and phantom withdrawals remained a British phenomenon.

    So, when it comes to card fraud, who is bearing the costs? The consumer. Yes, the banks do generally repay the sums taken, but they do not repay the time and inconvenience it costs you when your card is cloned. They do not repay you for having your credit record besmirched. They do not repay you for the flight you missed, the social embarrassment of having your card declined, or having your eBay account de-activated for fraudulent activity. Unless banks were made to shoulder these costs, the incentives to create truly secure systems simply will not exist.

    The first point also holds. In order for cards to work everywhere in the world, they must be able to go through every payment mechanism out there. Swipe and PIN is still a current system in several European countries, despite its obvious faults. Approximately 1% of chips fail every year, so banks want to retain the magnetic stripe to reduce customer complaints. Many companies continue to accept swipe transactions for the same reason. Even the old voucher impression system is still available to any retailer who wants to use it.

    I don't want to get into blog slugfest, but James, you're really attacking the problem from the wrong angle. Saying that something is secure because it has a 1024 bit key, or because it is on a separate network, or because the user has chosen a good PIN, is completely missing the bigger picture. Mechanics of security are obviously vital, but unless the people in the position to create a secure environment have the incentives to actually create a secure system, then you can pretty much guarantee that viable attacks will exist and that they will be used. There are plenty of easy attacks out there against the current cards system, and I am sure the criminal fraternity knows more than I do. This article is just the tip of the iceberg, and will continue to be until the incentives are finally given to those responsible for user's security.

  • Comment number 16.

    http://www.vnunet.com/vnunet/news/2224776/best-western-downplays-hack


    jamescondron, my reference to 'hackers' was a dig at Michael Wills MP (Swindon North) on Any Questions in December saying we need the ID Card to protect us from 'hackers'.

    I think laying into this article for sensationalism when the government use it as part of their campaign to keep us frightened in our beds, along with terrorists and global warming is a bit much.

    People are the weakest link.

    Didn't the BBC do a hidden camera piece in bank call centres last year?

  • Comment number 17.

    Home computers are the weakest link?

    Can't ISPs do more to stop viruses and spyware?

    Home computers are the weakest link?

    What about poisoned DNS servers? Silly me, I have no idea of what I speak.

  • Comment number 18.

    jamescondron, So none of your mates that work for a well known Credit Card company have had their Credit Cards swiped and cloned then?

    So despite those that work for the Credit Card companies themselves getting done, they still put the onus on their customers?

    And there wasn't a scam at one of the Japanese Banks in the City of London a couple of years that involved keyloggers?

  • Comment number 19.

    This is sloppy journalism.. any fool can cut and paste from a website. wheres the beef? What have you actually done about finding out who this perosn actually is. Has the spiit of Watergate some how passed you by?

  • Comment number 20.

    jamescondron, I didn't realise that the magnetic strip on the reverse of the Chip and Pin cards had 1024 bit encryption?

  • Comment number 21.

    With the greatest of respect to yourself (Tyke Me Home) and Mr Cellan-Jones, sometimes it's better to let the police do their job. Rory talks about groups of these people on a forum and that tells me two things from experience.

    1) Short of befriending them and getting them to tell you, it's bloody difficult to trace someone from a forum to reality. It takes a lot of time and often doesn't pay off at all. And if the person you're tracing knows what they're doing, it will take them little effort to stay secret.

    2) There's more of them. If you try to do something clever, you could land yourself in a metaphorical pile of shit. Good journalism is one thing. Getting involved in criminal affairs for a good scoop is a different playing field altogether.

    The police have the tools to actually do something. And they have the support. A one-man crusade into a forum of organised criminals isn't going to stop them, and you'll just end up looking like an idiot.

    Are you seriously suggesting this should be a case of "Get scoop... or Die Trying :)" ?

  • Comment number 22.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 23.

    Rory Cellan-Jones your a joke
    theres hundreds of these sites
    and you found ours
    its nothing new
    there has been warez sites like this before 1994 when i first went on the net....
    what kind of scoop is this?
    Quoting nev3rong
    you really should concentrate your efforts on proper storys.....instead of a cut and paste job off a website for sensationalism...scared of doing a bit of proper journalism are you? too much work is it?

  • Comment number 24.

  • Comment number 25.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 26.

    There is still a very big issue here with the basic competence and attitude of the police towards tech crime: they're very keen to trumpet 'zero tolerance' approaches to littering and the heinous sin of eating a bagel in a traffic jam, but will do absolutely nothing about high-value 'remote' crime. A few years ago we had a couple of burglaries at our offices in Covent Garden, the haul including a few mobile phones. Being a high-tech company, we were able to track these phones, to the level where we were able to give the police the name, address and current location, to the minute, of the thief. The police refused to do anything whatsoever because they couldn't understand how we were able to give them this information. I doubt that much has changed.

    Richard

  • Comment number 27.

    Is anyone else worried that today's fraudsters can't tell the grammatical difference between "your" and "you're"? I remember the good old days when conmen could actually speak their own language. Youth of today and all that...

  • Comment number 28.

    I see your a comedian greg...I think you will find english isnt my first language. Can you speak another language grammatically correct?
    I think not! The point Im making is Rory has gone for an easy story. Blown it all out of proportion scare mongering as if it was a massive big supermarket scam. It was just a question someone asked. No big gangs or £8000 a day scam like he said it was. Just a question by one person on a forum. So he went for sensationalism like the whole supermarket industry was under threat...
    He obviously didnt have a story for the day and thought he would blow something out of proportion to make a story.
    Theres hundreds of sites out there..
    So what some kid buys a pair of jeans on a fake card. You dont take the loss, the credit card companys do. There are no big gangs in it that i am aware of. Its just petty crime thats it. Its just that there are loads of people doing it so it adds up and looks worse than it really is.

  • Comment number 29.

    Chip+PIN is a great thing, and a step in the right direction. But it will only really come into its own when the magnetic strips are finally removed.

    I work at a major UK high street retailer and am pleased to see that if you try to swipe a customer's card when it does have a chip in it, it doesn't allow this and says it must be done via chip+pin. But... then sometimes if chip+pin fails (NOT just if the customer puts in wrong PIN) then it does make you swipe it and get a signature.

    I'd like to see signatures and magnetic strips completely removed from cards.... who EVER thought that a signature was a good security feature? C'mon, piece of swish to copy!

    When I lived in Spain I was impressed that whenever using a debit/credit card, you have to show photo ID too.

    We should bring that in in the UK (for UK and foreign cards) and also all new credit/debit cards should come with photo ID printed on the front too.

    It wouldn't be at all difficult to bring in the two measures in the last paragraph, and it would go a long, long way towards protecting consumers.

  • Comment number 30.

    So long as the end result is that the BANK is at a loss, then I am a little less bother than if it's the CONSUMER or RETAILER and this is why...

    1. Foremost, as a CONSUMER, I wouldn't want to lose my money from schemes such as these.

    2. As a RETAILER (certainly in the UK) we know full well that if they lose a significant amount through these scams, we know exactly how they'll recoup the loss ... by jacking up the prices and thereby we, as the CONSUMER pay the price.

    3. The BANK however, this is a different matter, they will "hide" the losses somewhere along the lines and it becomes more transparent to the RETAILER and it not so readily passed down to the CONSUMER.

    4. The primary responsibility for ensuring a fraud proof system must rest with the BANK, so why shouldn't they foot the bill when these systems aren't all that?

    Surely, the technology must be there to make a card secure ... I have a plug in chip in my phone which holds 8Gb of data and is about the size of a finger nail ... this amount of space could EASILY contain a million times more information than any retailer or bank would need in order to verify who I am.

    -- Photographs of me; not just a "passport" one, but how about pictures that show identifying personal features like birthmarks or tattoos?

    -- Digital finger prints

    -- Iris prints

    -- Documented details; address, d.o.b, partner details, etc.,

    -- Location usage details - surely they know that you can't be in two places at once and that you can't reasonably travel a given distance within a short space of time.

    Okay, so every solution will have a flaw, but surely if there's 50 things a cashier/terminal check then the risk of fraud must be reduced.

  • Comment number 31.

    Why do we sign the little strip on the back of the card ... and why isn't the signature saved as an encrypted imaged in the chip or magnetic swipe?

    The organised criminals will have that easily solved when cloning cards, but it would stop the small time criminals who steal a card ... how can they copy a signature when they don't get to see what the original looks like?

  • Comment number 32.

    i personally carry 4 debit/credit cards and not one of them have been signed. I carry my driving licence as back up of ID..signatures? who needs them?

    U.S. credit card users stopped signing them years ago...

  • Comment number 33.

    Chip and Pin undermined by retention of the magnetic strip.

    Surely it's a convenience V security trade off?

    It's a bit like fitting your car with a car alarm and then leaving a window open.

    My assertion that Chip and Pin was mainly a marketing success was tackled:

    http://www.silicon.com/financialservices/0,3800010322,39275146,00.htm?r=1

  • Comment number 34.

    BoiledBunny.

    Neither of those articles are relevent:

    The first is over two years old. Fraudsters have had a long time to work on getting round chip and pin since March 06.

    The second is about people prefering to use cash abroad rather than using their cards. I don't know anyone who doesn't take cash or travellers cheques on holiday. And if you run out and do need to use your cards it's not the security people worry about, its the slap-in-the-face bank charges and exchange rates you get.

    Find some better references please.

  • Comment number 35.

    jamescondron, i think you missed my point somewhat. fyi, i don't have a "stupid" PIN - but what is the point of a PIN when a cloned card can be successfully used/swiped without it?

  • Comment number 36.

    @Paul Freeman-Powell

    "also all new credit/debit cards should come with photo ID printed on the front too."

    Funnily enough enough my bank offers a service to print "your favorite photo" on the card. Maybe I should send in a picture of myself holding a sign saying "Only allow me to use this card!"

    Seriously though it wouldn't be to hard to allow a voluntary photo on the card front scheme, much easier than having to remember to carry seperate photo ID although I suppose it would only stop lost/stolen card use not cloned card use.

  • Comment number 37.

    I wonder if the fraudster accept payment for all these goodies he has bought by card :)

 

The BBC is not responsible for the content of external internet sites

BBC.co.uk