There has been a rise in the number of private anti-fraud companies acting as digital security investigators against cyberthieves. One is called Cardcops and is based in Malibu, California.
WIRED ON FRIDAY: It privately polices the Web looking for users of stolen credit card numbers and sets traps to catch these thieves known as carders.
In May, Cardcops set up a site called Laptops4now.com after it identified internet chat rooms it said were forums for credit card thieves. Members of Cardcops logged onto the chat rooms and spread word that Laptops4now had lax credit card verification procedures.
"After telling specific underground carder chat rooms that Laptops4now loosely shipped anywhere, we received 16 orders using stolen credit cards totalling over $27,000 in a 12-hour period," said Mr Dan Clements, chief executive officer of Cardcops.com. The site's design was purposely amateurish and the security shoddy. Members of a ring suspected of internet credit card theft ordered goods from Laptops4now. Those who placed the orders lived outside the US but had US shipping addresses. Instead of receiving what they ordered, five bogus orders were shipped to them and included old John Grisham paperback novels and other items.
"This sting has yielded a tremendous amount of information on how fast carders can attack reputable merchants with fraudulent orders," said Mr Keath Nupuf of Secure Net Labs, the firm hired to do the tracking. "Foreign internet providers, e-mail addresses, drop addresses and site scan origins, were all captured as part of the project," he added.
The orders and all the fraudulent data gathered by Cardcops were given to the FBI, the US Secret Service, the US Postal Inspector's office and the Los Angeles district attorney's office. FBI director Mr Robert Mueller created a cybercrime unit in December and the Bush administration has added 50 federal prosecutors to address the problem nationwide.
Cardcops was set up in 2000 and is financed by fees from credit card issuers and online merchants. The company's business model aims to teach online merchants to protect themselves from fraud and to understand shopping cart vulnerabilities. It offers a subscription-based service to merchants. Last month, it began a credit card check on its website at www.cardcops.com for consumers to see if their account numbers had been stolen online. The site already has data on about 100,000 stolen numbers. If a card number comes back positive, cardholders are advised to contact their financial institution.
"Consumers usually get their statements two months or three months after it [the card] is compromised," Mr Clements said. "During those 60 to 90 days, that card has floated around the internet. They're the ones who are out on a limb."
Cards that thieves use have been validated in public areas on the internet. This means someone checked to see if the card was valid by using a program that connects with a credit card processor. This is done by posting the number and expiration date into the public room, where an automated program charges a small sum to the card to see if it is valid.
The program is built and maintained by other thieves. The sum charged is not likely to tip off cardholders, according to Mr Clements. And the charge comes from an unrelated merchant not privy to the scam. If the card was found in a search engine or reported to Cardcops via a merchant vulnerability then it would show up in Cardcops' database.
Gartner Group estimates that fraud cost internet retailers $700 million in lost merchandise last year. A Gartner study also shows that 5.2 per cent of online shoppers have been victimised by credit card fraud and 1.9 per cent by identity theft.
An online music firm like CDUniverse.com estimates about 5-8 per cent of its orders come from people with stolen credit cards. Two years ago, a hacker broke into the CDUniverse site and stole 350,000 card numbers which he posted on a website.
Another firm that provides anti-fraud protection is Internet Security Systems of Atlanta. "We don't necessarily track stolen credit cards," a spokesman said. "But we do have products that protect applications." One is called BlackICE and it protects data on any desktop or mobile PC with a personal firewall.
The Emergency Response Services and forensic teams at Internet Security Systems recorded the same number of incidents in the first and second quarters of 2002 as in all of last year. A recent study asked a group of Internet users what features would persuade them to buy online. Eighty-eight per cent said guaranteed credit card security.
