Lecture72011

Report
Computer Vulnerabilities
& Criminal Activity
Identity Theft & Credit Card Fraud
7.2
October 24, 2011
Definition of Identity Theft
A person commits the crime of identity theft if, without
the authorization, consent, or permission of the victim,
and with the intent to defraud for his or her own benefit
or the benefit of a third person, he or she does any of the
following:
1. Obtains, records, or accesses identifying information that
would assist in accessing financial resources, obtaining
identification documents, or obtaining benefits of the victim.
2. Obtains goods or services through the use of identifying
information of the victim.
3. Obtains identification documents in the victim's name.
US Legal Definitions
Identity Theft and Assumption
Deterrence Act
18 U.S.C § 1028
Makes it a federal crime to:
“knowingly transfers or uses, without lawful authority, a
means of identification of another person with the intent to
commit, or to aid or abet, any unlawful activity that
constitutes a violation of Federal law, or that constitutes a
felony under any applicable State or local law”
Connecticut Criminal Law
- Identity Theft
http://law.justia.com/connecticut/codes/title53a/sec53a
-129a.html
Protected Information
Name
Date of birth
Personal identification
numbers (PIN)
Social Security number
Electronic identification
codes
Driver's license number
Automated or electronic
signatures
Financial services account
numbers, including checking
and savings accounts
Biometric data
Credit or debit card
numbers
Passwords
Fingerprints
Parent's legal surname prior
to marriage
States with Mandatory ID
Theft Investigation
California
Louisiana
Minnesota
Motivation for Identity Theft
Financial Desires
Greed
Strain Theory
Individuals Committing Identity Theft
Individuals
May have some relationship to the victim
Often have no prior criminal record
Illegal Immigrants
Methamphetamine Users
Career Criminals
Gangs
Hells Angels
MS-13
Foreign Organized Crime Groups
Asia
Eastern Europe
Victims of Identity Theft
Higher education / higher income
Age 22 - 59
Married
Basically, individuals most likely to have a good credit
rating / credit history
Methods of Obtaining Identity
Information
Dumpster Diving
Skimming
Phishing
Change of Address
Theft of Personal Property
Pretexting / Social Engineering
How the Internet is used for
ID Theft
Hackers
Interception of transmissions - retailer to credit card
processor
Firewall penetration - data search
Access to underlying applications
Social Engineering / Phishing / Pretexting
Malware / Spyware / Keystroke Loggers
Crimes Following Identity Theft
Credit Card Fraud
Phone/Utility Fraud
Bank/Finance Fraud
Government Document Fraud
Employment Fraud
Medical Fraud
Misrepresentation during arrest
Problem with Identity Theft Investigation
Lapse of time between crime and the time the crime is
reported
Monetary amount
Jurisdiction
Anonymity
Identity Theft Investigation
http://www.ftc.gov/bcp/edu/microsites/idthef
t/law-enforcement/investigations.html
Identity Theft Data Clearing House
Identity Theft Transaction Records
Subpoena or victim’s permission
Request for documents
Must be in writing
Authorized by the victim
Be sent address specified by the business
Allow the business 30 days to respond
Credit Card Fraud
“Wide-ranging term for theft and fraud committed using a credit
card or any similar payment mechanism as a fraudulent source
of funds in a transaction.”
Wikipedia
“Carding”
“The unauthorized use of credit
and debit card account information to fraudulently purchase goods and
services.”
DATA BREACHES:WHAT THE UNDERGROUND
WORLD OF “CARDING” REVEALS - US DOJ
Carding Terminology
Dumps - information electronically copied from
the magnetic stripe on the back of credit and
debit cards.
Track 1 is alpha-numeric and contains the
customer’s name and account number
Track 2 is numeric and contains the account
number, expiration date, the secure code (known as
the CVV),and discretionary institution data.
PIN - Personal Information Number
BIN - Bank Information Number
Carding Terminology cont.
Full Info” or “Fulls” - a package of data about a victim,
including for example address, phone number, social
security number, credit or debit account numbers and
PINs, credit history report, mother’s maiden name,
and other personal identifying information
How Credit Card Information
Obtained Online
In bulk from hackers who have compromised
large databases
http://www.privacyrights.org/ar/ChronDataBreac
hes.htm
Phishing
Malware
Types of Carding
Carding Online
Using stolen credit cards to purchase goods & services
online
Carding to a drop - having goods sent to another physical
address
Cobs - changing billing address with credit card company
Types of Carding cont.
In-Store Carding
Presenting a counterfeit credit card that had been
encoded with stolen account information to a cashier at
a physical retail store location
More risky
Higher level of sophistication
Types of Carding cont.
Cashing
The act of obtaining money, rather than retail goods
and services, with the unauthorized use of stolen
financial information
Pin Cashing - Using dump information to encode a
strip on a card to use at ATMs
Types of Carding cont.
Gift Card Vending
Purchasing gift cards from retail merchants at their
physical stores using counterfeit credit cards and
reselling such cards for a percentage of their actual value
Sales maybe online or face-to-face
Carding Forums Online
Tutorials on different types of carding-related activities
Private and public message posting enabling members
to buy and sell blocks of stolen account information
and other goods and services
Hyperlinks for hacking tools and downloadable
computer code to assist in network intrusions;
Other exploits such as source code for phishing
webpages
Lists of proxies
Areas designated for naming and banning individuals
who steal from other members
Carding Websites (all disabled)
www.shadowcrew.com
www.carderplanet.com
www.CCpowerForums.com
www.theftservices.com
www.cardersmarket.com
Sample Carding Web Sites

similar documents