Psst... wanna buy some credit cards?  
Posted by Gunter Ollmann on November 12, 2007 at 9:26 AM EDT.

Of the millions of credit cards electronically stolen each year, have you ever thought about where they go and what happens to them once they reach their final destination?

Data leakage in the form of ‘lost’ credit cards and the supporting identity information needed to successfully use the cards fraudulently, is big business – and by ‘business’ I mean highly organized and run by professionals.

But, if you’re curious like me, have you ever wondered how this underground criminal economy actually works?  For example, not a day has gone by the last 3 months that there isn’t yet another news story about TJX’s loss of 45.7 million customer records – the question is, if you wanted to get your hands on a million of those customer records, what would you need to do?

Looking for gold (cards)

For the last twelve months I’ve had a couple of slides in my assortment of threat presentation decks (I get pulled in to doing lots of presentations for customers, partners and conferences – so I tend to recycle some of the most interesting threat slides) that show the sites and forums that sell this kind of identity information, and what it retails for.

It should be no surprise that there are plenty of web sites that buy and sell identity information – most of them focused on credit cards – and any quick Google searches will likely reveal many of the more popular sites.  The ‘better’ sites tend to stay below any of the search-engine radars, and it’ll take a little digging to find them (not much though).  If you embark on your own investigative path, you’d better brush up on your IRC etiquette and find a good Russian-to-English translator program.

What’s a credit card worth?

The first thing to know when navigating these murky waters is ‘think big’ – you don’t buy individual identities and credit cards, you buy them in batches of hundreds or thousands, or hundreds of thousands if you want the best rates!

Most sites will conveniently ‘batch’ up the stolen credit card details based upon cards issued from the same bank and of the same card type.  This is mostly done by creating batches based upon cards having the same first four or six numbers.  For example, “556951” is National Westminster Bank (London), while “510199” is UBS AG (Zurich).

The number of actual cards and supporting identity information within each batch can be variable.  Some batches may only have a handful of card details, while others may have tens-of-thousands.  The price of the batch will depend on the total number of cards you’re buying (e.g. you may want to buy several batches, making up a total of 2,500 cards).

So, what’s a typical rate?  If you buy a batch that contains the card number, expiration date, address, city, ZIP code, holder name, and CVV2 code number, you’re likely to get the following rates:

 $1 each  - 1-200 cards
 $0.9 each - 201-500 cards
 $0.85 each - 501-999 cards
 $0.8 each - 1000-2000 cards
 $0.7 each - 2001+ cards

For 1,000,000+ cards (if you find the right supplier) this rate can drop down to $0.01-$0.1 per card.  The rate depends upon how 'fresh' the cards are and how much work the seller had to go through to get hold of them.

However, the more identity information associated with the card and the card holder, the more valuable it becomes.  For example, if you have all the information listed earlier, but also bundle in Social Security Numbers, date of birth, card PIN number and mother’s maiden name, you’re likely looking at a rate of $20-30 per card (minimum purchase size requirements of 200 etc.).

Trust amongst thieves

Let’s say that you’ve selected a number of batches of cards and identities, you’ve negotiated a ‘fair’ price, and you’re ready for purchase.  How do you know the cards are real and still work?  After all, the cards may have expired, may have been flagged as stolen, could have been canceled or may just have really low limits.

In general, once you have “placed your order”, the seller will pop out to a store somewhere and try several of the cards out – ‘purchasing’ several high value items (e.g. a few thousand dollars on each card).  He’ll cancel/void the transaction, and keep the voided receipts.  Next he’ll scan in the receipts and send them to you.  The purpose being that you’ll see that the cards are real, that they still work and that they have high credit limits – all verified by the date on the receipts.

If you’re satisfied with the results, you’ll arrange transfer in to their accounts. Payment will be made in something like FetHard, WebMoney, Epassporte, E-gold, Western Union, etc. – but there may be some fee’s – e.g. 5% fee for Epassporte and E-Gold.

If all goes to plan, you’ll be given a URL and password to download you batch of stolen credit cards.

From file to crime

The batches of credit cards are typically formatted in CSV format, ready to be loaded in to your favorite card programming software (the site that sells the card details probably has free software to help you here) and downloaded to your magstripe re-programer so you can produce a physical credit card for use at the store.

Then of course there are also all the sites that specialize in the equipment needed to print your own credit cards – but I’ll leave that step for a future blog entry

    Copyright 2001-2007 © Gunter Ollmann