“Our research team at UCSD needs a large number of bogus credit cards in order to buy illegal products from international criminals,” was the message that Stefan Savage, Ph.D. shared with a group of Chancellor’s Associates at the Faculty Club in June. That may seem like a strange study program for a group of undergraduates.
Actually, Savage was discussing what cybercrime hackers do with all the personal identity they have extracted from major retail chain stores and various government agencies. His talk was not about the technicalities of hacking, or what can be done to prevent it, but how the stolen information can be used as an economic benefit using Internet sales.
The research project at the University of California San Diego is organized to track the ultimate use of the dummy credit cards that have been seized by international organizations that use only stolen credit card information where there is a very big financial reward.
That does not mean the hacker buys merchandise or services with the stolen card identification; it is much more profitable to sell that information to foreign syndicates that generate most of the spam invading your personal computer or smartphone.
The speaker revealed that from 20 percent to 40 percent of computer users open spam files, which subjects them to persistent window advertisements for products and services (think Viagra). The most common items are pharmaceuticals and counterfeit computer software. The product is delivered to the buyer, but the legitimate manufacturer isn’t benefiting from the sale.
Many Internet providers do a poor job of screening spam. To avoid getting on the hit list of these international vendors, just don’t open any email when you don’t know the sender; you may not be able to unsubscribe persistent spam.
So how does the UC San Diego research team find the source of the spam intrusion into your computer system, and where does the money go when purchases are made on line?
The bogus credit cards obtained by team members show charges by vendor source and can be traced to the banking institution used to launder the transaction. These credit card charges are moved around the world in several channels to conceal the real source of the sale. China, Russia and many obscure African or Asian sites are the channels for the proceeds to reach the syndicates that purchased the identity from the hackers.
Savage demonstrated charts showing the credit card charge flowing back and forth around the world on several channels before finally settling in one of the three banks that launder 95 percent the credit card payments.
These banks are not generally known to the public. They are AGBank in Azerbaijan, a Muslim republic in the Caucasus; a bank in St. Kitts-Nevis in the Caribbean; DnB NORD in Copenhagen doing business in Estonia, Latvia, Lithuania and Poland. Not your friendly neighborhood corner banks.
The technical reference to the cybercrime product sales is “original equipment manufacturer” or OEM, which refers to the resale of another company’s product under their own name and branding. The term is really misleading because OEMs are not the original manufacturer, but a customized rebrand stolen from the rightful manufacturer.
During the Q&A session, most questions centered on the source of hacking. “The Chinese own us, left and right,” the speaker responded. However U.S. security agencies do the same and are actually better at it, Savage quipped.
The best technical shield against having your credit card data hacked is to use the new credit cards with chips now being distributed by U.S. banks. The system has been in use in foreign countries with better protection from hacking.
The problem for the chip conversion in America is the cost of a card-reading device that is an expensive purchase for the small vendor. It also requires the use of a PIN when the card is swiped.
Obviously, there is much to be done for cybersecurity as the hacking process becomes more invasive. The public appears to be the innocent victim of a criminal system that is very difficult to control.