Computer Vulnerabilities & Criminal Activity Identity Theft & Credit Card Fraud 6.1 March 1, 2010

Upload: arron-wilson

Post on 06-Jan-2018



Definition of Identity Theft

A person commits the crime of identity theft if, without the authorization, consent, or permission of the victim, and with the intent to defraud for his or her own benefit or the benefit of a third person, he or she does any of the following:

1. Obtains, records, or accesses identifying information that would assist in accessing financial resources, obtaining identification documents, or obtaining benefits of the victim.
2. Obtains goods or services through the use of identifying information of the victim.
3. Obtains identification documents in the victim's name.

US Legal Definitions


Identity Theft and Assumption Deterrence Act

18 U.S.C. § 1028

Makes it a federal crime to: “knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law”


Protected Information

- Name
- Date of birth
- Social Security number
- Driver's license number
- Financial services account numbers, including checking and savings accounts
- Credit or debit card numbers
- Personal identification numbers (PIN)
- Electronic identification codes
- Automated or electronic signatures
- Biometric data
- Fingerprints
- Passwords
- Parent's legal surname prior to marriage


States with Mandatory ID Theft Investigation

- California
- Louisiana
- Minnesota


Motivation for Identity Theft

- Financial Desires
- Greed
- Strain Theory


Individuals Committing Identity Theft

- Individuals
  - May have some relationship to the victim
  - Often have no prior criminal record
- Illegal Immigrants
- Methamphetamine Users
- Career Criminals
- Gangs
  - Hells Angels
  - MS-13
- Foreign Organized Crime Groups
  - Asia
  - Eastern Europe


Victims of Identity Theft

- Higher education / higher income
- Age 22 - 59
- Married
- Basically, individuals most likely to have a good credit rating / credit history


Methods of Obtaining Identity Information

- Dumpster Diving
- Skimming
- Phishing
- Change of Address
- Theft of Personal Property
- Pretexting / Social Engineering


How the Internet is used for ID Theft

- Hackers
  - Interception of transmissions - retailer to credit card processor
  - Firewall penetration - data search
  - Access to underlying applications
- Social Engineering / Phishing / Pretexting
- Malware / Spyware / Keystroke Loggers


Crimes Following Identity Theft

- Credit Card Fraud
- Phone/Utility Fraud
- Bank/Finance Fraud
- Government Document Fraud
- Employment Fraud
- Medical Fraud
- Misrepresentation during arrest


Problem with Identity Theft Investigation

- Lapse of time between crime and the time the crime is reported
- Monetary amount
- Jurisdiction
- Anonymity


Identity Theft Investigation

http://www.ftc.gov/bcp/edu/microsites/idtheft/law-enforcement/investigations.html

- Identity Theft Data Clearing House
- Identity Theft Transaction Records
- Subpoena or victim’s permission
- Request for documents
  - Must be in writing
  - Authorized by the victim
  - Be sent to the address specified by the business
  - Allow the business 30 days to respond


Credit Card Fraud

“Wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction.”

Wikipedia


“Carding”

“The unauthorized use of credit and debit card account information to fraudulently purchase goods and services.”

DATA BREACHES: WHAT THE UNDERGROUND WORLD OF “CARDING” REVEALS - US DOJ


Carding Terminology

- Dumps - information electronically copied from the magnetic stripe on the back of credit and debit cards.
  - Track 1 is alpha-numeric and contains the customer’s name and account number
  - Track 2 is numeric and contains the account number, expiration date, the secure code (known as the CVV), and discretionary institution data.
- PIN - Personal Information Number
- BIN - Bank Information Number
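
A defensive use of the track layout described above, as an added example that is not part of the original slides: a scanner that finds Track 2 data in text such as application logs and redacts it. It assumes the standard ISO/IEC 7813 Track 2 framing (`;` start sentinel, `=` separator, `?` end sentinel), which the slide does not spell out; the log lines and the test card number are constructed.

```python
import re

# Assumed Track 2 layout (ISO/IEC 7813, not given on the slide):
# ';' PAN '=' YYMM expiry, 3-digit service code, discretionary data, '?'
TRACK2 = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters digit runs that only look like an account number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_line(line: str):
    """Return (redacted_line, findings) for one line of text."""
    findings = []

    def redact(m):
        pan, mm = m.group(1), m.group(3)
        if not (1 <= int(mm) <= 12 and luhn_ok(pan)):
            return m.group(0)   # implausible as track data: leave untouched
        # Keep the first six (BIN) and last four digits for triage only;
        # expiry, service code and discretionary data are dropped entirely.
        findings.append({"bin": pan[:6], "last4": pan[-4:]})
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        return ";" + masked + "=[REDACTED]?"

    return TRACK2.sub(redact, line), findings

# Constructed sample log lines (4111111111111111 is a widely used test number).
SAMPLE_LOG = [
    "2010-03-01 12:00:01 POS swipe raw=;4111111111111111=30121010000000000000? term=7",
    "2010-03-01 12:00:02 POS debug id=;1234567890123456=25011010000? term=7",
    "2010-03-01 12:00:03 POS heartbeat ok",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        clean, hits = scan_line(entry)
        print(clean, hits)
```

The second sample line matches the framing but fails the Luhn check, so it is left alone; this keeps false positives down when scanning logs that contain long numeric identifiers.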


Carding Terminology cont.

“Full Info” or “Fulls” - a package of data about a victim, including for example address, phone number, social security number, credit or debit account numbers and PINs, credit history report, mother’s maiden name, and other personal identifying information


How Credit Card Information Obtained

- Online
  - In bulk from hackers who have compromised large databases
    http://www.privacyrights.org/ar/ChronDataBreaches.htm
  - Phishing
  - Malware


Types of Carding

- Carding Online
  - Using stolen credit cards to purchase goods & services online
  - Carding to a drop - having goods sent to another physical address
  - Cobs - changing billing address with credit card company


Types of Carding cont.

- In-Store Carding
  - Presenting a counterfeit credit card that had been encoded with stolen account information to a cashier at a physical retail store location
  - More risky
  - Higher level of sophistication


Types of Carding cont.

- Cashing
  - The act of obtaining money, rather than retail goods and services, with the unauthorized use of stolen financial information
  - Pin Cashing - Using dump information to encode a strip on a card to use at ATMs


Types of Carding cont.

- Gift Card Vending
  - Purchasing gift cards from retail merchants at their physical stores using counterfeit credit cards and reselling such cards for a percentage of their actual value
  - Sales may be online or face-to-face


Carding Forums

- Online
  - Tutorials on different types of carding-related activities
  - Private and public message posting enabling members to buy and sell blocks of stolen account information and other goods and services
  - Hyperlinks for hacking tools and downloadable computer code to assist in network intrusions
  - Other exploits such as source code for phishing webpages
  - Lists of proxies
  - Areas designated for naming and banning individuals who steal from other members


Carding Websites (all disabled)

- www.shadowcrew.com
- www.carderplanet.com
- www.CCpowerForums.com
- www.theftservices.com
- www.cardersmarket.com


Sample Carding Web Sites
