|By Elizabeth Weise, USA TODAY|
The end of the road for the 56 million credit card numbers stolen a month ago from
"We're generally not seeing
The story of how a massive international data breach ended up at a fast food store in
That was when someone inserted malicious software — malware — into point-of-sale machines at
Many in the security community suspect the attackers were in
As many as 56 million cards were compromised, according to
The news broke in September, when someone put a batch of cards for sale on a criminal Internet site that trafficked in stolen financial information.
Banks and credit unions began to see bogus charges appear almost immediately. Despite the far-reaching criminal networks that create these massive computer security breaches, the people who end up buying things with the stolen cards appear to be "just using them for day-to-day living," Miller said.
"Our people travel, many of them are
It was easy to cut off cards whose owners were buying gas in
"The financial institution is going to reimburse the customer for any fraudulent transaction on the account," said
Computer security writer
Mission Federal has dealt with more than
Credit unions are not-for-profit, he said, so "when we take
Another cost financial institutions face is replacing compromised cards. Mission Federal Credit has gotten about 10 lists of compromised cards from
"That's about 15% of the credit cards we issue," Miller said. It costs the credit union about
The trajectory, from a continent away to a few ZIP codes away, isn't any surprise to security experts.
"The thing to remember about this whole process is that it's an industry," said
ILLEGAL SUPPLY CHAIN
Data theft is like any supply chain. First come the manufacturers, then the wholesalers, the middlemen, the retailers and, finally, consumers.
The manufacturers are the organized professionals who plant the malicious software that steal the card information. "They've had a lot of training; they steal huge numbers of credit cards," Webb said. "That's the raw material."
Once these might have been used to buy expensive merchandise online, but credit card companies created sophisticated anti-fraud algorithms that quickly detected anomalous charges on compromised accounts.
The thieves reconfigured.
Now these numbers go to wholesalers, usually still overseas, who break them down in manageable groups of cards, sorting them by area and ZIP code.
These bundles are offered up for sale in bulk on underground websites.
"They'll even send you samples, so you can test the quality. If it's good, you come back and buy more. Some of these guys are so confident that they have money-back guarantees," Webb said.
The middlemen buy up a list of numbers and use them to make cloned credit cards. Machines and blanks cards are readily available online.
"It's going to cost you about
The newly cloned cards are sold to low-level gangs or criminals.
One tactic is to use the cloned cards to buy gift cards. Target is a popular choice because "there they can buy 50 different kinds of gift cards in one place. They're laundering the money because it's very hard to trace those cards," Sileo said.
Cards are sometimes sold on street corners. Sileo's talked to people who were approached in
The dealers are "incredibly entrepreneurial. They're working it out for their little corner of the world, in their ZIP code," he said.
The amounts the final users end up charging are tiny. The average fraud on the fake cards
"We see a lot of McDonald's meals,
The role of the people committing the original crime — stealing the data — is limited, said
The final users are often poor people trying to get by, charging small amounts on cards that last for a week or so until the credit card company cancels them.
The computer criminals half a world away "have taken the risk out of it" for themselves, Kaminsky said. This leaves law enforcement with no one to target.
"What are they going to do," he said, "go bust some guy in
|Copyright:||Copyright 2014 USA TODAY|