Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
The Almighty Buck Crime Security The Internet

Study: $1.8 Billion In Reshipping Fraud With Stolen Cards Each Year 139

An anonymous reader writes: Researchers from the University of California, Santa Barbara and others studied the economy of how criminals monetize stolen credit cards by operating reshipping scams as means to cash out, KrebsOnSecurity reports: "A time-honored method of extracting cash from stolen credit cards involves "reshipping" scams, which manage the purchase, reshipment and resale of carded consumer goods from America to Eastern Europe — primarily Russia. A new study suggests that some 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year, and identifies some choke points for disrupting this lucrative money laundering activity. [...] disrupting the reshipping chains of these scams has the potential to cripple the underground economy by affecting a major income stream of cybercriminals. By way of example, the team found that a single criminal-operated reshipping service can earn a yearly revenue of over 7.3 million US dollars, most of which is profit."
This discussion has been archived. No new comments can be posted.

Study: $1.8 Billion In Reshipping Fraud With Stolen Cards Each Year

Comments Filter:
  • LOL ... (Score:4, Funny)

    by gstoddart ( 321705 ) on Monday September 28, 2015 @09:06PM (#50617327) Homepage

    By way of example, the team found that a single criminal-operated reshipping service can earn a yearly revenue of over 7.3 million US dollars, most of which is profit.

    Wow, that sounds even better than the other MLMs, tell me more!!

    • by ruir ( 2709173 )
      Mules...with that word in the summary we would not have to read the article. Though I already suspected it.
  • Here it is in Google cache [googleusercontent.com]

  • by Anonymous Coward on Monday September 28, 2015 @09:19PM (#50617375)

    If we really wanted to stop CC fraud, we could almost eliminate it. It's pretty simple, but we've abandoned this in favor of convenience.

    The new credit cards in the US with chips are good, but why chip and signature? Why not chip and pin like much of the world does? Better yet, why not require two-factor authentication for large and online purchases where the card isn't swiped? If the purchase is large or the card isn't swiped, simply send a verification code to the customer's phone for that transaction that they have to enter. This is used for so many services now that are less sensitive than financial transactions, so why not use it for these as well? Even the "verified by Visa" program that required a password for online CC transactions seems to not be widely used.

    Also, it's a different method of fraud, but a few months ago my CC was used to make a purchase from a fraudulent website. In this scheme, a transaction is made for a small amount of money, often less than $10, to a website that's not legit. In this case, the website is actually in on the scam. It was pretty obvious the website wasn't a legitimate business. The best thing that can be done is to do a chargeback and report the merchant to the CC processor, which in this case was Visa. If there are sufficient numbers of complaints against the merchant, who in this case is part of the fraud, they will be penalized and probably not allowed to make any more transactions. I provided my bank plenty of evidence that the merchant was fraudulent and asked them to do a chargeback, but they said they didn't want to bother and claimed it was simpler to collect insurance from the FDIC. It seems like merchants ought to be penalized when they're part of the fraud. It also seems like merchants that use poor security practices ought to be liable.

    I'm convinced that there really isn't an interest in ending fraud, because the technology exists to make it far more difficult. We just don't implement it, which is frustrating.

    • by Arkh89 ( 2870391 )

      Better yet, why not require two-factor authentication for large and online purchases where the card isn't swiped? If the purchase is large or the card isn't swiped, simply send a verification code to the customer's phone for that transaction that they have to enter.

      This is already implemented in Europe for online purchases (some banks at least). It took more than 25 years to get the chips in the US, I guess we'll have to wait another 15 years or so...

    • by PopeRatzo ( 965947 ) on Monday September 28, 2015 @09:32PM (#50617411) Journal

      The new credit cards in the US with chips are good, but why chip and signature? Why not chip and pin like much of the world does?

      Because every American would set his PIN to "4444".

      And, it might take a millisecond longer to buy a Big Gulp and bag of chips and if there's one thing you never want to do, it's make an American wait an extra millisecond for his Big Gulp and bag of chips.

      • I find it faster to type in a PIN than to write my signature on a piece of paper.
        • I find it faster to type in a PIN than to write my signature on a piece of paper.

          Most everywhere in the US doesn't require a signature for anything less than $50. Just swipe your card and you're off.

      • Simpler to tap your phone. Link to a prepaid card, low balance, manage refills offline.

      • by msobkow ( 48369 )

        My card in Canada has the best of both worlds. Chip and pin for anything over $20, NFC for less than $20.

      • You're joking, but you're actually close to the reason. There have been a lot of studies done on how easy it is to lose sales by making life inconvenient for purchasers. Amazon, in particular, is very much aware of exactly how many lost sales each extra click needs. There's pressure from a lot of big shops on this, because the cost of fraud is less than the cost of lost sales from people deciding that spending a lot of money in a secure way is too much faff. If you're asking someone for a lot of money,
      • by antdude ( 79039 )

        Yeah, no Chinese would use that unlucky number. ;)

    • by ruir ( 2709173 )
      I second you there is no interest. The solution is more costly than providing compensation, and plus compensation allows for tax breaks and setting money aside in fraudulent schemes I suspect. But it is all entirely speculation in my head.
      • by lucm ( 889690 )

        You are correct. They implemented chips on debit and credit cards in Canada and this did not make a dent on fraud, but it proved expensive as hell. Guess who ended up paying more for their banking fees? (hint: not the bankers and not the criminals)

    • If the purchase is large or the card isn't swiped, simply send a verification code to the customer's phone for that transaction that they have to enter.

      So in order to complete the purchase I have to drive home, get the verification code, and drive back to the store?

      No thanks.

      • by lucm ( 889690 ) on Monday September 28, 2015 @09:58PM (#50617517)

        If the purchase is large or the card isn't swiped, simply send a verification code to the customer's phone for that transaction that they have to enter.

        So in order to complete the purchase I have to drive home, get the verification code, and drive back to the store?

        No thanks.

        it probably wouldn't work for you anyways, these things require touch-tone.

      • by ruir ( 2709173 )
        If only someone has invented a mobile phone. Maybe in an alternate earth, who knows? If there is something unlimited is peoples stupidity.
        • The latest set of attacks on two-factor auth work by exploiting the fact that Google people are idiots and granted the Google Play app the ability to install applications without user intervention and exposed this via a UI to the Internet. If you compromise the user's browser and they log in with their Google credentials, then you can replace their bank app with a trojaned one and allow the two-factor auth to go forward.
    • If we really wanted to stop CC fraud, we could almost eliminate it. It's pretty simple, but we've abandoned this in favor of convenience.

      100% guaranteed that there would not be any credit card fraud, if there were no credit cards. In other news, people who have their appendix removed don't get appendicitis, which is why it was SOP for the Mercury, Gemini, and Apollo astronauts.

    • If we really wanted to stop CC fraud, we could almost eliminate it. It's pretty simple, but we've abandoned this in favor of convenience.

      We haven't abandoned it. The credit card companies have. They have successfully shifted all the costs associated with poor security to the merchants. If there's a fraudulent transaction and the merchant can't prove the cardholder actually made the purchase, there's a chargeback and the merchant eats the cost of the fraud. The credit card company pays nothing (their fe

    • Do you realize that the credit card companies make money on fraudulent transactions?

      Their profit is built into every transaction, legal or not. The cost of fraud is spread over the customer base, and is part of the fees paid by users and merchants. Collectively the user base pays for theft from the system, and the credit card companies make more money. That $1.8 billion in illegal billings is a profit center.

      The reason that the credit card companies are rolling out smart cards in the US after all this tim

    • by ctime ( 755868 )
      Hey, we're Americans, not some kind of progressive island nation with 10 million people. We're a huge moving ship of 300 million and it takes time to change things, chip + signature is a huge step in the right direction. Why? Most of the scams involving purchases with stolen credit cards involve "carding", or simply stealing the magnetic strip data and reusing it online and on duplicated cards.

      The chip eliminates this as the chip can't be skimmed in practice. The big credit card folks (EMV) would love t
    • You're exactly right, but the CC companies have little interest in ending fraud. Instead, they just pass along the costs. Think about it: it's actually kind of shocking that the credit cards collect a percentage of gross, i.e., the full purchase price on every transaction. In terms of processing, it doesn't matter if a transaction is for $5 or $500. This more than covers the costs of fraud, and the charge is ultimately passed on to the consumer.

      Meanwhile, they impose very strict security requirements on the

    • The new credit cards in the US with chips are good, but why chip and signature?

      Because the signature (on a debit card) makes it a credit transaction allowing the credit card company to charge 2 to 5% commission on the sale. If you authorize a debit card with a PIN instead of a signature the credit card company gets a flat fee of 25 cents.

    • by locotx ( 559059 )
      I'll give you a hint. Look into the insurance on the debt and how they package any debt collections. There's a lot of money in re-selling debt on collections and the merchants have fraud insurance. There's more money in making a fraud claim than actually recovering product and it's so much easier.
  • I'm surprised this scam still works today. All of my cards automatically reject purchases where the shipping address isn't the billing address of my card. I can add addresses to the valid list, but I have to do it beforehand through their web site or through customer service. That should shut this kind of scam down.

    Or the other obvious change of, instead of having the merchant charge my card, have me tell my bank/issuer to pay the merchant. Then the merchant never needs to know my card number and it's a lot

    • by ruir ( 2709173 )
      There are other obvious answers. In my country we have virtual CC cards. I just create one with the amount I need for the article I want to buy, with a margin of a couple of euros - or a recurring one for a period of one year, say for my Apple account, with a limit of 100 dollars. However, once I set it to one entity, it cannot be used by another entity. This technology proved to provide a huge boost in electronic commerced as it provided an inceptive for many sceptics to buy things using "VISA". I also he
      • by ruir ( 2709173 )
        As a anecdotal tale, I provided a virtual CC to the free tier of amazon, ending, guess what, at the term of their "free" time interval. My luck, because I had forgotten a stopped virtual VM that was paying for hard disk used. First month out of the trial got an email...cannot charge you on your expired "VISA", give us a new one,... good way to control hidden recurring fees after "free" trials.
  • in 20 years they'll be no petty crime outside of the poor stealing from the poor and the occasional white collar crook who manages to steal things legally Bain style. Software will eat the world.
  • Most of the CCs that are stolen en-mass have 2 things in common:
    1) the systems run Windows.
    2) the company outsourced to India.

    now some of you will say that it is not so , or that I am biased. Yet, nothing of the kind. Russians approach Indians and point out correctly, that the company that they work for pays them crap. In fact few make more than $9k / year. As such, Russian can offer them 90k to leave a back door. Once in, the Russian will clean it up and point elsewhere.

    This will continue until weste
  • I suppose, any sort of credit card scam can be linked that way. The credit system was introduced primarily to help people set up their business. Now it is a business in itself. Good Job Loan Sharks.
  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Tuesday September 29, 2015 @03:32AM (#50618367) Homepage

    Article says "carded consumer goods from America to Eastern Europe — primarily Russia".

    I don't think that Putin would like Russia to be seen as part of Europe. Look at the fuss that he made when Ukraine was getting too close to Europe [wikipedia.org].

  • I live in Russia and I think that this information is not completely true. Please note that $1.8 billion is a lot of money. What can I see here is that this service is not offered to a general public. It is not advertized, I knew nothing about it before reding this article.
    That means that the situation when many Americans are constantly sending things to many Russians is very improbable. What are the alternatives?
    They can send these goods to few companies or persons which later resell them in Russia. But he

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...