
Think your credit card is safe in your wallet? Think again.

Credit card data is stolen in lots of different ways: phishing, skimmers, malware on e-commerce sites, scam phone calls, dishonest clerks and data breaches, which can affect hundreds of millions of people. (Sofia Varano for The Washington Post)

Check your bank balance, Avril Rhoades in Valdez, Alaska. Freeze your credit, Nazaryah Minnieweather of Victorville, Calif. And cancel your credit card, Jennifer Kelly in LaGrange, Ga. A gang of thieves was selling your card information on a public Facebook group, and anyone willing to pay as little as $4 for stolen credit card information could use it to buy, say, a $1,499 iPhone and you’d get the bill. (Facebook shut down the group when notified of its existence by The Washington Post.)

While microchips in credit cards have sharply reduced fraud in transactions that take place in stores, mobile and online transactions have become the low-hanging fruit of criminal opportunity.

“Card-not-present” credit, debit and prepaid card fraud has ballooned in the United States in the last few years, reaching $4.57 billion in 2016, up 34 percent from the year before, according to the most recent Federal Reserve Payments Study. These shadowy crimes hurt both small businesses and the customer shopping experience.

If you’ve swiped a credit card at a gas station that has a hidden skimmer, your information was compromised during the Equifax data breach, or you ordered something from a website infected by malware, it is more than likely that thieves have your card information, according to cybersecurity experts, who often find themselves one step behind international criminal networks.


“Recent figures suggest that over 80 percent of credit cards currently in people’s wallets have already been compromised,” said Markus Bergthaler, director of programs and marketing for the nonprofit Merchant Risk Council, which educates businesses on strategies to curtail fraud.

Crooks obtain credit card information by stealing it right from the card or buying it on the massive online marketplace for stolen cards on Facebook, Twitter, Instagram and YouTube as well as the dark Web, a separate network that can’t be reached with normal browsers.

They then use the information to impersonate the cardholder and buy nearly anything over the Internet. The goods are delivered to an address here or abroad, and the scammer, who is rarely pursued by law enforcement, lives to steal again another day.

“I’m pretty confident my credit card information is in cyberspace,” said Chris Leone, assistant to the special agent in charge of the Criminal Investigative Division of the Secret Service, the government’s lead agency on financial cybercrime. “These guys have gotten so good, they have a checkout box to buy stolen credit card numbers just like on a retail website.”

The cost of card-not-present cybercrime goes far beyond the billions lost in merchandise. Businesses spend heavily to protect against fraud, hiring security experts, buying software and contracting with outside companies to monitor transactions. Banks have to replace stolen credit cards regularly. As the Federal Reserve noted in a report last year, payment fraud “represents a drag on economic activity.”

And the problem has a “major effect on the consumer-buying experience,” said Michael Reitblat, CEO of Forter, a fraud prevention company, who estimates that between 5 percent and 10 percent of online orders are declined, sometimes for innocent anomalies. “Retailers are turning away a lot of good orders.”

The toll on small business

But these thefts go largely unreported to law enforcement, uninvestigated and unpunished. Most businesses don’t report, in part because it reflects badly on their company. Cardholders don’t report the fraud because banks immediately void bogus charges. So the public is not clamoring for a solution.

“That’s what underpins it,” said D.J. Murphy, editor in chief of Card Not Present, an online publication devoted to the topic. “If it doesn’t hurt consumers, there’s no outcry.”


Whom does it hurt? Small-business owners.

“If you shoplift a $10 item from Target, you’re going to get in trouble,” said Wes Pritt, president of Blue Ridge Net Publishing, an online retailer in Roanoke. “The police will come, and you’ll be charged.” But if his company sends out a $3,000 order paid for with a stolen credit card, no law enforcement agency will try to find the perpetrator. His company will absorb the loss, as well as incur a “chargeback fee” from the credit card processing company.

A business owner who tries to get law enforcement involved rarely succeeds, so most don’t try.

Small retailers pay the price, said Avivah Litan, senior security analyst at the advisory firm Gartner Inc. “The large retailers like Amazon have very advanced fraud detection. The small guys don’t have anything. Fraud could easily put them out of business.”

That risk for small business is a legacy of the early days of e-commerce when banks and credit card companies were unwilling to approve payments over the Internet — so retailers stepped up. Merchants saw the potential of online sales and accepted the liability “in exchange for being able to tap a new and powerful sales channel,” Murphy said.

But if the Internet was in its infancy, so was cybercrime.

“The fraudulent orders were more obvious back then,” said Pritt. “The billing and shipping addresses were far apart, the IP address of the computer was some place different from both, and the shipping method was typically Next Day Air.” He could spot them easily. “Nowadays they’re way more sophisticated.”

Thieves route orders through a computer in the same region as the presumed buyer: an order from a Kansas credit card that comes from a Kansas computer won’t trigger a security alert. The owner of the hacked computer in Kansas will never know.

Close to half of attacks on American companies come from the United States, Reitblat said. But some foreign criminals — experts cited countries in Eastern Europe and West Africa — now specialize in credit card fraud aimed at American businesses and consumers.

“In my estimation, there are at least 2 million people and this is what they do for a living — they steal credit cards from Americans,” said Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham.


On his computer screen, he scrolled through Web pages showing the names and numbers of credit card holders — and the answers to their security questions. The pages belonged to the Full House Money Gang, a mainly West African computer crime syndicate with 2,553 members, according to Warner.

All it takes is high-speed Internet, “a good educational system and no chance in hell of anyone getting a decent-paying job,” he said. “We saw it in Eastern Europe — they had great universities, they had high-speed Internet, but the economy had crumbled to a point that no one could make a decent living working honestly.”

In Nigeria, criminals shifted to credit card theft with the arrival of cell towers. “What changed in the last five years? Decent cell service. Now they can sit with their Android phones and open a bank account in the U.S.”

An 'ecosystem' of fraud

Credit card data is stolen in lots of different ways: phishing, skimmers, malware on e-commerce sites, scam phone calls, dishonest clerks and — the big one — data breaches, which can affect hundreds of millions of people.

Over the years, an international “ecosystem” of fraud has developed, Reitblat said. One organization specializes in cyberbreaches or phishing attacks, another extracts the credit card data, and yet another sells the information. Each player takes a cut, and the price increases every step of the way. A sale early in the chain may ask one bitcoin (currently about $9,500) for 100,000 credit cards, while the price at the end will be from $5 to $20 per card. Cryptocurrencies make these transactions untraceable.

And therein lies the problem facing the Secret Service. Even determining the country that is the source of the breach is confounding. If the scammers are identified, “many of them are in places where we can’t go out and get them,” Leone said.


Many cybercriminals “deliberately target companies in nations that do not have extradition treaties with their own home country,” said Stas Alforov of Gemini Advisory, a fraud intelligence company that works with global financial institutions.

In the last year and a half, a new kind of malware called Magecart has “taken off massively,” said Brian Krebs, author of Hackers insert one line of malicious code into retail websites, and that code harvests the payment data, sort of “the virtual equivalent of skimmers.” And if the malware is implanted in a third-party supplier’s software, it will send data from every company that uses the third-party site.

Much of the trade in stolen cards takes place on the dark Web. It hides all trace of its users and erases browsing history and cookies.

But the biggest crooks operate on the regular Web, said Michael Dickson of the Secret Service’s Cyber Intelligence Section. Facebook, according to experts, wipes out thousands of credit card shops every day. In April, Cisco’s Talos Security division uncovered 74 Facebook groups with 385,000 members buying and selling stolen credit card numbers “in every language.”

Jaeson Schultz of Talos said Facebook has been “very responsive,” closing down the groups his company found, but relying on groups to self-police, which is unlikely to happen in criminal enterprises. “They’re going to keep coming back and back,” he said.

Devon Kearns, a Facebook spokesman, said the company has “dedicated teams” that use “a combination of reports from our community, technology, and human review to enforce our policies. … Facebook’s Community Standards do not allow the promotion or the sale of illegal goods or services, including stolen credit card data.” Twitter, Instagram and YouTube also said that the sale of stolen credit cards violates their policies and they remove such posts when notified.

With ever-more-sophisticated methods of stealing credit card data and ever-more-blatant methods of marketing it, it would seem that the best opportunity to catch the crooks would be at the delivery site. Most fraudulently ordered merchandise is sent to brick-and-mortar addresses in the United States.

But these addresses do not belong to the scammers, and many of the recipients may be unwitting conduits for the stolen goods, perhaps after answering ads to work from home. Some delivery addresses are vacant houses, with a scammer parked outside, waiting for FedEx.

“They case houses and know exactly when those people go to work,” said Bergthaler. “Whatever the shipping address is, it’s never going to be the actual fraudster. We always have to be reactive because we never know what the next scam is going to be.”


Some of the merchandise eventually is shipped abroad and sold for much higher prices. Some is resold domestically on “pop-up” online stores, at suspiciously low prices; when someone buys the merchandise, the scammer obtains yet another credit card number.

An asymmetrical battle

All this results in what Leone calls “an asymmetrical criminal environment,” in which the scammers maneuver anonymously in cyberspace and have no constraints.

“The overseas criminals are sitting in front of a computer educating themselves all day long,” he said. “A lot of these criminals in Eastern European countries have gone to school for this and they continue to get training.” Law enforcement, meanwhile, struggles to stay up with the changing technology.

The Secret Service concentrates on the “more prolific sites with transnational capability,” Dickson said, but “a lot of countries won’t respond to U.S. law enforcement inquiries.”

Even if investigators identify a suspect, nabbing the perpetrator can take years. Roman Seleznev, a notorious Russian hacker serving a 27-year sentence in federal prison for cybercrime, was finally arrested in 2014 while vacationing in the Maldives.

“Investigators had to wait for him to get to a country that allows extradition,” said Leone.

So the Secret Service focuses much of its attention on prevention and education. At its National Computer Forensics Institute in Alabama, law enforcement officers learn how to build computers and conduct computer forensics exams. In a mock courtroom, judges and prosecutors learn about encryption and electronic communications and how this evidence can be used in court. And in 40 cities across the United States, Electronic Crimes Task Forces made up of law enforcement, academics and corporate executives regularly meet to discuss cyber-related crime.

Also, periodically, the Secret Service partners with local police to search gas stations for skimmers. In November 2018, before the holiday season, they searched 400 gas stations in 16 states and located nearly 200 skimmers. (Gas stations are particularly vulnerable because few use chip technology and they are unstaffed at night.) And the newest skimmers are Bluetooth-enabled; the criminal can just drive by to download the data.


The FBI maintains a website for victims — both consumers and merchants — to report card-not-present fraud. The bureau “always follows up” on complaints, said supervisory special agent Zacharia Baldwin. “The information is reviewed and disseminated.”

But that doesn’t mean agents visit the physical address. “A lot of these frauds are part of larger frauds, such as human trafficking, sex trafficking, terrorism, mortgage fraud, bank fraud, so it will lead to other investigations,” he said. Just because agents aren’t knocking on doors “does not mean we’re not following the address or looking into it.”

Which is small consolation to victimized merchants. But capitalism has provided them with a weapon. Dozens of companies, several of them cited in this article, sell software and services to detect suspicious charges. Some will reimburse the merchant if an approved credit card turns out to be stolen.

These services are too expensive for some small businesses, however.

In search of a solution

What’s going to stop card-not-present fraud?

There’s no “magic bullet,” said Craig Williams, Cisco’s director of Talos Outreach, who cited “a multilayer defense” of user education and more secure sales systems.

Lots of companies try to prevent and detect fraud, said Murphy of Card Not Present, “but there is little coordination among them and they are all doing it for different reasons.” And, he pointed out, no technological solution is foolproof. “It is an incredibly complex topic in an incredibly complex ecosystem.”

Card-not-present fraud is “a business, a profitable business,” said Chris Reid, Mastercard’s cybersecurity chief for North America, and fighting it is “a little like squeezing a balloon — if you shut off one vulnerability, they will look for other weak links in the ecosystem.”

A variety of tools are available; each merchant has to decide which ones will work best, and sign up for those.

How to protect yourself from credit card fraud

“Tokenization” turns credit card numbers into code, so that even if a thief breaches the payment process, the number will not be revealed.

Another tool is 3-D Secure, a system mandated in some European countries but that met resistance in the United States because it was seen as a “conversion killer” — customers abandoned their online shopping carts rather than go through extra security steps. A new version, referred to as 2.0, is said to be less cumbersome. Under that system, if a fraudulent charge is allowed to go through, the bank assumes liability for it.

Mastercard has high hopes for its “bot detector,” which identifies and turns away programs randomly trying username-password combinations on commercial sites; these attacks have increased greatly in the last year.

Brian Krebs says much fraud could be prevented if e-commerce websites stayed on top of their software. “Usually it’s because they’re running outdated shopping-cart software,” he said. “It needs to be updated all the time, because there are vulnerabilities.”

So far there’s “no real one-stop shop,” Murphy said, for a crime that goes “basically unopposed.”

All in all, the cybersecurity community has a matter-of-fact attitude about the constantly evolving threat. The thieves are motivated to come up with new schemes because “they have to feed their families too,” said Bergthaler. None of the experts interviewed for this story thought their jobs would be redundant any time soon.

In the view of Avivah Litan of Gartner Inc., at least some of the burden should lie with Visa and Mastercard, which together hold the lion’s share of the credit card market; if they were held responsible, they could use their “substantial consolidated market power to fix the problem.”

“This is a technology problem,” said Wes Pritt, the online retailer. “If all of these entities came together, they could find a way to reduce it. Nobody wants to own this.”