Recent large-scale hacks at Target and Neiman Marcus are a reminder that our credit cards are increasingly vulnerable. In these cases, hackers found a way to install malware on point-of-sale devices and then sat back as the credit and debit card numbers streamed in.
But who are those hackers, and what happens to the numbers? Here’s a breakdown of what comes next, in four easy steps.
They Build a Criminal Network
Andrey Popov/ShutterstockThe basic idea is that people use stolen credit cards to buy stuff. But if the same person stole the card numbers and bought the stuff, he would easily be caught. Instead, baddies create rings: There are the people who buy and sell card numbers in online markets, sometimes called carding forums or card malls. There are the people who actually make fake cards. There are recruiters who find people to make purchases with the fake cards. And then there are the folks who actually go to stores with the counterfeit cards and try to make purchases. That’s a lot of people! (Here’s when you should NEVER use your credit card.)
They Create a Workflow
The logistics must be worked out carefully. To print the cards, the counterfeiters need equipment, which costs about $100. The people who buy and sell card numbers must figure out how the numbers are constructed: High-quality numbers that don’t yet look suspicious to financial institutions fetch a better price ($135 each, compared with $20 for a block of lousy numbers). The recruiters have to have contacts in the right places (a lot of cyber fraud originates in Eastern Europe, for example). Finally, the buyers need to feel confident looking a cashier in the eye. They must be trained in what can go wrong and how to react. (Here are four credit cards you should stay far away from.)
They Buy Stuff
leungchopan/ShutterstockOnce everyone is in place, it’s time to shop. Criminals often use their stolen credit card numbers to buy items that can easily be flipped on websites like eBay. Luxury items, popular smartphones, and other goods with high resale value are appealing. The bosses running these operations want to get as much money out of the items as possible so they can pay for the equipment and “employees” involved in the operation and then pocket the rest. (By the way, make sure you read up on the secrets an identity thief doesn’t want you to know.)
They Keep a Low Profile
The FBI and other law-enforcement groups in the United States and abroad often work undercover, posing as potential card-number buyers in forums or as people offering to use numbers to buy goods.
Sometimes low-level buyers get caught if they use a fake card in a store. For example, fake cards often carry the stolen number on their magnetic strip but have a dummy number on the card itself. To try to detect these fakes, a cashier may enter the last four digits of the number on the card and flag the purchase if they don’t match the last four digits being charged. Typically, cops don’t identify the kingpin—just these criminals farther down the totem pole. (Did you know your credit company knows all of these things about you?)
It doesn’t seem like credit card hacks are going to stop anytime soon, so if you get that fateful call from your bank, you’ll know that your card is going down this rabbit hole—and you’ll need a whole new number.