EC3, which is shorthand for Europol’s European Cybercrime Centre, just announced a big “carder gang” bust.
Carding is the general term for crimes involving the fraudulent use of credit cards, including:
- Stealing card numbers using skimming devices or data-grabbing malware.
- Buying and selling card numbers and related personal information.
- Using illegally-acquired card details for online fraud, often to buy products for cut-price resale.
- Making fake cards, encoded with stolen data, that rack up charges against other people’s accounts.
- Using fake cards to withdraw money from ATMs in return for a cut of the proceeds.
- Going on spending sprees with fake cards to buy products for cut-price resale.
In other words, there’s actually a lot more to carding that often meets the eye, or than makes the news.
Data breaches alone, like Target’s infamous loss of more than 40,000,000 credit card numbers in 2013 due to cash register malware, aren’t the only “moving parts” in a carder gang’s operations.
Cybercrime gangs in the carding scene often have fingers in all of the abovementioned pies, so that they can co-ordinate all of the steps needed to cash out.
That means they can organise the criminal process all the way from making realistic-looking card blanks, through acquiring stolen account details to encode onto the cards, to the final step of cashing out: turning stolen “cyberstuff” into the cold, hard proceeds of crime.
That’s why they’re known as Organised Crime Groups, or OCGs, in Europol’s terminology.
Unlike old-school bank robbers, OCGs are often scattered all over the world, using the internet to synchronise their criminal activities.
As you can imagine, this makes the job of law enforcement much harder, because investigations, busts and prosecutions typically require co-operation and synchronisation between many different jurisdictions.
If you live in the UK, it’s confusing enough just remembering that Scotland, for example, has bigger juries than England, a lower drink-driving limit, more sorts of verdict in criminal trials, longer University degrees, fewer years at school, an extra day off at New Year, and still uses £1 banknotes. (England and Wales switched to coins only in 1988.)
Imagine, then, how complicated and confusing it is to co-ordinate cybercrime investigations across multiple countries, judiciaries, languages, cultures and timezones.
The good news is this recent Europol carder gang bust dealt with just those complexities, with the ultimate arrest of 105 suspects:
During the operation led against an organised criminal group (OCG) responsible for producing and using counterfeit credit cards for purchasing of high value goods, 29 arrests took place in Malaysia and 76 all over Europe. [Austria, Belgium, Switzerland, Czech Republic, Germany, Denmark, Spain, France, Croatia, Italy, Luxembourg, The Netherlands, Norway, UK.]
During the final raid, the OCG’s leaders were arrested among others and two illegal production sites of high quality credit cards were dismantled. During house searches, 3000 counterfeit payment cards were also seized, alongside fake passports, cameras, jewellery and substantial amounts of money in cash. […]
The OCG was established in Malaysia with its members committing payment fraud crimes all over the world.
High quality counterfeit credit cards were manufactured in different locations and subsequently used by individuals to purchase high value goods, mainly at electronic stores and duty-free shops at airports, causing losses estimated at €5,000,000. The production sites of credit cards were equipped with sophisticated equipment to ensure that counterfeits would not be recognised as such by merchants. At European airports, the OCG purchased mainly jewellery and expensive watches.
Why Malaysia?
And why airports, where you might think tight security and the difficulty of escape if detected would put most crooks off?
We suspect the reason is that Malaysia has been slow to leave old-school “magstripe” credit cards behind.
It seems that Malaysian banks started moving to Chip and PIN only in July 2015, with 1 January 2017 touted as the date when the move should be complete.
Chip and PIN doesn’t solve the problem of credit card fraud, but it makes cards much harder to copy, because Chip and PIN cards (or Chip without the PIN, as it is currently implemented in the US) can’t easily be cloned.
The chip includes a processor that can perform cryptographic calculations internally, based on data that’s stored into the card but, at least in theory, can’t be read out again.
Conventional magstripe credit cards, on the other hand, can trivially be cloned, because everything needed to configure the card to work correctly can be written or printed onto a replica card with ease.
The only tricky parts are making the card look realistic enough, and then finding somewhere to use it where merchants are familiar enough with the issuing bank to accept it, but not familiar enough to be suspicious.
And where better to pose as a jetsetter with a Malaysian bank account, an old-style credit card, and the time and money to spend on shopping for expensive gifts like jewellery…
…than in the duty-free shops at European airports?
Sure, you might get caught.
But that doesn’t stop drug smugglers, even into Malaysia, where there’s a mandatory death penalty.
And if you don’t get caught buying your Rolexes, your diamond necklaces or your top-end laptop/mobile phone/smart watch combinations, then at least you’re on the next flight out, along with your ill-gotten gains.
So, well done to EC3 and its counterparts in Malaysia for knocking this crime gang on the head.