After a couple of recent high-profile data thefts, I put the question to myself: how does a cyber thief convert a large number of credit cards into a financial windfall?
I did some research and then momentarily put on the shoes of a cyber thief. Here are my notes and thoughts:
I am the greatest hacker in the world and I just got ahold of twenty million Home Depot debit cards and account numbers. What is my next move? Well, I guess I could just start shopping at Home Depot every day and maxing out all my stolen account cards with a bunch of lawn mowers, garden hoses, and other items. How many times could I do this before I got caught? Probably not that many. I am sure the buying patterns would be flagged even before the consumer realized their card was stolen, especially if I was nowhere near the home area code of my victim(s). And then I'd have to fence all those items to turn them into cash. But let's assume I acted quickly and went on a Home Depot shopping spree with my twenty million cards. Since I am a big-time crook, I am looking for a haul I can retire on, and so I'd want to buy and fence at least a few hundred thousand dollars' worth of stuff out of the gate. Now that is going to be quite a few Craigslist advertisements and one logistical nightmare to move those goods, and I am also leaving a trail back to me, because at some point I have to exchange the goods with the buyer, and they are going to want to pay by check. Let me rethink this…
Okay, so I am getting smarter. Forget the conventional method. What if I find some Russian portal where I can just sell the Home Depot cards and have the funds paid in Bitcoin to some third-party account that is untraceable? How many people actually have Bitcoin accounts, how many are interested in buying stolen credit cards on the black market, and how do I ensure that the numbers have not been deactivated? Suppose I sell to some Mafia type and the cards are not valid anymore? Will they track me down and kill me? Forget the Bitcoin, I'll have to use PayPal, again leaving a trail of some kind. So now how do I market my credit card fencing site? I have 20 million cards to move and no customers. A television advertisement, an underworld blog post? I need customers to buy these cards and I need them fast; once I start selling them, Home Depot will only take a few days to shut down their cards. Maybe I can just have an agent hawk them in Thailand for $3 each. That way I stay anonymous. Yeah, that's what I'll do. Whew, I'll be happy if I can net a few thousand dollars.
Conclusion: Although the theft of data makes a great headline and is certainly not to be taken lightly, converting the bounty into a financial windfall, although possible, is most likely a far more difficult task for the crook(s) than the data theft itself. Stealing the data is one thing, but profiting from it on anything but the smallest scale is very difficult, if not impossible.
The real problem for the hacked commercial institution is not covering the loss of revenue from the theft, but the loss of company value from the loss of public trust, which can mount into the billions.
Although my main business is bandwidth control, I do spend a good deal of thought cycles on security, as on occasion the two go hand in hand. For example, some of the utilities we use on our NetEqualizer are used to thwart DoS attacks. We also have our NetGladiator product, which is simply the best and smartest tool out there for preventing an attack through your website.