FBI’s ‘carding’ arrests impress, but battle wages on

The applause for the FBI among security experts was universal this week after the agency arrested 24 people — nearly half of them in the U.S. — in what it called “the largest coordinated international law enforcement action in history directed at ‘carding’ crimes.”

Sophos’ Chester Wisniewski, writing on the Naked Security blog, spoke for many when he wrote, “It is a good day when I can honestly say that crime doesn’t pay. The FBI did a fantastic job, working with federal police from around the world to shut down these fraudsters. It’s nice to see the FBI taking the initiative by creating a honey pot to snag these guys.”

But, does a good day make for a good week, month or year in the battle against cybercrime? Assuming these 24 are convicted, clearly crime will not have paid for them, but does that mean it isn’t still paying for hundreds or even thousands of others?

Or is this a bit like the drug trade, where a major international bust leads the evening news, produces headlines and some photos of bales of marijuana or bricks of cocaine and stacks of cash and eventually sends a dozen or so people to jail, but doesn’t really change the world, given that for every dealer taken off the street there are two or more to take his place?

Ben Knieff, director of product marketing at NICE Actimize, an anti-money laundering and anti-fraud vendor, said the unfortunate truth is that it is much like the drug trade.

“There are so many people who have the skill, motive and time on their hands to do it,” Knieff said. “Hopefully this will be a bit of a deterrent, but the deterrent tends to be on the margins. They’ve made this kind of crime their livelihood, and the barrier to entry is quite low. The size and scope of the problem is really substantial.”

But, he said, that should not obscure the fact that this is a major accomplishment for the FBI. “This [bust] is a surprise, but it is a happy surprise,” he said. “It is extremely rare to get indictments or even connect activity to a certain person because of anonymity online.

“Another pleasant surprise was the level of cooperation,” Knieff said, noting that more than half of the arrests were outside the U.S. cooperation from other governments is an, “ongoing problem,” he said. “So the fact that they were able to track down people at a higher level, instead of just money mules, is significant.”

Gary Long, CSO of ITWorks Operations at Cerner, said he is not really surprised. “The FBI has a wealth of cyber-knowledge from a breadth of resources,” he said. “Cybercriminals are not much different than your ‘run-of-the-mill’ criminals, and FBI operatives have extensive knowledge in covert operations.”

The FBI undercover operation, which involved setting up a “carding forum” — joining the underground marketplace where criminals buy and sell stolen credit card and other personal identity information, hacking techniques, malware and other products — lasted for two years.

The agency said the surveillance provided by its forum called Carder Profit, which offered to traffic in stolen credit cards, allowed it to notify 47 companies, government entities, and educational institutions that they had been breached. “In doing so, the FBI has prevented estimated potential economic losses of more than $205 million (and) notified credit card providers of over 411,000 compromised credit and debit cards,” the FBI said.

Knieff said the success of the Carder Profit site is impressive. To gain access to that marketplace, “you have to build some credibility,” he said. “There are dozens of these sites trading card data. So you have to get enough people involved so you have a good marketplace going.”

This, he said, is more effective than trying to shut down the criminal forums. “A lot are hosted by servers outside the U.S., where governments don’t care,” he said. “They tend not to respond to requests to shut down those sorts of domains.”

But Knieff said he hopes everybody with a stake in stopping cybercriminals will realize that there is a larger issue. “Part of reason this fraud is so prevalent is that we have an inherently insecure payment system, with built-in security holes,” he said. “If you lose your card, all your information is on it. I can take it and go right out and buy three flat-screen TVs.

“Don’t even get me started on magnetic stripe technology,” he added. “It’s way out of date. Nothing’s encrypted, so it’s very easy to skim and get the data. Compare that to a chip and a PIN. If you hand somebody that, they can’t get your information because it’s encrypted.”

Gary Long agrees. “The U.S. should have adopted smart card technology long ago, and the European market is significantly more advanced,” he said. “We catered to customer complaints. The U.S. needs to educate the customers on why smart-card technology is required — we all pay for data theft in one way or another.”

One example of the change, Knieff said: “30 years ago, this wasn’t a big issue because a magnetic coding machine was out of reach for most people. Now, you can get one for $50.”

“It’s fantastic that authorities were able to get hold of group and make some noise. But this is a huge problem that is not going away,” he said.