Websites Selling Stolen Cards Foiled
Sizing Up the Impact on Card Fraud
International law enforcement agencies last week touted the takedown of 36 websites that were used to sell stolen debit and credit data for more than 2.5 million accounts. But how much of an impact will the takedown ultimately have on card fraud?
"The impact of this is going to be, I'm afraid, short-lived," says Amit Klein, chief technology officer at the security firm Trusteer. "In the short-term, there may be a drop in fraud activity, but we can expect to see it back to normal levels pretty soon."
It's easy for cyberthieves to just take their card numbers to new domains, Klein says. "It's so way down on the fraud chain, it won't have a big impact," he says. "What we need is more effort to arrest bot developers, and then we are really hitting them where it hurts."
A U.S. law enforcement source connected to the bust says that while investigators are combing through the details for connections to other ongoing cybercrime investigations, this source does not see this takedown as extremely significant. Even the amount of recovered card data is low, relative to the number of cards compromised in a typical database breach.
International Collaboration Improving
On the bright side: This takedown is an example of extraordinary international cooperation.
Led by the United Kingdom's Serious Organised Crime Agency, the investigation involved two years of tracking e-commerce sites, including the 36 shuttered last week, where stolen card information is sold.
Working with the Federal Bureau of Investigation, the U.S. Department of Justice, the BKA in Germany, the KLPD in the Netherlands, the Ukraine Ministry of Internal Affairs, the Australian Federal Police and the Romanian National Police, SOCA connected international dots and made three arrests - one of a suspect in Macedonia who's been charged with operating one of the e-commerce sites that sold the data and two of suspects charged with making large-scale purchases of compromised data to be sold on the sites.
"Five years ago, we were not in a position where some of these law enforcement groups would be cooperating. Now they are cooperating, even in some of these countries that are fraudster havens," Klein says.
In a statement, Lee Miles, SOCA's head of cyberoperations, says the takedown highlights new levels of international cooperation geared toward online fraud. "Our activities have saved business, online retailers and financial institutions potential fraud losses estimated at more than half a billion pounds, and at the same time protected thousands of individuals from the distress caused by being a victim of fraud or identity crime."
From a cybercrime prevention perspective, Klein says more drastic steps need to be taken to thwart fraud, such as more legislation targeted at cybercrime prevention and more information sharing.
But Avivah Litan, a fraud analyst at Gartner, says the takedown of these 36 sites should not be downplayed. "This looks like a very big bust to me, mainly because of the law enforcement agencies involved," she says.
Having just returned from Europe, where she spoke with law enforcement agencies about financial cybercrime, she also notes that the three arrests made in this case will have a direct impact on a major fraud ring.
"While it's true that the stolen data is probably still out there somewhere (since electronic data is easily copied and backed up), they likely put a severe dent in the ongoing operation," Litan says.
SOCA says it has seen an increase during the last 18 months in e-commerce sites used to sell stolen card data. The advent of e-commerce platforms, known as automated vending carts, has fueled that increase, because they allow criminal groups to sell data in larger volumes quickly.
What's Next for Banks?
The recovered card data has been passed to financial institutions in affected markets to help them track fraud. As a result, those institutions need to flag affected cardholder accounts for potential fraud.
But Klein says banks also should be mindful of the cross-channel fraud opportunities, as well as the fact that a number of compromised accounts may not yet have been identified.
"Financial institutions can correlate activity on compromised accounts and compromised credentials with fraud that has already happened, and then watch the fraud patterns to predict future fraud," he says. "There is a lot of uncapped potential here for multichannel fraud."