GN Focus | Credit, Debit and Loyalty Cards

When you become a partner in crime

Pfishers don’t just ask for your credit card details to steal from you — with clever emails, they rope you in to help them steal from others. GN Focus explains the terms you need to know to avoid being conned

  • By Paul Ducklin Special to 
GN Focus
  • Published: 00:00 November 29, 2012
  • GN Focus

  • Image Credit: © Image Source/Corbis
Image 1 of 2
12

Frequent travellers have probably experienced the taxi payment conundrum. Before you jump in a cab from the airport — especially if you haven’t yet got local currency — you probably look for the telltale payment card icons in the taxi window. Usually, this will be a list of cards that you can use to pay for the cab ride you’re about to take.

But this isn’t always the case. Unbelievably, sometimes it can be a list of cards available for you to buy!

Like me, you probably get a persistent stream of bogus emails from phishers, scammers and the like. They’re all trying to trick you out of your money, your passwords and your digital identity. That’s hardly unexpected. Scamming is, after all, what scammers do.

But sometimes you’ll get emails from real criminals who are genuinely proposing criminality — not with you as the victim but as a partner. These criminals sometimes use electronic direct mails just like regular, legitimate companies. They want your details not to steal from you but in order to sell you stolen identities so you can steal from others.They’re happy for you to be anonymous — indeed, it’s probably slightly safer for them if they don’t know who you are. They only really need to care whether you’re an undercover cop or a genuine crook.

If you’ve ever received spam trying to draw you into the scammer underworld, you’ll understand some of the terminology at once — most of us know what is meant by scam pages (pre-prepared phishing sites to buy or rent), bank accounts and credit cards. But let’s look at some other jargon. This will give you some insight into the sort of data they like to acquire, to collate and to sell on.

CVV: Card verification value (CVV) digits stamped at the back (or sometimes on the front) of your card that are not encoded on the magnetic strip. These numbers are often used in online transactions to prove you have the card in your hand, not just a skimmed copy of the magnetic strip data. Technically, the printed code isn’t the CVV and different countries know them by different names. The crooks just call them CVVs.

SSN+DOB: Social security number or whatever your country uses as a national ID number and date of birth.

Fullz: Detailed database records of personally identifiable information. For any individual, this might include full name, address, telephone number, full bank account details, SSN, DOB, employment details and more.

Dumps: These are copies of the raw data from payment card magnetic strips. Handheld or device-mounted skimmers capture and record dumps directly off the card. Modern malware also sniffs for raw card data in memory. Writing a dump to a blank magstrip creates a clone of the skimmed card.

Plastics: Blank plastic cards for writing dumps onto. They may be plain if they don’t have to pass human inspection (for example, in an ATM). Or they may be counterfeits of cards in circulation, with varying degrees of quality and 
verisimilitude.

Sometimes, users are tempted to play along with the baddies by signing up to this sort of site, just to see what happens.

Is it really that easy to become an online criminal? Are the crooks really that open about recruiting?

It’s tempting to find out — for research purposes only, of course. But it’s not a good idea. It’s hard to remain perfectly anonymous online, so by fooling around with criminals online, you might end up on the radar screens of both the crooks and the police.

Also, this sort of spam should serve as a reminder that every little bit of extra safety and security really matters when it comes to preventing identity theft. Where modern cybercriminals are concerned, no data is too small or insignificant. Any personally identifiable information (PII) that a criminal can steal from you has some sort of value in the underground economy and is likely to be sold on.

So, if an online offer sounds crooked, it is crooked. If it sounds too good to be true, then you can be sure that it is too good to be true. When it comes to spam of any sort, especially spam to do with credit cards and financial transactions, the best advice is — don’t buy, don’t try, don’t reply.

And when it comes to PII, even of the most modest-sounding sort, remember this simple adage — if in doubt, don’t give it out.

GN Focus