Computer Crime Research Center

staff/gva2.jpg

Credit card frauds, an interview with Vladimir Golubev

Date: June 03, 2005
Source: Computer Crime Research Center
By: Vladimir Golubev

Roman, who is the victim, told us about this outstanding case. He is a manager with one of big companies here in Zaporozhye, Ukraine. He said his company set up a contract on salary cards project with the bank A. Employees have their personal credit card accounts and receive their wages through ATMs of the VISA Classic international payment system. Roman also used mobile-banking services. When a transaction on his account occurs, an immediate notification is sent to his GSM phone via SMS.

Roman told CCRC it happened on February 6th, 2005. On that Sunday evening he and his wife were at home. They were receiving guests when Roman got an SMS saying that $300 have withdrawn from his account, he continued. In a minute he received another message and another $300 were gone. The third message notified about the next inquiry for $300, which was not performed due to insufficient funds on the account. His wife also had an additional card on the same account. The first idea that came into Roman’s mind was that the cards were stolen. However they found all their cards. SMS also stated the place where the inquiries were performed. It was the ATM of the Privatbank.

Without any loss of time Roman dialed the hotline number of the bank A. Bank personnel confirmed the cash disbursement of $600. According to their words, his wife’s Visa card was used to withdraw money. Bank officials recommended him to turn to the central office of the bank A in Kiev, the capital of Ukraine.

Next day Roman came to the central office of the bank A in Kiev. There he put in an application and canceled the additional card. He was told that bank’s security service would carry out an investigation and take certain measures. The most interesting is that Roman travels very much all over Ukraine, being in different cities, using the card to pay in shops, withdrawing money via ATMs. Therein it is much more possible that his card could be forged rather than his wife's. His feme was a housewife, she used her card only in two or three ATMs. Noone knew she had an access to the account.

The bank was silent during the next month. Roman spent a quite sum on phone calls to Kiev, resulting in no outcome. He was only told that bank security service is engaged in the case. Thereafter it turned out that the materials on the case were brought to the local Zaporozhye bank office. He received no answers except endless “will you call back tomorrow?”

In the middle of March bank security service of the Zaporozhye office phoned Roman and told that they turned out incompetent, such case was new to them. All they could do for him was just to pass the case to police. At the end of their conversation bank officials blabbed out about a certain scandal in the Visa payment system. An alleged leak of data occurred, someone supposedly could have obtained access to card accounts and Roman was not the only victim. Policemen in the regional police department didn’t promise much. They only told if they found a person, it would be possible to give the money back. The bank dropped out of the game. Police argued that Roman was the owner of the account, thus the money was stolen from him.

Here are few comments on the case by Dr. Vladimir Golubev, director of the CCRC.

Q: Vladimir, you seem to deal with plenty of such cases. Can you explain us the case?

A: It will be clear if you carry everything happening to you in real life to the virtual world. How do people get robbed in the street? People are robbed in the Internet the same way. Criminals just use IT instead of a knife or a cudjel. Virtual criminals use the same schemes. The Internet, being an open and global information system, is not entirely adapted to these services acquired by our banks. Criminals will always be around where they catch a smell of money.
Thus information is stolen, money on bank accounts is stolen, websites are hacked, technical espionage and information war are carried out.

Q: What is carding?

A: Carding is not just a bunch of swindlers with plastic cards, it is a well-organized criminal community. They have special websites, blogs, forums. Newcomers are training and pros exchange useful information there. Anyone may know how it is organized on their sites.

There are many ways of carding. It's a credit card fraud. Carder is the player in such fraud. It is hard to get PIN-codes from real cards, though, it is possible. Carders use a wide range of tools like PIN MasterCard, PIN Visa card and other systems. They can also resort to systems of exterior videomonitoring over ATMs and key logging devices. Finally criminals could just peep your pin-code over your shoulder.

Q; How did they get the card?

A: It is a sure thing. Carders often use the so-called “white plastic”. It is a forged blank payment card with a magnetic strip. There is nothing labelled on it. All the data on the real card is written to this magnetic strip. So the criminal can use it only at the ATM. Salary cards are usually of no interest for criminals. They prefer credit cards with an overdraft option on the holder’s account.

There is a certain risk that data on the card could be read while paying for the goods in the markets. It is easy to make a slip, a copy of the card. There are also pocket devices designed to make a print of the card in a moment, and then criminals create a copy.

Q: Bank insiders also could be involved in this case, couldn't they?

A: We can’t rule this out. I will tell you more, in 70% of frauds with payment cards, a former or a present employee of the bank is involved with the criminal group. Here in Zaporozhye, Ukraine we had a case when a former bank official tried to transfer $1 million from the account of a local company last year.

Q: What are the scales of the carding in Ukraine, is there any official statistics?

I brought up a question of statistics at one of the latest conferences where employees of the National Bank of Ukraine were present. One of their officials told there was no such statistics and would never be. Bankers are not interested to divulge their incompetence to the public. Thus, we call such crimes latent.

Q: It is much more complicated to cope with secret threats. Therein I would like to know rights of victims.

A: I believe that in each specific case any bank should carry out an investigation and also recompense the damage to the victim if carding was proved. And it is a point of honor for police to go find and punish the criminal and then to pay damages to the bank.

And what is more, everything that the bank should and should not do is provided by a contract signed by both the bank and the client.

By the way, having read some blank contracts we surprisingly found out the presence of the following clause:

“Bank is not responsible for any operations performed with the payment card by third parties, for any money transfers perfromed using lost or stolen cards until the bank receives a notice of a loss. Such risks and responsibilities are laid on the client.”

Unfortunately this clause is typical in every contract. A carder who hacked the system and stole money could have been that third party.

But I still believe that Visa could have been compromised much more likely than the bank. Such case could have happened to any Visa holder.

Q: Then the Visa is not so reliable if it was hacked, right?

A: The point is that protection and hacking is the everlasting competition of the intelligence. Thus, if the security system was hacked today, tomorrow this flaw will be fixed. Somehow or other, any bank has its own security policy. I think such precedents will make officials to draw some certain conclusions about the information security. However it doesn’t mean that tomorrow will be no breaks-in.

Here are some recommendations for plastic cards holders:

Take an interest in insurance policy at purchase of a card. Take insurance always. Most likely, money for this service is already paid.

Never write a PIN-code on a card.

Never store the written down PIN-code together with a card. Learn a code by heart and do not store it in written form at all.

Leave a sample of the signature on the back side of a card at once after its reception.

Never transfer a card to other person. In case of need it is possible to make, for example, a family card.

Never inform somebody the PIN-code. None (workers of the bank, the attendants of a cash dispenser, the inspector) has right to demand it.

Do not leave a card without supervision, for example, in the machine, on a table at restaurant and so forth.

Never phone to anybody number of the card. It is not known how many the person will hear your conversation, and whether there is no among them the one who can use heard number in the mercenary purposes.

At loss cards phone about it immediately. If you have lost a debit card, call in bank which has given out it. It is necessary to inform representatives of payment system and the bank which has emitted a card at loss a credit card.

Check movements of money on your card account not less often, than once a month. The special attention should be turned to operation after trips in which you used the card.

The safety precautions at a cash dispenser (ATM):

Try to not use a cash dispenser in deserted places or in places where is the big congestion of people....


Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo