Computer Crime Research Center

Carders again

Date: March 30, 2004
Source: Computer Crime Research Center
By: Timofey Saytarly

The old, proven method of fighting carders is to blacklist cards that were used in criminal activity, or their owners. The blacklist is a database that the payment system builds on the basis of heuristic analysis. Data on the client being authorized is compared against the contents of the database, and the transaction is cancelled if the client is on the blacklist. Thus a customer who did not pay for a purchase in one store is not allowed to pay in most others. This method certainly has shortcomings: if a criminal uses a stolen credit card, the name of the true owner is entered in the blacklist, and the owner will wonder for a very long time why his authorization is always denied. Besides, fraudsters multiply daily, if not hourly, since databases containing numbers of stolen cards are widely sold on the Russian Internet at very cheap prices, and in some places one can get them for nothing (we do not give the addresses of such sources for obvious reasons). As a result, a large share of these frauds is committed with "clean" cards that are not on any list, and it seems impossible to prevent malicious activity by this method.

Then other methods of preventing fraud are applied. Internet stores usually have no access to the data on the client's credit card, because the relevant forms are filled in on the payment system's website. Some systems, for example the Russian system ASSIST, offer as an option that the online store may receive such data over the protected SSL protocol for further checking. The efficiency of the various software products that perform fraud monitoring for web stores and other commercial institutions on the basis of this data is often discussed on specialized forums. The analysis is carried out both manually, i.e. directly by fraud observers, and automatically. A more detailed description of the knockout criteria is confidential information, but it is known that their heuristic principles are mainly based on statistics. The client's behaviour is compared with a set of widespread, typical patterns of behaviour of carders (credit card fraudsters). If the system finds any matches, it sends a warning to the security service of the payment system. The manager then decides whether to deny or approve the operation, and whether to phone the client's bank and to request confirmatory documents.
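
The two-stage check described above (a blacklist lookup, then a comparison of the client's behaviour against typical carder patterns, with matches routed to a person) can be sketched as follows. This is an added example, not code from the article or from any payment system; the rule names, weights, threshold, key and card numbers are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# All values below are constructed for illustration. The rule names, weights
# and threshold are hypothetical: real knockout criteria are confidential.
LIST_KEY = b"constructed-demo-key"   # a real key would live in an HSM or vault
REVIEW_THRESHOLD = 60

def card_token(pan: str) -> str:
    """Keyed digest, so the blacklist never stores raw card numbers."""
    return hmac.new(LIST_KEY, pan.encode(), hashlib.sha256).hexdigest()

BLACKLIST = {card_token("4000000000000002")}   # constructed test number

@dataclass
class Txn:
    pan: str
    amount: float
    avg_order: float          # typical order value for this store
    billing_country: str
    ip_country: str
    attempts_last_hour: int

# (name, weight, predicate): each predicate is one "typical carder pattern".
RULES = [
    ("country_mismatch", 40, lambda t: t.billing_country != t.ip_country),
    ("rapid_retries",    35, lambda t: t.attempts_last_hour >= 3),
    ("unusual_amount",   30, lambda t: t.amount > 5 * t.avg_order),
]

def assess(t: Txn):
    """Return (decision, matched_rule_names) for one authorization request."""
    if card_token(t.pan) in BLACKLIST:
        return "deny", ["blacklisted"]
    hits = [(name, weight) for name, weight, test in RULES if test(t)]
    names = [name for name, _ in hits]
    if sum(weight for _, weight in hits) >= REVIEW_THRESHOLD:
        return "manual_review", names    # a person decides, not the system
    return "approve", names

if __name__ == "__main__":
    samples = {
        "listed card":         Txn("4000000000000002", 50, 60, "RU", "RU", 1),
        "clean card, odd use": Txn("4000000000000010", 900, 60, "US", "RU", 4),
        "regular customer":    Txn("4000000000000028", 70, 60, "DE", "DE", 1),
    }
    for label, txn in samples.items():
        print(label, "->", assess(txn))
```

The second sample is a card that appears on no list and still reaches manual review, which is the gap the blacklist alone leaves open.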

Some products use neural network technologies or apply the theory of fuzzy sets in practice. These fraud monitoring systems are constantly being improved; however, carding is not going to back down, and swindlers keep finding new methods of overcoming protection. The situation with fraud is much like the situation with spam and viruses: just as it is impossible to create perfect antivirus software or a perfect mail filter, a perfect algorithm for controlling transactions in e-business is impossible as well.

