Hackers Stole Your Credit Card Number: Here’s Where It Goes Next

The Citizen's Guide to the Future
Jan. 14 2014 6:29 PM

Hackers Stole Your Credit Card Number: Here’s Where It Goes Next

78281926-in-this-photo-illustration-a-man-holds-up-some-credit
Stolen credit card numbers have a life of their own when they fall into the wrong hands.

Photo by Jeff J Mitchell/Getty Images

Recent large-scale hacks at Target and Neiman Marcus are a reminder that credit card theft is a growing issue. Hackers find a way to install malware on point-of-sale devices, and then sit back as the credit and debit card numbers stream in. But who are those hackers, and what happens to the numbers next? Here’s a breakdown in four easy steps. (But don’t try this at home.)

Lily Hay Newman Lily Hay Newman

Lily Hay Newman is lead blogger for Future Tense.

Step 1: Build your criminal network

Advertisement

The basic idea is that people use stolen credit cards to buy stuff. Sure. But if the same person stole the card numbers and bought the stuff, they would be easily caught. Instead, baddies create rings. There are the people who buy and sell card numbers in online markets, sometimes called “carding forums” or “card malls.” There are the people who actually make fake cards. There are recruiters who find people to make purchases with the fake cards. And then there are the folks who actually go to stores carrying the counterfeit cards and attempt to make purchases. That’s a lot of people!

Step 2: Create your workflow

The logistics must be worked out carefully. The counterfeiters need equipment to print the cards on, which costs about $100. The people who buy and sell card numbers need to understand how the numbers are constructed, to get a good price for the numbers they have to sell, and to find good deals on working numbers—meaning those that don’t yet look suspicious to financial institutions. Thousands of lousy card numbers will sell in a block for something like $20, but good numbers, like those stolen from Target recently, could sell for $135 each. The recruiters have to have contacts in the right places (a lot of cyber fraud originates in eastern Europe, for example). And finally, the buyers need to feel confident looking a cashier in the eye. They must be trained in what can go wrong at the register and how to deal with it. (The buyers are also frequently the ones who resell the merchandise.)

Step 3: Buy stuff

Once everyone is in place, it’s time to shop. Often criminals are using their stolen card numbers to buy items that can easily be flipped on websites like eBay. Luxury items, popular smartphones, or anything else with high resale value is appealing. The bosses running these operations want to get as much money out of the goods as possible so they can pay for the equipment and “employees” involved in the operation and then pocket the rest.

Step 4: Keep a low profile

The FBI and other law enforcement groups in the U.S. and abroad often work undercover, posing as potential card-number buyers in forums or offering to use numbers to buy goods. In this way, they can begin to get a sense of who is involved, but only at the level of employees who are buying and selling numbers. Sometimes low-level buyers also get caught if they use a fake card in a store and the cashier or bank identifies problems with the transaction. For example, fake cards often carry the stolen number on their magnetic strip, but have a dummy number on the card itself. To try to detect these types of fake cards, some stores require that the cashier enter the last four digits of the number on the card and flag the purchase if those four numbers don’t match the last four digits of the number being charged. In these schemes it can be difficult to identify the kingpin or group of leaders, but the criminals farther down the totem pole are at higher risk of being caught.

It doesn't seem like large-scale credit card hacks are going to stop any time soon, so if you get that fateful call from your bank you'll know that your card number is going down this rabbit hole.

Future Tense is a partnership of SlateNew America, and Arizona State University.

TODAY IN SLATE

History

Slate Plus Early Read: The Self-Made Man

The story of America’s most pliable, pernicious, irrepressible myth.

Rehtaeh Parsons Was the Most Famous Victim in Canada. Now, Journalists Can’t Even Say Her Name.

Mitt Romney May Be Weighing a 2016 Run. That Would Be a Big Mistake.

Amazing Photos From Hong Kong’s Umbrella Revolution

Transparent Is the Fall’s Only Great New Show

The XX Factor

Rehtaeh Parsons Was the Most Famous Victim in Canada

Now, journalists can't even say her name.

Doublex

Lena Dunham, the Book

More shtick than honesty in Not That Kind of Girl.

What a Juicy New Book About Diane Sawyer and Katie Couric Fails to Tell Us About the TV News Business

Does Your Child Have Sluggish Cognitive Tempo? Or Is That Just a Disorder Made Up to Scare You?

  News & Politics
Damned Spot
Sept. 30 2014 9:00 AM Now Stare. Don’t Stop. The perfect political wife’s loving gaze in campaign ads.
  Business
Moneybox
Sept. 29 2014 7:01 PM We May Never Know If Larry Ellison Flew a Fighter Jet Under the Golden Gate Bridge
  Life
Quora
Sept. 30 2014 9:32 AM Why Are Mint Condition Comic Books So Expensive?
  Double X
Doublex
Sept. 29 2014 11:43 PM Lena Dunham, the Book More shtick than honesty in Not That Kind of Girl.
  Slate Plus
Slate Fare
Sept. 29 2014 8:45 AM Slate Isn’t Too Liberal. But… What readers said about the magazine’s bias and balance.
  Arts
Brow Beat
Sept. 29 2014 9:06 PM Paul Thomas Anderson’s Inherent Vice Looks Like a Comic Masterpiece
  Technology
Future Tense
Sept. 30 2014 7:36 AM Almost Humane What sci-fi can teach us about our treatment of prisoners of war.
  Health & Science
Bad Astronomy
Sept. 30 2014 7:30 AM What Lurks Beneath The Methane Lakes of Titan?
  Sports
Sports Nut
Sept. 28 2014 8:30 PM NFL Players Die Young. Or Maybe They Live Long Lives. Why it’s so hard to pin down the effects of football on players’ lives.