In mid-September, a European hacker nicknamed Poxxie broke into the computer network of a US company and, he said, grabbed 1,400 credit card numbers, the account-holders’ names and addresses, and the security code that comes with each card.
With little trouble, he sold the numbers for US$3.50 each on his own seller site, called CVV2s.in, to underworld buyers who have come to trust the quality of his goods, he said.
The main thing in any business is honesty, Poxxie said, without any trace of irony.
The Traverse City, Michigan-based Ponemon Institute, which researches data security, estimates that thieves annually steal 8.4 million credit card numbers in the US alone. How do cyberbandits, who have turned hacking into a volume business, unload all those numbers? A lot like Amazon.com, it turns out.
Customers on CVV2s can search for card numbers by bank, card type, credit limit and zip code, loading them into a virtual shopping basket as they go. The site offers the ability to search by bank identification number. That means customers can choose cards by institutions known to have weak security, Poxxie said. CVV2s even has an automated feature that lets clients validate the numbers in real time, to make sure the bank hasn’t canceled the card.
Sites like Poxxie make up the cyberunderworld version of a pirate cove, offering their online booty at cut-rate prices. Hundreds of millions of dollars in stolen data are bought and sold in underground chat rooms and forums every year, a fencing operation that becomes more robust annually, according to RSA, the security division of EMC Corp. CrackHackForum.com, one of the sites, even mimics eBay Inc, rating buyers and sellers with starred reviews.
Cybersecurity firm Symantec Corp estimates that cyberthieves steal data worth US$114 billion a year. By comparison, the FBI said the take from all bank robberies in the US last year was just US$43 million. The global market in cocaine is an estimated US$85 billion, according to the UN.
“The problem is getting worse faster than we’re getting better,” said Tony Sager, chief operating officer of the Information Assurance Directorate at the US National Security Agency, which includes some of the US government’s best cyberexperts. “We’re not keeping pace.”
To look inside the cyberbazaar, to find details on prices and goods for sale, Bloomberg News gathered information through publicly available Web sites and in restricted forums, aided in this search by cybersecurity experts. Some of the information was provided through online interviews with participants, who protected their real identities as they discussed details on their lives and criminal operations.
The cyberunderground thrives because of anonymity: Hackers can devise any persona to conduct business and use a variety of technical tricks to hide their tracks. Their stories were verified to the extent possible by security experts who have watched the careers and methods of specific hackers for years.
As recently as 2008, the fight between those who protect computer networks and those who attack them was about evenly matched. That is no longer the case, according to the cybercops.
The defenders are losing the battle because of a combination of their opponents’ technical achievements and rapid advances in a global supply chain of theft.