SAN FRANCISCO — It's as easy to buy stolen credit cards online as it is to shop at Amazon.com, a security company demonstrated at the RSA security conference here Wednesday (Feb. 26).
Ricardo Villadiego, founder and CEO of Sunrise, Fla.-based Easy Solutions, showed a reporter how he could log into a "carder" site based in Russia, search for various kinds of stolen credit cards and quickly purchase them with one click.
The site even offered an instant validity check to make sure each stolen card was still valid, and an instant refunds if it wasn't.
"It's the Amazon of the cybercrime economy," Villadiego said.
The site, Valid Shop, operates on the ".su" top-level domain, once reserved for the Soviet Union but now used by many shady sites. Accounts on Valid Shop can be bought with Bitcoins, and the front page even asks registered users to pass a CAPTCHA test to prove they're not automated scripts.
Once inside, the user is presented with a sleek black interface, including navigation buttons for "News," "Buy," "Orders," "Billing," "Cart, "Services" and "Support." The amount of money left in the user's on-site account displays in the top right.
Searches for stolen card data can be fine-tuned according to type of card, bank name and country. Users can also check off what kind of additional personal information they'd like about card holders: address, email address, phone number, date of birth or "fullz" — the whole package.
A list of the most recent stolen cards appears below the search fields, listing details of each including expiration dates, country, issuing bank, card spending level (regular, platinum, black, etc.), city and state.
Villadiego said the column marked "database" indicated which "dump," or batch of stolen card numbers, each card belonged to.
A drop-down menu allowed him to select individual databases and view its provenance, validity rate — which percentage of cards in the database were still valid — and when it was dumped onto the black market.
Buying a stolen card
Villadiego decided to search for Bank of America cards. A list appeared with the most valuable cards, in this case Bank of America platinum cards, at the top.
He decided to buy a Bank of America platinum debit card that belonged to a woman in Florida. The price: $4 plus a 20-cent surcharge for the search.
After Villadiego paid for the card, the site took us to a new screen that displayed the card's number, expiration data and one of two card verification value (CVVs), and well as the holder's full name, full address and telephone number.
On the right side of the screen were two buttons: "Check," which ran an instant validity check on the card, no different from the check a merchant would run while accepting the card from a customer; and '"Refund," which allowed the buyer to return the card if the validity check failed.
Several things were missing from the card-information screen: the user's date of birth or Social Security number, which would have made the personal information much more valuable; and the debit card's PIN, which would have allowed ATM withdrawals from the holder's account.
But because debit cards can be used as credit cards, this card could still be "cloned" — its information placed on a blank card — for use in retail establishments.
It also wasn’t clear which CVV was included with the card data — CVV1, which is hidden on the card's magnetic stripe and verifies to a retailer that the card is physically present during a transaction, or CVV2, which is printed on the card itself and which online and telephone-order retailers ask for during remote transactions.
A victim who may never learn her card was stolen
At a reporter's suggestion, Villadiego Googled the card holder's name and quickly found several social-media accounts. Personal details on a LinkedIn page matched those Villadiego had just bought from Valid Shop.
Villadiego said it was possible that Bank of America already knew that this card had been stolen, but added that many card issuers don't replace most stolen cards, or even notify the users that the cards have been stolen.
Instead, he said, the issuers generally stop the problem upstream by denying payment requests for possible fraudulent activity while allowing the card holder's payment activity.
The card holder often is never aware his or her card appears on an underground forum of stolen cards, never sees a fraudulent charge, and, apart from rare exceptions, is never liable for money lost to fraudulent card activity.
Villadiego's company is part of this ecosystem — it scours carder sites to amass lists of stolen cards, and then provides subscription services to banks and other financial institutions so that they check to see whether a card has been stolen every time a payment request is made.
He would not say whether Bank of America was a client.