A challenge I enjoy presenting in training environments for law enforcement is to task the class attendees to find a faster-growing, more rampant, more economically impactful area of criminality than cybercrime. They simply cannot do it. As the metrics estimate, by 2025, the global economy will lose over $10 trillion due to losses incurred by cybercrime (tinyurl.com/2y965y6u).
For me, that number in and of itself correlates to the Austin Powers character Dr. Evil bringing his pinkie to his mouth in excitement. But I assure you, these statistics are anything but comical. When the topic of “credit card fraud” is brought up to law enforcement, I can see the eye rolls and hear the heavy exhales.
In the United States alone, a 2021 study concluded that close to 47% of all Americans were subject to some sort of credit card fraud within the past five years (tinyurl.com/42mywrfe). It’s a crime so prevalent and part of our lives that we view it as more of a nuisance than a crime that warrants an investigation by law enforcement. The question I ask: Why? Why do we feel so complacent about chalking credit card fraud up as something the card services or banks can handle? Why do we feel that the victim simply getting their money back and being issued a new card is some semblance of justice? What I feel is the abridged answer: Law enforcement, especially state and local partners, don’t understand the dynamics of how these crimes are committed and just how much they can investigate to help bring these “carders” to justice.
If I were to ask, “Who do you think is committing credit card fraud?”, surely the stereotype that comes to mind is the hooded “hacker” behind the computer screen in some dark room. This image has become ingrained in our society, from cinema to commercials.
Personally, I believe this is a byproduct of many misnomers about cybercrime in general, believing that a suspect committing these crimes possesses a certain skillset with computers. This is a fallacy. In fact, when it comes to credit card fraud specifically, it requires very little skill or technical knowledge to commit the crimes. If you can shop online, which is something that I feel 99.9% of the readers of this article can do, then you can successfully commit credit card fraud. I feel this is the hardest hurdle for law enforcement to get over: understanding that these likely aren’t some skilled “computer hackers” in a foreign country committing these crimes. They are right here in your jurisdictions, and the nexus credit card fraud has to other crimes, from drug dealing to gang violence, is very likely. Every criminal enterprise needs a financial backbone, and while some gangs solely thrive by perpetuating credit card fraud and like schemes (tinyurl.com/5fk87kbx), others subsidize many vices with elements of “carding” and fraud (tinyurl.com/wyh87fm8).
Perhaps the most common pitfall state and local law enforcement encounter when it comes to investigating credit card fraud is the physical location of the victim of the crime. I (unfortunately) have encountered law enforcement agencies that adopt not to pursue a case involving credit card fraud unless the credit card was physically taken from the victim (i.e., burglary) and used elsewhere.
This confluence of events is few and far between when it comes to the present elements of the credit card fraud landscape. Understanding that is overcoming the first hurdle. While there will always be the “Felony Lane Gang” element to credit card and identity fraud, you are more likely to find a “carder” in your own jurisdiction versus a victim coming forward if their credit card information was stolen and used elsewhere. While I am certainly not espousing there won’t be victims coming forward to report credit card fraud, the societal norm we in law enforcement have accepted as this element of crime being more of a nuisance versus a pursuable case transcends to the victim mindset as well. Today, victims are more likely to pursue chargebacks via their credit card provider versus reporting it to police. The suspects know this as well, and because Visa and American Express won’t be knocking on their doors with search warrants and handcuffs, it only emboldens them more. In tandem with more people using online payment services than ever before, the statistics for credit card fraud continue to climb (tinyurl.com/26vfrjat).
I have used the term “carding” and “carder” synonymously, and if you are unfamiliar with this term, do not be concerned. There are different elements to how somebody facilitates credit card fraud, and criminals use different tradecraft to obfuscate their activities.
Some “carders” encode their own cards on the magnetic stripes of used gift cards or hotel cards, immediately using the cards at point-of-sale transactions over the counter to buy rechargeable gift cards they can use later. Others may simply use the credit card info online to purchase high-end products with the intent to resell at a discount to ensure sales. Similar to that activity, some use the stolen credit card info to buy gift cards online and sell those at an extreme discount. Some make a business encoding and selling the stolen credit cards to include a purchaser’s real name. The hardware necessary to undertake these different elements of carding is inexpensive.
The typical “carding” cycle is as simple as it is shockingly brilliant. A “carder” can purchase stolen credit card information via dark web shops/markets or deep web sites (like BidenCash, BriansClub or Rescator) for very minimal money, often less than $10 per card, with cryptocurrency (which can also be purchased with stolen credit card info!). From there, depending on the sophistication of the “carder,” they can implement their own tradecraft.
On average, the sites and forums dedicated to the sale of stolen credit card information update with fresh information anywhere between five to 15 minutes. While this is in part due to the voluminous sales, it is also due to the extremely short shelf life of stolen credit card information. While each shop/vendor is in competition to be the best, credit card providers are doing their due diligence to monitor these heavily traversed black markets. The stolen credit card info may have the card being canceled within 24 to 72 hours, even before the purchasing “carder” can use the card.
When it comes to what state and local law enforcement can do to investigate these cases, the answer is simple: a lot more than has been traditionally done. In my opinion, the platform CyberSixgill (cybersixgill.com) offers useful capabilities when it comes to searching for stolen credit card information. An investigator can search for personal identifying information (PII) often attributed to stolen credit card info and a specific region (i.e., New Jersey, New York, etc.).
In a recent webinar I presented (tinyurl.com/mrye73b2) with both CyberSixgill and Maltego (maltego.com), this exact approach was covered in detail. From a purely “boots-on-the-ground” approach, establishing rapport and a possible source of information with the local CVS, Walgreens, Target, etc., where gift cards can be purchased en masse, would be a phenomenal approach. Does a customer frequently come in and purchase various gift cards with different credit cards? While this behavior in and of itself is not indicative of criminal activity, it definitely warrants a closer look. How about searching Craigslist or OfferUp for gift cards? Do some of these listings/ads seem suspicious to you now, given what you’ve just read?
While there isn’t a quintessential “universal” approach to investigating the wide world of credit card fraud and the different elements of “carding,” just being cognizant of this massive and lucrative underworld is the most important step. Building relationships with federal partners like the United States Secret Service, FBI and Homeland Security Investigations is an important step as well, as these cases will often rise to the federal level due to an interstate nexus. While I can inundate you with statistics and bore you with voluminous studies about the rise in credit card fraud, I will leave you with this harrowing fact: It’s going to get worse before it gets better. The question I ask is: What are you going to do to help quell this scourge? Criminals in our jurisdictions as young as 13 years old are figuring out how to churn a profit with “carding,” while we in state and local law enforcement are still under the impression some hooded “hacker” overseas is behind it all.