About

This page contains a single entry from the blog posted on February 14, 2007 10:50 AM.


The inside dope on stealing your authentication

Wired Magazine published a very interesting story on February 2 of this year. Called "Steal this download", it is a 25-page PDF about David Thomas, a high-tech criminal who for several years ran a website on behalf of the FBI selling credit cards and dealing in other identity-theft crimes.

To put credit card theft into perspective the story says:
"The full scope of the problem is hard to judge, but nonetheless staggering. U.S. banks lost $546 million to debit card fraud in 2004, according to banking research firm Dove Consulting, and credit card fraud losses were estimated to be about $3.8 billion globally in 2003 according to The Nilson Report."

The story documents the arrest of Shadowcrew, a much-publicized credit card gang documented in other stories as having 5,000 members. The story is interesting not because it gives an insider's view of credit card crime but because of what it states towards the end of Thomas's story. The story states:

"The Shadowcrew bust was touted as a major success by law enforcement. Since the initial action, subsequent arrests in Operation Firewall have brought the total number of carders nabbed to 38 globally. Authorities say the suspects trafficked in more than 1.5 million stolen credit card numbers, resulting in losses estimated to be at least $4 million. The sting also netted more than 8.5 terabytes of forensic evidence -- the equivalent of 2.2 billion pieces of paper -- and involved more than a dozen criminal task forces in the United States and elsewhere."

"But the long-term effects of the operation on curbing criminal activity have proven to be almost nil. It wasn't long after Shadowcrew went down before new carding sites, such as CardersMarket and the International Association for the Advancement of Criminal Activity, or IAACA, popped up to take its place. And the bust opened the way for new problems as well."

"Amir Orad, executive vice president of security company Cyota (now owned by RSA Security), which has a command center in Israel from where researchers monitor the carding boards, says Operation Firewall made it more difficult for law enforcement to track carders. Once Shadowcrew went down, the community morphed from a small number of large carding sites to a larger number of small sites that have become harder to trace and infiltrate. And many of the most serious criminals have disappeared from the boards altogether, taking their activities further underground."

""What we see clearly is that taking down ... one group doesn't solve the problem, it creates multiple small problems," Orad says. "(We) haven't seen a major impact of those arrests besides maybe the publicity and the awareness that this whole crime costs."

Others have also disputed law enforcement's characterization of the significance of Shadowcrew's role in cybercrime, saying the website was more a sandbox for kiddie criminals than a virtual Cosa Nostra, and that those who were arrested were mostly low hanging fruit."

What this story documents is the inefficiency of the law in catching and substantially diminishing organized crime. Let's take a low average of $500 million lost to credit card fraud by US banks every year since 2004. That makes $1.5 billion for the last three years. The Shadowcrew case amounted to $4 million. Let's assume that's only what the government can prove, and be generous and say that the amount they stole was 10 times or even 100 times that. Where are the prosecutions for the other $1 billion?

And remember, that's only the US we're talking about. There was reported to be $3.8 billion stolen globally in 2003. Using this number for each of the successive years, that amounts to a staggering $11.4 billion over the last three years.

Make no mistake. It is well-organized crime that is behind the majority of the authentication theft going on, and those criminals are not being arrested. As the Wired story notes, it's only the new-age script kiddies and relative lowlifes like David Thomas and Kim Taylor who are getting caught and imprisoned.

People like these were paying $1000 per day to hackers to crack banks and card processing databases. What is worse is that most security experts agree that organized crime is now attacking non-financial enterprises using targeted attacks. Imagine the arsenal that real organized crime, with literally billions of dollars in revenue, can spend on cracking enterprise security systems. What protection do you have in place against this?

Make sure you use layered strong authentication security or you will be sorry.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com

