CHAT ROOMS ARE IDENTITY THIEVES ' STREET CORNERS

(We rarely post material that is not original with KnightsBridge Castle. However this article which appeared in the San Jose Mercury News this week was simply too compelling. From the San Jose Mercury News Friday September 15, 2006)




NEW YORK (Dow Jones/AP) -- On a weekday afternoon in a chat room, hackers are busy exchanging credit-card numbers, cash, hacked servers, information and stolen identities.
A hacker called Pinokio logs on and posts six identities, known as "fulls.''

"Mesage (sic) for trade with me :)'' he writes.

A "full'' contains enough information to take a thief on a multiyear identity theft ride, as it will include someone's Social Security number, home phone number, e-mail account and password, debit card PINs, credit-card numbers, and mother's maiden name. Hackers like Pinokio sell them in bulk for $1 to $5 a pop in an international ring of credit ``carders,'' as sophisticated as it is blatant.

Welcome to the world of identity theft, a market that costs the U.S. economy $56.6 billion last year, according to a study by Javelin Strategy & Research using methodology developed by the Federal Trade Commission.

The problem's so prevalent that financial advisers guiding America's affluent through investment decisions now want training on how to deal with the crime. Indeed, Charles Schwab Corp. is holding a session at its upcoming Impact 2006 conference in November on how to teach clients about the problem. Vanguard Group Inc. added a ``Security Center'' section to its Web site to teach consumers about identity theft and other issues.

That's all the more significant given that the rich seem most at risk. While 4 percent of Americans fell victim to identity theft in 2005, 6.38 percent of households earning more than $150,000 reported fraud, the Javelin survey found.

``Ten years ago it was a bunch of frustrated teenagers who had something to prove,'' said Supervisory Special Agent Thomas Grasso Jr. of the FBI's cyber division. ``Now, it's all about the money.''

There are several reasons hackers like Pinokio post these identities: to show he has good data and there's more to be had, to raise his status in the underground or to muddy the waters of any potential investigation by getting others to use a card he's already used.

``The other 240 hackers can get it right now and hammer this credit card in the next 10 minutes, and there is no way for a law enforcement officer to see who ordered first,'' said Dan Clements, chief executive of CardCops Inc., an Internet-security company based in Malibu, Calif.
Pinokio
may have one more motive: bonding. The chat room's a community, said Clements. ``They're a brotherhood.''

One of the stolen identities Pinokio posted belongs to Brandee Sissom. Her trouble began about a year ago, when she began receiving letters about credit-card accounts for which she had never applied. Credit reporting agency Equifax Inc. told her that people had been trying to open accounts in her name.

She recently noticed three charges for $25.90 from AOL on her credit card, canceled them and filed a complaint with AOL. The day her stolen data had been posted in the chat room, an anonymous caller told her that her Social Security number was compromised. But she still hasn't been able to change it.

"I have cancer, and I'm extremely tired all the time,'' Sissom said. "And if you've ever been in a Social Security office; it's a long wait, and I don't have the time or energy to wait.''

She put 90-day and year-long alerts on her credit. She said she has no idea how her information got online. "I'm really careful with my credit information,'' Sissom said."I chop up everything.''

The 363 hackers in the chat room are gathered together under the aegis of the room's administrators, the top dogs of this particular group. The chat room is hosted on Internet Relay Chat, more commonly known as IRC. At any given time there are thousands of chat rooms open, about 30 to 40 discussing credit-card information. This is one of the more popular ones. Anyone who knows the name of the room can log in.

According to the Secret Service, most carders are based in the former Soviet Union or Southeast Asia. Some, Clements, the CEO from CardCops, said, claim to make $10,000 to $20,000 a month.

"We haven't really seen any (other) illegal activity, (such as) drugs,'' said Scott Johnson, Secret Service Criminal Investigative Division's acting special agent-in-charge. ``They're too busy rolling on their piles of money.''

The administrators are marked by an ``'' symbol next to their name. They have what the FBI's Grasso called channel ops, meaning they can kick people out of the room and set passwords, as well as load programs onto the page, allowing the hackers to check the validity of stolen credit cards in real time.

An administrator will use a hacked merchant credit-card account, check the information and post it in the room. Typically, they don't actually charge the cards; instead they run authorization transactions, which don't cost the cardholder anything but confirm whether a given card is valid. The merchant takes a hit for the minimum transaction fee, usually about 10 cents, and the consumer is none the wiser.

Though there is no agency tasked with culling chats for consumer data, the FBI and Secret Service do occasionally monitor the rooms.

Eric Zahren, a spokesman for the Secret Service, said that he couldn't ``discuss or confirm'' that the Secret Service monitors chat rooms, but did say that ``we've proved we can operate in the same environments'' as the hackers.

The Secret Service, which was empowered by Congress to combat computer fraud, has 24 electronic crimes task forces across the country and 20 foreign offices working with local law enforcement on the issue. Their strategy is to go after top-tier carders, people who have millions of individuals' information at their disposal.

The Secret Service said it recently brought agents from Latvia and Lithuania to the United States for training on cyber crimes, and currently it is now running a training program in Thailand.

Cathy Milhoan, an FBI spokeswoman, said the agency doesn't have "teams of people'' monitoring these rooms "24 hours.'' She said it monitors the rooms only when it has a ``legal reason for being there.''

...