On a Thursday back in February I was relaxing and watching TV when my evening was interrupted by the ping of a text message from my bank.
“You will shortly receive an SMS to confirm recent activity on your card.”
I was puzzled. I certainly hadn’t made any strange or unexpected purchases that day, so what was this about? About 30 seconds later, I received my answer in a second text message.
It said my credit card details had been used less than a minute before to try to make a payment of £108 at a store with an unfamiliar name.
A quick search online revealed it to be a supermarket in the city of Paramaribo, Suriname – a small country on the north-eastern coast of South America, bordered by Brazil, Guyana and French Guiana. That’s quite a long way from my home in London, so I was pretty sure I hadn’t popped into that store to pick anything up in the last 60 seconds.
The alert asked me to confirm the transaction by replying with ‘Yes’ or ‘No’. It did cross my mind that perhaps this was a double- or triple-bluff scam and that by responding to an unexpected text message, I would be making a big mistake. Just in case, I chose to phone the bank instead.
They confirmed that yes, someone had attempted to use my card details over 4,500 miles away from London – but the attempted payment was blocked as suspicious, so no money was stolen.
I cancelled my card and ordered a new one as the recommended safety precaution, given someone else had my details. But as a reporter I was left wondering how did this happen?
How was it that my bank details were somehow stolen, passed onto someone on the other side of the world and almost successfully used at what looked to be a small retailer in Suriname?
Credit cards are a solution – and part of the problem
Debit and credit cards are a part of everyday life that we don’t think about, but not so long ago they would have felt like a strange concept to those using physical currency to buy things. The first UK credit card was issued in 1966, while the first debit card didn’t arrive in the UK until 1987.
Now, there are over 51 million debit cardholders in the UK, accounting for 96% of adults, while over 32 million UK adults have a credit card. According to the trade association UK Finance, total spending on credit and debit cards accounted for over £800 billion during 2018, with over 20 billion transactions over the course of the year.
Such is the increased popularity of using card payments – helped by online shopping and the ability to make contactless payments in stores – that it’s overtaken cash as the most common form of payment in the UK, and the number of card payments is still growing.
We’re using them a lot more online, too. That makes it easier for us all to buy all manner of goods and services, but it also means that if crooks have the details they can use your account even if the physical card is safe in your pocket, because with online shopping, which only requires the input of credit card numbers, the card doesn’t need to be present.
And the unfortunate truth is that crooks have access to a lot of credit card numbers, thanks to almost constant waves of data breaches from companies big and small.
So how are cyber criminals gaining access to all this data, how do they trade it and just how big is this illicit underground economy?
“It’s a really interesting question because it doesn’t have a clear answer. This sounds really Rumsfeldian but there are just unknown unknowns,” says Troy Hunt, creator of Have I Been Pwned?, a website that allows people to check if their email address, password or other personal data has been compromised in a breach.
Have I Been Pwned? currently contains data on almost 10 billion compromised accounts from over 450 websites and data dumps that have been released publicly by hackers – but that’s almost certainly just scratching the surface of the information that’s been stolen over the years, because there are many more data breaches where the data hasn’t been publicly dumped by the hackers.
“We know there’s a huge amount of incidents, which have made the headlines, which aren’t in the system,” says Hunt.
There are also many more breaches at smaller companies which might not even make headlines, but could still involve the personal data of thousands of people being stolen.
Businesses need to be more careful with your data
There are a number of ways criminals can steal data.
One classic example of this is point-of-sale (PoS) malware, which is malicious software that gets installed by gangs onto the PoS terminals that shops, restaurants, bars and other retailers use to take payments by card – a key part of almost any retail business.
And it’s because they’re a part of the furniture that many of these systems are so vulnerable, because organisations forget they’re computer systems that can contain vulnerabilities and need to be updated. Businesses can go years without being aware that customer payment information was being copied and stolen every time a transaction was made.
It’s possible to install malware onto PoS terminals physically but such systems can also be compromised across the corporate network itself as the result of a hacking campaign.
The attack might start with a phishing email aimed at unwary employees or a more technical approach targeting the network’s internet-facing remote ports as a way to get onto the network and move across the network to the PoS unit to install malware.
This is possible because most PoS systems run on a modified version of Windows, meaning that the computer can be vulnerable to attack like other Windows devices. And while most Windows systems on a network should be receiving regular security patches to ensure they can’t fall victim to attack, it’s all too easy for the PoS terminal to be forgotten about.
A report by the Information Commissioner’s Office pointed to “systematic failures” in how the retailer safeguarded personal data and managed the security of its networks – including the failure to patch systems against known vulnerabilities.
There are expectations that larger businesses will, for the most part, budget for IT security and upgrade the network when needed, but for smaller businesses that approach might not be as simple – yet they’re going to be targeted by hackers too, especially if they’re viewed as an easy target.
“Change is hard for everybody, especially for small businesses. If that credit card terminal is working, do you want to spend hundreds to upgrade to a new system you have to learn to use? Businesses just want to be paid as normal,” says Kevin Lee, digital trust and safety architect at Sift, a payment-fraud prevention company.
That’s why PoS malware remains so common – and potentially how my card details got stolen. But it’s far from the only way it could’ve occurred.
Another common means of card information being stolen is directly from ATMs. While it’s possible to remotely install malware on cash machines – after all, they’re mostly just Windows PCs and often old versions of Windows at that – physically tampering with the devices provides attackers with an even simpler means of stealing bank details.
These skimming attacks see criminals placing their own card-reading components on top of the real device, allowing them to not only see the card details contained within the mag stripe, but also able to see the PIN code – providing them with all the data they need to make payments and withdrawals – or collect that information to sell it.
“It’s entirely possible that you’ve used your card at an ATM and there’s been a skimmer that’s read your card and someone has figured out how to clone your card and sold it online. That’s entirely feasible – your card might not have been involved in a breach at all, but a skim,” says Leigh-Anne Galloway, head of commercial security research at Cyber R&D Lab.
“There’s still a large amount of skimmers in circulation. They’re still pretty popular because they work.”
Your data could be on an underground market
In some cases, criminals will use stolen card information for themselves, simply using the details either to clone the card, or to make purchases online. But tying purchases made on a stolen card directly to their own identity is likely to risk getting them caught sooner rather than later.
That’s why selling stolen card details online is the lower risk choice for crooks with large numbers of credit card details to sell. And with large scale data breaches so common, the cyber-criminal underground markets specialising in trading stolen information are extremely busy.
“Cyber criminals are just looking for a way to monetise the data that they get and often it’s a lot more complicated than people realise. If you’re good at writing malware, but you don’t know what to do with credit card information, that’s why you’d turn to the underground,” says Liv Rowley, threat intelligence analyst at Blueliv. “Sometimes it’s clear following big-data breaches and they’re handed off,” she says.
There are dozens of different card shops at any one time as criminals attempt to trade stolen details while also remaining outside the eyes of the law. Some remain in business for a long time, while others get shut down – either by law enforcement, or by the operators themselves in an effort to avoid getting caught. One of the largest and most successful is Joker’s Stash, which is often used as a way to sell millions of credit card details and other personal information at any one time.
Earlier this year, US authorities directly linked Fin7 to Joker’s Stash, among other carding forums, in an indictment following the arrest of Ukranian nationals accused of being members of the hacking group.
However, it doesn’t appear as if my details being stolen was related to any of these breaches – at least any that are in the public light – so what are the other options if it was stolen in a data breach?
There are smaller carding forums where users turn up to sell data they’ve stolen, and potential buyers can barter to buy as many or as few as they’d like – sometimes details on a single stolen card can cost under a dollar.
In many cases, the process is completely automated and users can establish who can be trusted via the reviews that have been left by previous buyers – much like any other peer-to-peer online retail environment.
“You don’t really need to interact with anyone, you just go there, search what you’re looking for and just buy it. It’s nice for cyber criminals because it’s a pain-free process,” says Rowley. The pain is felt, of course, by the victims instead.
Two seconds that make all the difference
It could be that my card details passed through a few different hands before ending up in South America – but why, of all places, was it a gas station or a small convenience store where it looks like a copy of the card was attempted to be used?
Printing cards is a relatively simple process for criminals, and the physical tools they need to do it aren’t actually illegal. After all, plastic identity cards exist in many workplaces, and they need to be able to print them out, while it’s also possible to buy and use an embosser to punch raised bank details and personal information onto cards so they look like the real thing.
“You’re a cyber criminal and you’ve bought this data, and it’s just raw numbers. You take that data, you take a plastic card and print out the correct bank information, you pop up the letters for the name and numbers that should be on it,” Rowley explains. “Then you write the information on the magnetic stripe and that should work,” she adds.
For cyber criminals, the perfect place to test if these cards – and the bank details they’ve stolen – work is small retailers as they often don’t have sophisticated security in place.
“Gas stations are a great place to test credit card numbers because you don’t have to deal with the gas attendant – you slide the card in and if it works you get a free tank of gas and keep going. If it doesn’t work, there’s no harm in trying. If it works at a gas station, it’s a green light to make larger transactions,” says Kevin Lee.
There’s no way to find out what the person using my details was attempting to buy, but it’s likely if the transaction had gone through, they would have attempted to milk my bank account for much more than the £108. Fortunately, the attempt at using my card was almost immediately detected and stopped by the bank.
“We have two seconds to make the decision. We would’ve decided in the first two seconds to decline that,” says Paul Davis, retail fraud director at the UK’s Lloyds Bank.
Lloyds Banking Group has 12 different systems to analyse transactions for unusual payments, and it works with external companies and Visa to examine the vast amount of payments which are made every single day. These systems need to find a balance between flagging potentially suspicious activity, while also not standing in the way of regular transactions.
“The fraud engine will look at things like who you’re trying to pay, how much you’re paying them, have you ever made a payment like that before,” Davis explains – pointing out how the unexpected location of my payment that was attempted using my card likely played a role in identifying it as potentially suspicious.
“I don’t know how many of our customers make transactions in Suriname – probably not many – so that’s more likely to flag an alert,” he says.
The location, combined with the merchant, the history of other transactions there – and whether they’re fraudulent or not – and the amount being paid all helps the bank come to a decision. And in this case, it correctly decided that the transaction was fraudulent – but these decisions have to be made quickly and without blocking genuine attempts at purchases.
“The more data we have, the better this system is and the more likely we’ll stop more fraud and interrupt fewer genuine cases,” says Davis.
In some cases, it’s easier to spot that attempts at fraud are happening, such as if criminals make lots of requests at once using sequential card numbers – indicating that they’re working their way down a list. In that case, attempted transactions for card numbers yet to be tested can be preemptively blocked.
“If there’s a merchant we’ve never seen before and all of a sudden we get 10,000 payments with almost sequential numbers, or with a pattern, they stand out as being suspicious. We block those payments before it even gets to the fraud-detection engine,” Davis explains.
In some cases companies may not even realise that they’ve been breached.
“Breaches aren’t always reported. In our experience, the number of merchants who’ve potentially had a breach, but haven’t yet noticed it, is a lot higher,” says Davis. “A lot of people’s card data is being traded on the web and so to keep the systems secure we’re reliant on systems we run in banks.”
Credit card fraud is far from unusual
But it isn’t just by directly stealing bank information that cyber criminals are able to get what they need to to abuse personal data to commit fraud. Names, social media accounts, addresses, birthdays and all sorts of other information is potentially out there and can be used to build false profiles or socially engineer victims into falling victim to cybercrime. It has even happened to high-profile politicians.
“Oftentimes, you can gather enough from social media to log in to their accounts or answer security questions,” says Charity Wright, cyber threat intelligence advisor at IntSights.
Information from stolen accounts can be put up for sale on underground forums and, if the victim has reused their email password on other important accounts, it could easily provide a means of attackers getting hold of much more information, potentially even online bank accounts.
Wright’s role involves searching the open and underground web for information about CEOs, executives and other high-profile individuals to see what information is out there – and crucially help stop cyber criminals from using and abusing it. She also looked at what information about me was out there and perhaps, surprisingly, given my job, there’s not much to find based on my name.
“Your digital footprint is limited to professional and social media from what I can tell, which is excellent given your public profile in the media,” she said.
Nonetheless, via skimming, PoS malware or something else, cyber criminals were able to get hold of my bank details – despite how I write about cybersecurity everyday and know how to take precautions to help protect myself.
However, I’m certainly not the only person I know whose had their bank information or other personal details stolen over the years and I won’t be the last; a lot of people have fallen victim to similar fraud and even many of the security researchers I spoke to when trying to find out what happened to my card details have fallen foul of cyber criminals at one point or another.
“I don’t think there’s as much of a stigma of being caught out by credit card fraud; I don’t think as many people would feel it now. It’s just one of these things that happens and a lot of the time it’s completely out of your hands as you’re finding now – you have no idea where or how it happens,” says Chris Boyd, lead malware intelligence analyst at Malwarebytes.
“And when PoS malware can lurk on networks for a year or more, how are you going to know?”
I was fortunate that an attempt at using my bank account was spotted; many haven’t been so lucky – and they’ve had criminals use card details to make very large purchases. Boyd found himself a victim of one of these schemes.
“The short version is I got contacted and told there was fraud on my card,” he explains. “Usually you hear about small amounts claimed, people will get hold of card details and take a little bit here and there – but this was about £14,000!”
As with my case, it wasn’t possible to pin down how exactly the card details got stolen, but in this instance, the scale of the purchase was unusual.
“Somehow, someone had got my credit card details and they’d gone to a specialist wine supplier, an organisation that sells huge quantities of wine to shops, and put in a baffling order for £14,000 of wine,” says Boyd.
“The Great Wine Heist,” as he describes it just goes to show that even those who are deeply knowledgeable about security can fall victim to cybercrime – and in most cases, they’re unlikely to find out how it happened, either.
“You realise there’s only a small amount of places you buy from regularly and an even smaller amount of outliers, so it’s easy to figure out your day-to-day movements and what you spend,” Boyd explains.
“But then you still hit a brick wall because none of it comes in handy for finding out what happened to your information,” he adds.
Some people seemingly haven’t actively fallen victim to fraud, yet it still feels as if it’s only a matter of time before something happens.
“For me, as an American, I have a social security number and I have no doubt that my social security number is somewhere out there on the dark web, it’s just a matter of luck I haven’t had my identity stolen yet. That’s the point we’re at, it’s so easy to lose control of your data,” says Liv Rowley.
Take precautions to keep data safe and secure
It might feel as if getting your card details stolen is inevitable due to the sheer number of organisations that fall victim to hacking and malware campaigns. Nonetheless, it is possible to take precautions against credit card fraud.
“Don’t let your card out of your sight. Keep in control of your card because if you give it up, you don’t know if it’ll be skimmed or have the details written down,” says Paul Davis.
While it’s impossible to know if any organisation is about to become a victim of a data breach, on the whole, it’s recommended that people buy from trusted vendors, so in the worst case scenario even if details do get leaked, information about the leak emerges eventually. This might not be the case if people buy from online – or other – stores that have been set up with the intent of stealing personal data.
However, the individual can only do so much to stay safe online, when it ultimately falls to the organisations that are handling personal data to keep it from going missing.
Legislation like the General Data Protection Regulation (GDPR) provides an extra incentive for organisations to keep personal data of customers and consumers safe, because if the company falls victim to a breach and is judged to have managed security irresponsibly, they could face a huge financial penalty.
But even if your personal information is stolen in a big batch alongside hundreds of thousands, maybe even millions of others – and it isn’t your fault – it’s still hard not to feel as if your bank account being used, or your password being used, is a personal attack.
“Most of the time, it’s not personal, the same with things like account takeovers and credential stuffing – you’re one of a million people on a list and that’s the criteria as to why it’s happened, that’s literally it,” says Troy Hunt.
And it does indeed look as if some of my information was up for sale, with several cards at least partially matching my card number advertised on an underground forum for the price of $25, according to one researcher I asked to dig around.
No information about my address was listed, which appears to suggest that my details are potentially more likely to have been stolen via the use of a skimmer or PoS malware, rather than an online retailer that would also need my address to send out an item.
That’s all educated guesswork on my part. I’m unlikely to ever find out how exactly my card details got stolen, how they ended up in South America and who was attempting to use them. I, however, was fortunate that the bank managed to pick up suspicious activity and blocked anything from happening – many others aren’t so lucky.
But as long as there’s bank information and other personal data out there for cyber criminals to keep grabbing, exchanging and exploiting, it’ll keep happening. For victims, while it may be frustrating, even upsetting, perhaps knowing they haven’t been individually targeted could provide some comfort, even if they too never really work out how it happened.