Is Buying Stolen Credit Card Numbers Really This Easy?

With the help of the Internet, crime rings have been able to steal tens of millions of credit card numbers each year -- plucking them right from the ether in fact. But the FBI's cybercrime unit is reportedly stepping up its game in pursuit of criminals who buy and sell stolen credit card numbers in an online marketplace.  To gain access to the sellers' inventory, one must be a tried-and-true criminal, complete with references...honestly.

NPR reported that Keith Mularski, an agent with the FBI's cybercrime unit, has had to pose as a rather dubious character in order to gain entree to the online marketplace:

To even be able to see this site — to register and get a password here — Mularski had to use an an alias to persuade two criminals already on the inside to vouch for his criminality.

It's sort of the exact opposite of getting two references when you're applying for a job; rather than vouching for you as an upstanding, law-abiding citizen, you're getting people to attest to your deviousness.

How the site works:

In order to sell products on the site, you need to be reviewed. So if I was going to sell credit cards, what I would have to do is provide a sample of 50 cards to each reviewer. Then they would test them out and then write a review back, and say, "XYZ provided me 50 cards and there was a good mix of classics and platinum and business cards and there was a 98 percent approval rating. So now I vouch for him to be a vendor on the site."

This is the central paradox of this marketplace. In order to get in, you have to be a verified credit card thief. But in order to do business, you have to show that you can deal honestly.

This one seller is rated A++, so we click on his name. That takes us to another shop, with a pop-up window. We have to agree with the terms and conditions — which explicitly bar both journalists and law enforcement officials.

But once the credit card numbers are successfully purchased, then what? How are the numbers actually used? According to Mularski, it's as simple as printing up a new credit card with some very inexpensive equipment, and, off you go to the mall!

Mularski jumps up and pulls open his desk drawer. He pulls out a piece of white plastic with a magnetic strip on it (it looks like a hotel key), and a machine that looks like a toaster for really skinny bagels.

The machine's called an MSR-206. You hook it up to your computer, and swipe your plastic card through it. It encodes the credit card information onto the magnetic strip — like burning a playlist onto a CD.

Next you run the white plastic card through another machine to get the raised lettering and the holograms that make it look legit.

But this is nothing new.  For years, Hackers have been allegedly positioning themselves outside vulnerable retailers with a laptop and simple wifi connection until a customer makes a purchase using his or her credit card.  It's reported that the credit card's number is then intercepted from the store's unsecured credit card processing equipment.  Simple as can be.

Here's a video from back in 2008 that explains how it's done.

40 Million Credit Card Numbers Stolen! -8/6/08by Carter_Flores1585