Credit card and ID thieves are turning to charities to help them validate credit card numbers, says computer security company Symantec.
The drill involves making a small donation to a non-profit to see if the transaction is successful, described Symantec security response engineer Yazan Gable in a corporate blog entry. If so, the scammer knows that it’s a good, or chargeable, number.
“In the world of carding, where stolen credit card information is bought and sold,” wrote Gable, “carders need to know if the credit cards they are buying or selling can actually be used. It is sometimes difficult for them to verify this without raising any alarm bells and risking that their cards will be identified as stolen and disabled.”
Charitable donations are uncommon transactions for most credit card holders, noted Gable. They are harder to identify as anomalous. Thus, “carders” — the moniker given to those who trade in stolen credit card numbers — have more time to exploit the card without being detected if they use it at a charity first.
Verification of credit card numbers is the single biggest challenge for carders, Gable wrote in previous reports. Stolen card information garners more or less money on the illegitimate market depending on whether or not it comes accompanied by a four-digit verification code or perhaps even an indication of the available balance.
Method De Jour
This is not the first trend among carders looking to double-check the card numbers they have purchased, Yankee Group Analyst Andrew Jaquith told TechNewsWorld. “A couple of years ago, gasoline purchases were being used as one way to check validity,” he said.
What do charities and gas stations have in common? For carders, perhaps more than meets the eye. For test transactions, thieves tend to use channels where they are personally removed from a live cashier. A quick yes or no on the transaction is essential. With charities, said Jaquith, the whole test can be conducted rapidly online, allowing carders to test a large volume of credit card numbers quickly.
Under Our Noses
In addition to bank behavior monitors, consumers themselves may not pick up on a small charity transaction when it appears on their credit card statements, Khalid Kark, senior analyst with Forrester Research, told the E-Commerce Times.
“People checking their credit card statements tend to look at bigger expenses,” he noted, “and this taps into the human side of vulnerability.”
Many consumers, he added, don’t have time to comb through each and every line item on each and every statement they receive.
On top of that, Kark explained, transactions sometimes cannot be identified from the information provided on a statement. A vendor name might be obscured by abbreviations or a string of numbers. Thus, even consumers who are scrupulous about reviewing statements when they get them can get tripped up by a cryptic entry. If that entry is for a very small transaction, many people’s tendency would be to ignore it.