Costs of Credit Card Fraud and Brute-Force Codebreaking
fc@all.net wrote:
I think a lot of people miss the distinction between automated message cracking and dumpster diving. Dumpster diving is not free. It costs at least a dollar each to get credit card slips by dumpster diving.
Consider that in order to use the information, you have to get the slip, pull off the numbers, enter them into a computer (or even worse yet, create a phoney card or make a phone call) in order to use the information. The break-even point for an automated cracking and usage system is more than a dollar per stolen card. My parallel processor is actually more cost effective for crimilar theft via credit card fraud.
Well, a few years ago I partially satisfied my phone-phreaking habit in the following manner: I would walk up to a busy intersection in a comercial area and stroll through the various gas stations located there, collecting receipts that careless customers had forgotten to take with them after using the "pay-at-the-pump". Then I would visit the pay phones at the nearby mini-malls. It sure didn't cost me a dollar a number. The cost/value of a card number depends a lot on what you seek to gain. If it's free phone calls, your costs are basically nil. If you want free gas, it'll cost you $500 or so for the card reader/writer and a few old cards. If you have a system for extracting thousands of dollars from each card, economics of scale would probably justify the $10000 rc4-breaker. ...or you could just hack netcom, steal the mother lode and be set for life... (Hi Kevin! drop me a line when you get out; ya gotta love those plea-bargains - 30 year sentence reduced to 8 months! ;-)
fc@all.net wrote:
I think a lot of people miss the distinction between automated message cracking and dumpster diving. Dumpster diving is not free. It costs at least a dollar each to get credit card slips by dumpster diving.
Consider that in order to use the information, you have to get the slip, pull off the numbers, enter them into a computer (or even worse yet, create a phoney card or make a phone call) in order to use the information. The break-even point for an automated cracking and usage system is more than a dollar per stolen card. My parallel processor is actually more cost effective for crimilar theft via credit card fraud.
Well, a few years ago I partially satisfied my phone-phreaking habit in the following manner: I would walk up to a busy intersection in a comercial area and stroll through the various gas stations located there, collecting receipts that careless customers had forgotten to take with them after using the "pay-at-the-pump". Then I would visit the pay phones at the nearby mini-malls. It sure didn't cost me a dollar a number.
But you miss the costs of your time. You have to find the right dumpster, you have to dive, you have to find the slip, you have to walk across the street, you have to make the call. Time, as they say, is money. For a criminal enterprise to make money, they have to not only get the cards, but use them and then resell the goods for cash. The sheer size of a criminal organization that could handle the sort of codebreaking we are talking about would make it possible to buy goods at wholesale prices, so the profit on stealing goods and reselling them on the open market is far less than the savings an individual gains by the effort. Then there is the potential cost of people getting caught, etc. that has to be figured into the overall cost. Criminal enterprises have high overheads.
The cost/value of a card number depends a lot on what you seek to gain. If it's free phone calls, your costs are basically nil.
It costs you 10-15 minutes of time, and it probably saves you a few dollars of phone charges. If the chance is only 1 in 100,000 of getting caught and convicted to 5 years in prison, the amortised time cost is another 25 minutes, not including legal fees.
If you want free gas, it'll cost you $500 or so for the card reader/writer and a few old cards.
But you still have to get the magic numbers. Maybe it takes a bribe, maybe it takes dumpster diving, but whatever the deal, it all costs money in the form of time, overhead, etc.
If you have a system for extracting thousands of dollars from each card, economics of scale would probably justify the $10000 rc4-breaker.
The point of the parallel processor is that the cost is about $1.45 (or whatever) per card number, not thousands of dollars. The results are in computer-ready form, so that you can charge directly over the Internet and have a fully automatic system for theft. No large number of employees, no phone bills that get traced by the FBI, only an Internet link that moves from provider to provider, account to account, city to city, country to country.
...or you could just hack netcom, steal the mother lode and be set for life... (Hi Kevin! drop me a line when you get out; ya gotta love those plea-bargains - 30 year sentence reduced to 8 months! ;-)
It's true that breaking into computer systems is cheaper for small numbers, but as a big business, the labor is too high for this sort of attack, and the results are too unpredictable. Taking credit card nuymbers over the net is a lot more ammenable to the economies of scale required for big codebreaking efforts. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
-----BEGIN PGP SIGNED MESSAGE----- On Sat, 19 Aug 1995, Dr. Frederick B. Cohen wrote:
Date: Sat, 19 Aug 1995 14:23:14 -0400 (EDT) From: Dr. Frederick B. Cohen <fc@all.net> To: Flame Remailer <remailer@flame.alias.net> Cc: cypherpunks@toad.com Subject: Re: Costs of Credit Card Fraud and Brute-Force Codebreaking
But you miss the costs of your time. You have to find the right dumpster, you have to dive, you have to find the slip, you have to walk across the street, you have to make the call. Time, as they say, is money. For a criminal enterprise to make money, they have to not only
howdy, time is not money if you're a high school student with nothing else to do. time is not money if you're a grad student. i spend approx 14 hrs or more a day in the lab seven days a week. there's no way my stipend adds up to anything close to minimum wage at that rate. the value of time is subjective. if i had a wife and a couple of kids AND i was a grad student, my time would be worth more. as it is, my time is not worth a whole lot. you're assessment that this cost our anon friend some money to obtain these cc numbers is simply not true. when you have nothing else to do, choosing one thing over another involves no cost. if anything, he made money by using the cc numbers to make long dist calls instead of using any cash he might have from working or an allowance. my $0.02, - -pjf patrick finerty = zinc@zifi.genetics.utah.edu = pfinerty@nyx.cs.du.edu U of Utah biochem grad student in the Bass lab - zinc fingers + dsRNA! ** FINGER zinc-pgp@zifi.genetics.utah.edu for pgp public key - CRYPTO! zifi runs LINUX 1.2.11 -=-=-=WEB=-=-=-> http://zifi.genetics.utah.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMDY0T03Qo/lG0AH5AQEmuwP9F30sfk4PrGRqf5kqsKs1lcX67CSctU/z hJEM8a1IFpPQL+FHRfy2eRueWNa1OiuyQZN8qt8EiP93MzScEJCEomxaTKowQjQk p9cQKg2SsFmxgc4whS4Ny22x3Aw1FinB2DzlhPrDB6jLAT1cWkQrE7K85VSCcC+j AVjV0CS0ufM= =7tS0 -----END PGP SIGNATURE-----
participants (3)
-
fc@all.net -
Flame Remailer -
zinc