FBI Forum Sting Nabs Payment Card Cyber-Fraud Ring

An online forum providing tips and stolen data for online payment card fraud turned out to be the wrong click for the cyber-criminals who frequented the site.

The forum, called Carder Profit, was in fact an undercover operation by the FBI, called Operation Card Shop. The agency monitored not only messages posted on the forum but also private messages that forum members sent to each other through the forum. Carder Profit was set up in June of 2010. Two years later to the month, the FBI closed in, announcing eleven arrests in the US and thirteen more arrests abroad.

One of those arrested, Mir "JustTheGod" Islam, claims to be a member of the UGNazi hacker group. Ironically, shortly before his arrest his own personal information was put online by a rival hacker, an action known as "doxing." The UGNazi group has claimed exploits including knocking Twitter offline (though Twitter denies their claim, saying a software bug caused the outage).

"Carding" is a blanket term for a variety of cyber-crimes involving credit (or debit) card fraud. Users of the Carder Profit forum sold remote devices for recording card users' keystrokes, along with stolen account information. Some of those arrested were involved in other tech-related crimes, such as fraudulently obtaining replacement consumer gadgets from Apple.

According to the FBI, Operation Card Shop was technically not a "sting," because undercover agents did not induce or suggest criminal activity. The agency merely provided a cyber-hangout where carders discussed criminal schemes.

While Operation Card Shop is a win for the good guys, it also offers a rare glimpse into the world of criminal "carding." Carders turn out to be a remarkably brazen group, as demonstrated by their willingness to join Internet forums devoted to their activities. For firms that deal with payment cards – not to mention individual card users – this glimpse provides a sobering lesson in the scale of cyber-crime involving payment cards.

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."