Re: Costs of Credit Card Fraud and Brute-Force Codebreaking

[fc@all.net (Dr. Frederick B. Cohen)]

> 
> fc@all.net wrote:
> >I think a lot of people miss the distinction between automated message
> >cracking and dumpster diving.  Dumpster diving is not free.  It costs at
> >least a dollar each to get credit card slips by dumpster diving.
> >
> >Consider that in order to use the information, you have to get the slip,
> >pull off the numbers, enter them into a computer (or even worse yet,
> >create a phoney card or make a phone call) in order to use the
> >information.  The break-even point for an automated cracking and usage
> >system is more than a dollar per stolen card.  My parallel processor
> >is actually more cost effective for crimilar theft via credit card fraud.
> 
> Well, a few years ago I partially satisfied my phone-phreaking habit in
> the following manner:
> I would walk up to a busy intersection in a comercial area and stroll
> through the various gas stations located there, collecting receipts
> that careless customers had forgotten to take with them after using the
> "pay-at-the-pump".  Then I would visit the pay phones at the nearby
> mini-malls.  It sure didn't cost me a dollar a number.

But you miss the costs of your time.  You have to find the right
dumpster, you have to dive, you have to find the slip, you have to walk
across the street, you have to make the call.  Time, as they say, is
money.  For a criminal enterprise to make money, they have to not only
get the cards, but use them and then resell the goods for cash.  The
sheer size of a criminal organization that could handle the sort of
codebreaking we are talking about would make it possible to buy goods at
wholesale prices, so the profit on stealing goods and reselling them on
the open market is far less than the savings an individual gains by the
effort.  Then there is the potential cost of people getting caught, etc. 
that has to be figured into the overall cost.  Criminal enterprises have
high overheads.

> The cost/value of a card number depends a lot on what you seek to gain.
> If it's free phone calls, your costs are basically nil.

It costs you 10-15 minutes of time, and it probably saves you a few
dollars of phone charges.  If the chance is only 1 in 100,000 of
getting caught and convicted to 5 years in prison, the amortised time
cost is another 25 minutes, not including legal fees.

>  If you want
> free gas, it'll cost you $500 or so for the card reader/writer and a
> few old cards.

But you still have to get the magic numbers.  Maybe it takes a bribe,
maybe it takes dumpster diving, but whatever the deal, it all costs
money in the form of time, overhead, etc.

>  If you have a system for extracting thousands of dollars
> from each card, economics of scale would probably justify the $10000
> rc4-breaker.

The point of the parallel processor is that the cost is about $1.45 (or
whatever) per card number, not thousands of dollars.  The results are in
computer-ready form, so that you can charge directly over the Internet
and have a fully automatic system for theft.  No large number of
employees, no phone bills that get traced by the FBI, only an Internet
link that moves from provider to provider, account to account, city to
city, country to country.

>  ...or you could just hack netcom, steal the mother lode
> and be set for life...  (Hi Kevin!  drop me a line when you get out;
> ya gotta love those plea-bargains - 30 year sentence reduced to 8
> months! ;-)

It's true that breaking into computer systems is cheaper for small
numbers, but as a big business, the labor is too high for this sort
of attack, and the results are too unpredictable.  Taking credit card
nuymbers over the net is a lot more ammenable to the economies of scale
required for big codebreaking efforts.

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236