Don't Buy Pizza With a Credit Card
The Russian foreign ministry is outraged about the U.S. authorities' arrest of alleged hacker Roman Seleznev, 30, in the Maldives: It screams of kidnapping. The Seleznev case, however, is not about the new Cold War now raging between the U.S. and Russia and not even about Americans' well-documented propensity to act as if they had jurisdiction over the entire world. It's about the dangers of shopping at mom-and-pop stores.
A grand jury in Seattle believes Seleznev is a carder -- a subspecies of hacker specializing in the theft of credit card data. His father, ultranationalist lawmaker Valery Seleznev, refuses to believe Roman is capable of computer hacking: in 2011, Seleznev Jr. was an accidental victim of a terrorist attack in Marrakech, Morocco, suffering severe injuries to his head. "He was in a coma for eight days, he has a metal plate in place of half of his skull," the legislator told the Moscow tabloid MK. Carding, however, is not rocket science: It's an illegal business for which most tools are readily available.
The 2011 indictment says Seleznev and other carders working with him (some are mentioned in more recent court documents) would gain access to the backroom computers of U.S. retail outlets and restaurants, launch a browser to download some malware from a server in Russia or Ukraine, then wait for the malicious program to record enough credit card numbers so the "dump" (batch of numbers) could be sold through some specialized carder sites. Seleznev allegedly administered some of these, such as bulba.cc and track2.name.
Both of these appear to be still active. I registered on bulba.cc and found that it required $1000 in Bitcoin to view the goods:
Such a system is common to carding sites, though the fee is on the high side. Once you pass that barrier, you're offered "dumps" with various estimated validity rates, depending on how fresh they are. If you're in the downstream part of the carding business, you will acquire the numbers for about $10-$15 each, then use an embosser and a hot stamping machine to create fake cards that you will send a courier to use in a store, preferably to buy electronics or other items that will be easy to resell.
No particular hacking skills are required for either the upstream or the downstream part of the business. Port scanning software that helps find computers used for card processing exists and can easily be obtained. Small retail operations are not too worried about securing these computers, or the card data on them, hence the list of Seleznev's alleged victims: Schlotzky's Deli in Coeur d'Alene, Idaho; Mary's Pizza Shack in Sonoma, California; City News Stand in Evanston and Chicago, Illinois; and, quaintly, the Phoenix Zoo.
These are not the huge computer systems of supermarket chains and major department stores. Breaking into those, like in the recent Target incident, does require some hacking powess (plus some ineptitiude on the part of corporate information technology departments). Hitting a small shop or restaurant is easy as pie, and almost anyone can do that. Because people blithely use their credit cards in such establishments, the pickings can be disproportionately good. The Seleznev indictment alleges he and his associates made $2 million from their illicit activity in less than four months in late 2010 and early 2011.
Because of Seleznev's father's status in Moscow, the case will now gain the status of an international incident. Seleznev Sr. is a man of means, having run a gold company in the Russian Far East before embarking on his political career, and expensive lawyers will almost certainly be deployed to convince a jury that Seleznev Jr. did not need the money and was unsuited to the technical tasks he allegedly performed.
He did, however, have plenty of time on his hands -- he did not have a job because of his disability -- and some basic computer skills that Seleznev Sr. says he was taught during his rehabilitation. That would have been enough.
Using credit cards online, especially with major retailers such as Amazon or Apple, is actually safer these days than trusting small retailers with your plastic. A carder like the indictment's Track2 or smaus -- nicknames the Seattle prosecutors atrribute to Seleznyov -- could be lurking within the pizza shop's main computer even now. Old-fashioned cash is the best way to pay in such establishments, unless you want your card number to turn into an exhibit in an exciting trial involving people apprehended at exotic locations.
This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.
To contact the author on this story:
Leonid Bershidsky at firstname.lastname@example.org
To contact the editor on this story:
Frank Wilkinson at email@example.com