Stop cybercrime, protect privacy, save world

Chris Monteiro
Cybercrime, dark web and internet security researcher
Systems administrator
Pirate / Digital rights activist
Futurist
Blog: pirate.london
Twitter: @Deku_shrub
Wikipedia:
https://en.wikipedia.org/wiki/User:Deku-shrub
https://en.wikipedia.org/wiki/Darknet_market
https://en.wikipedia.org/wiki/Carding_(fraud)
Disclaimer!
Today we will cover:
● Clueless politicians
● Unfaithful Wombles
● Drugs
● History of Carding
● Actual solutions to financial fraud
Things we will not be solving today
When will computers be secure?
What do you do following your data being stolen?
● Change passwords
● Cancel credit cards
● Argue with bank
● Move house
● Reissue birth certificate
● Burn off fingerprints
● Facial surgery
● Burn credit agencies to the ground
● Join hippy commune / post WW3 dystopia
AM UK Map here (redacted)
SW18
Problems stopping financially motivated cybercrime
● Larger fines for breaches? Longer development, slows technical innovation
● Better security experts? Expensive, lack of talent
● Bug bounties? A possible step in the right direction, mostly for larger players only
● Unofficial bug bounties - hack the site win a prize
Government responses
History of Carding
Structure
● Hacking ecosystem
● Online
● Merchant
● Checker services
● Desktop malware
● POS system
● Hackers
● Forums and Markets
● Resellers
● ATM skimmers
● In person or receipt skimming, social engineering
● Offline fraudsters
● Cash-out
Digital currency laundering
● Buy game currency with stolen cards, minimal verifications
● Trade or ‘lose’ money to another account or accomplice
● Accomplice sells game currency directly or via 3rd party brokers
Reshipping laundering
● Purchase expensive consumer goods via websites with below-average payment verification with stolen details
● Use shady reshipping service
● Ship to 3rd party mules
● Ships to drop houses
● List goods on eBay
● Sell on eBay for ‘clean’ profits
● Ship to end customers
In-store cashing
● Print cards with stolen magstripe data (not chip & pin)
● Have ‘cashers’ buy luxury goods in-store
● Sell goods on eBay
Gift and loyalty card fraud
● Physically steal goods
● Return to store without receipt and get gift card credit or store points
● Purchase goods with stolen details
● Sell gift cards online or offline
Pizza & accounts
Card validation
Address data required by the banks for payment verification
● IP address
● Country
● Browser
● Cookies
● Recent purchase history
● Unexpected quantity
● Unexpected currency
● Name match
But we use a payment processor so we’re secure!
● Merchant
● MITM
● hack
● subvert
● phish
● Payment processor
Solution!
Virtual visa & one time payment options
● Merchant (×5)
● Unexpected charges
● Bank
● Eventual refunds
● Eventual loss of merchant account

● Merchant (×5)
● Clean up infected local computer
● Unexpected charges/payment declined
● Bank
● Swift refunds
● Swift action on merchant account
● Swift action on site breaches
● #shame company on social media
● Small claims damages
● Inform consumer watchdogs
Which site is worth attacking now?
Benefits
Increased trust in small businesses for payments
Better merchant accountability for banks
Better breach and security accountability for merchants
Better user accountability for infections / phishing
Cybercriminals have almost nothing worth stealing :(
Use in other sectors:
Delivery/Postal companies could offer limited use shipping addresses
Email providers could offer integrated limited use email addresses
Telcos could offer limited use phone numbers
Moving forward
Regulatory or deregulatory incentives via legislative changes
Future commerce
Never give out ‘non-accountable’ information like credit card details or email addresses
Never give out personal information
End!