6 Nov 2014

Thousands at risk from credit card fraud website

Thousands of British bank customers are at risk of fraud thanks to a website which offers a “one-stop shop” for anyone to buy credit card details stolen by hackers.

Rescator.cc offers an eBay-style service for hacked financial data. In just half a dozen clicks anyone can purchase a stolen card for as little as £8.

Channel 4 News has been in touch with the site’s owners, who not only defended its activities but claimed that the fraudsters who use it are “virtually untraceable”.

In anonymous instant messages the site’s owner told us: “Pay using anonymous payment…. buy dumps [hacker slang for credit card data] from around the world and use it. This is virtually untraceable. We’ve got thousands of feedback on various forums (sic). We don’t need to prove anything to anyone.”

Rescator is not hidden in the “dark web” but is openly accessible and is easier to use than many online shops. Visitors simply specify their chosen country, pick a card type from among Visa, Mastercard and American Express, and then choose a bank.

Channel 4 News found thousands of cards from every one of the UK’s major high street banks on the site, including HSBC, Barclays, Royal Bank of Scotland and Lloyds.

It costs around £8 for a standard card, and around £12 for a gold card. Once added to a user’s basket, the cards are paid for using bitcoin, a virtually currency famed for its ability to hide the identity of purchasers.

‘Vulnerable’

We managed to track down just one of the site’s thousands of British customers.

Joanne Smith had no idea her card had been compromised until we told her, and neither did her bank. She has now cancelled it.

She said: “It’s actually not a card I use often, that’s why I was quite taken aback by it. As soon as I saw it was this card I was really shocked. It doesn’t make you feel very secure that someone knew my name out there, someone had my card details. It makes you feel very vulnerable.”

Read more: Geoff White on technology blog

Purchasers are given the cardholder’s name, card number and expiry date. The file does not include the three-digit CVV number from the back of the card, but it is not needed for many websites, including the world’s largest online retailer, Amazon.

Amazon not only fails to ask for the CVV number, but will deliver purchases to a corner shop or one of its network of lockers, meaning that credit card fraudsters do not need the cardholder’s address.

In a test purchase Channel 4 News used a legitimate card number, name and expiry date, but gave a random address for the invoice. The goods were delivered to an Amazon locker in central London where we collected them, no questions asked.

Amazon told Channel 4 News: “We are very serious about protecting customers and use a range of different methods to detect and prevent fraud. For obvious reasons, however, we don’t comment on those methods.”

Website screenshot

Photo: screenshot of website rescator.cc

Cybercrime experts fear sites like Rescator provide an online version of the traditional “fence” who traded in stolen goods.

Charlie McMurdie, who ran the Metropolitan Police’s Central eCrime Unit and is now a cybercrime adviser to PwC, said: “Hackers steal data from retail sectors, financial sectors, wherever they can lay their hands on big volumes of data.

“People want to use credit card information to commit fraud. These sites are the conduit that enables the two ends to come together.”

Rescator’s .cc internet address means it is registered in the Cocos Keeling Islands, a tiny archipelago in the Indian Ocean. The company responsible for overseeing .cc internet addresses is the US technology giant Verisign, which not only oversees .com and .net websites but also offers tech security services.

Channel 4 News contacted the company with our evidence, requesting that the site be suspended. Verisign said it “takes all reports very seriously and responds to lawful court orders from courts of competent jurisdiction. We respond within our technical capabilities.”