This chapter provides a single person case study of Mr. Dan DeFilippi who was arrested for credit card fraud by the US Secret Service in December 2004. The chapter delves into the psychology of a cybercriminal and the inner workings of credit card fraud. A background context of credit card fraud is presented to frame the primary interview. A section on the identification of issues and controversies with respect to carding is then given. Finally, recommendations are made by the convicted cybercriminal turned key informant on how to decrease the rising incidence of cybercrime. A major finding is that credit card fraud is all too easy to enact and merchants need to conduct better staff training to catch fraudsters early. With increases in global online purchasing, international carding networks are proliferating, making it difficult for law enforcement agencies to be “policing” unauthorized transactions. Big data may well have a role to play in analyzing behaviors that expose cybercrime.
TopBackground
Dan DeFilippi was a black hat hacker in his teens and early twenties. In college he sold fake IDs, and later committed various scams, including phishing, credit card fraud, and identity theft. He was caught in December 2004. In order to avoid a significant jail sentence, DeFilippi decided to become an informant and work for the secret service for two years, providing training and consulting and helping them understand how hackers and fraudsters think. This chapter has been written through his eyes, his practices and learnings. Cybercriminals do not necessarily have to be perfect at counterfeiting, but they do have to be superior social engineers not to get caught. While most of the cybercrime now occurs remotely over the Internet, DeFilippi exploited the human factor. A lot of the time, he would walk into a large electronics department store with a fake credit card, buy high-end items like laptops, and then proceed to sell them online for a reduced price. He could make thousands of dollars like this in a single week.
In credit card fraud, the expected payout is so much higher than traditional crimes and the risk of being caught is often much lower making it a crime of choice. Banks often write off fraud with little or no investigation until it reaches value thresholds. It is considered a cost of doing business and additional investigation is considered to cost more than it is worth. Banks in Australia, for instance, used to charge about $250 to investigate an illegal transaction, usually passing the cost onto the customer before 2002. Today they usually do not spend effort on investigating such low-value transactions but rather redirect attention on how to uphold their brand. Since about the mid-2000s, banks also have openly shared more security breaches with one another which have acted to aid law enforcement task forces to respond in a timely manner to aid in investigating cybercrime. Yet, local law enforcement continues to struggle with the investigation of electronic fraud due to lack of resources, education, or jurisdictional issues. Fraud cases may span across multiple countries requiring complex cooperation and coordination between law enforcement agencies. A criminal may buy stolen credit cards from someone living on another continent, use them to purchase goods online in state 1, have the goods shipped to state 2 while living in state 3, with the card stolen from someone in state 4.