Stop cybercrime, protect privacy, save world
Chris Monteiro
Cybercrime, dark web and internet security researcher
Systems administrator
Pirate / Digital rights activist
Futurist
Blog: pirate.london Wikipedia:
Disclaimer!
Today we will cover:
● Clueless politicians
● Unfaithful Wombles
● Drugs
● History of Carding
● Actual solutions to financial fraud
Things we will not be solving today
When will computers be secure?
What do you do following your data being stolen?
● Change passwords
● Cancel credit cards
● Argue with bank
● Move house
● Reissue birth certificate
● Burn off fingerprints
● Facial surgery
● Burn credit agencies to the ground
● Join hippy commune / post-WW3 dystopia
AM UK Map here (redacted)
Problems stopping financially motivated cybercrime
● Larger fines for breaches? Longer development, slows technical innovation
● Better security experts? Expensive, lack of talent
● Bug bounties? A possible step in the right direction, mostly for larger players only
● Unofficial bug bounties: hack the site, win a prize
Government responses
History of Carding
Structure
Hacking ecosystem (diagram): Forums and markets; Online merchant; Desktop malware; POS system; ATM skimmers; In-person or receipt skimming, social engineering; Hackers; Resellers; Checker services; Offline fraudsters
Cash-out
Digital currency laundering: Buy game currency with stolen cards (minimal verification); trade or ‘lose’ money to another account or accomplice; accomplice sells game currency directly or via 3rd-party brokers
Reshipping laundering: Purchase expensive consumer goods with stolen details via websites with below-average payment verification; ship to drop houses; list goods on eBay and sell for ‘clean’ profits; ship to end customers; ship to 3rd-party mules; use shady reshipping service
In-store cashing: Print cards with stolen magstripe data (not chip & PIN); have ‘cashers’ buy luxury goods in-store; sell goods on eBay
Gift and loyalty card fraud: Physically steal goods, or purchase goods with stolen details; return to store without receipt and get gift card credit or store points; sell gift cards online or offline
Pizza & accounts
Card validation
Address data required by the banks for payment verification:
● IP address
● Country
● Browser
● Cookies
● Recent purchase history
● Unexpected quantity
● Unexpected currency
● Name match
● Address match
“Sorry, your payment has been declined”
Fraudsters know how to circumvent all of these checks
Diagram: Merchant, Payment processor; attack paths labelled phish, MITM, hack, subvert
But we use a payment processor, so we’re secure!
Solution!
Virtual Visa & one-time payment options
Current flow (Merchant ↔ Bank): Unexpected charges; Eventual refunds; Eventual loss of merchant account
With one-time payment options (Merchant ↔ Bank): Unexpected charges / payment declined; Swift refunds; #shame company on social media; Small claims damages; Inform consumer watchdogs; Clean up infected local computer; Swift action on merchant account; Swift action on site breaches
Which site is worth attacking now?
Benefits
● Increased trust in small businesses for payments
● Better merchant accountability for banks
● Better breach and security accountability for merchants
● Better user accountability for infections / phishing
● Cybercriminals have almost nothing worth stealing :(
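The one-time payment idea from the previous slides, as an added example that is not part of the original talk: a toy issuer that hands out a card token bound to one merchant, one amount ceiling and one use, and declines everything else. Merchant names, limits and transactions are constructed for the demo.

```python
# Toy issuer-side model of single-use 'virtual' card numbers (added example,
# not from the original slides; names, limits and transactions are made up).
from dataclasses import dataclass, field
import secrets

@dataclass
class VirtualCard:
    token: str          # what the merchant stores instead of the real PAN
    merchant: str       # the one merchant this token is valid at
    max_amount: int     # ceiling in pence
    uses_left: int = 1  # single use by default

@dataclass
class Issuer:
    cards: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # feed for cardholder alerts

    def issue(self, merchant, max_amount, uses=1):
        token = secrets.token_hex(8)
        self.cards[token] = VirtualCard(token, merchant, max_amount, uses)
        return token

    def authorise(self, token, merchant, amount):
        """Return (approved, reason); every decline is logged, not dropped."""
        card = self.cards.get(token)
        if card is None:
            reason = "unknown token"
        elif card.merchant != merchant:
            reason = "merchant mismatch"   # token lifted from a breach, used elsewhere
        elif amount > card.max_amount:
            reason = "amount over limit"
        elif card.uses_left <= 0:
            reason = "token already spent"
        else:
            card.uses_left -= 1
            self.log.append((token, merchant, amount, "approved"))
            return True, "approved"
        self.log.append((token, merchant, amount, reason))
        return False, reason

def demo():
    """One genuine purchase, then two reuses of the same token that must fail."""
    issuer = Issuer()
    tok = issuer.issue("shop.example", max_amount=4999)
    return [
        issuer.authorise(tok, "shop.example", 4999)[1],  # genuine purchase
        issuer.authorise(tok, "shop.example", 4999)[1],  # same shop, replayed
        issuer.authorise(tok, "other.example", 100)[1],  # different merchant
    ]
```

A breached merchant database full of such tokens gives a carder nothing usable, and every failed reuse lands in the issuer log where the cardholder can be told about it.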
Use in other sectors:
● Delivery/postal companies could offer limited-use shipping addresses
● providers could offer integrated limited-use addresses
● Telcos could offer limited-use phone numbers
Moving forward: Regulatory or deregulatory incentives via legislative changes
Future commerce
● Never give out ‘non-accountable’ information like credit card details or addresses
● Never give out personal information
End!