1. Stop cybercrime, protect privacy, save world

2. Chris Monteiro Cybercrime, dark web and internet security researcher Systems administrator Pirate / Digital rights activist Futurist

3. Blog: pirate.london Twitter: @Deku_shrub Wikipedia: https://en.wikipedia.org/wiki/User:Deku-shrub https://en.wikipedia.org/wiki/Darknet_market https://en.wikipedia.org/wiki/Carding_(fraud)

4. Disclaimer!

5. Today we will cover: ●Clueless politicians ●Unfaithful Wombles ●Drugs ●History of Carding ●Actual solutions to financial fraud

6. Things we will not be solving today

7. When will computers be secure?

8. What do you do following your data being stolen? ●Change passwords ●Cancel credit cards ●Argue with bank ●Move house ●Reissue birth certificate ●Burn off fingerprints ●Facial surgery ●Burn credit agencies to the ground ●Join hippy commune / post WW3 dystopia

11. AM UK Map here (redacted)

12. SW18

13. Problems stopping financially motivated cybercrime ●Larger fines for breaches? Longer development, slows technical innovation ●Better security experts? Expensive, lack of talent ●Bug bounties? A possible step in the right direction, mostly for larger players only ●Unofficial bug bounties - hack the site win a prize

14. Government responses

15. History of Carding

16. Structure

17. Forums and Markets Online Merchant Desktop malware POS system ATM skimmers In person or receipt skimming, social engineering Hackers Resellers Checker services Offline fraudsters Hacking ecosystem

21. Cash-out

22. Buy game currency with stolen cards, minimal verifications Trade or ‘lose’ money to another account or accomplice Accomplice sells game currency directly or via 3rd party brokers Digital currency laundering

23. Purchase expensive consumer goods via websites will below- average payment verification with stolen details Ships to drop houses List goods on eBay Sell on eBay for ‘clean’ profits Ship to end customers Ship to 3rd party mules Use shady reshipping service Reshipping laundering

24. Print cards with stolen magstripe data (not chip & pin) Have ‘cashers’ buy luxury goods in-store Sell goods on ebay In-store cashing

25. Physically steal goods Purchase goods with stolen details Return to store without receipt and get gift card credit or store points Sell gift cards online or offline Gift and loyalty card fraud

26. Pizza & accounts

27. Card validation Address data required by the banks for payment verification ●IP address ●Country ●Browser ●Cookies ●Recent purchase history ●Unexpected quantity ●Unexpected currency ●Name match ●Address match “Sorry your payment has been declined” Fraudsters know how to circumvent all of these checks

28. Merchant Payment processor phish mitm hacksubvert But we use a payment processor so we’re secure!

29. Solution!

30. Virtual visa & one time payment options

32. Merchant Bank Unexpected charges Eventual refunds Eventual loss of merchant account

33. Merchant Bank Unexpected charges/payment declined Swift refunds #shame company on social media Small claims damages Inform consumer watchdogs Clean up infected local computer Swift action on merchant account Swift action on site breaches

34. Which site is worth attacking now?

35. Benefits Increased trust in small businesses for payments Better merchant accountability for banks Better breach and security accountability for merchants Better user accountability for infections / phishing Cybercriminals have almost nothing worth stealing :(

36. Use in other sectors: Delivery/Postal companies could offer limited use shipping addresses Email providers could offer integrated limited use email addresses Telcos could offer limited use phone numbers

37. Moving forward Regulatory or deregulatory incentives via legislative changes

38. Future commerce Never give out ‘non-accountable’ information like credit card details or email addresses Never give out personal information

39. End!