In the past 72 hours I’ve learned quite a bit about the market for stolen credit cards. It’s a surprisingly mature market. There are multiple parties and service providers with something akin to modular integration. Volumes are large enough that textbook economics prevails. The only gotcha, of course, is that it’s completely illegal.

A standard supply chain might look like this: thieves from around the world steal a handful of credit card numbers using a wide variety of techniques, social or technological. These numbers are sold in small batches, at pennies per card, because most of the stolen cards won’t prove to be usable. Industrious market participants called validators purchase these inexpensive tranches, aggregate them into larger blocks, and then attempt to determine which cards are actually usable. Usable cards are resold at huge margins to upmarket purchasers. Typically, these “usable” blocks come with predictions of how much total credit the cards represent, and of how long the cards are likely to be usable before banks shut them down. Upmarket purchasers run the gamut from the stupidly unscrupulous to the organized and dangerously criminal.

The web plays a role in all parts of the supply chain, but it’s the middle step — bulk validation — where innocent third parties (like, for example, my own company) get involved. The simplest way to validate a stolen card is to make a small purchase and see if it goes through. The lowest-risk way to validate a card is to be somewhere else during the transaction. And, of course, it helps to be able to test a lot of cards at once. As a result, many validators have turned to the web, where credit card entry forms are plentiful and often easily scriptable.

Despite its sophistication, the scam run against my own site in the past 72 hours is apparently relatively typical. A large botnet is tasked with scripting the creation of new accounts on a forgiving web site. As they become available, stolen cards are fed to the botnet for testing. The moment a card is validated it is added to a tranche for immediate sale; time is of the essence, as stolen credit cards rarely stay valuable for long. In my case, the botnet in question appears to be massive, world-wide, and comprised of older Windows machines. My site requires email validation; as near as I can tell, the email addresses being used for fraudulent transactions are also stolen: they are not sequential and span an enormous number of domains.

It’s worth commenting on the modularity of the market. Thieves, validators, resellers, coders, malware authors, and botnet owners all have a part to play. My understanding is that, these days, the parties are typically separate entities. For example, validators who want to test stolen credit cards purchase bogus email credentials from one party, task a second party with scripting the desired target site, and rent time on “reputable” botnets to unleash their attacks. In a word, it’s amazing.

Equally amazing is the speed with which my (relatively unknown) site was targeted. Our iOS app launched last Friday afternoon; by late Sunday night, we started seeing a trickle of fraudulent charges. We didn’t catch them, unfortunately, until nearly a full day later.

How does one detect and manage such fraud? I started learning about, and implementing, some best practices on Monday. I’ll wrap up that work and share what I’ve learned in my next post!