To find the online megamall for stolen credit cards, I have to go to Pittsburgh.
That's where Keith Mularski works. He's a cybercrime agent with the FBI, and he's going to show me how to buy thousands of stolen credit card numbers.
Mularski pulls up a login screen on his browser.
To even be able to see this site — to register and get a password here — Mularski had to use an an alias to persuade two criminals already on the inside to vouch for his criminality. (For more on Mularski, see our post "The FBI Agent Who Became A Black Market Mogul.")
It's sort of the exact opposite of getting two references when you're applying for a job; rather than vouching for you as an upstanding, law-abiding citizen, you're getting people to attest to your deviousness.
Not a problem for us. We're in.
It's the photo-negative version of sites that you've been to like Craigslist or eBay. The background is literally black instead of white. Vendors have banner ads across the top, advertising illegal things like hacking and phishing tutorials.
Mularski explains how the site works:
In order to sell products on the site, you need to be reviewed. So if I was going to sell credit cards, what I would have to do is provide a sample of 50 cards to each reviewer. Then they would test them out and then write a review back, and say, "XYZ provided me 50 cards and there was a good mix of classics and platinum and business cards and there was a 98 percent approval rating. So now I vouch for him to be a vendor on the site."
This is the central paradox of this marketplace. In order to get in, you have to be a verified credit card thief. But in order to do business, you have to show that you can deal honestly.
This one seller is rated A++, so we click on his name. That takes us to another shop, with a pop-up window. We have to agree with the terms and conditions — which explicitly bar both journalists and law enforcement officials.
Let's buy some credit cards!
Inside the shop, different credit cards sell for different prices — platinum cards are $35; corporate cards, $45. It's more expensive for cards with higher credit limits.
So you pick and choose a basket of numbers. Criminals usually buy these things in bulk, in case the credit cards get canceled. But a few of them should work.
Once the online deal is done, you get a list of credit card numbers. To turn the numbers into a piece of plastic you can actually use, you need some equipment.
Mularski jumps up and pulls open his desk drawer. He pulls out a piece of white plastic with a magnetic strip on it (it looks like a hotel key), and a machine that looks like a toaster for really skinny bagels.
The machine's called an MSR-206. You hook it up to your computer, and swipe your plastic card through it. It encodes the credit card information onto the magnetic strip — like burning a playlist onto a CD.
Next you run the white plastic card through another machine to get the raised lettering and the holograms that make it look legit.
Then you hit the malls and go shopping.
One swipe and a couple of purchases later, some chick gets a call from her bank saying there's been a fraudulent charge on her card.
So many hands on that card number, and the card itself never left her wallet.