Stop cybercrime, protect privacy, save world

Chris Monteiro
- Cybercrime, dark web and internet security researcher
- Systems administrator
- Pirate / Digital rights activist
- Futurist

Blog: pirate.london
Wikipedia:
- https://en.wikipedia.org/wiki/User:Deku-shrub
- https://en.wikipedia.org/wiki/Darknet_market
- https://en.wikipedia.org/wiki/Carding_(fraud)

Disclaimer!

Today we will cover:
- Clueless politicians
- Unfaithful Wombles
- Drugs
- History of Carding
- Actual solutions to financial fraud

Things we will not be solving today
- When will computers be secure?

What do you do following your data being stolen?
- Change passwords
- Cancel credit cards
- Argue with bank
- Move house
- Reissue birth certificate
- Burn off fingerprints
- Facial surgery
- Burn credit agencies to the ground
- Join hippy commune / post WW3 dystopia

AM UK
Map here (redacted)
SW18

Problems stopping financially motivated cybercrime
- Larger fines for breaches? Longer development, slows technical innovation
- Better security experts? Expensive, lack of talent
- Bug bounties? A possible step in the right direction, mostly for larger players only

Unofficial bug bounties - hack the site win a prize

Government responses

History of Carding

Structure
- Forums and Markets

Hacking ecosystem
- Online Merchant
- Desktop malware
- POS system
- ATM skimmers
- In person or receipt skimming, social engineering
- Hackers
- Resellers
- Checker services
- Offline fraudsters

Cash-out

Digital currency laundering
- Buy game currency with stolen cards, minimal verifications
- Trade or lose money to another account or accomplice
- Accomplice sells game currency directly or via 3rd party brokers

Reshipping laundering
- Purchase expensive consumer goods via websites with below-average payment verification with stolen details
- Ships to drop houses
- List goods on eBay
- Sell on eBay for clean profits
- Ship to end customers
- Ship to 3rd party mules
- Use shady reshipping service

In-store cashing
- Print cards with stolen magstripe data (not chip & pin)
- Have cashers buy luxury goods in-store
- Sell goods on eBay

Gift and loyalty card fraud
- Physically steal goods
- Purchase goods with stolen details
- Return to store without receipt and get gift card credit or store points
- Sell gift cards online or offline

Pizza & accounts

Card validation
- Address data required by the banks for payment verification
- IP address
- Country
- Browser
- Cookies
- Recent purchase history
- Unexpected quantity
- Unexpected currency
- Name match
- Address match

Sorry your payment has been declined

Fraudsters know how to circumvent all of these checks

But we use a payment processor so we're secure!
- Merchant
- Payment processor
- phish
- mitm
- hack
- subvert

Solution!
- Virtual visa & one time payment options

Merchant, Bank
- Unexpected charges
- Eventual refunds
- Eventual loss of merchant account

Merchant, Bank
- Unexpected charges/payment declined
- Swift refunds
- #shame company on social media
- Small claims damages
- Inform consumer watchdogs
- Clean up infected local computer
- Swift action on merchant account
- Swift action on site breaches

Which site is worth attacking now?

Benefits
- Increased trust in small businesses for payments
- Better merchant accountability for banks
- Better breach and security accountability for merchants
- Better user accountability for infections / phishing
- Cybercriminals have almost nothing worth stealing :(

Use in other sectors:
- Delivery/Postal companies could offer limited use shipping addresses
- providers could offer integrated limited use addresses
- Telcos could offer limited use phone numbers

Moving forward
- Regulatory or deregulatory incentives via legislative changes

Future commerce
- Never give out non-accountable information like credit card details or addresses
- Never give out personal information

End!