What methods and targets are attractive to criminals?
Generally, professional criminals have similar goals to other business people. They wish to generate profit in a sustainable way while minimising risk. They also like to take advantage of opportunities that arise in the course of other business.
We have already seen that credit card details have a relatively low value, and this is reflected in both the low risks and low amounts of effort that criminals will take to acquire them.
The methods used by criminals to steal credit card details include the following:
1. In the course of another crime, a criminal acquires a small number of card details and decides to sell them online for extra profit.
2. Directly stealing credit card details that the criminal is authorised to handle. This may be purely opportunistic, e.g. when an employee realises that valuable card details are not protected, or may be the result of a careful plan to take such a job and defeat sophisticated prevention mechanisms.
3. Theft of credit card details through skimming: the use of information-gathering devices surreptitiously attached to point-of-sale terminals or ATMs.
4. Online phishing scams to obtain credit card details, where mass emails, or in some cases automated online messenger contacts, are used to trick users into divulging their credit card details.
All of these methods involve low risk and low effort per card. The first method begins after another crime has been committed, with the only additional risk being the actual online sale of the credit card details. The second, third and fourth methods all allow large numbers of card details to be stolen for a fixed amount of initial effort.
If you follow cybercrime in the news, you may be aware of a fifth method of stealing credit card details which may at first not seem to fit this pattern of low risk and low effort. Hackers exploit vulnerabilities in the computer systems of a large company and steal large amounts of customer credit card details.
Such attacks can involve a large amount of specialist knowledge, skill and effort, and the high-profile nature of the attacks, coupled with the resources of the targeted company, can make them higher risk.
Even these attacks can be seen to fit the pattern outlined above. A number of these attacks actually fit into method one. Hackers target the company for political reasons, for revenge, or because they want to steal other secrets, and then decide to sell (or in some cases publicly release) the credit card details as well. Additionally, the large number of credit card details that some companies hold can make the risk and effort per credit card attractive even when financial gain is the main motive.
© Newcastle University