Russia would like to turn the case of Roman Seleznov, arrested in the Maldives by U.S. authorities on charges of computer hacking, into an international incident, an example of America's propensity to act as if it has jurisdiction over the whole world. The real significance for most people, though, is more prosaic: Beware of using your credit card in mom-and-pop stores.
A grand jury in Seattle believes Seleznev is a carder -- a subspecies of hacker specializing in the theft of credit card data. His father, ultranationalist lawmaker Valery Seleznev, says this isn't possible given the severe head injuries his son sustained in a 2011 terrorist attack in Marrakech, Morocco. "He was in a coma for eight days, he has a metal plate in place of half of his skull," the legislator told Moscow tabloid MK. Carding, however, is not rocket science. Most of the required tools are readily available.
The 2011 indictment says Seleznev and other carders working with him (some are mentioned in more recent court documents) would plant malicious software in the backroom computers of U.S. retail outlets and restaurants, then wait to record enough credit card numbers so the "dump" (batch of numbers) could be sold through specialized carder sites. Seleznev allegedly administered some of the sites, such as bulba.cc and track2.name. Both sites appear to be still active. I registered on bulba.cc and found that it required $1,000 in bitcoins to view the goods:
The bulba.cc system is common to carding sites, though the fee is on the high side. Once you pay up, you're offered "dumps" with various estimated validity rates, depending on how fresh they are. If you're in the downstream part of the carding business, you acquire the numbers for about $10 to $15 each, then use an embosser and a hot stamping machine to create fake cards that you send a courier to use in a store, preferably to buy electronics or other items that will be easy to resell.
No particular hacking skills are required for the upstream or the downstream part of the carding business. Specialized scanning software that helps find computers used for card processing can easily be obtained.The list of Seleznev's alleged victims -- Schlotzky's Deli in Coeur d'Alene, Idaho; Mary's Pizza Shack in Sonoma, California; City News Stand in Evanston and Chicago, Illinois; the Phoenix Zoo -- suggests that small retail operations are not too worried about securing these computers or the card data on them.
Breaking into the huge computer systems of supermarket chains and major department stores, like in the recent Target incident, does require some hacking prowess (plus some ineptitude on the part of corporate information technology departments). Hitting a small shop or restaurant is easy, and almost anyone can do it. Because people blithely use their credit cards in such establishments, the pickings can be disproportionately good. The Seleznev indictment alleges he and his associates made $2 million from their illicit activity in less than four months in late 2010 and early 2011.
The elder Seleznev has ample status and resources to turn his son's arrest into an international scandal. He ran a gold company in the Russian Far East before embarking on his political career. Expensive lawyers will almost certainly be deployed to convince a jury that Seleznev Jr. did not need the money and was unsuited to the technical tasks he allegedly performed.
The younger Seleznev did, however, have plenty of time on his hands -- he did not have a job because of his disability -- and some basic computer skills that Seleznev Sr. says he learned during his rehabilitation. That would have been enough.
Using credit cards online, especially with major retailers such as Amazon or Apple, is actually safer these days than trusting small retailers with your plastic. A carder like the indictment's Track2 or smaus -- nicknames the Seattle prosecutors attribute to Seleznev -- could be lurking within a pizza shop's main computer even now. Old-fashioned cash is the best way to pay in such establishments, unless you want your card number to turn into an exhibit in an exciting trial involving people apprehended in exotic locations.
To contact the writer of this article: Leonid Bershidsky at firstname.lastname@example.org.
To contact the editor responsible for this article: Mark Whitehouse at email@example.com.