Karen Dearne | July 08, 2008
PERSONAL financial and identity information is being freely traded on blackmarket web portals as data trafficking emerges as a major organised crime activity worldwide.
Cyber-crooks are buying and selling bank account and credit card information
Detective Superintendent Brian Hay, operations commander of the Queensland Police fraud group, says the blackmarket web involves secure private networks on which criminals buy and sell illicit commodities and data such as bank accounts, credit card details and identity information.
Last week, a Bureau of Statistics survey showed that Australians lost nearly $1 billion as a result of personal fraud in 2007.
A large percentage of this involved fraud on debit and credit cards, but there were also big losses to online scams involving unsolicited offers, lottery wins, pyramid schemes and phishing.
In a recent joint operation with the US Secret Service, Queensland Police traced money trails leading to about 81 offenders in 21 countries, Det Supt Hay said.
"It's not easy to find them on the internet. You know where they are but that doesn't mean you know where they are operating from," he said.
"You can bounce communications through numerous proxy servers all over the world and make use of zombie computers.
"It's always better to follow the money, because eventually someone has to pick up the money."
AusCERT general manager Graham Ingram said criminals used sophisticated methods of vetting users on black market web portals. "You have to present your crime credentials and people will vet you," he said.
"If you don't trade, they'll ask who you are. If you do trade, you are ranked according to the value of your trading and over time you move through a hierarchy and people will vouch for you."
Mr Ingram said data trafficking was industrialised: "These are not hoodlums on street corners.
"It has even reached the point that you can escrow transactions between criminals, so you've got third parties providing services for criminals bartering online."
The big credit card companies - Visa, MasterCard and American Express - are demanding banks and merchants crack down on fraud by adopting the Payment Card Industry data security standard, and have begun fining companies that do not comply.
The PCI standard aims to protect card details by keeping hackers out of systems and networks, and by encrypting data so it cannot be used.
IBM internet security systems PCI delivery manager and FBI veteran Howard Glavin said criminals were stealing financial and personal information in bulk by targeting anywhere card data was held and then selling it on.
Cards stolen from the Hannaford grocery chain in the US were being used in Central Europe within 12 hours, he said.
"The criminal element is very capable. The guy who steals the data sells it to crime gangs, which make a big sweep with it, then they sell it down the line.
"The person who generally gets a forged card on the street is about the fourth or fifth person to have use of it."
Australasian Consumer Fraud Taskforce chair Louise Sylvan said the ABS survey results were startling. More than 800,000 people fell victim to at least one fraud in the previous 12 months, representing 5 per cent of the population aged 15 and older.
Of those, the ABS reports, 453,100 victims lost money, incurring a combined loss of $977 million.
Identity theft accounted for 499,500 victims, with 77 per cent reporting fraudulent transactions on their credit or bank cards, ranging from less than $100 to more than $10,000. The remaining 23 per cent suffered identity theft, involving unauthorised use of their driver's licence, tax file number or passport.
These people reported that forged documents had been used to open bank accounts or take out loans in their name.
Ms Sylvan said the taskforce had been surprised by the extent of the losses.
"These frauds are very professional now. It used to be misspelt stuff, but now they look really good and it's really hard sometimes for people to even understand that they've been scammed," she said.
"When people call us to say they've got a letter saying they've inherited money or won a lottery, they actually want to believe it.
"It can be extraordinarily difficult to stop them sending money, particularly if they have sent some already. You can get enormous abuse, as they think you are keeping them from collecting their winnings."
Det Supt Hay has previously warned that Australians are sending millions of dollars overseas each months victims of advance-fee and other frauds. Advance-fee frauds are better known as the Nigerian letters scam, but Det Supt Hay says such scams now come from all parts of the world.
Chris Hamilton, chief executive of the Australian Payments Clearing Association - which runs the Eftpos network - said he was puzzled by the ABS figure of $1billion.
According to its figures, fraud on locally issued cards reached $111.5 million last year.
"I would have assumed that nearly all instances of card fraud that come to the attention of the individual consumer would be reported to their financial institution," he said.
"That's why we think our fraud data is probably pretty good there wouldn't be a lot of under-reporting.
"We're dealing with data on someone ringing their bank and reported a transaction that's not theirs. Those reports are put through our system, and in most cases the customer will get their money back."