April 15 - Just how long does it take for stolen credit cards to find their way around the Internet, and the world? About 15 minutes. That's what fraud investigator Dan Clements found this weekend when he posted a Web page full of faked credit card data to track how quickly the information would make its way around the "carder culture." He then planted links to the Web site in a few Internet chat rooms. Within 15 minutes, 74 carders from 31 different countries arrived to peek at the data.
By the end of the weekend, 1,600 potential thieves had visited the page, hailing from some 75 countries, with Indonesia, the United States, and Romania topping the list.
"It's frightening how vulnerable we are, and how quickly this information gets around," said Avivah Litan, fraud analyst with Gartner Inc.
Clements, who operates antifraud site CardCops.com, plans to locate as many individual IP addresses as he can. He will then inform Internet service providers that their customers are likely participating in illegal activity.
He also plans to share his data with the FBI and U.S. Secret Service.
"We caught a lot of people in this net. Word is going [around] that ID process will take place. Just identifying half of them will be a deterrent," he said. "We want the carders to know we're coming."
The Web page Clements produced included fake data that mimicked the kind often left accidentally on the Internet by e-commerce merchants. He then had people he trusted call attention to the Web sites in chat rooms that are known havens for credit card thieves. Then he sat back and watched, logging the IP address of every computer which visited the Web site.
Tracking the physical location of IP addresses can be tricky business, but Clements used a company named Nami Media Inc. to trace back addresses to originating countries, and in some cases, cities. In this case, Nami Media acts as a reseller of tracking information provided by Digital Envoy.
Nami Media's CEO, Gary Mittman, said technological advancements and plain old hard work has refined such IP tracking to the point where it's reliable.
"It's a mix of a variety of things, including crawling back up the line with spiders. There's relationships with ISPs. And there's 10 guys whose full time job it is to update systems with global database information. They keep it as accurate as they can," Mittman said.
Clements' results are certainly consistent with the anecdotal impressions merchants have about credit card fraud hot spots, Litan says.
"I know they have strong crime rings in Indonesia and Romania," Litan said. "These two countries keep coming up when people talk about fraud."
About 600 surfers from Asia hit Clements' site, almost 400 from Indonesia. Another 500 hits came from Europe, with 133 from Romania, nearly 80 from Turkey and about 40 from Bulgaria. In North America, some 400 hits originated in the United States and 80 in Canada.
"What this shows is that these guys work at light speed, and if you're going to war with them, you can't move in weeks or months," Clements said.