Card Fraud Scheme Netted $23 MillionGuilty Plea in Operation that Impacted 114,000 Cards
A Florida man has pleaded guilty for his role in a credit card fraud scheme that involved 114,000 credit card accounts and resulted in fraud losses of more than $23 million. Yet, fraud analysts say pinpointing the sources of the compromised payment cards could be difficult.
Miguel Gonzalez of Miami was charged with one count of conspiracy to commit wire fraud, according to the U.S. Attorney's Office for the District of New Jersey. The charge carries a maximum penalty of 30 years in prison and a $1 million fine. Sentencing is scheduled for Nov. 21.
What's most worrisome about the case is how run-of-the-mill it is, says Al Pascual, a fraud and security analyst at javelin Strategy and Research. "And that's the scariest part," he explains. "It provokes the question of just how many folks might be out there who are doing the very same thing."
Between January 2010 and July 2013, Gonzalez allegedly purchased the stolen credit card information from various online carding sites, authorities say (see: Taking Down the Underground Economy). The stolen data was transmitted over the Internet using e-mail and instant messaging software.
The online carding sites obtained the stolen data through network intrusions into various corporate victims, including major retailers in the state of New Jersey, authorities say. A spokesperson for the attorney's office was not able to comment on the names of the retailers that were impacted in this scheme.
Gonzalez and other co-conspirators allegedly used the stolen credit card information to create counterfeit cards, which they then used to conduct fraudulent transactions, authorities say. The credit card issuers associated with the impacted accounts suffered a combined loss of more than $23 million. Gonzalez allegedly used the illegal proceeds to purchase multiple homes, expensive jewelry and a speedboat.
Analyzing the Scheme
Because the stolen cards were purchased via an underground card forum, figuring out which organizations were initially breached is very difficult, says Julie Conroy, a fraud analyst at Aite Group. "In most cases, these underweb forums serve as an aggregation point for data breached through a variety of different sources," she says. "It's unlikely you could pinpoint the stolen data used by the defendant to any one breach, especially given the long timeframe involved."
The information being sold on the forums was most likely packaged in a list that includes the location of where the cards were compromised, since a certain amount of the data purchased was linked to New Jersey cards, Pascual says. "Card dumps and packs listed on these sites now often include the location where the cards were compromised in their names, so that fraudsters can identify where they will be most effective, as many issuers have controls that limit the use of cards outside of a specific geographic location."