Card Hacker Gets Nearly 10 YearsTook Part in Carder.su Online Hacker Forum
A Georgia man has been sentenced to nearly 10 years in prison, and ordered to pay $51 million in restitution, for his role in an Internet-based scheme that trafficked in hacked payment card data.
See Also: Taking Advantage of EMV 3DS
Cameron Harrison of Augusta, Ga., pleaded guilty in April to participating in a racketeer-influenced and corrupt organization, conspiracy to engage in a racketeer-influenced and corrupt organization and trafficking in and production of false identification documents.
The stiff penalty in the case sends a strong message about the serious nature of identity theft, says Scot Ganow, an attorney at the law firm Faruki Ireland and Cox PLL who specializes in privacy and security law. "As the news cycle runs through seemingly endless data breach and identity theft scandals, it is easy to forget that lives are being impacted by each and every attempt to steal an identity," he says.
But more of these types of sentences are needed to make a major impact on cybercrime, says Shirley Inscoe, an analyst at the consultancy Aite Group. "To date, cybercrime has been a very high-reward, low-risk business, resulting in millions in profits for the criminals," she says.
Harrison, who went by the alias "Kilobit," became associated with Carder.su, an Internet-based, international crime enterprise, in June 2008, according to the Justice Department. Carder.su members trafficked in compromised credit card account data and counterfeit identifications and committed money laundering, narcotics trafficking and computer crimes, prosecutors allege.
Harrison admitted that the group tried to protect its anonymity and security by communicating through various secure and encrypted forums, such as chatrooms, private messaging systems, encrypted e-mail, proxies and encrypted virtual private networks. To gain membership into the group, two current members in good standing had to offer up a recommendation, authorities say.
In his guilty plea, Harrison admitted to purchasing compromised credit card account data and other personal identifying information from fellow Carder.su members. He also admitted to possessing more than 260 compromised credit and debit card numbers, which were recovered from his computer and e-mail accounts following his arrest.
Harrison was eventually caught when he purchased a counterfeit Georgia driver's license from an undercover special agent through the Carder.su network, prosecutors say. During his interactions with the agent, Harrison admitted to having been a vendor of counterfeit identifications, according to authorities.
In total, 55 individuals were charged in four separate indictments in what was known as Operation Open Market, which targeted the Carder.su organization. So far, 26 individuals have been convicted and the rest are either fugitives or are pending trial.
Curbing the Tide of Fraud?
It's too early to tell whether high-profile arrests and sentences will have an impact on curbing online fraud, says Ganow, the attorney. "Online crime is so attractive for the relative low cost - both financial and the likelihood of being caught," he says.
And more savvy online criminals often keep an arm's length from their crimes and are less likely to be caught up in law enforcement actions against carder forums and their members, says Neal O'Farrell, executive director at the Identity Theft Council. "There's just too much at stake for the criminals, many of whom enjoy state protection."
But by targeting the buyers of the stolen information on these online forums, authorities can work to remove the incentive for the data to be stolen in the first place, Ganow says. "If you eliminate the marketplace, you might be able to eliminate the crimes designed to serve that marketplace, at least ... in theory."
Another way to help reduce the amount of compromised data being sold online by criminals is by not storing so much personal data, O'Farrell says. "A big part of the privacy debate is around trust, and part of that trust focuses on the inability of big organizations to protect what they collect," he says. "So maybe they should stop collecting it; maybe that would take some fuel from the fire."
To make a dent in cybercrime, law enforcement must continue to pursue these type of cases and courts must impose tough penalties for the guilty, says Inscoe, the analyst. "These are not easy cases. ... They take many months and are expensive, so a commitment is necessary."