MOSCOW – As Russia has long been dubbed a hub of tech fraud, credit-card holders have been justifiably wary about using their plastic there. Travelers have been warned that after charging a dinner to their card in Russia, that number could be copied and used even after the owner left the country.
The advice on avoiding fraud in the former Soviet Union includes only using credit cards in reputable locations and monitoring their balances.
However, even good advice may fail. For example, a resident expat said he did monitor his balance and used his debit card only at ATMs inside Moscow banks’ offices, but still found his checking account cleaned out at Moscow ATMs when he was out of Russia.
Apart from anecdotal evidence, there are some solid reasons for switching to a paranoid “cash only” existence. Notably, an unknown number of PIN codes giving access to credit- and debit-card accounts were stolen in mid-1999 after a security breach at a Moscow card-processing center. Subsequently, many cardholders had their checking accounts cleaned out, in a rare example of a massive PIN theft.
These days, however, Russian banking officials argue that it is now safe to use plastic in Russia, as better antifraud mechanisms are being put into place. Natalia Dokuchayeva, spokeswoman of Alfa-Bank, Russia’s largest private bank, said that Alfa-Bank’s ATMs and transactions are fully safe.
“Within the past year or so, Alfa-Bank has not experienced any ATM security problems at all,” she said.
Major processing companies typically decline to reveal figures on how much money is lost to fraud in Russia, citing security concerns. Estimates of fraud amounts vary from 1 cent for every $100 up to 1 percent of all card transactions in Russia.
According to the Internet Fraud Complaint Center’s 2001 Internet Fraud Report, Russia is at the bottom of a list of the top 10 countries for Internet fraud perpetrators, with only 0.2 percent of the identified perpetrators.
However, the endemic character of Russia’s identity theft can be clearly seen right in downtown Moscow, including Tverskaya and Mokhovaya streets. Rows of compact discs are laid out on tables within shouting distance of the Kremlin.
These discs are full of expensive pirated programs and stolen databases. The data include personal addresses, phone numbers and police car-registry databases, indicating how easily personal information is being stolen and traded in Russia. All of it is technically illegal, yet the databases are on sale for 150 rubles, or about $5, a disc.
Hackers’ software, including “carding generators” designed to generate and authenticate credit card numbers, is also available on vendors’ tables. This software can also be downloaded for free.
After a bit of talk with vendors, one can be offered stolen card numbers at 1,500 rubles ($50) for 100. However, in the crocodile world of identity theft, these vendors often cheat buyers, as the credit card numbers could be expired or invalid. Other less daring vendors comment that most of the databases sold in downtown Moscow are obsolete or incomplete, hence they have little value.
Stolen credit-card numbers are also available online. Last May, The New York Times reported that stolen credit-card numbers were on sale in membership-only cyberbazaars operated by people from the former Soviet Union. According to the report, credit-card and identity theft costs the global financial system $1 billion or more a year.
Russia’s computer crimes include hacking, stealing credit-card numbers and software piracy. It has been argued that the country’s hacker problem began during the Soviet era, when the authorities encouraged people to copy Western software. As a result, a computer culture emerged in which many otherwise honest people think that copying software is no big deal.
The Russian authorities have long pledged to combat cybercrime. Russian police recently detained a “Spider Group,” including four suspected hackers, ages 18 to 24. They were accused of stealing credit-card numbers and pocketing more than $100,000. The group reportedly was busted when hackers tried to use numbers from cards belonging to a murdered woman, police said.
Russian police also launched an Internet project, designed to discourage potential and actual hackers. The website warns that Russian hackers could be prosecuted on charges stipulated by four articles of Russia’s Criminal Code, notably Article 272, “illegal access to computer information.”
However, the website’s content indicates that it has not been updated since 1998.
On the other hand, in an unprecedented development, Russian authorities moved to protect secrets of the country’s hackers. Igor Tkach, an officer in the Chelyabinsk unit of the Federal Security Service, has opened a criminal case against FBI special agent Michael Schuler, the official RIA news agency reported Friday, citing the FSB press service in Moscow.
Schuler is accused of “illegally accessing” Russian Web servers to gather evidence against two computer hackers from Chelyabinsk who were lured to Seattle in November 2000. Last April, the FSB (the KGB’s main successor agency) asked the U.S. Justice Department to investigate Schuler’s actions, yet no response has been received so far, according to RIA.
Vasiliy Gorshkov, 26, and fellow hacker Alexey Ivanov, 20, were persuaded to travel to the United States as part of an FBI undercover operation. The hackers stole credit card information in the United States and used stolen card numbers to commit a massive fraud involving PayPal and eBay. Their programs created associated accounts at PayPal with random identities and stolen credit cards.
Additional computer programs allowed the conspirators to control and manipulate eBay auctions so that they could act as both seller and winning bidder in the same auction and then effectively pay themselves with stolen credit cards.
In November 2000, the FBI entered the computers in Russia where Gorshkov and Ivanov kept their data and downloaded their databases, including more than 56,000 stolen credit-card numbers. This is why the FBI’s Schuler is now being accused of illegally entering Russian computers.
Gorshkov was convicted by a jury in October 2001 and awaits sentencing in Seattle, facing up to 100 years in prison. Ivanov reportedly awaits trial in Connecticut, facing up to 90 years in jail.
Russian online retailers also tried to band together in an attempt to discourage cyberfraud. Earlier this year, the Petersburg Online portal and the Continent Internet retailer, both based in Russia’s second largest city, St. Petersburg, launched a joint project against online fraud. As a kind of counter-measure, they decided to publicize the identity of online fraudsters.
So far, the website mentioned only four persons who allegedly used someone else’s credit card data. Therefore, attempts by law enforcement agencies and the Internet community to combat cybercrime in Russia seem to produce few practical results.
In the meantime, post-Soviet scammers are weaving a net of plastic card fraud.