The dark side of Credit card theft in Africa

Posted on April 10, 2016 12:22 am

Theft of credit cards details has been on the rise in African countries despite the card service providers offering a straightforward payment system guidelines on how to protect users from Internet criminals who have been getting more “sophisticated” for years, trying to run their business raking in profits at selling stolen data online.The bad guys of the cyber-underworld have been exhibiting other unexpected traits which include a remarkable patience and restraint in stalking their victims by setting up highly developed businesses in the shady world of the ‘dark net’ in Africa.There are ten million or so Africans who were victims of credit and debit card fraud in 2015 according to confidential study conducted by an security research company in partnership with credit and debit card providers in the continent.In brief, a credit card thief usually needs technical skills to acquire the credit card details. A stolen credit card is called a “dump”. But to turn dumps into hard cash, the thieves need high end skills and a well organised crime ring.Here, i will focus on Nigeria, Kenya and South Africa the three leading countries in credit and debit cards theft the continent.In these countries, Cybercriminals in Nairobi, Lagos, Johannesburg have set up highly developed and well-funded organisations just like a legitimate business.There are many people involved, with different kinds of expertise.Some write the malware that allows hacking into supposedly secure data banks, while others do the actual hacking. For example, in several incidents involving a multi national bank operating in Kenya, criminals bust their way into a big bank’s point-of-sale network, and stole the data while it’s still being processed before it got sent to the bank.That left the bank $2.7m poorer in a matter of seconds.

In South Africa, cases of online crooks were deadly as they collected and checked the validity of the stolen data and whether the local bank might have cancelled the cards.Others went ahead and posted the cards on so-called “dark” websites. South Africa has more than 290 such sites where you find the sellers, and the buyers, of the stolen card details, the dumps, Kenya has 107 and Nigeria leads with 698 as per my count ending March 31st 2016.After thieves, the next step involves card counterfeiters, and eventually, the end user of the stolen card. Just like legitimate businesses, there are several layers of authority, and a ready supply of workers who work round the clock.These businesses have very highly skilled team and technology resources that rival those of big legitimate organisations.In the “dark” websites available in Africa, anyone can buy credit cards, or, dumps in bulk, on the so-called dark web and most of the buyers get them via Tor website.The dark web is a crazy topsy turvy affair, back to front place where if you want to do business on the regular web, you need to prove that you are forthright. But when you go to a site that sells stolen credit cards, you have to prove the opposite which is basically that you are a swindler.In all websites, you have to sign in with a username and password. To get the two, crooks in Nigeria, Kenya and South Africa demands that new user has to convince two people who already have bought stolen credit cards or dumps, to email the website moderator to vouch for your criminality and say that frankly that you are a complete crook.I can only equate this ring to the line of getting two references when you apply for a job but backwards. In this case, you need two condemnatory references that would otherwise land you in penitentiary.Once you become an insider, it’s topsy turvy again where the background is black, instead of white in what we call in coder’s world ‘nice shady touch.’Just like legitimate online businesses, this illegal sites are rated by its customers and in this case study shows that most of them are from Nigeria, followed by South Africans and Kenyans. In one review, a user in Abuja, Nigeria wrote how he bought 1,600 cards, and that they were a good mix of the basic card, with some platinum cards thrown in.

In this ring, there’s one set of criminals who are the card customers doing crafty work of rating the honesty of another set of criminals who are the card sellers.In more than 80% of the websites, there’s a section for Frequently Asked Questions commonly known as FAQs.In one example, a buyer and seller exchange read like this; “Hey dude, do you ship stuff from China in bulk? Buyer replies; Yes. Then went ahead to ask whether if she becomes a repeat customer will get a discount? and seller replied Yes.” In most websites in South Africa, users have click on a box that you agree to the terms and conditions and that really you are a criminal, and that you are neither a spy, journo or any other sort of a law enforcement agent.In one website whose IP address was traced to Cape Town that sells cards had a regulations that if users used CAPS LOCK in what us coders call “shouting” on email, users would be suspended for a week. The fact is that users can buy and sell millions of dollars of stolen credit cards same way as selling drugs mules do with coke etc. But you cannot use ALL CAPS.Once you click ‘OK’, you’re officially an insider. And there they are thousands of credit card numbers with their three-digit security codes. In Kenya, where the government is cracking down on such crimes albeit with little success, online criminals don’t want to release too many dumps at once as they don’t want to drive the price down too far, because they know of the law of supply and demand.In Kenya and Nigeria, users pay for dumps with WebMoney which for ethical reasons I can’t explain how its converted from mobile money which is the most commonly used mode of payment in Kenya and Nigeria.In South Africa, when a bank card holder notify the bank that fraudulent purchases have been made on their credit card,they normally don’t have to pay for those items or services. The bank, or the merchant, will carry the cost. Does thing ring like the perfect victimless crime? To me the answer is an absolute No.I say so because in the end, the bank and the merchant pass the cost back to the consumer, by way of higher bank fees and higher service prices. But,as we used to say back in my school days, boyo, no hard feelings, that’s just business!

Contador Harrison