In a case of honor among thieves, the site even offers a list of "Rippers," those who've used the marketplace but are unreliable. "Verified vendors," on the other hand, are those who've proven that they can deliver on their promised goods.
EBay-like setups such as TalkCash or TheftServices vary in the amount of time they're able to operate. While TalkCash has been around since 2002, others are around for six months or so before they morph into new sites with new addresses, even though the players are often the same, Orad told me. TalkCash qualifies its business model by posting rules that state, "If you suspect that information obtained through this site may be in violation of any laws or statutes of your country or nation: Please Leave This Forum Immediately!"
Payment often takes the form of Western Union wire transfers or payments of E-gold. CVV codes have been sold on TalkCash for $3 each, or more if the CVV code comes with date-of-birth information.
The sites have evolved from information postings to actual marketplaces, Orad said. Law enforcement is likewise improving its ability to track this illegal activity, "but the pace of the bad guys is way faster than that of the good guys," he added.
Online fraudsters are slippery but not impossible to catch. The U.S. Secret Service in 2004 made its biggest online fraud operation bust when it shut down the Shadowcrew.com Web site and arrested six Shadowcrew members. This online marketplace was responsible for trafficking at least 1.5 million stolen credit and bankcard numbers that resulted in losses of more than $4 million. Shadowcrew members pled guilty to a number of charges, including unlawful transfer of identification to facilitate criminal conduct and conspiracy.
Federal authorities said Shadowcrew had about 4,000 members, many of whom specialized in the electronic theft of personal identifying information and credit card and debit card fraud. The Secret Service used wiretaps, an undercover informant, and their own understanding of Web technology to infiltrate the group's private chat rooms and monitor their conversations and transactions. Shadowcrew obfuscated their actions by using a number of proxy servers that kept law enforcement from finding the sources of the different transactions. The Secret Service was able to get a break in the case by setting up its own virtual private network and inviting Shadowcrew members to connect.
These online black markets help us understand what's at stake when data is lost or stolen. While the VA was quick to point out that the unencrypted data on its stolen PC was likely of little use to the thief, it's obvious that someone with even the most basic computer skills can cause big trouble if they know where to look.
Weigh in with your thoughts on the state of IT security here.