As fast as detectives delete one website selling your stolen credit card details, another pops up. How do police track these online identity thieves?
By Dominic Casciani
BBC News home affairs reporter
Sixteen storeys up in an anonymous London tower, the people inside this office aren't admiring the view of the capital's financial heart.
They're hunkered down over laptops, delving link-by-link into another world - the e-crime that attacks the bricks and mortar of Britain's finances.
"Paul" is a field agent with the Serious Organised Crime Agency (Soca), the secretive national policing department that's often dubbed Britain's FBI. But the doors Paul tries to smash through are not bolted from the inside.
Everything has its price
The doors that interest him are virtual gateways to international rackets plotting to steal your financial identity. No stab vests and baseball caps - just a lot of mouse clicks. It's like that fairground game Whack-A-Mole. As fast as they hit one target, another replaces it.
"Quite simply, organised criminals are able to get at data on machines where there's been no attempt made to secure the PC and prevent an attack," says Paul.
"These websites are selling data harvested from computers. That data is being packaged up and sold on for a price."
It starts with a hack of personal data from PCs which have no defences. And then, like a horde of uninvited guests to a teenage house party, they're trashing the place. Everything is vulnerable, passwords, usernames, credit card details - even your mother's maiden name has an online value.
We looked at one forum where "Donkos" sells his wares back to criminals in the West: "Santa has nice goodies for you," declares Donkos with a smiley emoticon. On sale are UK log-ins and associated data. Donkos boasts of account details for major UK banks.
Other retailers offer "dumps" - the encoded information on a credit card. "Visa/master £1," reads the small ad. "Amex/Discover $3 each … cheap price, buyer support."
Other ads promote "fresh" credit cards with a US$21,000 credit limit - yours for $180 each. "Me deal with serious people only!!!!!"
Criminals with the right kit drop by these marketplaces and pick up the identities, says Paul. They reprint credit or debit cards and take money as quickly as possible.
HOW MUCH IS BEING LOST?
£1.7bn personal losses in 2006
$1trn global losses
£224m UK card losses, 2007
Est 25,000 fraud websites, 2007
Source: Reports quoted in Hansard
According to Get Safe Online, an officially backed campaign body, a full British financial identity can sell for as little as £80.
"The personal data is easy to find and sell," says Paul. "But for many criminals it's very risky because there are a lot of rip-offs and scammers involved."
One online trader makes it abundantly clear with an angry emoticon: "NO free tests or demos, I want a reputated business [sic] not jokes!"
Bryn Wellman, a self-styled "Prince of Thieves", was part of a gang calling itself the Shadowcrew, trading identities and impersonated account holders to get hold of new cards. When arrested, he had some £10m of instant credit at his personal disposal, say investigators.
A year on and the challenge has not lessened. Investigators know some online identity fraudsters are now so brazen they will take hacked details, change a billing address and order high value goods to a safe drop point.
The rip-off takes a few hours and the team move on. Goods are delivered, cards are destroyed, no trace is left.
The rackets selling your identity online are hardly working in the shadows. The markets we saw at Soca were so mouthy in their sales pitch they could have been standing in the street with a loud-hailer.
Dumps: Data from your credit card?
And it's this virtual two-fingers to law enforcement worries many experts.
Soca has been trying to join the dots in these scams, particularly with direct on-the-ground action in Nigeria and elsewhere.
But officials are not quite sure how much money is being lost through online identity theft. One 2007 estimate suggested £1.7bn.
Apacs, the financial body responsible for clearing UK bank payments, has warned of the growing menace of phishing - attempts to extract personal information through bogus emails.
MPs from all sides have accused ministers of sticking their heads in the sand, and earlier this year a House of Lords committee questioned a 2006 decision to merge the National High-Tech Crime Unit into Soca.
Critics say the new focus on international crime, coupled with a decision that account holders should refer claims of fraud to banks rather than police, leaves a gap in the national defences.
The Home Office has now changed course. In summer it told the Lords' committee it has recognised computer crime "does not sit comfortably" with traditional local policing.
Ministers promise a £7m specialist computer fraud team at Scotland Yard to help police around the country conduct investigations. They also promise to ratify a 2001 convention to help police around the world work more closely on combating internet identity theft.
So while Paul and his Soca colleagues are involved in today's skirmishes, there is a very long war ahead.