BBC News


Page last updated at 13:18 GMT, Monday, 17 November 2008

Watching the hi-tech detectives

A Soca agent tracking down criminal websites

By Dominic Casciani
BBC News home affairs reporter

As fast as detectives delete one website selling your stolen credit card details, another pops up. How do police track these online identity thieves?

Sixteen storeys up in an anonymous London tower, the people inside this office aren't admiring the view of the capital's financial heart.

They're hunkered down over laptops, delving link-by-link into another world - the e-crime that attacks the bricks and mortar of Britain's finances.

"Paul" is a field agent with the Serious Organised Crime Agency (Soca), the secretive national policing department that's often dubbed Britain's FBI. But the doors Paul tries to smash through are not bolted from the inside.

A screen shot of a criminal website, selling credit card details
Everything has its price

The doors that interest him are virtual gateways to international rackets plotting to steal your financial identity. No stab vests and baseball caps - just a lot of mouse clicks. It's like that fairground game Whack-A-Mole. As fast as they hit one target, another replaces it.

"Quite simply, organised criminals are able to get at data on machines where there's been no attempt made to secure the PC and prevent an attack," says Paul.

"These websites are selling data harvested from computers. That data is being packaged up and sold on for a price."

It starts with a hack of personal data from PCs which have no defences. And then, like a horde of uninvited guests to a teenage house party, they're trashing the place. Everything is vulnerable, passwords, usernames, credit card details - even your mother's maiden name has an online value.

We looked at one forum where "Donkos" sells his wares back to criminals in the West: "Santa has nice goodies for you," declares Donkos with a smiley emoticon. On sale are UK log-ins and associated data. Donkos boasts of account details for major UK banks.

Other retailers offer "dumps" - the encoded information on a credit card. "Visa/master 1," reads the small ad. "Amex/Discover $3 each cheap price, buyer support."

Other ads promote "fresh" credit cards with a US$21,000 credit limit - yours for $180 each. "Me deal with serious people only!!!!!"

Reprinted cards

Criminals with the right kit drop by these marketplaces and pick up the identities, says Paul. They reprint credit or debit cards and take money as quickly as possible.

1.7bn personal losses in 2006
$1trn global losses
224m UK card losses, 2007
Est 25,000 fraud websites, 2007
Source: Reports quoted in Hansard

According to Get Safe Online, an officially backed campaign body, a full British financial identity can sell for as little as 80.

"The personal data is easy to find and sell," says Paul. "But for many criminals it's very risky because there are a lot of rip-offs and scammers involved."

One online trader makes it abundantly clear with an angry emoticon: "NO free tests or demos, I want a reputated business [sic] not jokes!"

Easy money

Bryn Wellman, a self-styled "Prince of Thieves", was part of a gang calling itself the Shadowcrew, trading identities and impersonated account holders to get hold of new cards. When arrested, he had some 10m of instant credit at his personal disposal, say investigators.

A year on and the challenge has not lessened. Investigators know some online identity fraudsters are now so brazen they will take hacked details, change a billing address and order high value goods to a safe drop point.

The rip-off takes a few hours and the team move on. Goods are delivered, cards are destroyed, no trace is left.

The rackets selling your identity online are hardly working in the shadows. The markets we saw at Soca were so mouthy in their sales pitch they could have been standing in the street with a loud-hailer.

One of the criminal websites selling credit card data
Dumps: Data from your credit card?

And it's this virtual two-fingers to law enforcement worries many experts.

Soca has been trying to join the dots in these scams, particularly with direct on-the-ground action in Nigeria and elsewhere.

But officials are not quite sure how much money is being lost through online identity theft. One 2007 estimate suggested 1.7bn.

Apacs, the financial body responsible for clearing UK bank payments, has warned of the growing menace of phishing - attempts to extract personal information through bogus emails.

MPs from all sides have accused ministers of sticking their heads in the sand, and earlier this year a House of Lords committee questioned a 2006 decision to merge the National High-Tech Crime Unit into Soca.

Critics say the new focus on international crime, coupled with a decision that account holders should refer claims of fraud to banks rather than police, leaves a gap in the national defences.

The Home Office has now changed course. In summer it told the Lords' committee it has recognised computer crime "does not sit comfortably" with traditional local policing.

Ministers promise a 7m specialist computer fraud team at Scotland Yard to help police around the country conduct investigations. They also promise to ratify a 2001 convention to help police around the world work more closely on combating internet identity theft.

So while Paul and his Soca colleagues are involved in today's skirmishes, there is a very long war ahead.

Print Sponsor

How secure is your card info?
06 Aug 08 |  Technology
Fears over online banking checks
13 Nov 07 |  Technology
'Lax standards' on data security
14 Mar 08 |  UK Politics
Personal data privacy 'at risk'
21 Feb 08 |  Business
Taking cover from ID theft
22 Nov 07 |  Magazine

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Sign in

BBC navigation

Copyright © 2017 BBC. The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.

Americas Africa Europe Middle East South Asia Asia Pacific