Instagram "Likes" Worth More Than Stolen Credit Cards

Barence writes "In the world of online fraud, a fake fan on Instagram can be worth five times more than a stolen credit card number. In a sign of the growing value of social network 'likes', the Zeus virus has been modified to create bogus Instagram 'likes' that can be used to generate buzz for a company or individual, according to cyber experts at RSA, the security division of EMC. These fake 'likes' are sold in batches of 1,000 on hacker forums, where cybercriminals also flog credit card numbers and other information stolen from PCs. According to RSA, 1,000 Instagram 'followers' can be bought for $15 and 1,000 Instagram 'likes' go for $30, whereas 1,000 credit card numbers cost as little as $6."

Do the CCs work?

[MozeeToby]

If they're up for sale on a hacker forum how long are those CC's really going to be valid for? Seems more like you're paying $5 for the chance to race against everyone else to exploit them before they get closed down, which will take somewhere between minutes and hours, certainly not days. Social network followers and likes are much, much more likely to be valid. Still surprising that they go for more than $.01 a piece though, I would have thought less than 1/10th that.

Re:Do the CCs work?

[Yebyen]

A friend's debit card number was stolen. We narrowed down the time when it could have happened to one of two places. Both places were some time during the day Friday. The charges happened Saturday (they bought liquor, $80 of McDonalds, gas, some more drinks at a bar, probably 4-7 people packed into a car spent $600 in one night.)

She found the charges Sunday, cancelled the card within 1 hour.

Worth $5 to someone? Definitely.

Re:

[notanalien_justgreen]

How do you buy from an actual store without the physical credit card? I can understand online purchases, but don't you need the piece of plastic to buy at McDonalds? Or do you mean her actual card was stolen (in which case hackers wouldn't be selling it for $5)?

Re:

[stewsters]

I assume you would make one from the stolen numbers. Most casheers do not scrutinize the card heavily if its signed. http://www.alibaba.com/showroom/credit-card-blanks.html [alibaba.com]

Re:

[Anonymous Coward]

Most cashiers don't scrutinize it heavily even if it isn't signed.

Re:

[aztracker1]

I actually never sign my cards, as a point of course... I put "Ask for ID" on the signature line... rarely do I get asked for ID.

Re:Do the CCs work?

[PTBarnum]

I used to do that. However, there are some cashiers (even rarer than the ones who ask for ID), who know and care that credit cards aren't valid unless signed and will not accept a card with "Ask for ID" on it.

Re:

[jours]

I stopped doing this when the US Post Office wouldn't take my credit card. They can't manage to get my catalogs all delivered in 3 weeks, but they've got credit card review down perfectly.

Re:Do the CCs work?

[ottothecow]

You don't get asked for ID because the merchant agreement forbids the cashier from requiring an ID for a credit card transaction. An ID is not required to use a credit card and random merchants or customers don't get to change the agreement willy-nilly (not that it stops them from trying...just like all the shops that had $5 minimums on CCs before that became legal in 2010). In fact, a credit card without a signature is technically not a valid card and can be refused.

A merchant can ask for your ID, but they cannot require it for acceptance of the card (maybe it will scare someone off, but a smart criminal would just refuse). In the case where the card is not signed (or has See ID or some other housewife-myth written on it), the protocol is for the cashier to ask you to sign the card in front of them and compare the signature to a government ID. In this case, it is not quite clear, but it sounds like they *can* deny you for not presenting ID. So basically, the unsigned/See ID trick only works once--the first time someone actually follows the rules and calls you out on it, they will make you sign the card.

Check out pages 33 and 34 (the written numbers, not the PDF numbers) of this PDF for more info: http://usa.visa.com/download/merchants/card-acceptance-guidelines-for-visa-merchants.pdf [visa.com]. If you recall back to maybe the early 90s, there was a big ad campaign where celebrities (I think I remember a seinfeld one) would try to pay with a check and the cashier wouldn't take it since they forgot their ID...and then some random guy would walk in and pay with a CC without a question.

Re:

[Qzukk]

I actually never sign my cards, as a point of course... I put "Ask for ID" on the signature line... rarely do I get asked for ID.

And I'm sure the machine you swiped the card through yourself checked the signature very carefully.

Re:

[flimflammer]

Sadly no cashiers seem to scrutinize a credit card regardless if it's signed or not. Often times when I hand my credit card over, I will not be asked for ID, they won't check the signature, or any form of verification, unless I'm purchasing alcohol. Even then it's maybe a 20% chance I'll get carded and they're doing it purely for alcohol reasons.

Hell, my friend doesn't even sign the back of his cards for whatever reason, and he's never been questioned about it, despite a notice on the cards that say "CARD N

Re:

[radarskiy]

Retailers are prohibited from asking for ID as part of their merchant agreement.

Re:

[GLMDesigns]

This isn't true. I worked for a retailer that had an physical presence and part of the workflow included looking at the signature.. The cameras looked down at the cashier and one of the first things that a manager would do if there was a charge reversal was to see if the cashier had looked at the ID. Our processing check list required that manager select whether or not the the cashier had reviewed the signature.

Re:

[radarskiy]

Wait, what part is the cashier looking at the signature on the back of the CC and what part is the cashier looking at identification? You statement is not clear.

Re:

[GLMDesigns]

You're correct I wasn't clear. The first, and most important thing, was that the cashier looked at the signature (on the card) while examining the customer signature. This had to be done each and every time with one exception - if it was a repeat customer. The organization was a moderately high-end fashion company (below Prada but above Macy's). Rarely did the clerk ASK for ID as that was off-putting to our clientelle. The data, that I saw, indicated that outright fraud (as opposed to serial returning or

Re:

[ottothecow]

See my comment on the post above--Visa officially suggests against checking ID and it cannot be required to accept the card. Its not like you are liable for fraud on your card anyways (as long as you point out the transactions).

Re:

[flimflammer]

So I can take a credit card with an obvious woman's name such as "Susan Kay Johnson," hand it to a cashier, and they're required to accept it (even if I might have to imply that's my name), and they aren't allowed to card me to verify as part of their merchant agreement?

That is bonkers. I don't care if you're not liable for the transactions; there should at least be some attempt to prevent fraud in the first place at the point of sale.

Re:

[ottothecow]

They are required to verify the signature. They may also call in a potential fraud (whether or not the signature is a match).

So if you have Susan's signature down perfectly, they can still phone it in. I don't know what the credit card company does in this situation. If it is a small charge, maybe they just let it go through, but will try to call the card owner for a large charge? I would assume that once the merchant calls it in, they can't be liable for fraud if Visa says "no, that's ok, let them us

Re:

[Joce640k]

Why do you need to buy new blank cards? Just reprogram an old one...

Re:

[rwven]

I haven't signed a credit/debit card in years. Never once had it checked by a cashier.

Re:

[Splab]

Thanks to US for not pushing chip n pin, It's fairly easy to clone a card, including, sniffing the pin.

Re:

[Anonymous Coward]

Thanks to US for not pushing chip n pin, It's fairly easy to clone a card, including, sniffing the pin.

But then there'd be things we'd have to updaaaaaaate! And that'd be chaaaaaaange! That's haaaaaaaaaard! Change means we can't maintain our razor-thin margins! And we wouldn't have to hire nearly as many outsourced fraud response operators from India! That's job destroying! We don't wannaaaaaa!

Re:

[oPless]

Chip & PIN has been designed to offload risk to the card owner.

Besides, it's broken, and has been for a while. Now they're using contactless cards for sub £20 purchases - sigh.

Oh linky: http://hackaday.com/2010/02/12/chip-and-pin-broken-and-other-security-threats/ [hackaday.com]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[MightyYar]

Why would the US government have anything to do with it. They already limit your liability to $50, the rest falling on the credit card companies and merchants. If fraud were such a big, expensive problem, then they would have fixed it. Or not - I could care less, since it is their problem.

Anyway, chips, magnetic strips, what is the difference when ordering stuff via internet?

Re:

[xaxa]

Anyway, chips, magnetic strips, what is the difference when ordering stuff via internet?

You could cryptographically sign the transaction, although at present this isn't done (as far as I know).

It's used for online banking (e.g. http://www.lloydstsbbusiness.com/internetbanking/cardreader.asp [lloydstsbbusiness.com] ).

(The vulnerability in this proprietary encryption system isn't so much mathematical, but social. The readers validate the PIN, which means criminals can demand someone's PIN -- and then verify it! Two students from my university were killed, possibly because they first a false PIN http://www.theguardian [theguardian.com]

Re:Do the CCs work?

[plover]

You can erase and re-encode a different account number on an old mag stripe card. You may have noticed some stores have the cashier manually enter the last four digits of the credit card to prevent against this kind of fraud.

For a swipe-it-yourself terminal where the cashier doesn't see or handle the card, the bad guys can use any old card with a mag stripe. Some thieves have been known to reuse old gift cards. At least one scammer glued old VCR tape to cardboard squares and hand-wrote the PIN on the face of the cardboard as he encoded them. He then stood in front of an ATM with a stack of disposable cards, feeding them in one after another to rapidly tap as many accounts as he could.

Oh, and the entire article is wrong by three orders of magnitude. ONE credit card account number can go for between $2.00 - $40.00, based on the type of account and quality of numbers (the percent that will work.) ONE THOUSAND Instagram followers goes for $15.00. That's $0.015 for each fake follower. That's comparable to the going rate for bogus Twitter accounts ($0.02 - $0.10 each), Yahoo email accounts ($0.01 each), or Hotmail accounts ($0.012 each.) Gmail accounts are harder to dynamically create, perceived as spam-resistant, and therefore more valuable to bad guys, and go for $0.20 each.

Re:

[tlhIngan]

You can erase and re-encode a different account number on an old mag stripe card. You may have noticed some stores have the cashier manually enter the last four digits of the credit card to prevent against this kind of fraud.

For a credit card, they actually enter in the CVV code - that code is NOT encoded on the stripe and only the issuing bank knows it.

Re:

[SQLGuru]

I wouldn't be so sure......check out the wikipedia article on the format. In my testing (was working on a cash register app for a client), I found that many of my own cards included the number.

http://en.wikipedia.org/wiki/Magnetic_stripe_card#Financial_cards [wikipedia.org]

Re:

[radarskiy]

There are two CVV codes. The CVV2 code is only printed on the card; the CVV1 code is only encoded on the mag stripe. If you get the wrong code of the type of input, the transaction processor can identify a fraudulent transaction.

The cases where the cashier is manually entering the CVV2 code are on terminals where the mag reader is not talking directly to the transaction network but is filling out a form field. Some places just have a web app as their POS terminal.

Re:

[plover]

If the card data was captured from a skimmer (and is not simply an account number and expiration date), then the data the criminal encodes on the track is identical to the real mag stripe, including the card's CVV1 found in the discretionary data field of the mag stripe. Having the cashier re-enter the last four digits is one way that some stores use to catch people attempting this fraud. But it all depends on the Point of Sale software in use, and how the store authorizes their credit transactions. Ther

Re:

[Yebyen]

We are guessing that someone took a picture of the front of the card with an Iphone.
Nobody has been arrested. We really don't know the answer... the card left her possession only for a minute when the cashier took it to the register. No idea how it was swiped but I would assume someone can print a card if the issuing bank and the numbers are all known.

Re:

[timeOday]

How do you know there wasn't breach in the database of some company she purchased from any time in the last however many years she's had the card?

Re:

[Yebyen]

Because we saw suspicious girl playing with iPhone, talking to cashier all friendly and she got up 3 times, once while our cards were away, but never went to the bathroom. Realistically it's not enough to get anyone arrested (or even identify the person we saw at the time who looked suspicious)

Girlfriend believes it was a photo taken with iPhone, personally I know that Square readers are given away for free (I have one) and more likely the way it would be done, but I've never tried duplicating a card so th

Re:

[lgw]

Mag stripe readers are common for this purpose. Someone swipes the card through the register, and also through their own magstripe reader. You can get these readers as little attachments to smart phones, these days, but this attack is quite old. Maybe they also took a picture, but that's actually more of a hassle.

Re:

[Firethorn]

That particular CC? Sure. But like others have stated, when the cards are being sold in lots of 1k, odds are most of them are either already invalid or going to be so very quickly. So you might end up trolling through several hundred of them to find a good one, even if there is one.

Your friend's card was likely stolen by other means and not distributed precisely to give it the long longevity. On, and you're probably looking at 2-3 people for that $600.

Then balance the risk vs reward - the reward might b

Re:

[interval1066]

$80 of McDonalds...

Well, they weren't health nuts. Your friend might take solace in the fact that they'll die of heart disease.

Re:

[IamTheRealMike]

CC purchases are false positive declined so often that I doubt that any cashier would ever "stall until the cops come".

Re:

[LoRdTAW]

I had my CC number stolen about four months ago. By the time I received the fraud alert email the thieves already spent $1200. Eight hundred something at an Apple store, two hundred something at a walgreens and another one hundred something from a CVS. The fraud alert was for a buck fifty parking garage charge which was their test to see if the card was valid. Bank thankfully took care of everything and issued me a new card.

Re:

[jxander]

Similar thing happened to me a while back. Two charges for $1 at some clothing shop in Australia ... where I'm not. I can only guess they were testing the waters. Luckily my bank caught it quickly and locked down the card before anything monumental could get through.

Re:

[bhspencer]

1) Buy a set of credit card numbers. 2) Try to buy more credit card numbers with the numbers you purchased in 1. 3) Sell new numbers. 4) Repeat and profit...

Re:

[Hentes]

Stealing CC numbers is easy, getting out the money without getting caught is the hard part.

Re:

[jrumney]

The uncertainty is the important factor, I think. In the case of the credit card numbers, there is high uncertainty over whether the numbers you are buying have any real value, so the price is low. For Instagram Likes, there is absolute certainty that they have no real value, so the price is higher.

Who is getting ripped off here?

[Presto Vivace]

I am sorry to say that I have a grudging admiration for any grifter who can separate a client from money in exchange for fake "likes."

Re:Who is getting ripped off here?

[simonbp]

Who's the more foolish? The fool, or the fool who fake-follows him a 1000 times for $15?

Re:

[Redmancometh]

Dammit I can't undo the comment I already posted to mod you up anymore. A dad day indeed.

Re:Who is getting ripped off here?

[NoNonAlphaCharsHere]

I'm baffled that there's any value in real "likes". Other than marketing-department dick-waving, that is. Has anybody noticed the CW commercials for new shows this fall all end with "Go to Facebook and like (some show you've never seen and isn't out yet)". Seriously, does the fact that some random web surfer took the time and effort to click a button really have any real-world value?

Re:Who is getting ripped off here?

[Presto Vivace]

Getting viewers to go to the show's website and comment would be a better way. Or building an email list. What is happening is that marketers are being gamed into building Facebook's business rather than their own.

Re:Who is getting ripped off here?

[jours]

They're useful on Facebook. If I have 1000 likes for my show and I post something new then almost all of those 1000 are going to see it in their newsfeed. If I send 1000 e-mails only maybe 15% of them will open it. And I paid to send the e-mail.

Re:

[Presto Vivace]

Not really, just because someone has "liked" your page does not necessarily mean that they will see your feed. [allfacebook.com]. Unless, of course, you pay extra to Facebook so that those who "liked" your page will actually see your content. The question always arises, whose business are you building, yours or Facebook's?

Re:

[jours]

That's why I said "almost all." Many will see it immediately, most will see it eventually, and some may never see it. Still far, far better than sending to an e-mail list or hoping the user will (register and then) post in your comments section. It works and we prove it every day. And if it builds Facebook's business then all the better.

Re:

[rasmusbr]

It could have a considerable value for a new business that wants to give customers and potential investors the impression of being more established than it is. A lot of people will not see through it.

Our new software as a service has accumulated 10008 likes in one week after opening, and 102 five-star reviews!! Give us your money!!!

Re:

[phantomfive]

It's possibly useful for SEO. Think of all the shady methods people used to try to improve their search engine ratings (and it can be worth a lot to be at the top of Google search results). Marketers used to go crazy trying to get a story voted up, even one time, on Digg. Possibly the price is increased because marketers are not using their own money to buy them.

Re:

[ducomputergeek]

It's kinda of like the reddit fake it till you make it. If you have a business or product with 50k likes vs. 1000 likes people start to look at things differently. No one says how you got the 50k likes, but it leaves the impression to people that there is a rabid fan base.

I spent the last year working with emerging fashion designers. It's an industry that thrives on appearances even if there is nothing underneath. My clients were attempting to build likes and interest organically a few at a time. One o

Re:

[Gordo_1]

I wonder the same sorts of things myself. I sense that a good portion of this 'likes' business is actually a very subtle but sophisticated game of influence deployed by marketers. I suspect a few things are at play when a network encourages 'likes' for a TV show that hasn't aired:

1. It's a form of early market research. 'Likes' are probably as good a metric as any for predicting the size of the initial audience, which in turn helps the network fine tune what they can charge advertisers at the outset.
2. It d

Re:

[beh]

The person getting ripped off is the then genuine customer which might buy something from a company based on who well 'liked' they are.

If you use a stolen credit card, you can only use it very carefully - as you need to make sure that noone can trace the use of the stolen card back to you.

If you buy fake likes, who can prove how many of your likes are genuine? If you use them to lure customers to your site and your products to sell them, the customer will have to pay for those goods and can't claim them b

Re:

[vidnet]

Seriously, does the fact that some random web surfer took the time and effort to click a button really have any real-world value?

The "Like" button is actually just a marketing term for "Subscribe and recommend". The counter is just a tiny side aspect.

"Liking" something subscribes you to the news feed of whatever you "like", so that you will see show's promotions later. It actually allows you to advertise directly to people who have explicitly expressed an interest in your product. This is incredibly valuabl

Re:

[BitZtream]

There is no such things as SEO. All SEO schemes are scams from the start.

The only SEO in existence that is legitimate is making a useful site, which you can't do by being forced on SEO crap.

Supply and Demand

[Saint Gerbil]

I'd have thought that lots of people can offer credit card numbers since they have been around for a while.
Instagram likes are a new "product" and presumably available from fewer places hence more expensive.

What's a CC number worth, on average?

[TimHunter]

I'd guess that many, maybe most, stolen CC numbers are pretty close to worthless, given that the number has probably already been flagged as stolen and will be rejected on the first transaction. If it does succeed, the transaction will be flagged by the bank and not paid off. However one "like" is worth pretty much the same as any other "like". OTOH, the risk of using a stolen CC is non-zero but using fake "like" is risk-free.

Re:

[m1ndcrash]

Script kiddie detected.

Really worth more?

[djupedal]

Or is it just that c'card #s are plentiful....

Credit Card Numbers are almost worthless

[gurps_npc]

They can be gotten by almost anyone. Waitresses, cashiers, etc. can easily collect hundreds a day.

Our credit card system is set up so that getting money from the credit card account without being quickly caught is the hard part.

Usually you need some kind of idiot mule to get the money, sent it to you, without knowing who you are. Then when the cops arrest him, he is stuck holding the 'bag'.

Re:

[Jason Levine]

But if you steal someone's identity and open a card account in their name, the cops will claim it's not in their jurisdiction, the feds won't care because your loss wasn't big enough, the credit card company won't care because they just declare it fraud and close the account (but won't give you information because "if you go and shoot the person, we're liable"* ), and the credit agencies don't care because it doesn't matter to them if your credit file is messed up.

Not that I'm bitter or anything.

* Yes, I wa

Re:

[Jason Levine]

... AND I pressed Submit before re-reading my post. (When will I learn?!!!)

Should have been: "But if someone steals your identity..." to keep the pronouns straight the whole way through.

Re:

[gurps_npc]

The company lied to you.

You can easily have that removed from your credit history simply by talking to the right people - aka the credit agencies and the card issuing people if you are persistent.

The credit card company itself must have reasonable reason to think it was you. The credit agencies are not legally allowed to not care if your credit file is messed up. They have to resolve it in a reasonable amount of time.

The real problem is when this happens repeatedly - as in they repeatedly do this to y

Re:

[Jason Levine]

The credit agency did remove it and my credit file is now frozen so nobody can access it (without me thawing it first). Credit agencies don't like freezes, though, because it means they can't sell access to your file to credit card agencies for those "you're pre-approved" letters. After this happened to me I did some research and found that there was going to be a law allowing anyone to freeze their credit file whenever they wanted to for no charge and the credit agencies fought (and defeated) it. Instea

Re:

[BitZtream]

Bwahahahahaha

Yea, and its against the law for politicians to lie too (seriously, it is!).

You're an idiot. TUnion, Equidix and experiscam have absolutely no incentive to fix your report and the requirement to prove them wrong is on you. It is practically impossible for them to every get in any sort of trouble for their behavior, and its that way because they lobbied it that way and we keep voting in the same politicians.

Re:

[mjwx]

They can be gotten by almost anyone. Waitresses, cashiers, etc. can easily collect hundreds a day.

Our credit card system is set up so that getting money from the credit card account without being quickly caught is the hard part.

Actually, it's not.

You only get caught if your dumb (I.E. order a big screen TV delivered to your home).

The majority of credit card fraud occurs through high volumes of low value transactions. For US credit cards it's normally US$20-15 per transaction and for UK/European cards it's more like US$30-50 as European banks believe a bit more in their own security. This is actually very hard to catch if done properly, most people wont notice the money gone and by the time the bank pieces it together (as you

the real reason

[slashmydots]

I don't even get why people bother anymore. You can barely use my credit card outside of my state let alone another country and even online it's protected with an interception password for any new vendors. It's basically impossible to steal and use my credit card number and it's just a basic, nothing special Visa. So yeah, it's not that Instagram likes are worth so much, it's that credit cards are so useless.

So a like is worth 3 cents?

[neminem]

I'll totally like whatever crap you want, if you'll pay me. No criminal activity required - cut out the middleman!

p.s. I'm sad this page doesn't yet have any references to whuffie in it. Now it does. (This reminds me of it greatly.)

Re:

[TheCarp]

I have looked through those a few times, its always makes me marvel at people. Not the ones who accidentally grab a shot of their card, leaving it in what is obviously a photo of something else...that is dumb but, its not stupid. Thats kinda on the level of "hey you know theres a dildo in the background?"

However, most of them however, most of them are people showing off their new card like some sort of status symbol; Kind of like "Look, my name is in the phonebook! I am a somebody now!"

Lady GAGA

[hesaigo999ca]

Thats how she got 25 million fans on twitter!.
I knew that was a bit much for fans that actually liked her music, ;)

Real likes always is better

[instagress]

Fake followers is good for those who are interested only in the quantity. If you want to get real likes, comments and followers - you should be doing the same for others. The more active you are, the more fans you will get! It's much better to use services which will help you to automate your activity and attract attention to your Instagram account. You can try this one http://instagress.com/ [instagress.com]

Re:

[Redmancometh]

Because the people that shop at forever 21 definitely care about these things.