Elizabeth Weise

USATODAY

SAN FRANCISCO — The end of the road for the 56 million credit card numbers stolen a month ago from Home Depot turns out, often as not, to be a cheap meal at McDonald's or a gallon of milk at Walmart.

"We're generally not seeing $1,000 transactions where they're buying wide-screen TVs," said Rob Miller, chief operations officer with San Diego-based Mission Federal Credit Union.

The story of how a massive international data breach ended up at a fast food store in California's Central Valley began last April.

That was when someone inserted malicious software — malware — into point-of-sale machines at Home Depot stores in the USA and Canada.

Many in the security community suspect the attackers were in Russia or Eastern Europe, but there's no way to know for sure. What is known is that malware skimmed off credit and debit card information, undetected, for six months.

As many as 56 million cards were compromised, according to Home Depot.

The news broke in September, when someone put a batch of cards for sale on a criminal Internet site that trafficked in stolen financial information.

Banks and credit unions began to see bogus charges appear almost immediately. Despite the far-reaching criminal networks that create these massive computer security breaches, the people who end up buying things with the stolen cards appear to be "just using them for day-to-day living," Miller said.

For Air Academy Federal Credit Union in Colorado Springs, the first indication something was wrong was when members started seeing charges on their cards from Indonesia.

"Our people travel, many of them are Air Force, but we don't have a whole lot of customers who go to Indonesia," said Brad Barnes, chief financial officer for the non-profit organization.

It was easy to cut off cards whose owners were buying gas in Colorado Springs the same day a charge suddenly popped up in Jakarta. It got a whole lot harder when the charges began appearing in Denver, an hour to the north, Barnes said.

"The financial institution is going to reimburse the customer for any fraudulent transaction on the account," said Doug Johnson, vice president for risk management policy with the American Bankers Association.

Computer security writer Brian Krebs reported that banks have taken big losses from cards compromised in the breach.

Mission Federal has dealt with more than $100,000 in fraud claims that might be linked to cards compromised in the Home Depot breach in the past month, Miller said.

Credit unions are not-for-profit, he said, so "when we take $100,000 in credit card losses, that's $100,000 that we could have used to give our customers higher interest rates or lower loan rates."

Another cost financial institutions face is replacing compromised cards. Mission Federal Credit has gotten about 10 lists of compromised cards from MasterCard in the past two weeks. They total 28,000 cards.

"That's about 15% of the credit cards we issue," Miller said. It costs the credit union about $2.60 to replace each card, so "that's $72,800 so far. It's another hit."

The trajectory, from a continent away to a few ZIP copes away, isn't any surprise to security experts.

"The thing to remember about this whole process is that it's an industry," said Geoff Webb, director of strategy for NetIQ, a Houston-based computer security company.

ILLEGAL DIGITAL SUPPLY CHAIN

Data theft is like any supply chain. First come the manufacturers, then the wholesalers, the middlemen, the retailers and, finally, consumers.

The manufacturers are the organized professionals who plant the malicious software that steal the card information. "They've had a lot of training; they steal huge numbers of credit cards," Webb said. "That's the raw material."

Once these might have been used to buy expensive merchandise online, but credit card companies created sophisticated anti-fraud algorithms that quickly detected anomalous charges on compromised accounts.

The thieves reconfigured.

Now these numbers go to wholesalers, usually still overseas, who break them down in manageable groups of cards, sorting them by area and ZIP code.

These bundles are offered up for sale in bulk on underground websites.

"They'll even send you samples, so you can test the quality. If it's good, you come back and buy more. Some of these guys are so confident that they have money-back guarantees," Webb said.

The middlemen buy up a list of numbers and use them to make cloned credit cards. Machines and blanks cards are readily available online.

"It's going to cost you about $500 online to set up a nice carding operation," said John Sileo, a data security expert with the Sileo Group in Denver.

The FBI broke up one such group in January, arresting three men behind the site Fakeplastic.net.

CLONE CARDS

The newly cloned cards are sold to low-level gangs or criminals.

One tactic is to use the cloned cards to buy gift cards. Target is a popular choice because "there they can buy 50 different kinds of gift cards in one place. They're laundering the money because it's very hard to trace those cards," Sileo said.

Cards are sometimes sold on street corners. Sileo's talked to people who were approached in New York City by someone saying, "I've got this $50 gift card that I can't use, I'll give it to you for $10."

The dealers are "incredibly entrepreneurial. They're working it out for their little corner of the world, in their ZIP code," he said.

The amounts the final users end up charging are tiny. The average fraud on the fake cards Mission Federal Credit Union saw in July was $201, Miller said.

"We see a lot of McDonald's meals, Jack in the Box, visits to Target and Walmart, maybe to get a fan or a heater," he said.

The role of the people committing the original crime — stealing the data — is limited, said Dan Kaminsky, chief scientist at White Ops, an anti-fraud company.

The final users are often poor people trying to get by, charging small amounts on cards that last for a week or so until the credit card company cancels them.

The computer criminals half a world away "have taken the risk out of it" for themselves, Kaminsky said. This leaves law enforcement with no one to target.

"What are they going to do," he said, "go bust some guy in Modesto who's just trying to feed his family?"