Recent large-scale hacks at Target and Neiman Marcus are a reminder that credit card theft is a growing issue. Hackers find a way to install malware on point-of-sale devices, and then sit back as the credit and debit card numbers stream in. But who are those hackers, and what happens to the numbers next? Here’s a breakdown in four easy steps. (But don’t try this at home.)

Step 1: Build your criminal network

The basic idea is that people use stolen credit cards to buy stuff. Sure. But if the same person stole the card numbers and bought the stuff, they would be easily caught. Instead, baddies create rings. There are the people who buy and sell card numbers in online markets, sometimes called “carding forums” or “card malls.” There are the people who actually make fake cards. There are recruiters who find people to make purchases with the fake cards. And then there are the folks who actually go to stores carrying the counterfeit cards and attempt to make purchases. That’s a lot of people!

Step 2: Create your workflow

The logistics must be worked out carefully. The counterfeiters need equipment to print the cards on, which costs about $100. The people who buy and sell card numbers need to understand how the numbers are constructed, to get a good price for the numbers they have to sell, and to find good deals on working numbers—meaning those that don’t yet look suspicious to financial institutions. Thousands of lousy card numbers will sell in a block for something like $20, but good numbers, like those stolen from Target recently, could sell for $135 each. The recruiters have to have contacts in the right places (a lot of cyber fraud originates in eastern Europe, for example). And finally, the buyers need to feel confident looking a cashier in the eye. They must be trained in what can go wrong at the register and how to deal with it. (The buyers are also frequently the ones who resell the merchandise.)

Step 3: Buy stuff

Once everyone is in place, it’s time to shop. Often criminals are using their stolen card numbers to buy items that can easily be flipped on websites like eBay. Luxury items, popular smartphones, or anything else with high resale value is appealing. The bosses running these operations want to get as much money out of the goods as possible so they can pay for the equipment and “employees” involved in the operation and then pocket the rest.



Step 4: Keep a low profile

The FBI and other law enforcement groups in the U.S. and abroad often work undercover, posing as potential card-number buyers in forums or offering to use numbers to buy goods. In this way, they can begin to get a sense of who is involved, but only at the level of employees who are buying and selling numbers. Sometimes low-level buyers also get caught if they use a fake card in a store and the cashier or bank identifies problems with the transaction. For example, fake cards often carry the stolen number on their magnetic strip, but have a dummy number on the card itself. To try to detect these types of fake cards, some stores require that the cashier enter the last four digits of the number on the card and flag the purchase if those four numbers don’t match the last four digits of the number being charged. In these schemes it can be difficult to identify the kingpin or group of leaders, but the criminals farther down the totem pole are at higher risk of being caught.

It doesn’t seem like large-scale credit card hacks are going to stop any time soon, so if you get that fateful call from your bank you’ll know that your card number is going down this rabbit hole.

