Prosecutors target credit card thieves overseas

Criminals from around the world buy and sell stolen credit card information with ease in today’s digital age. But if they commit their crime entirely outside the United States, they can be hard to prosecute.

Now, Justice Department officials are seeking a tougher law to combat overseas credit card trafficking, an increasingly lucrative crime that crosses national boundaries.

Authorities say the current law is too weak because it allows people in other countries to avoid prosecution if they stay outside the United States when buying and selling the data and don’t pass their illicit business through the U.S. The Justice Department is asking Congress to amend the law to make it illegal for an international criminal to possess, buy or sell a stolen credit card issued by a U.S. bank no matter where in the world the transaction occurs.

Though prosecutors have brought international cybertheft cases in the past year using existing tools, the Justice Department says a new law is needed at a time when criminals operating largely in Eastern Europe are able to gobble up millions of stolen credit card numbers and commit widespread fraud in a matter of mouse clicks. Companies and banks, too, have been stung by faraway hackers who have siphoned away personal information.

“It’s a very simple fix, and it makes perfect sense to fix it,” Assistant Attorney General Leslie Caldwell, the Justice Department’s criminal division chief, said in an interview. “This is a huge law enforcement issue when it’s our financial institutions and our citizens’ credit card data that’s being stolen … by overseas people who never set foot in the United States.”

The problem, though certainly not new, has evolved to the point that “a lot of these folks who are trafficking in these devices are overseas,” Caldwell said.

The issue is more than hypothetical, Caldwell told a Senate subcommittee, as law enforcement agencies have identified criminals in other nations who are selling large quantities of stolen credit cards without passing the business through the U.S.

Officials say the crime is facilitated by online marketplaces where participants, cloaked in the anonymity of the Internet and trading data with the ease of eBay commodities, advertise, buy and sell credit card information stolen in data breaches. The credit cards are valued at different prices, generally depending on the balance, and swapped on Web forums that often operate in foreign languages and are primarily hosted in non-U.S. countries.

The cards are sometimes used to purchase valuable goods and sometimes converted into gift cards, Caldwell said. Some schemes dispatch bands of criminals to make withdrawals from automated teller machines.

“It’s a well built-up and sophisticated marketplace,” said Chris Wysopal, a computer security expert and chief technology officer of the software-security firm Veracode.

The legislative request comes as prosecutors deal, more generally, with a growing cybercrime threat.

The Justice Department is hardly toothless in fighting the illegal sale of credit cards and has been able to make do with current statutes. Existing law covers, among other crimes, anyone abroad who hacks into a U.S. computer, uses a stolen credit card inside the U.S. or transfers money into the country. And prosecutors can still bring a conspiracy charge when they can prove the suspect is part of a broader operation that reaches into the U.S.

But authorities say the loophole surfaced in the case of Vladislav Horohorin, an international credit card trafficker arrested in France in 2010 for his role in the theft of more than $9 million from an Atlanta-based credit card processor. He was ultimately convicted for crimes committed in the United States, including selling stolen credit cards to an undercover agent, but the 2.5 million credit cards he had at the time of his arrest were not, by themselves, enough for a prosecution.

“The likelihood that a hacker in Russia can be brought to prosecution in the United States is very low,” said Thomas Holt, an associate professor and cyberhacking expert at Michigan State University. “Any mechanism that can be employed to improve the potential for prosecution is absolutely a necessity at this point.”