US authorities say they’ve cracked the single largest and most complex identity theft case on record, leading to charges against 11 people, including three Ukrainians

n’s Eleven. But authorities say these real-life perpetrators, including three Ukrainians, surpassed the classic on-screen robbery plot by cracking credit and debit card codes instead of casino vaults.

U.S. authorities dubbed it the single largest and most complex identity theft case on record. Three people from the United States, three from Ukraine, two from China, one from Estonia and one from Belarus are charged with the theft and sale of more than 40 million credit and debit card numbers. One more defendant has not been caught and is only known by his nickname.

The indictment alleges that a Miami man, Albert Gonzalez, drove around with a laptop hacking into wireless computer networks of major retailers, including TJX Companies, BJ’s Wholesale Club, OfficeMax, Barnes and Noble, and Forever 21 among others.

Once inside the networks, the “Gonzalez Eleven” installed “sniffer” programs that would capture card numbers together with passwords and account information. “Carders,” the name used by law enforcement agencies to describe credit and debit card con men, allegedly sold the stolen data to other criminals in the United States and Eastern Europe. The latter cloned them into fake plastic to cash out at ATMs later.

“On a global scale, it’s gigantic. It’s a whole industry. And it’s all because counterfeiting and stealing cards doesn’t require a lot of effort. They have a weak security system,” said a 25-year old carder from Ukraine who agreed to speak to the Kyiv Post only via e-mail.

He called himself Michael – that was the only personal information he would disclose. He sells cloned cards without pin codes for up to $200 apiece and sometimes he can sell 1,000 duplicates per day. “If there’s enough information about a card (a pin code is available), no one would resell it. It’s very easy to use it yourself.”

A source in Ukraine’s State Security Service (SBU) said that tracking people on the dark side of the Internet is very difficult because “they foul on a foreign land.” Attending international conferences on tackling cyber crime, he noticed that hackers from Ukraine and Russia became household names among security experts worldwide.

He said that technical universities in Ukraine grow plenty of young talent who end up swindling cards on a bet for a beer.

The agent warns that credit card fraud is rampant in the world, estimated to be in the tens of billions of dollars in the United States alone, and people should be wise about using their plastic. He is hoping that constant update of security systems will reduce some of the more popular types of identity theft, both online and off, that fraudsters are employing at large.

Skimming is a process in which a device is used to copy a magnetic stripe data from a card – one reason card holders are cautioned against dodgy-looking ATM machines or passing a card to a waiter in a restaurant.

Phishing refers to e-mail messages sent out to trick customers into disclosing banking information. These fraudulent emails pretend to be from well-known companies like E-bay, National Lottery, International Olympic Committee, etc.

The so-called Domain Name System (DNS) poisoning scams send chills down the spine of the entire net. They enable hackers to redirect users from popular banking or shopping web pages to bogus sites that attempt to install spyware on visitors’ computers.

“When a server is in America, a bank in the Baltic states, a client in Thailand and a cash machine in Ukraine, it’s a challenge to chase those behind the fraud,” said the security agent, expressing his frustration with a carders’ chain. Arresting them is half the battle, however. Then come extradition proceedings and tons of forensic evidence which can take forever in court.

On top of this banks make things worse by withholding information from law-enforcement agencies. “Which bank is going to release information that its system has been hacked? Their clients will run away from them the next day,” says Volodymyr Holubev, director of the Computer Crime Research Center based in Zaporizhzhya.

Carder Michael says that he does not feel 100 percent immune in his business. Yet virtual trading, which does not require any physical contact with his clients, minimizes the risk of being caught.

He says that the carder planet website was the most useful source to find clients to sell stolen data. It was run by Dmytro Golubov, a 22-­year­-old Ukrainian who was considered one of the godfathers of Eastern European carding rings.

The suspect was nabbed three years ago in connection with theft and international trading of millions of credit and debit card numbers that resulted in multimillion­dollar losses to banks and merchants. He did not remain in prison for long, however. About six months after his arrest, two Ukrainian politicians took him out on bail. Golubov argued that he was a victim of identity theft. Prosecutors are still moving with the case, whereas the alleged top carder formed a political party on the Internet.

“He’s like a Ukrainian Robin Hood. Sometimes authorities refuse to extradite or prosecute hackers like him to America because they want to use their talent,” says Yegor Anchishkin, the chief technical officer at Viewdle, a hi­tech company that designed its own face recognition technology.

According to Anchishkin, they are ideal informants for intelligence services helping to ferret out the real people behind online criminal nicknames.

In the case with “Gonzalez’ Eleven,” however, this practice has failed. Helping the U.S. Secret Service hacking investigation, the alleged Miami ring leader was double­dealing to save fellow carders.

As a result, the ring stole in the “tens of millions of dollars,” said Michael Sullivan, U.S. Attorney in Boston, in an interview with Reuters.

Anchishkin says that consumers, banks, restaurants and shops suffer most from carding fraud because payment systems are not always liable for fraud. “Competition among Visa, Master Card and American Express is not strong enough to make them invest more into modernizing infrastructure. Merchants compensate them for their losses and little changes”. In the Gonzalez case, TJX retail chain agreed to pay more than $60 million to credit card networks.

Banking experts and security agents reassure that Ukrainians are less prone to carding fraud as most of it happens abroad.

Ironically, carder Michael says that he also keeps his money in a bank. Nevertheless, he advises to set withdrawal limits on a card. Keep a constant eye on it and never trust it to anyone, even a waiter who can have a simple skimming machine under a table. Ask for two cards in the bank – one for small transactions and the other for saving purposes. Mobile banking is useful to track the time and the amount of a withdrawal. “And beware of the Internet. If the secret service databases get hacked, your computer is no effort at all”.