All this talk of stolen credit cards and “skimming.” Then what? What happens after you’ve swiped your card through a tampered-with ATM, gas pump, or bank entry door?

A kid, a computer, and a clever scam that games the system—that’s all it takes to make big bucks, without leaving home. For credit card fraudsters like the teenager who calls himself “d0g,” it’s simply online shopping. He doesn’t handle merchandise, cash checks, or visit drop spots. His butt never leaves his chair, his fingers never leave his keyboard, his eyes never leave his screen.

How fraud with a stolen credit card works

It’s all about shopping, according to Patrick Lambert, who poked around the underground “carder sites” that sell the information from stolen credit cards. Buy one for a few dollars and just go shopping! Well… not quite.

What’s a credit card fraudster to do: buy expensive goods online and have them shipped to his home? Certainly not. In his Interview with a malicious hacker making over $10,000 a week, [Edit 7/8/13: Lambert has taken down his fascinating and instructive article.] Lambert reports how easy it is to find and use these carder sites, and how to turn the hot credit card into hard cash:

So finally, the last question I had was how they manage to get actual, physical goods using that stolen credit card, without having to divulge their address. The way I was explained is that all he has to do is post ads on eBay for popular items that he doesn’t actually have. Then, when someone buys it, he turns around and buys that same item from some online store with the bought CC numbers, and puts the eBay buyer’s address as the shipping location. He makes those stores send the products directly to his buyers, and gets clean cash for them, which he can spend any way he wants. It’s a type of online money laundering. And apparently, the reason why these stolen numbers are sold so cheaply is because a vast majority of them are either already canceled, or maxed out.

Now I’m wondering about the wide-format pro printer I sold on Craig’s List: did I unwittingly sell it to an ID thief and obediently ship it to the innocent third party who supplied the thief with clean money? It could have worked that way, at least if I were a store that accepted credit card payments. In my case, I was paid via PayPal, and the funds cleared. Can a thief fund PayPal with a stolen credit card? I’m not sure…

You can see how this three-way scam works. An innocent and unsuspecting buyer of goods provides clean money in return for real items, and is none the wiser. A merchant sells items and is paid with a stolen credit card. d0g sits in the middle pulling strings and catching the money. Easy!

There’s much more to it though, Lambert learned from d0g. “Doing the crime, getting rich with stolen identities, is really easy. The hard part is covering your tracks, and 90% of the things these people do are for the sole purpose of covering themselves.”

That would include subscribing to a VPN (a secure and anonymous web tunnel), and funding an anonymous online payment system.

This sort of “hacking” (which is not what I would call it) can be done on a large or very small scale, but either way, easily, and causing serious financial damage. If it’s true that one credit card fraudster (like d0g, the teenager) can net over $10,000 a week with a low risk of getting caught, it’s clear that the vocation would attract legions of practitioners. It’s clear, too, that our payment system needs fixing.

* * *

12/22/15 Note to HACKERS: I appreciate when you contribute additional knowledge in the hundreds of comments below, but please realize that this post will not function as a message board for contacting each other. Check it out: all email addresses in the comments below have been deleted. This is done by a human (me), not a robot. So please save yourself (and me) the trouble. Do comment on credit card hacking, but don’t look for business here. Thanks —BV

Later note: Alas, I had to close comments on this post due to soliciting. However, there’s really interesting stuff below. Thanks for all the contributions!

Even later note: Looks like skimmers’ days may be numbered, thanks to the Skim Reaper, a credit card-sized detection device that we can dip into an ATM or POS before using it to determine its safety. Well, we won’t be using it any time soon, at a cost of almost $500, but let’s say maybe bank branch managers will check their machines periodically, and police can check random ATMs.