What Happens to Stolen Credit Card Data?
By Eva Norlyk Smith, Ph.D.
July 27, 2011
If your credit card details were recently compromised, you may find them sitting on a website waiting to be bought by another criminal, say fraud experts.
In fact, compromised credit card details and other stolen personal information, such as names, addresses and passwords, are easily available online, according to Brian Krebs, a former Washington Post reporter who now works as an independent investigative journalist and runs his own blog, Krebs On Security. You just have to know where to look.
Credit card details for sale
Experts say that the vast amount of stolen credit card data and other sensitive financial information that is available online has spawned a large underground economy of black market websites, through which cybercriminals buy and sell their stolen wares.
“There are dozens of forums where fraudsters can go to sell this credit card data in bulk,” says Krebs. “Some hacker forums are more exclusive than others, but basically, anyone can get in somewhere. If you know the URL and Web address, you can create an account and then just go shopping, or ask for their best offer.”
There are two main types of stolen credit card information, Krebs explains. One type provides basic credit card details, like account numbers and expiration dates. The other type, known as ‘dumps,’ supplies card details captured by credit card skimming devices attached to a machine such as an ATM. Dumps provide more complete information because skimming devices capture all the information stored on the magnetic stripe of the card, including PIN numbers.
“With that information you can essentially create a counterfeit credit card with a magnetic stripe,” says Krebs. “So you can go straight to an ATM machine and withdraw money. Dumps are much more valuable because they are very easy to convert into cash.”
However, converting stolen credit card details to cash is often far more cumbersome and risky. In many cases, for example, fraudsters have to first buy something and then convert the goods to cash.
Popular items to buy include electronics, which can be easily converted to cash on the black market. Or, scammers may attempt to use the information to purchase gift cards, which can be used anonymously or sold for cash on the Internet at a discount. In some cases, fraudsters have also loaded stolen credit card details directly on to gift cards and used these for purchases.
A profitable black market
Stolen credit card details are not the only thing for sale on underground trading websites. According to the annual Internet Security Threat Report from Symantec, you can also purchase Social Security numbers, bank account and debit card information, email addresses and any other type of sensitive personal information that a criminal mind could find a use for. Among these, credit card information and bank account credentials continue to be the most popular items, accounting for a total of 38 percent of items advertised in 2010.
The cost of stolen credit card details on the black market ranges from pennies to more than a $100. Bank account credentials typically run higher, ranging from $10 to as high as $900, according to Symantec. The price of the stolen credit card data depends on numerous factors, including the credit limit on the card, the available balance, how old the card is and whether it’s a Platinum or a regular credit card. Card data with detailed identity information and card-specific information such as CVV2 numbers, PINs or passwords to online accounts command top prices.
A growing problem
Recent reports of large-scale hacking attacks at major companies such as Citi and Sony PlayStation have left many consumers wondering just how secure their own credit card information really is. And according to industry professionals, there is good reason to wonder, particularly now that we live in an increasingly interconnected world.
“There is a lot more data that’s breachable being put online every day, and there is no shortage of people looking to get at that data,” says Krebs.
In fact, Web-based attacks have nearly doubled from 2009 to 2010, according to the annual Internet Security Threat Report from the online security company Symantec. According to the report, average daily attacks reached close to 20 million by the end of 2010.
Attacks may be specific, targeting large businesses or organizations, or they may be more widespread, aiming at computer users with outdated browser software and insufficient virus protection. The U.S. continues to be the hardest hit by Web attacks and other malicious activities, accounting for 19 percent of total malicious activity.
How to protect yourself
Experts agree that consumers have the largest role to play when it comes to protecting against identity theft and credit card fraud. While virus protection software and Internet browsers are constantly updated to provide more protections, these are of little use if consumers never install the updates.
In addition to keeping virus software and Internet browsers up to date, Krebs advises consumers to follow basic safe practices for Internet use to guard against malware. This includes never opening attachments from people you don’t know or clicking on links in emails from senders you don’t trust. In addition, be careful of the software company you keep.
“If you didn’t go looking for it, don’t install it,” says Krebs. “A lot of what carries malware is the stuff that flashes on you online. Many people download it and don’t even realize that they have become infected.”
In addition, if you install software, be sure to update it regularly. It’s important to keep not just the operating system and Internet browsers up to date, but also third party software. If you don’t use the software longer, get rid of it, Krebs advises. Finally, don’t fall for pop-ups that tell you your computer is infected and you need to buy a particular software to fix the problem.
“People know not to download this, but tens of thousands download it anyway,” says Krebs. “And unfortunately you’re giving your credit card information away to the people most likely to defraud you.”