Criminals can purchase more than just stolen card account numbers on the so-called dark Web.
A recent study by virtual private network provider NordVPN reveals that 51.5% of cards on the dark Web came with addresses, 39.8% came with phone numbers, and 28.7% came with an e-mail address. In addition, 2.5% of cards came with a date of birth, and 1.8% with Social Security numbers. NordVPN analyzed 6 million stolen cards on the dark Web, an online bazaar for stolen credentials.
Overall, 62.8% of the cards came with some form of additional information, indicating hacking, while up to 37.2% were guessed through brute-force attacks, meaning that the majority of stolen card details were obtained via hacking, NordVPN says.
“In the past, experts linked payment card fraud to brute-forcing attacks — when a criminal tries to guess a payment card number and CVV to use their victim’s card,” Adrianus Warmenhoven, a cybersecurity advisor for NordVPN, says in a statement. “However, most of the cards we found during our research were sold alongside the e-mail and home addresses of their victims, which are impossible to brute force. We can therefore conclude that they were stolen using more sophisticated methods, such as phishing and malware.”
Of the cards analyzed, 58.1%, or 3.5 million, belonged to Americans, making the United States the most affected country globally. The average price of American cards on the dark Web is $6.86 per card. In comparison, stolen cards overall on the dark Web sell for an average of $7.01, although many are leaked for free, according to the report.
Two million of the cards for sale included their American owners’ home address and telephone number, while 1 million cards included e-mail addresses, and about 100,000 cards included their owners’ date of birth and even SSN. American payment cards are also prone to fraud. According to NordVPN’s card fraud risk index, on a scale from 0 to 1, America’s payment card fraud risk index is 0.79.
Cards from Denmark commanded the highest average price at $11.54 per card, followed by cards from Japan, Portugal, and Ukraine, all of which commanded prices of $11 on average. In comparison, cards from Argentina and New Zealand were the cheapest, averaging less than $2.50. “Considering the amount of damage that can be caused with stolen card data and any bundled personal information, this is a shockingly small amount, suggesting that the use of stolen cards could itself be relatively scalable even by those who have obtained the details second-hand from the dark Web,” the report says.
Some 2.5 million cards were sold on dark Web marketplaces, according to NordVPN. If criminals were to sell the six million cards analyzed for the study, NordVPN estimates they could net more than $18.5 million.
Weighing the risks posed by credit card theft and related cyberattacks to consumers in 98 countries, Malta, Australia, and New Zealand ranked the highest according to NordVPN’s risk index, with the U.S. coming in fifth. On the other end of the spectrum, Russia had the lowest risk score, and China was third from last. “These findings seem to confirm prevailing hypotheses regarding the location of large-scale hacking operations and the purposeful targeting of Anglo-European countries,” the report says.