American credit and debit card data is disproportionately found in illicit markets in which cyber criminals buy and sell them.
We recently examined underground markets on the dark web for stolen credit card information and found over 23 million stolen credit card and debit card numbers offered for sale in the first half of 2019. Nearly two out of every three stolen cards, more than 15 million, were issued in the U.S. No other nation accounted for more than 10 percent of stolen card numbers. After the U.S., the largest source of stolen card data came from the U.K.
Our researchers also found that:
The number of stolen cards from Russia amounts to virtually zero - just 316 cards out of 23 million.
American Express cards, as well, seem to represent a lower share of stolen cards. The “don’t-leave-home-without-it” brand has a 22 percent market share in the U.S., but represents 12 percent of stolen cards.
Threat actors are moving outside traditional website-based markets, turning to Instant Relay Chat and encrypted Telegram channels instead. One IRC channel hosts a bot that is able to quickly validate stolen cards. It was used more than 425,000 times in the first half of 2019.
Americans use their credit and debit cards more than 123 billion times every year. They do so with roughly one billion payment cards. It should come as no surprise then, that American credit card users are an outsize target for cybercrime and fraud.
For perspective, the three largest card issuers, Visa, Mastercard, and American Express, have issued 5.1 billion credit and debit cards globally. In terms of the sheer number of cards issued, U.S. card users make up approximately 20 percent of the market. Worldwide, there are approximately 270 billion credit card transactions annually, according to Visa.
While 15 million stolen cards might seem insignificant when we discuss a world with billions of cards, consider this: credit and debit card fraud costs American businesses and consumers approximately $12 billion annually.
Credit Cards on the Dark Web
Fraudsters have a number of illicit methods they use to steal card data. They place “skimmers” over the card readers on gas pumps and ATM machines. Retail workers and restaurant employees use devices to copy the swipes when they take a card for payment. They infect computers and other devices with malware to record payment information when their owners buy from ecommerce sites. Hackers infiltrate the networks of large companies and simply steal millions of records at a time.
Compromised credit card information is sold on dark web markets for as little as $5, and comes in two classes. “CVV” information is sold with the three-digit number on the back of the card, which tend to be used in schemes in which criminals order things online. “Dumps,” which contain all of the information on the magnetic strip necessary to swipe, are used to replicate physical cards and make in-store purchases. Cards with CVV numbers were more popular, in part because the ability to fabricate new cards to be used in-person is far more difficult than using an ecommerce site.
One question we often get about stolen credit card data is whether criminals are honorable enough to trust each other. In theory, there is little to stop one threat actor from selling phony data, or old data to other hackers. When transactions are anonymized, there is very little chance of repercussions.
In practice, dark web markets are self-correcting. Sophisticated buyers use services found on Internet Relay Chat sites to quickly check the veracity of cards, usually through very small payments. Buyers are quick to post on message boards when bogus data is sold.
So, what can financial institutions and consumers do about it?
Continuously monitoring dark web markets represents one of the best opportunities to intercept the data used in fraud, so that consumers can be protected. Financial institutions can prevent a significant amount of fraud by looking at the same information that the threat actors use, and major companies, including Fortune 500 banks and insurance firms, are already doing so to protect consumers proactively.
Consumers can protect themselves by setting up banking alerts that notify them when suspicious activity is detected, and by monitoring their accounts on a regular basis. They are also encouraged to contact credit reporting agencies (like Experian, Equifax, or TransUnion) if they suspect their information has been compromised.