The second half of 2020 marked a steady trend in the number of credit cards for sale on the dark web at approximately 45 million. Following a major crackdown by Russian law enforcement on these markets, the digital underground for stolen credit cards has yet to recover from its nearly 40% plummet in the first half of 2020.
To a certain extent, that’s good news, but our latest analysis on financial fraud on the dark web shows that cybercriminals are shifting tactics in response to regulation, law enforcement, COVID-19 and security measures.
Stolen credit cards sold on the dark web come in two forms. The first consists of the unencrypted data found on the magnetic stripe of a card. These are sold in large batches and referred to online as “dumps.” To use them, cybercriminals need to make a physical clone of the stolen card, and use them in physical locations. The second form includes the CVV code found on the back of the card - a requirement for online retail.
For the first time ever, the proportion of cards sold with a CVV fell to an all-time low, just 21 percent. Typically, CVV cards represent about 60 percent of stolen cards offered for sale.
Distribution of dumps vs. CVV In H2-2020
The reasons for this shift aren’t entirely clear, especially in light of the coronavirus lockdowns and changing consumer habits. The pandemic has seen more consumers turn to online shopping, which, in theory, would make CVVs. What we could be witnessing is a modest success among online retailers, who heightened security measures in the wake of the Magecart attacks.
At the same time, the overwhelming availability of dumps reflects the state of credit card security in the United States, where the vast majority of breached credit cards come from. Over 80 percent of stolen cards for sale on the dark web originate in the United States, which has been slow to shift away from the encrypted EMV chips that are resistant to physical cloning.
Distribution of compromised cards by country of origin In H2-2020
For a bit of indirect confirmation of this theory, credit card fraud in India is a great example. The percentage of stolen cards originating from Indian banks dropped sharply, from 16 percent of cards in the first half of 2020, to 0.18 percent in the second half. The improved numbers reflect the success of the Reserve Bank of India’s directive to replace magnetic-strip cards with more secure EMV cards. Between October 2018 and January 2019, over 67 million magnetic-strip cards were taken out of circulation, and this seems to correlate with a massive drop in credit card fraud in the following months.
Compromised credit cards originating from India for sale on underground markets in 2020
We also saw a rise in the proportion of American Express cards available on the dark web. In the first half of 2020, about 6 percent of stolen cards were issued by American Express. In the second half, that figure jumped to 38 percent. A possible explanation has to do with the demographics of card users. American Express customers tend to be wealthier and they tend to spend more. The company has also said that online spending by its card members grew by more than 20 percent in 2020. High income consumers have not been impacted by the pandemic to the same extent as those less fortunate. It appears that American Express users may be more susceptible to having their card data stolen because they use their cards more often.
Segmentation of compromised cards by card network in H2-2020
The market for stolen credit card data in the second half of 2020 will surprise many close observers. The over-representation of U.S. cards and the decline of cards issued in India may reflect the success of the transition to EMV chips. The decline of the number of stolen CVV cards may require future investigation.
It’s possible this shift merely reflects the volatility of the underground and furtive nature of its participants. While there was a clear change in the types of credit cards sold, there was also a shift in the popularity of certain underground markets. In fact, one underground site regained its place as the dark web’s market leader for stolen credit cards, accounting for nearly two-thirds of the stolen credit cards offered for sale in our review period. In the first six months of 2020, that same site had held a 1 percent market share of stolen credit cards on the dark web.
However, while the underground card market continues to show significant volatility, there are some pretty clear trendlines. Cybercrime and fraud are crimes of opportunity, and opportunity is growing quickly. Just as threat actors have been able to mobilize in response to the pandemic by running vaccine scams, for example, we believe that the shift to a digital economy will continue to create incentives and opportunity for financial fraud.