Three and a half years ago, DaniWeb was reporting how stolen credit cards could be purchased online for as little as $10 per card, complete with a guarantee that the accounts behind the cards were active, when purchased in larger volumes. So how has the market changed since the start of 2008?
It should come as no real surprise, given the number of high-profile data breaches which have resulted in the loss of credit card information from online databases, that the underground cybercrime marketplace has become pretty saturated with credit cards for sale. And whenever a market gets saturated with goods, the cost of those goods comes tumbling down. Stolen credit cards do not escape from the bondage of the basic economic rule of supply and demand. This is proven, in part, by another previously reported story here at DaniWeb from four years ago. Back in September 2007 I was writing about how an online identity auction site was selling stolen credit card data for as little as $0.50 per card. Yet current values are nowhere near as low as that, so what is actually happening? Simple: in 2007 there had been another flood of card information onto the black market but the demand to buy wasn't as great as it is now. So although there was perhaps a little less data floating around, there were fewer buyers to sell to. That has certainly changed within a relatively short space of time, and now there are plenty of buyers with plenty of compromised card accounts to fulfil that demand.
So let's take a look at the current value of stolen credit cards to the online black market. Security specialist Imperva has reported that it has found stolen cards for as little as $2 for a Visa card, climbing up to $6 for a Discovery card. The particular site selling these details is not, I would argue, at the cheap end of the market. I have been able to find black market sites dealing in stolen credit card information that would be happy to take $1.50 for Visa or MasterCard, and just $3 for American Express and Discovery cards if I purchase at least 50 at a time. The chap selling these particular cards was even happy to boast about his ability to accept PayPal as a payment method. Talking of which, the same chap was also selling active and mature (three months old) stolen PayPal accounts for $18 a time. Naturally all my information regarding the seller has been passed on to both PayPal and the relevant law enforcement agencies.
Oh, and the bad news for online bankers is that compromised bank accounts are also hitting the market in some numbers, although these still attract something of a premium. Mind you, that's not surprising when you consider that for $300 you can get access data for an account with a balance of $8000, and for $1000 that balance goes up to $28,000. Why is the seller not emptying the accounts and raking off a greater profit? That's another golden rule coming into play: the greater the risk the greater the reward. Selling account details is less risky than actually defrauding the account using those details, much less chance of getting caught...
I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro - the best selling IT magazine in the UK.
Day before yesterday I got an alert on my mobile for a transaction of $25 on my VISA credit card. Since I was traveling I got suspicious, maybe someone has stolen the card. Once I realized the card was with me only I had to call the bank to get the card blocked. Later I came to know someone has used the card to register some domain on godaddy.com. Since I blocked the card, now I have to pay to get a replacement card with tax.
I worked for an on-line, after-market auto supply store - what we sold was mostly add-on glitz like head units, speakers, lights and so on. This is an extremely high fraud market place so we had to verify every card and over a certain amount, we had to call and speak with the cardholder. On one call, I contacted the cardholder about a $12,000 order; she had no idea about the order so I went over the fraud steps. I was fired for this call because a co-worker overheard the call and reported me as having called the cardholder to tell her about the fraud rather than calling to verify the order.
Here in the UK, credit card thieves used to use pay-by-card petrol pumps to verify if a stolen card had been reported as such yet or was still active and usable. Made for a relatively risk-free method of checking. The introduction of C&P to most such pumps here has put a stop to that.
Stolen cards aren't the only problem, I got my card 'cloned' when I went to an ATM in Rome a few years ago. When I tried to get money out in Assisi the next day, my account was emptied (luckily it was a rechargeable cash card - not a debit/credit card) - but unfortunately I had to wait three weeks until after my hols to get my money back. Oh, how I wish I could get my hands on the little shits.
How about getting convicted fraudsters to give up both hands to the axe? Now that I would give my credit card to see. :)
I got my card 'cloned' when I went to an ATM in Rome a few years ago.
This is a new problem at one of my jobs. They take an extra glance to catch, because their "real" card matches their real name on their real ID. With some trickery, even the CID/CCV matches. Only way to catch it is to verify with the receipt.