Three and a half years ago, DaniWeb was reporting how stolen credit cards could be purchased online for as little as $10 per card, complete with a guarantee that the accounts behind the cards were active, when purchased in larger volumes. So how has the market changed since the start of 2008?
It should come as no real surprise, given the number of high profile data breaches which have resulted in the loss of credit card information from online databases, that the underground cybercrime marketplace has become pretty saturated with credit cards for sale. And whenever a market gets saturated with goods, the cost of those goods comes tumbling down. Stolen credit cards do not escape from the bondage of the basic economic rule of supply and demand. This is proven, in part, by another previously reported story here at DaniWeb from four years ago. Back in September 2007 I was writing about how an online identity auction site was selling stolen credit card data for as little as $0.50 per card. Yet current values are nowhere near as low as that, so what is actually happening? Simple, in 2007 there had been another flood of card information onto the black market but the demand to buy wasn't as great as it is now. So although there was perhaps a little less data floating around, there were fewer buyers to sell to. That has certainly changed within a relatively short space of time, and now there are plenty of buyers with plenty of compromised card accounts to fulfil that demand.
So let's take a look at the current value of stolen credit cards to the online black market. Security specialists Imperva has reported that it's found stolen card for as little as $2 for a Visa card, climbing up to $6 for a Discovery card. The particular site selling these details is not, I would argue, at the cheap end of the market. I have been able to find black market sites dealing in stolen credit card information that would be happy to take $1.50 for Visa or MasterCard, and just $3 for American Express and Discovery cards if I purchase at least 50 at a time. The chap selling these particular cards was even happy to boast about his ability to accept PayPal as a payment method. Talking of which, the same chap was also selling active and mature (three months old) stolen PayPal accounts for $18 a time. Naturally all my information regarding the seller has been passed on to both PayPal and the relevant law enforcement agencies.
Oh, and the bad news for online bankers is that compromised bank accounts are also hitting the market in some numbers, although these still attract something of a premium. Mind you, that's not surprising when you consider that for $300 you can get access data for an account with a balance of $8000, and for $1000 that balance goes up to $28,000. Why is the seller not emptying the accounts and raking off a greater profit? That's another golden rule coming into play: the greater the risk the greater the reward. Selling account details is less risky than actually defrauding the account using those details, much less chance of getting caught...
