For Sale: Payment Card Data from $5
A new report from Armor, the global cybersecurity software company has revealed that compromised payment card data is available to buy on the dark web for as little as $5.
The ‘Dark Market Report’ 2020 conducted by Armor’s security research team, the Threat Resistance Unit (TRU) details insightful information on the activities of cybercriminals and although the coronavirus has wreaked havoc on economies around the world, it seems to have created new opportunities for underground cyber markets, where as many as 1 million monthly visitors congregate to offer stolen credentials, malicious software, bullet-proof hosting and tools for financial fraud. Amazingly, a ‘Hacker University’ has opened its underground door and even a cybercrime service where online criminals offer to ‘Destroy a Competitor’s Business’.
Within the report, the TRU state that “There are countless ads offering to sell credit card dumps. These are credit card credentials that include the Track 1 and Track 2 data and pin code. The track data is contained on the magnetic stripe on the back of the credit card and includes such information as the Primary Account Number (the credit card number printed on the front or back of the card). It also contains the name of the card owner, card expiration date, service code, Pin Verification Key Indicator, PIN Verification Value, and Card Verification Value (CVV), or Card Verification Code (CVC). Using this data, criminals can clone the actual credit card. These card credentials today are selling between $110 and $150 per card, depending on the country in which the card was issued and the type of card”
It would also seem that European card data is the most desirable, with credit cards with Track 1 and Track 2 data currently averaging around $120, whereas US cards can cost just $70. Interestingly, this is cheaper than 2019, with the TRU team considering the possibility that the COVID-19 pandemic has forced some sellers to reduce their prices as economies across the world began to decline due to the coronavirus.
Dark market merchants also are peddling credit cards without Track 1 and 2 data. These credentials usually contain the card owner’s name, billing address, card number, expiration data, and CVV or CVC number. These cards, depending on the country location from which they are issued, range in price. Today, credit cards, complete with CVV or CVC number and issued from U.S.-based financial institutions, cost between $5 and $12 depending on the type of credit card (Visa, MasterCard, Discover, or American Express). The price for similar credit cards, issued from the EU, are priced between $18 to $35. Interestingly, digital accounts such as Paypal are also being offered for sale from as little as $50, complete with a $500 balance.
Jason Mace, CEO at Gala Technology commented ‘This detailed report from our security partners at Armor, highlights the need for organisations to better protect sensitive card information. Coupled with the fact that Verizon’s 2020 Payment Security Report found that only 27 per cent of organisations worldwide were in line with the full requirements of the PCI DSS, it is easy to see why an estimated 33% of the credit card industry’s chargebacks were due to criminal fraud. With card data complete with CVV being available from as little as $5 this becomes highly desirable because cybercriminals can simply sit behind a computer or telephone and use the stolen credit cards to purchase expensive, luxury items.
Whilst the European mandate of PSD2 is being introduced to try and protect merchants and cardholders from fraud related activity, there is a strong belief that securing e-commerce channels will simply funnel the fraud down the telephony/MOTO channel.
If merchants are only armed with a virtual terminal then they are becoming increasingly exposed to fraud, chargebacks, additional processing costs and complex requirements to adhere to PCI DSS.
We would echo Troy Leach, CTO of the PCI Security Standards Council who suggests businesses need to the limit the amount of cardholder data that you (organisations) have within their environment as this is likely to reduce the risk of a breach.
Technologies, such as our multi-award-winning payment solution, SOTpay, is a cost-effective way of removing card data from the merchant’s environment, helping to secure CNP payments, whilst reducing cost and negating fraud related chargebacks.