What is a breached credit card number worth?

Posted: Apr 13, 2017
Author: Lou Grilli

As it turns out, a lot less than your username and password.

Credit and debit card numbers obtained by fraudsters through breaches at the POS used to fetch $5 and up on the dark web, to be used as counterfeit cards or for fraudulent online purchases. But a recent webinar presented by the Aite Group, using data from Trend Micro, showed some eye-opening data: a PAN (primary account number) with expiry and CVV is worth less than a quarter. Meanwhile, a valid PayPal username and password is worth over $6, with Uber and Facebook username/password combinations going for around $3. What has changed?

The drop in value of credit and debit card numbers is due to the ability of neural networks such as FICO’s Falcon Fraud Manager system to detect potentially fraudulent card usage, combined with credit unions and banks becoming increasingly adept at shutting down breached cards, often before the true cardholder even knows that the card number is being used someplace else.

Meanwhile, usernames and passwords have grown in value, primarily because of laziness – all too many people use the same username and password across their email, banking, Amazon, Facebook, and other e-commerce and social media accounts. It is for this reason that hackers breached Yahoo’s user database to obtain half a billion accounts in 2013, and then went back for an additional billion accounts in 2014. The hackers didn’t care about emails – their ambitions were much greater.

Fraud has become a very sophisticated and very lucrative business.

There are hackers that specialize in probing for openings in corporate networks. Examples include the breach of Sony, which exposed damaging insider chatter; Yahoo, as mentioned above; the large Anthem medical records breach, which exposed 80 million names, medical records, social security numbers and street addresses; and Verifone’s corporate network, which may have yielded point-of-sale terminal software information including design, source code, or signing keys. Many other similar breaches have taken place over the last few years. Other hackers specialize in probing point-of-sale networks to insert malware that collects credit and debit card numbers over the course of months, holding on to the stolen card data for weeks or months to remain undetected as long as possible.

These hackers are paid by selling the data obtained in the breaches on the “dark web”, a common term for a closed network used by hackers to share, buy, and sell information. Downstream fraudsters then purchase and use the data. The stolen card numbers are purchased by counterfeiting rings that often try several cards at a time at gas pumps, out of sight of the store clerk, not buying gas but just validating whether the card is still active or has already been shut down. This is why credit unions should look for authorization requests with no settlement files, as this often indicates fraud-about-to-happen. After sifting the cards down to the ones still open, the still-working cards are then sold for a mark-up to counterfeiting rings who specialize in going on rapid shopping sprees, purchasing gift cards or electronics that can be easily sold for cash, using each card number until it is shut down and then cycling through to the next card number.
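As an added illustration of the "authorization requests with no settlement files" check (example code, not from the original article or any vendor product), the sketch below flags terminals where several different cards were authorized within a few minutes and none of those authorizations ever settled. The record layout, terminal IDs, card tokens, window and threshold are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorizations: (timestamp, terminal_id, card_token, auth_id)
AUTHS = [
    ("2017-04-01T02:10:05", "PUMP-07", "tok_a1", "A1"),
    ("2017-04-01T02:11:40", "PUMP-07", "tok_b2", "A2"),
    ("2017-04-01T02:13:02", "PUMP-07", "tok_c3", "A3"),
    ("2017-04-01T02:14:30", "PUMP-07", "tok_d4", "A4"),
    ("2017-04-01T08:30:00", "PUMP-02", "tok_e5", "A5"),
    ("2017-04-01T08:45:00", "PUMP-02", "tok_f6", "A6"),
    ("2017-04-01T09:00:00", "PUMP-03", "tok_g7", "A7"),
    ("2017-04-01T15:00:00", "PUMP-03", "tok_h8", "A8"),
]
# Constructed: auth_ids that later appeared in a settlement file.
SETTLED = {"A5", "A6"}


def unsettled_card_testing(auths, settled, window=timedelta(minutes=10), min_cards=3):
    """Return {terminal_id: [card tokens]} for terminals where at least
    `min_cards` distinct cards were authorized inside `window` and none of
    those authorizations was ever settled."""
    by_terminal = defaultdict(list)
    for ts, terminal, card, auth_id in auths:
        if auth_id not in settled:  # keep only authorizations that never settled
            by_terminal[terminal].append((datetime.fromisoformat(ts), card))

    flagged = {}
    for terminal, events in by_terminal.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while events[end][0] - events[start][0] > window:
                start += 1
            cards = {card for _, card in events[start:end + 1]}
            if len(cards) >= min_cards:
                flagged.setdefault(terminal, set()).update(cards)
    return {terminal: sorted(cards) for terminal, cards in flagged.items()}


if __name__ == "__main__":
    for terminal, cards in unsettled_card_testing(AUTHS, SETTLED).items():
        print(terminal, "unsettled test authorizations for cards:", cards)
```

The flagged card tokens are the ones worth reviewing or reissuing before they are resold as confirmed-active.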

The fraudsters who purchase the username and password data have become even more sophisticated. They employ coders who develop and maintain software bots which try each username and password on every major banking site, on PayPal, Amazon, Facebook, Venmo, and many other sites that can be used to obtain funds. If the bot gets a return result other than “incorrect username/password combination” from each respective site, that combination is set aside to be used by fraud specialists who set up bill pay payees and transfer money out of accounts, or set up fake purchases on Facebook Messenger and PayPal, or fake persons for P2P payments on Venmo, all done anonymously and with very little left for law enforcement to trace.

Some particularly clever fraudsters got into several bank accounts at banks that enable cardless cash via mobile, changed the mobile number in the user’s profile, downloaded the mobile banking app, verified the identity, withdrew the maximum amount using the mobile cardless cash at the ATM, then went back into the account to delete the phone number, covering their tracks.

In other cases, fraudsters set up a new bill pay biller, which was a prepaid debit account at Metabank set up using stolen identification. Once the maximum amount allowed by bill pay was transferred, the fraudsters drained the prepaid account, leaving nothing for law enforcement to trace.
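Both account-takeover patterns above (a changed mobile number followed by a maximum cardless cash withdrawal, and a new bill pay biller followed by a maximum transfer) share one detectable shape: a profile change followed shortly by a limit-sized money movement. The rule below is an added example, not code from the original article; the event names, per-channel limits, 24-hour window and sample log are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed account event log: (timestamp, account, event, amount or "")
EVENTS = [
    ("2017-03-02T01:00:00", "acct-1", "phone_changed", ""),
    ("2017-03-02T01:05:00", "acct-1", "mobile_app_enrolled", ""),
    ("2017-03-02T01:40:00", "acct-1", "cardless_cash", "500"),
    ("2017-03-02T01:55:00", "acct-1", "phone_removed", ""),
    ("2017-03-03T10:00:00", "acct-2", "payee_added", ""),
    ("2017-03-03T10:20:00", "acct-2", "billpay_sent", "2500"),
    ("2017-03-01T09:00:00", "acct-3", "payee_added", ""),
    ("2017-03-20T09:00:00", "acct-3", "billpay_sent", "80"),
]

# Assumed mapping: which profile change enables which money movement.
PAIRS = {"phone_changed": "cardless_cash", "payee_added": "billpay_sent"}
# Assumed per-channel maximums; a real institution would use its own limits.
LIMITS = {"cardless_cash": 500, "billpay_sent": 2500}


def change_then_drain(events, window=timedelta(hours=24)):
    """Alert when a limit-sized movement follows the enabling profile change
    within `window`; mark alerts where the phone number was later removed."""
    alerts = []
    last_change = {}  # (account, movement it enables) -> time of the change
    for ts, account, event, detail in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if event in PAIRS:
            last_change[(account, PAIRS[event])] = when
        elif event in LIMITS:
            changed = last_change.get((account, event))
            at_limit = int(detail) >= LIMITS[event]
            if changed is not None and when - changed <= window and at_limit:
                alerts.append({"account": account, "movement": event,
                               "amount": int(detail), "covered_tracks": False})
        elif event == "phone_removed":
            # Removing the number after the withdrawal matches the clean-up step.
            for alert in alerts:
                if alert["account"] == account and alert["movement"] == "cardless_cash":
                    alert["covered_tracks"] = True
    return alerts


if __name__ == "__main__":
    for alert in change_then_drain(EVENTS):
        print(alert)
```

The long-standing payee on acct-3 with a small payment produces no alert, which keeps the rule from firing on ordinary bill pay use.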

It’s nearly impossible to stop the breaches; as long as there is value in what’s being stolen, there will be hackers who will find a way to steal the data. The best thing an individual can do is use a different password for every login, even if it means writing them down on a piece of paper (some corporate policies do not allow this, but for personal accounts it’s better than reusing passwords across multiple sites).

Lou Grilli

Lou is the AVP of Product Development & Thought Leadership at Trellance. In this role, he is responsible for managing the organization’s product portfolio, as well as providing leadership on industry trends related to data analytics and payments.
