Stolen or illegally acquired credit and debit card details have always been available for purchase. However, a new report about the easy availability of the most common and popular financial products on the Dark Web reveals some interesting and disturbing details. The report also indicates how the organized, systematic and massive the illegal trade of credit card information goes on, and how simple it is for interested buyers to acquire such details. The most vulnerable victims to credit card information’s theft and trade are citizens of the United States, while the least vulnerable appear to be Russians. But the reasons for the unusually high disparity are quite different.

Cyber-security firm Sixgill has just released a detailed report that offers some fascinating and disturbing details about trends and trades taking place in the Dark Web. The Underground Financial Fraud report specifically chronicles the details about stolen financial data. It reveals how the network exists and works with multiple parties and agencies that collect, collate, sort and even offers other services to ascertain the quality, origin and even estimated worth of the illegally acquired credit card information. Some of the shocking revelations include the absurdly high number of victims from particular regions.

23 Million Credit and Debit Cards Were On Offer in Underground Forums In The First Half Of 2019

The research team that conducted the study and published the findings indicate there were about 23 million credit card and debit card details available for purchase in the Dark Web. Incidentally, the biggest portion of the stolen or illegally acquired financial information originated from the Americas. The report states that nearly two out of every three credit or debit cards belonged to an America. In other words, the U.S. alone accounted for roughly two-thirds of stolen information. In short, the U.S. leaves all other countries far behind, and Americans are by far the most vulnerable to credit card fraud.

According to the report, from the 23 million stolen credit and debit cards, U.S. victims alone, accounted for 64.49 percent. The second most susceptible group of citizens, whose credit and debit card details were easily available to third parties for purchase in bulk were from the U.K. However, except for the U.S. no other country’s citizens accounted for anywhere near 10 percent. Collectively, the entire affected UK population accounted for just 7.43 percent. Just 3.78 percent of Indian citizens had their credit and debit card information available for purchase despite a vast population actively using them after the demonetization drive and push towards cashless transactions after 2016.

Over 23 million stolen credit cards are being traded on the Dark Web

— ZDNet (@ZDNet) July 25, 2019

Interestingly, the least vulnerable country to the financial fraud through stolen credit and debit card information was Russia. With just 0.0014 percent of the information belonging to Russian citizens, the country appears to be the safest to own and use a credit or debit card. Actual numbers indicate only 316 cards from 23 million belonged to Russians. However, the report claims there are at least a couple of reasons for the absurd disparity.

The report suggests that the majority of the organized hacking groups that go after such information, seem to originate from Russia. The biggest deterrent to criminals stealing their own countrymen’s financial information is the severe punishment that awaits them if caught. The inability of other countries to extradite criminals involved in cybercrimes originating from Russia offers a sufficient impetus. The second most prominent reason for the shockingly low number of stolen Russian credit and debit cards is the country’s economic position and the relatively low amount of accumulated and traded wealth, claims the report.

“Russia’s financial straits are nothing new — its GDP per capita is $11,000, a sixth of America’s $62,000. With such staggering economic disparity between the two countries, we can certainly expect a sizable difference between the number of American and Russian cards offered for sale in underground markets.”

Simply put, American citizens and their financial information offer a much more lucrative and financially rewarding prospect as compared to all other countries. U.S. citizens deal a lot more with credit cards than other countries. Hence the sheer volume offers a much bigger chance of earning well through financial fraud. Statistically speaking, U.S. citizens collectively use their credit and debit cards more than 123 billion times every year. Transactions are conducted using about a billion payment cards. Essentially, the American credit and debit card segment is the biggest target for cybercrime and fraud.

What Type Of Stolen Credit or Debit Card Are Available On The Internet and How Much Do They Cost?

The three largest card issuers, VISA, MasterCard, and American Express, have collectively issued 5.1 billion credit and debit cards around the world. The American market alone accounts for 20 percent of these payment cards. Annually, there are about 270 billion credit card transactions taking place, indicates VISA.

While 23 million from 5.1 billion credit and debit cards might seem a rather insignificant number, the quantum of potential money to be made from these cards is considerable. On average, credit and debit card fraud cost American businesses and consumers approximately $12 billion annually. In other words, theft, trade, and illegal usage of stolen credit and debit card information are one of the biggest international businesses that surpass several popular retail and online businesses by a wide margin.

Over 750,000 debit and credit cards for sale found on the deep web #Bank #Security #infosec #DarkWeb

— Bank Security (@Bank_Security) February 24, 2018

From the three dominant credit and debit card companies, American Express appears to be the least preferred by thieves. While AMEX has a 22 percent market share in the U.S, only 12 percent of the stolen card details belong to this company. The most vulnerable brand of credit and debit cards appear to be VISA with 57 percent of stolen financial records, followed by MasterCard at 29 percent.

The report also claims sellers are charging as low as $5 per stolen credit card information. However, the charges vary as per the information and its quality. Lower prices are usually applicable to large “dumps” containing potentially thousands of numbers usable in the creation of clone cards for physical purchases. The most valuable or expensive commodities are records also containing CVV numbers. The inclusion of this additional three-digit security code found on the back of payment cards makes the collection quite valuable and instantly usable. Combined with the name, card number, CVV code, and expiry date, the illegally acquired credit card information is indecipherable from a legally used card. These details can allow fraudsters to make purchases online as well as in person.

How Are Credit And Debit Card Stolen And Sold On The Dark Web?

Stealing credit and debit card information has been one of the fields that use multiple techniques and technologies. Criminals place “skimmers” over the card readers that are extensively used at gas pumps and ATMs. Retail workers and restaurant employees use simple yet powerful devices to quickly copy the credit card swipes when they take a card for payment. Hackers infect computers and other devices with malware to record payment information when their owners buy from eCommerce sites. There have been many instances wherein cybercriminals have successfully infiltrated the networks of large companies and simply stolen millions of financial records in a single heist.

Interestingly, sellers and buyers of such information have been improving the quality of illegal credit and debit card information. Buyers use services found on Internet Relay Chat sites to quickly check the veracity of cards. Usually, a very small payment successfully executed through the credit or debit confirms the usability of the same. One IRC channel even had an automated bot that was able to quickly validate stolen cards. The report indicates it was used more than 425,000 times in the first half of 2019. Apart from these techniques that ensure quality, buyers who have been fooled with bogus data quickly post messages pointing out the fraudsters.

The Dark Web has always been a popular destination for selling and buying such illegally acquired credit and debit card information. Moreover, illegal trading posts and marketplaces were preferred techniques too. However, law enforcement officials and cyber-crime agencies have been going after such platforms and forcing their closures. Alphabay, Hansa, and Silk Road were quite popular with hacking groups. However, these platforms have been successfully shuttered. Undeterred, criminals have evolved. They keep exploring and finding newer channels to continue their illicit trade.

Since traditional channels and marketplaces are increasingly risky and uncertain, buyers and sellers of stolen information are quickly moving to other platforms. The report indicates agencies are moving outside traditional website-based markets and adopting Instant Relay Chat and encrypted Telegram channels. These platforms often offer end-to-end encryption and hence have strong protection against eavesdropping by law enforcement officials. In essence, the market and techniques are quite flexible and difficult to catch and close, the report indicated.

The centralization of fraudulent activity in a handful of markets mirrors similar economic and commercial patterns in real-world financial markets. This phenomenon may seem like a ripe opportunity for law enforcement agencies to effectively shut down a sizable portion of cybercriminal activity; however, as we’ve seen in the past with the shutting down of markets like Alphabay, Hansa, and Silk Road, threat actors quickly migrate their activities to other markets.”