The plethora of password breaches in the last two years has helped cybercriminals diversify their products and services by adding a variety of new stolen credentials for sale. However, the business of credit card fraud is still a thriving operation in the black market, complete with an entire ecosystem which offers trading of stolen credit cards and carded items, carding tutorials, carding services and much more.
Compromised cards are categorized in fraudster communities into two groups: 'CVV2' and 'dumps' depending on how they were compromised, and as a result, the type of data that was harvested.
'CVV2', in the fraudster community, refers to card data compromised through cyber attacks targeting online transactions or e-commerce, and thus includes CVV2 - the three digits on the back of a card. The data harvested also includes card number, full name, expiration date and billing address. The term 'Dumps' refers to card data compromised through skimming point of sale machines or ATMs and includes the card's dump information which is stored on the magnetic stripe. This data can later be used to clone a physical card using an MSR device and plastic card blanks.
Making the Purchase
Cybercriminals often advertise their card data in forum posts, fraud groups and chat rooms, and it is a common practice to share CVV2 data as 'freebies' in order to increase their reputation in the fraud community and attract potential buyers. Since the underground is flooded with compromised data, and in order to facilitate the trading, fraudsters utilize online stores to buy and sell in bulk. These stores, for the most part, look and feel exactly like legitimate e-commerce sites with buyers able to simply add their merchandise to a shopping cart and check out.
Online stores that sell CVV2 card data display previews which typically include BIN, expiration date, card holder's first name and address. Once a card is purchased, the full card details will be provided. Occasionally, this information includes additional details such as the cardholder's full PII, online login information to the account associated to the card and answers to security questions. Due to the nature of these previews, the partial information presented upfront for the compromised data is often enough for card issuers to be able to identify the affected cardholder.
Dump stores present similar previews, however, as opposed to CVV2 data, they do not reveal the card holder's first name and address. This is due to the type of information embedded into the magnetic stripe. After purchase, the buyer will receive full Track 2 information and potentially also the card's PIN code. Dumps allow fraudsters to physically clone the card and use it in card-present transactions, raising less suspicion during the transaction. As such, dumps are more expensive as a rule than CVV2 data.
Social media sites are another conduit supporting cybercrime activity and the sale of stolen data. A study by RSA on the prevalence of fraud occurring on popular social media platforms found that 53% of all fraud-related forums, groups and conversations were related to carding and carding activity.
The Price Tag of Stolen Identities
When it comes to compromised cards, there is no typical going rate. The price of card data varies greatly and is influenced by a range of criteria which contributes to the card's success rate including:
Base: the base refers to the source from which the cards were obtained. In cases where the hackers are hired by the store, they will price the cards according to the amount of work needed to obtain the card data. The base also indicates when the cards were obtained and what information is available.
Expiration date: Cards with a longer potential life are more valuable.
Additional PII details available: The more PII available, the more options the fraudster will have for cashout. Additional PII data includes SSN, DOB, phone number, email address and more.
Refund policy: Some cards may be refunded if they are not "live" depending on the store and the base from which they were obtained.
Card security: Cards will cost more if their BINs are not part of the Verified by Visa or MasterCard SecureCode two-factor authentication security systems.
Card level: Premium cards typically hold more potential for high financial gain and are therefore sold at a higher price.
Country: Price is often influenced by how scarce other cards from the same country are and how wealthy the country is perceived to be.
The map below displays the average card prices per country based on the top 20 countries with the highest number of cards for sale in 2017.
New online credit card stores are introduced on a regular basis, and cybercriminals are utilizing different techniques to obtain the card data and protect their stores such as the use of blockchain-based domains.
On the positive side, security mechanisms are proven to deter fraudsters. BIN lists are often circulated in fraud forums with the purpose of alerting other fraudsters about BINs that are protected with Verified by Visa or MasterCard SecureCode. Such mechanisms lower the value of these cards and make them less desirable to fraudsters. The move by issuers to the 3D Secure 2.0 protocol will likely have an even greater impact as it will be that much harder for fraudsters to conduct card-not-present transactions.
# # #
Early detection is critical in the battle against credit card fraud. It is valuable to have insight into compromised cards that may be for sale in the wild in order to identify fraud before it even occurs. However, as this insight is not always possible, embracing the 3D Secure 2.0 protocol offers yet another layer of security for issuers and merchants to prevent the rise of card-not-present fraud. Learn more about the benefits of 3D Secure 2.0 and why it pays to be ready.