TAMPA, Fla.—Improvements in issuer fraud fighting tools are dropping the value of stolen credit card data on the Dark Web.
At the same time, the price for usernames and passwords on the black market is rising, CSCU reports.
“Credit and debit card numbers obtained by fraudsters through breaches at the POS used to fetch $5 and up on the Dark Web, to be used as counterfeit cards or used for fraudulent online purchases. But a recent webinar presented by the Aite Group, using data from Trend Micro, showed some eye-opening data, that a PAN with expiry and CVV is worth less than a quarter,” explained Lou Grilli, director of payments strategy, on CSCU’s The Payments Review blog. “Meanwhile a valid PayPal username and password is worth over $6, with Uber and Facebook username/password combinations going for around $3.”
What has changed?
The drop in the value of credit and debit card numbers is due to the ability for neural networks such as Fico’s Falcon Fraud manager system to detect potentially fraudulent card usage, combined with credit unions and banks becoming increasingly adept at shutting down breached cards, often before the true cardholder even knows that the card number is being used someplace else, explained Grilli.
Meanwhile, usernames and passwords have grown in value primarily due to laziness – all too many people use the same username and password across their email, banking, Amazon, Facebook, and other ecommerce and social media accounts, said Grilli.
“It is for this reason that hackers breached Yahoo’s user database to obtain half a billion accounts in 2013, and then went back for an additional billion accounts in 2014. The hackers don’t care about emails—their ambitions were much greater,” said Grilli.
As CUToday.info has reported, analysts have stated that improvements in fraud defenses, particularly the U.S. shift to EMV, is turning more crooks away from card data theft to stealing personal data to build fake account profiles.
“There are hackers that specialize in probing for openings in corporate networks, such as the breach of Sony, which exposed damaging insider chatter, Yahoo as mentioned above, the large Anthem medical records breach which exposed 80 million names, medical records, social security numbers and street addresses, Verifone’s corporate network which may have yielded point-of-sale terminal software information including design, source code, or signing keys,” explained Grilli. “There were many other similar breaches that have taken place over the last few years. Other hackers specialize in probing point-of-sale networks to insert malware to collect credit and debit card numbers over the course of months, holding on to the stolen card data for weeks or months to remain undetected as long as possible.”