- Buying stolen payment cards on the dark web is far cheaper than most people may realize, according to a Dec. 1 report released by the cybersecurity firm Nord Security, whose virtual private network has more than 14 million users.
- An analysis of about four million payment cards that belonged to citizens of 140 countries found that stolen American debit and credit cards could be purchased on average for $5.80, 40% below the average price for all cards of $9.70, the report said.
- The country with the most stolen cards circulating on the dark web was the U.S., accounting for about a third of the total, a press release Wednesday accompanying the report said. About 1.56 million of the stolen cards belonged to Americans, while Australia had the second most stolen, with 419,806 pilfered cards. Residents of Hong Kong ranked third, with 399,537 stolen cards.
"Even though the biggest number of card details found for sale were from these 3 countries, this doesn’t mean that they are the most vulnerable," said the release was issued under the company's NordVPN software brand. "The vulnerability depends on factors like the proportion of non-refundable cards (if a card is refundable, the owner can be reimbursed in case of being scammed)."
The analysis was based on data compiled in partnership with third-party cybersecurity researchers that the company didn't identify. "We do not operate with exact numbers of payment card details sold on the dark web, as NordVPN has only analyzed a set of statistical data provided by independent researchers," the release said.
Visa, the biggest U.S. card company, accounted for more than half (913,955) of all the stolen U.S. cards, followed by Mastercard (406,851) and American Express (143,836), the release from NordVPN said. Visa prepaid cards were twice as likely to be found on the dark web as the company's introductory level credit cards.
Mastercard had the opposite problem. NordVPN found three times more of its cards targeting affluent customers were hacked compared with prepaid offerings designed for people of more modest means.
“Since 2014, we have been seeing a constant growth in payment card fraud around the world," NordVPN Chief Technology Officer Marijus Briedis said in the release. "We decided to look into how much a payment card costs on the dark web and why there’s a booming underground black market for them. And the answer is that hackers can easily make a lot of money. Even if a card costs only $10 on average, a hacker can make ($40,000) by selling a single database."
Many of the stolen card numbers were hacked using a tactic cybersecurity experts call "brute-forcing," the report said. In brute-forcing, a computer tries to guess your password, testing a series of numbers until it gets it right, possibly in as few as six seconds. A computer is able to "make thousands of guesses a second,” Briedis said. “After all, criminals don’t target specific individuals or specific cards. It’s all about guessing any viable card details that work to sell."
Earlier this year, the Italian cybersecurity firm D3Lab found that a gang of hackers had posted more than 1 million stolen credit cards for free to promote a criminal marketplace called AllWorld[.]cards, according to CPO Magazine. AllWorld [.] cards has been operating since at least June and already has more than 2.5 million stolen cards selling between at between thirty cents and $14.40 apiece, CPO says.
Unfortunately, as NordVPN notes, short of abstaining from card use, "there is little users can do to protect themselves from this threat," the company said in the release. “The most important thing is to stay vigilant."
Among the suggestions, NordVPN has for consumers: review monthly statements for suspicious activity and report any concerns immediately. People should keep a small amount of money in any accounts connected to payments cards.