What Happens to Your Stolen Credit Card Data? A Glimpse into Underground Markets

Everyone feels a nagging sliver of doubt when they hear about high-profile breaches like those of Target, Neiman Marcus or Home Depot. Is my data in the hands of thieves? Is it safely hidden in the sea of stolen data? So what really happens with the millions of stolen credentials?

Obviously, cyber-thieves prefer to target large numbers of users with a single attack rather than go after one at a time ” it saves them time and money. They also rarely view data as an end-goal; they often exchange it for other goods or cash.

Where is your credit card data “dumped”?

Trading CVV numbers, PIN numbers and other sensitive data takes place on online marketplaces, communities that act just like reputable ones, with verified dealers, vendors and sellers. Some sites are public and buyers can register for free. Other markets, such as the notorious Silk Road, are in the so-called dark web, which means they don`t show up in Google search results. Through Tor, buyers browse and make illegal purchases anonymously using electronic currencies, without facing the risk of being identified by authorities.

Typical of most card shops, the home page features the latest additions of stolen cards, as well as price discounts on older batches of cards. The marketplace is usually organized by the items available for sale, including CVV numbers, passwords, PayPal accounts, hacking tools and premium credit cards. Users can search for cards by city, state and ZIP number. If they don`t find what they`re looking for, they can place an order for a specific set of data.

Just as respectable retailers do, “black markets” have clear terms and conditions, refund and replacement policies. Some sites put it straight: “No money back. We are not a bank.” Others are more flexible: the batches of stolen cards, known as “dumps,” can be replaced within 48 hours if buyers complain the batch doesn`t include valid, active bank accounts. And you don`t have to be a hacker to test it – anyone can pick a CVV from a list and initiate an online purchase.

Bogdan Botezatu, Senior E-threat Analyst at Bitdefender says:

Some underground forums sell credit card information in bulk and even provide post-sales support, including replacements for terminated or otherwise invalid credit cards. They often provide faster and better support than financial institutions.

As for pricing, things are relatively simple: the more information in stock, the lower the price per item. And the newer the data, the more interesting. Higher-value cards, known as “VIP batches,” are retailed as “freshly hacked and good balance CC for VIP members,” which makes them more expensive. A good balance is usually 30% less than the credit card limit, which means more funds to spend for those controlling these premium accounts.

Payment methods are diverse and clearly stated on the site. Some sellers have firm demands:

“If anyone wants to do regular business with me, then you must have many bank accounts, Paypal, Moneybookers and fake IDs for Western Union (WU) because, after 2 or 3 transfers, your Paypal and WU IDs will be blacklisted and banned. So think before the deal.” Not surprisingly, Bitcoin is the currency of choice for transactions, as it preserves anonymity on both ends. After the payment transfer is complete, sellers are rewarded reviews and higher trust scores.

So your data now belongs to someone else. Someone who might use it to empty your account or sell it to others for an even higher price. You probably ask yourself:

How do I know I`ve been hacked?

You don`t. Usually not before the damage is already done.

Can I retrieve my credit card data?

No. But you can have your plastic card renewed upon request for a fee that varies from bank to bank.

Simple tips on how to stay safe

1. Report lost or stolen cards immediately.
2. Review your billing statements each month. Check your account activity as often as several times per week and notify your bank of any charge you didn`t make.
3. Activate an identity protection service to monitor your highly sensitive data, including credit cards, debit cards and bank account numbers, driving license, passport and National Insurance numbers, phone numbers, email and postal addresses, usernames and passwords. Bitdefender Total Security offers an ID protection module for its US customers.