Payment card data is perhaps the most well-known data type stolen and sold, according to Intel Security Group’s McAfee Labs. In the company’s latest Hidden Data Economy report, it found the average estimated price for stolen credit and debit cards ranges between $21 to $40 in Australia.
This is compared to $5 to $30 in the US; $20 to $35 in the UK; $20 to $40 in Canada; and $25 to $45 in the European Union.
For the report, McAfee Labs examined pricing for stolen credit and debit card data, bank account login credentials, stealth bank transfer services, online payment service login credentials, premium content service login credentials, enterprise network login credentials, hospitality loyalty account login credentials, and online auction account login credentials.
The researchers found a value hierarchy in how this stolen credit and debit cards is packaged, priced, and sold in the dark market.
A basic offering includes a software-generated, valid number that combines a primary account number (PAN), an expiration date, and a CVV2 number. Sellers refer to a valid number combination as a Random.
It claimed valid credit card number generators can be purchased or found for free online. Prices rise based on additional information that allows criminals to accomplish more things with the core data, including data such as the bank account ID number, and the victim’s date of birth.
This also includes information categorised as Fullzinfo, which comprises the victim’s billing address, PIN number, social security number, date of birth, the mother’s maiden name, and even the username and password used to access, manage, and alter the cardholder’s account online.
Intel Security Europe, Middle East, and Africa chief technology officer, Raj Samani, said like any unregulated, efficient economy, the cybercrime ecosystem has quickly evolved to deliver many tools and services to anyone aspiring to criminal behaviour.
“This cybercrime-as-a-service marketplace has been a primary driver for the explosion in the size, frequency, and severity of cyber-attacks. The same can be said for the proliferation of business models established to sell stolen data and make cybercrime pay,” he said.
Samani mentioned a criminal in possession of the digital equivalent of the physical card can make purchases or withdrawals until the victim contacts the card issuer and challenge the charges.
“Provide that criminal with extensive personal information used to verify the identity of a card holder, or even allow him to access the account and change the information, and the potential for extensive financial harm – to the individual and card issuer – goes up dramatically,” he added.
Other findings from the study include:
• Cybercriminals can purchase banking login credentials and services allowing them to stealthily transfer stolen funds across international borders. McAfee Labs found login credentials for a $2200 balance account selling for $190. This increased to $500 for a $6000 account balance and to $1200 for a $20,000 account balance.
• Online payment service login credentials were priced between $20 and $50 for account balances from $400 to $1000 and between $200 and $300 for balances from $5000 to $8000 respectively.
• Login credentials to hotel loyalty programs and online auction accounts are also offered for sale - a major hotel brand loyalty account with 100,000 points went for sale for $20, and an online auction community account with high reputation marks priced at $1400.