Is there anything scarier than an underground shop of dark web criminals sharing stolen financial data? How about one of them sharing your stolen financial data?
As data breaches become more common, and scammers grow more sophisticated, this is a reality many people are having to contend with.
In 2020, 115 million stolen debit and credit cards were posted to dark web marketplaces — 87 million of which came from the U.S.— according to an annual report by Gemini Advisory, a cybersecurity firm that tracks underground marketplaces and forums.
With stolen payment cards, a cybercriminal can immediately make purchases under your name, or even drain your bank account. And what's worse, this shady corner of the internet is only getting bigger.
“At this point, it’s not a matter of rogue criminal agents,” says Christopher Thomas, intelligence production lead at Gemini Advisory. “It’s a full-fledged economy.”
A growing underground network
The internet is made up of three tiers: the surface web (public sites — anything you can Google, essentially), the deep web (often password-protected, like private Facebook groups) and the dark web, which requires a special browser like Tor to access.
You may have never been to the dark web — but there's a chance your credit card information has.
Carding forums — where cybercriminals chat about stealing card information, share tips for how to hack into websites and more — and marketplaces, where card data is actually bought and sold, are prolific on the dark web, Thomas says. And those participating make some serious (illegal) cash.
One of the largest known underground shops, Joker’s Stash, generated more than $1 billion before getting shut down in February, according to Gemini Advisory. A 2019 data leak of another shop, BriansClub — which appears to have been by a competitor, according to Threatpost —shows how pervasive this trend has become.
BriansClub added just 1.7 million card records for sale in 2015 compared to 7.6 million between January and August of 2019, reported Brian Krebs, an independent investigative reporter writing about cybercrime at Krebs on Security and, funnily enough, the inspiration for the name BriansClub.
How do stolen credit card numbers end up in these markets?
A few different ways. Sometimes hackers will commit "card-present fraud" by breaching the point of the sale at a physical store. Or they'll commit "card-not-present fraud," by hacking a website and stealing the online card information that gets entered into the checkout page.
After hackers collect this info, they post it to one of the dark web marketplaces where it can be sold. The leaked data from the BriansClub hack showed that stolen cards from U.S. residents made criminals about $13 to $17 each, while those outside the U.S. sold for up to $35.70, Krebs reported. When hundreds or thousands are bought at once, that becomes a lucrative crime.
Using the stolen information is usually pretty straightforward: criminals just type in the stolen card numbers when they want to buy something online, according to Gemini Advisory's Thomas. Though it's a bit trickier for card-present fraud, which involves taking a blank credit card and imprinting the stolen data onto that card via the magnetic stripe on the back. After that, they can just walk into any business and swipe that cloned card, paying with the victim’s money, Thomas says.
Some of the more sophisticated underground shops even have a money-back guarantee on some of the data they sell. This often includes a "checker service," a compromised merchant account they use to run dinky charges through to see if the card is still valid, Krebs says. If someone agrees to use the shop’s checker service instead of a third party, the shop will give a guarantee that at least a portion of the cards are usable for a certain period of time. If they aren’t, the buyer can get a refund on the cards.
Can I stop this from happening to me?
Unless you live the rest of your life only paying with cash, you'll never be totally impervious to payment fraud. But there are some steps you can take to reduce your risk.
Many financial institutions help you do this proactively: At Chase, for example, you can set up texts or email alerts for when a large transaction takes place, and require approval before it’s processed.
When possible, using a credit card instead of a debit card is a good move too.
Unlike a credit card, a debit card is connected directly to your checking account, allowing fraudsters to immediately drain your account. Even if you report the fraudulent activity quickly and limit your losses, you may still face the issue of bounced checks or being late on payments, Krebs says.
If you can, use an online wallet like Apple Pay or Google Pay, says Pascal Busnel, a director with ACA Group, a provider of risk, compliance and cyber solutions. This type of payment uses tokenization, which replaces your sensitive card data — like the expiration date and card verification value (CVV) — with a unique, random token. If the company you’re buying from doesn’t have your sensitive card information, neither will hackers that hit that merchant with a data breach.
You can also limit your risk by being picky about your ATMs, where criminals sometimes install card skimming devices. These are hard to detect, but only using ATM machines inside banks or other physical buildings offers some protection, Thomas says.
General cybersecurity tips apply here too: Use strong passwords and don’t repeat them, use multi-factor authentication on your financial accounts and avoid clicking links or downloading attachments from any fishy sources.
“The most important thing is for people to keep an eye on their transactions and report any fraud immediately,” Krebs says.