How much are your stolen details worth?
The hacked credit card details of New Zealanders sell for US$7 (NZ$9.75) on the dark web, a report from technology research company Comparitech says.
That price rises to about US$20 when the bare card details are accompanied by full personal information including the name, address, email address, date of birth, the card’s expiry date and security number. After a mass data breach, such information can be sold by auction to organised criminal gangs who then attempt to use it to steal money.
Comparitech researchers analysed the prices of stolen credit cards, hacked PayPal accounts and private personal information on more than 40 dark web marketplaces to work out how lucrative the trade was for cybercrooks. On average, New Zealanders’ credit card details were worth more to criminals than those of United States (US$1.50) and United Kingdom (US$2.50) cardholders. They sold for the same price as those of Japanese people (US$7) and for less than those of European cardholders (US$8), Comparitech said.
Fuller personal identity files – Fullz – were worth much more. Fullz of Americans sold for US$8, US$14 for Brits, US$15 for Australians, and US$25 for Japanese and European residents.
Fraud expert Bronwyn Groot said the low prices paid on the dark web for credit card details were the result of banks’ strong anti-fraud systems. “I really like the New Zealand banks’ credit card systems. Most of the time they are really quick on to fraud,” she said. “When they hear of a big data breach, they block the merchants and reissue cards.”
Peter Bailey, general manager at Aura Information Security, said: “Four to five years ago credit card information was what people were buying and selling but as the banks clamped down, these groups realised your personal information was more valuable.”
While credit card data could be used at most once or twice for “card not present” payments before being caught by banks’ security systems, personal information could be used to launch phishing attacks on individuals or to compile cold-call lists, Bailey said.
If people’s passwords were compromised, criminals would see what they could do with them, he said. In some cases, people using the same passwords for multiple accounts could find crooks able to access their bank accounts and, in extreme cases, even their employers’ systems.
The criminal gangs could be very sophisticated, Bailey said, and looked a lot like legal corporate enterprises. This included organisations that placed ransomware on systems, often via email phishing, and operated call centres to explain how to pay ransoms in untraceable crypto-currencies.