Where Does Stolen Credit Card Information in Data Breaches Go?
This year has witnessed a nonstop stream of cyberattacks on banks and retailers, resulting in the theft of millions of payment card credentials and other personal information. Even on the black market of the Dark Web, the economic laws of supply and demand take their toll. After a major breach, like the exposure of 56 million credit card numbers in the recent attack on Home Depot, the price of credit cards drops because the market is awash with “fresh” (newly stolen) credentials. The decline in price, far from deterring hackers, seems to be spurring hackers to launch ever more widespread and frequent cyberattacks.
A screenshot of credit cards for sale (10 for $70 + free shipping) on a Dark Web marketplace
The Dark Web is a vast area of the Internet, invisible on major search engines and accessible only through anonymizing routers like Tor. Dark Web marketplaces often peddle drugs, counterfeit money and documents, weapons, hacker-for-hire services, and stolen personal data like credit card information in data breaches, as you can see in the screenshot above. These marketplaces have many features that are curiously similar to the average, legal shopping site like Amazon or eBay: an “Add to Wishlist” option, the perk of free shipping, and the ability to “Report Item” or “Send a Message” to the seller.
The FBI and other law enforcement agencies are engaged in an endless battle against the users and maintainers of the Dark Web. Despite a recent takedown of Dark Web marketplaces, including Silk Road 2.0 (the original Silk Road was dismantled in October 2013), it is clear that cybercriminals will persist in replacing sites and leaders just as fast as law enforcement can take them down.
On the black market, freshness is the key selling point for stolen payment cards. Based on KrebsOnSecurity’s investigation after the December 2013 Target breach, newly stolen cards were selling for $20 to over $100 apiece. According to a RAND report, a newly stolen card usually sells for between $20 and $40, and this price drops to between $2 and $7 once the data becomes “stale,” or old enough that the cardholder has likely replaced his/her card.
In other words, it is a smart move to replace your debit or credit card in the event of a data breach at a store where you’ve swiped your card. Banks will often cancel your old card and reissue a new one for free or a small fee (although the price will spike if you need the new card in a hurry). For most people, this is well worth the peace of mind and protection from fraud or identity theft. Protect yourself from cybercriminals by rendering your stolen card number “stale” right away.
