International Market for Stolen Credit Card Data

As consumers and businesses have come to rely on computers and the Internet to buy and sell, manage finances, and retain customer information, opportunities for financial data theft and fraud have skyrocketed. Recent evidence suggests that cybercriminals often buy and sell stolen credit card, bank and online account data through online discussion forums.

A Michigan State University study examined how cybercriminals use international Web forums as advertising spaces for buying and trading stolen financial information, especially credit cards. Researchers analyzed almost 2,000 discussion threads from 13 easily accessible Web forums, 10 of which use Russian as their primary language and three of which use English.

Findings

The study found that cybercriminals often group information from tens to hundreds of bank and credit card accounts into “dumps” that they then sell for an average of $100. Dumps were the most common product sold (44.7 percent), followed by CVV (card verification value code) data from credit cards (34.9 percent), and various forms of electronic data, such as eBay and PayPal account information (1.4 percent).

Most of the data came from continental European nations, but much also came from Canada, the United States and the United Kingdom. The more data available from a country, the lower the price. Bank account data from the European Union, for example, sold for about $4, whereas data from the U.S. sold for about $5.

The forums are particularly collaborative and social in nature, unlike traditional crime networks, such as the Italian Mafia or Yakuza. Participation costs little, and cybercriminals of various skill levels can find the products and services they want through a range of sellers.

The lack of hierarchy suggests that law enforcement attempts to target individual perpetrators would cause little disruption to the overall network. Instead, the study proposes that one of the most effective mechanisms to disrupt the sale of stolen data may be law enforcement investigation into the payment systems the criminals use, such as WebMoney and Liberty Reserve.

Policy Implications

The research indicates that any attempt to affect the illegal market must include a substantive law enforcement response, along with increased consumer awareness about the risk for victimization.

Strengthened extradition treaties and cooperative frameworks with international cybercrime agencies can help ensure that culprits are detected and brought to justice. Corporations and financial institutions need to be more transparent about the numbers of customers affected by data breaches; legislation to increase reporting requirements will encourage this transparency and help promote security.

In addition, consumers need to be educated about preventing electronic identity theft by using only secure online vendors, avoiding phishing emails and rogue banking applications, and regularly checking bank and credit card statements for suspect charges.

For more information, read an abstract and access the final report, Examining the Structure, Organization, and Processes of the International Market for Stolen Data, by Thomas J. Holt and Olga Smirnova.

Download a flyer based on the research.

Date Created: August 1, 2014