Data breaches, such as the massive payment card breaches at Target and Neiman Marcus, are some of the costliest crimes on the Internet. The Target breach has already cost the CEO and CIO their jobs and the financial costs may reach as much as $18 billion once all is said and done. These costs stem from a variety of sources such as replacing customer credit cards, credit monitoring for victims, lost business, declining stock prices, lawsuits and fines.
On average these costs amount to around $200 per compromised record. When such a breach occurs, the natural instinct is to analyze the breach itself.
- How was it orchestrated?
- Where was the critical weakness and how can we make sure it doesn’t happen again?
All sensible questions, but they are not the only ones.
Unlike the victims, whose pain and costs are locked in at the time of the theft, the profit to criminals is largely determined well after the theft based on how well they can navigate the criminal underground. This is important because the skills needed to infiltrate a network and steal data are very different from the skills needed to turn stolen data into cash. The former requires technical skills, while the latter requires connections to organized crime or the criminal underground. Much like in the physical world, just because someone can steal an item does not mean that they can fence it. Given that criminal profit depends on monetizing stolen data, it is just as important to understand this process as it is to understand how the breach occurred in the first place.
The Life of a Stolen Credit Card Number
Stolen payment card data is a highly perishable asset, because issuing banks and cardholders rush to deactivate cards as soon as a breach is recognized. Criminals are therefore in a race against the clock to extract as much money as possible as quickly as possible. In Target’s case, the thieves had only a few weeks to use the stolen card data before customers began calling their banks to cancel cards. Brian Krebs, who first broke the news of the Target breach, was able to show how quickly the value of cards observed in the breach diminished: in the two months following disclosure, the advertised price of the exposed cards had dropped by as much as 70 percent. As a result, the monetization of stolen card data tends to happen very fast. So how do criminals convert stolen data into cash?
First, the card data is sold in bulk to other criminal outfits in a complex underground economy, often on websites or forums that exist exclusively for cybercriminals. Once the data changes hands, the next owners can either use it themselves or resell it in smaller batches. Throughout this selling and reselling, a variety of factors influence the price. In practice, one of the most important is the percentage of cards that are still valid. This is typically determined through card testing (often lumped under the broader term “carding”), which represents yet another layer of the criminal food chain, focused solely on determining whether stolen cards are still active. Card testers take a batch of stolen cards and attempt small, low-value purchases with each one: a successful authorization confirms the card is live, while an amount that small is unlikely to trip the issuer’s fraud rules or draw the cardholder’s attention. Additionally, the more a criminal knows about the owner of a stolen card, the more valuable the card is. For example, if the buyer knows where the victim lives and where the card is typically used, the card is worth more, because it can then be used in a way that blends in with the victim’s normal buying behavior.
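The card-testing step described above leaves a recognizable footprint on the merchant or processor side: one source address runs many distinct cards through small authorizations in a short window, with a high share of declines (a fresh dump always contains dead cards), and the few approvals are the cards the tester has just confirmed live. The detector below is an added example written for this article, not code from Frontline, Forbes or any payment processor. The log format, field names, thresholds, IP addresses and card tokens are all assumptions, and the sample log is constructed for illustration.

```python
"""Detect card-testing runs in payment authorization logs.

Added example for this article, not code from the original piece.
Log format, field names, thresholds and addresses are assumptions made
for illustration; the sample log below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Assumed thresholds; tune against real traffic before alerting on them.
WINDOW = timedelta(minutes=10)   # look-back window per source address
MIN_DISTINCT_CARDS = 5           # distinct cards one source tried inside the window
LOW_AMOUNT = 5.00                # "small, low-value purchase" ceiling in USD
MIN_DECLINE_RATIO = 0.4          # a fresh dump has many dead cards, so declines run high

# Constructed sample: one card-testing run (203.0.113.7) among ordinary traffic.
SAMPLE_LOG = """\
2014-01-10T12:00:05Z src=203.0.113.7 card=tok_01 amount=1.00 result=declined
2014-01-10T12:00:10Z src=198.51.100.20 card=tok_s1 amount=49.99 result=approved
2014-01-10T12:00:15Z src=198.51.100.30 card=tok_n1 amount=24.00 result=approved
2014-01-10T12:00:31Z src=203.0.113.7 card=tok_02 amount=1.00 result=declined
2014-01-10T12:00:58Z src=203.0.113.7 card=tok_03 amount=1.00 result=approved
2014-01-10T12:01:00Z src=198.51.100.21 card=tok_s2 amount=3.99 result=declined
2014-01-10T12:01:20Z src=198.51.100.21 card=tok_s2 amount=3.99 result=approved
2014-01-10T12:01:22Z src=203.0.113.7 card=tok_04 amount=2.00 result=declined
2014-01-10T12:01:40Z src=198.51.100.30 card=tok_n2 amount=61.25 result=approved
2014-01-10T12:01:49Z src=203.0.113.7 card=tok_05 amount=1.00 result=declined
2014-01-10T12:02:15Z src=203.0.113.7 card=tok_06 amount=1.00 result=approved
2014-01-10T12:02:30Z src=198.51.100.30 card=tok_n3 amount=19.99 result=approved
2014-01-10T12:02:40Z src=203.0.113.7 card=tok_07 amount=1.00 result=declined
2014-01-10T12:03:05Z src=203.0.113.7 card=tok_08 amount=2.00 result=approved
2014-01-10T12:03:10Z src=198.51.100.30 card=tok_n4 amount=33.00 result=approved
2014-01-10T12:03:33Z src=203.0.113.7 card=tok_09 amount=1.00 result=declined
2014-01-10T12:03:50Z src=198.51.100.30 card=tok_n5 amount=88.40 result=approved
2014-01-10T12:04:02Z src=203.0.113.7 card=tok_10 amount=1.00 result=approved
2014-01-10T12:04:30Z src=198.51.100.30 card=tok_n6 amount=27.10 result=approved
2014-01-10T12:06:44Z src=198.51.100.20 card=tok_s1 amount=12.50 result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) card=(?P<card>\S+) "
    r"amount=(?P<amount>\d+\.\d{2}) result=(?P<result>approved|declined)$"
)


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; reject malformed lines loudly."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised format: {line!r}")
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": m["src"],
            "card": m["card"],
            "amount": float(m["amount"]),
            "result": m["result"],
        })
    records.sort(key=lambda r: r["ts"])
    return records


def detect_card_testing(records, window=WINDOW, min_cards=MIN_DISTINCT_CARDS,
                        low_amount=LOW_AMOUNT, min_decline_ratio=MIN_DECLINE_RATIO):
    """Return {source: details} for sources whose sliding window looks like card testing.

    Signal: many distinct cards, low median amount, high decline share. The approved
    cards inside that window are the ones the tester has just confirmed live.
    """
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)

    alerts = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span is at most `window` wide.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            cards = {e["card"] for e in win}
            if len(cards) < min_cards:
                continue
            decline_ratio = sum(e["result"] == "declined" for e in win) / len(win)
            if median(e["amount"] for e in win) > low_amount or decline_ratio < min_decline_ratio:
                continue
            # Keep the widest matching window seen for this source.
            if src not in alerts or len(cards) > alerts[src]["distinct_cards"]:
                alerts[src] = {
                    "distinct_cards": len(cards),
                    "decline_ratio": decline_ratio,
                    "window_start": win[0]["ts"],
                    "window_end": win[-1]["ts"],
                    "approved_cards": sorted(e["card"] for e in win if e["result"] == "approved"),
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_cards']} cards tried, "
              f"{info['decline_ratio']:.0%} declined, confirmed live: {info['approved_cards']}")
```

Two design points matter in practice. The busy shared address 198.51.100.30 also runs six distinct cards through the window, but its median amount is ordinary and nothing is declined, so it is not flagged; keying on distinct-card count alone would page on every office NAT. And the `approved_cards` list is the actionable output: those cards have just been confirmed live for the fraudster and should go to the issuer for a block before the cloned-card stage described below.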
Eventually, the card data ends up in the hands of a group that uses it to commit fraud directly. To do so, the gang encodes the stolen data onto counterfeit physical cards that can be used to make purchases in stores. Armed with these cloned cards, the outfit employs individuals who use them to buy goods that are easily resold and hard to trace, such as gift cards or popular consumer electronics. Once those goods are sold, the fraud is complete and the value of the card is realized. All of the intermediate reselling of card data in the supply chain hinges on this final step being carried out.
The Feedback Loop of Underground Markets
Sophisticated organized crime rings will often control every phase of the supply chain for stolen credit cards and, as a result, can maximize the profit from the crime. But quite often the intruders who steal the data have the technical background to get it out of a network and no channel through which to sell it.
These attackers have to resort to selling their data anonymously on underground forums, where trust is very hard to come by. Microsoft researchers Cormac Herley and Dinei Florêncio analyzed these underground markets as “markets for lemons”, George Akerlof’s term for markets in which sellers know far more about the quality of a good than potential buyers do, as when selling a used car. In the underground markets for payment card data, buyers have very little insight into whether the cards are valid and even less recourse if they are scammed.
This lack of trust, combined with the need to sell card data quickly, leads to stolen data being heavily discounted and used primarily by less sophisticated criminals who have no other options. The same research argued that security companies have unintentionally driven even more criminals into this lower tier of the market by sensationalizing and overestimating the actual profits of data theft. This has the potential to create a staggeringly expensive feedback loop of cybercrime.
And of course, the cost to the victims remains high regardless of the profit achieved by the criminal. Unfortunately, as more and more opportunistic criminals enter the market, card breaches could begin to look less like an Ocean’s 11 style of heist, and more like opportunistic vandals who are willing to burn down your home in order to steal the copper plumbing inside.
This article was written by Frontline from Forbes and was legally licensed through the NewsCred publisher network.