Glut of Stolen Banking Data Trims Profits for Thieves

A massive glut in the number of credit and debit cards stolen in data breaches at financial institutions last year has flooded criminal underground markets that trade in this material, driving prices for the illicit goods to the lowest levels seen in years, experts have found.

For a glimpse of just how many financial records were lost to hackers last year, consider the stats released this week by Verizon Business. The company said it responded to at least 90 confirmed data breaches last year involving roughly 285 million consumer records, a number that exceeded the combined total number of breached records from cases the company investigated from 2004 to 2007. Breaches at banks and financial institutions were responsible for 93 percent of all such records compromised last year, Verizon found.

As a result, the supply of stolen identities and credit and debit cards for sale in underground markets is outpacing demand for them, said Bryan Sartin, director of investigative response at Verizon Business.

Verizon found that profit margins associated with selling stolen credit card data have dropped from $10 to $16 per record in mid-2007 to less than $0.50 per record today.

According to a study released last week by Symantec Corp., stolen cards can sell for as little as 6 cents each when they are purchased in bulk.

"[Cyber thieves] now have their hands on a tremendous amount of data, and there's certainly no scarcity of it out there right now," said Alfred Huger, vice president of development at Symantec. "Given all that we've seen in the past year, we're not sure why we haven't seen even more of a drop in pricing, but it could be that the people doing the selling have sewn up the market and no longer have to worry about being undercut by other sellers."

Steve Santorelli, director of investigations at the private security research firm Team Cymru, said his group's monitoring of cyber criminal forums appears to support Huger's hunch: Many forums are simply restricting the registration of new "verified" members. Getting verified involves successfully conducting a number of transactions with other members to demonstrate that the new entrant is not merely a "ripper," someone who will abscond with the money or goods before a transaction is completed.

"The rate of new additions allowed into the miscreant verified lists is very low," Santorelli said.

What's more, Santorelli said, thieves in possession of huge troves of stolen credit and debit card data appear to be hoarding the credentials, releasing them onto the market in smaller chunks in an effort to control the overall supply of card data available at any one time.

"This results in lower average prices for buyers and some sellers stockpiling products to restrict supply in a bid to keep prices inflated," he said.

Sorting Good Stolen Cards From Bad Stolen Cards

Crooks who deal in stolen credit and debit cards and hacked online banking credentials have long used shadowy online forums and chat rooms to broker sales with other thieves who try to convert those goods into cash.

But recently, several commercial Web sites have sprung up and created a brisk business helping thieves check the balances and limits on stolen cards, with discounts for customers who check hundreds or even thousands of card numbers at a time.

The services are advertised on Internet forums that facilitate identity theft, and cater to criminals who wish to buy large numbers of stolen credit and debit cards. Using such services, the would-be buyers can quickly verify whether a random sampling of the cards is still active, and -- for an additional fee -- the available balance on each card. In most cases, the only barrier to new customers signing up at these services is the ability to speak and read Russian, and the ability to pay with one of several virtual currencies, such as Webmoney.

Lawrence Baldwin, a security consultant in Alpharetta, Ga., has been working with several financial institutions to help infiltrate illegal card-checking services. Baldwin estimates that at least 25,000 credit and debit cards are checked each day at three separate illegal card-checking Web sites he is monitoring. That translates to about 800,000 cards per month or nearly 10 million cards each year.

"And those are estimates just for the card-checking sites we know about," Baldwin said. "There are almost certainly many other services exactly like these."

Baldwin said the checker sites take advantage of authentication weaknesses in the card processing system that allow merchants to conduct so-called "pre-authorization requests," which merchants use to place a temporary charge on the account to make sure that the cardholder has sufficient funds to pay for the promised goods or services.

Pre-authorization requests are quite common. When a waiter at a restaurant swipes a customer's card and brings the receipt to the table so the customer can add a tip, for example, that initial charge is essentially a pre-authorization.

With these card-checking services, however, in most cases the charge initiated by the pre-authorization check is never consummated. As a result, unless a consumer is monitoring their accounts online in real-time, they may never notice a pre-authorization initiated by a card-checking site against their card number, because that query won't show up as a charge on the customer's monthly statement.

In fact, in most cases when banks are alerted to the card-checking activity, it is because a credit card customer is regularly checking their online statement or has signed up with their bank to receive e-mail alerts each time a charge is initiated against their account.

The crooks have designed their card-checking sites so that each check is submitted into the card processing network using a legitimate, hijacked merchant account number combined with a completely unrelated merchant name, Baldwin discovered.

One of the many innocent companies caught up in one of these card-checking services is Wild Birds Unlimited, a franchise pet store outside of Buffalo, N.Y. Baldwin said a fraudulent card-checking service is running pre-authorization requests using the store's name and phone number in combination with another merchant's ID number.

Danielle Pecoraro, the store's manager, said the bogus charges started in January 2008. Since then, she said, her store has received an average of three to four phone calls each day from people who had never shopped there, wondering why small, $1-$10 charges from her store were showing up on their monthly statements. Some of the charges were for as little as 24 cents, and a few were for as much as $1,900.

"They're for different, random amounts every time," she said.

Pecoraro said that after a few months of this, she complained to her state attorney general, but was told that the state could do nothing for her because she had not experienced a financial loss from the incidents. What's more, the people who do notice the bogus charges on their online statements find that the pending transactions expire after a few days and eventually drop off their statements completely.

"Most people I talk to are understanding when I tell them we're just as much of a victim as they are, but some people get really irate and accuse us of stealing their money," Pecoraro said.

Baldwin said the thieves running the card-checking sites are counting on the fact that companies that operate different parts of the financial processing system -- including issuing and acquiring banks, and the merchant -- traditionally do not share fraud data with one another, or even signs of unusual activity.

"The problem is that the detail of each individual entity's perspective at a transaction level is restricted or filtered," Baldwin said. "But if everyone involved shared this pre-authorization transaction information, these guys would not be able to do these card checks, because the patterns are ridiculously obvious when you can see all of the components at once."
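The cross-party correlation Baldwin describes, as an added example that is not from the article, from Baldwin or from any real card network: a small Python script that merges what the acquirer, the issuer and the cardholder would each see separately about a merchant account's pre-authorization traffic (registered merchant name versus the descriptor actually submitted, whether a capture ever followed, how many distinct cards were touched and what the amounts looked like) and flags an account that is being used as a card checker. The record layout, the merchant IDs and names, the thresholds and all of the traffic are assumptions constructed for this example.

```python
"""Toy cross-party correlation of pre-authorization traffic.

Everything here is constructed for illustration: the record layout, the
merchant IDs, the merchant names and the traffic are made up and do not come
from the article, from Baldwin or from any real card network.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class PreAuth:
    merchant_id: str   # acquirer-side merchant account number (hypothetical format)
    descriptor: str    # merchant name string the issuer and the cardholder see
    card_ref: str      # tokenised card reference; tooling like this should never hold raw PANs
    amount_cents: int
    captured: bool     # did a capture/settlement ever follow the pre-auth?


# The acquirer's registration records: which name belongs to which account (constructed).
REGISTERED = {
    "MID-1001": "EXAMPLE PET SUPPLY",
    "MID-2002": "EXAMPLE DINER",
}


def build_sample() -> list[PreAuth]:
    """Constructed traffic: one ordinary restaurant, one hijacked merchant account."""
    rows = []
    # Restaurant: card swiped, tip added later, nearly every pre-auth is
    # captured, and a handful of regular customers recur.
    for i in range(12):
        rows.append(PreAuth("MID-2002", "EXAMPLE DINER", f"tok-{i % 5:04d}",
                            1500 + 325 * i, captured=(i != 3)))
    # Card checker riding on MID-1001 under an unrelated name: every card is
    # different, amounts vary (deterministic here so the run is reproducible)
    # and almost nothing is ever captured, so the pending charge just expires.
    for i in range(40):
        rows.append(PreAuth("MID-1001", "EXAMPLE GIFT SHOP", f"tok-{9000 + i}",
                            24 + (37 * i) % 976, captured=(i == 17)))
    return rows


def flag_card_checkers(rows, registered, min_volume=20):
    """Return {merchant_id: [reasons]} for accounts that look like card checkers.

    Each signal below uses data that in practice sits with a different party
    (acquirer, issuer, cardholder); only the merged view makes the pattern plain.
    """
    by_mid = defaultdict(list)
    for r in rows:
        by_mid[r.merchant_id].append(r)

    findings = {}
    for mid, rs in by_mid.items():
        reasons = []
        # Acquirer view: the submitted descriptor does not match the account's registration.
        names = {r.descriptor for r in rs}
        if len(names) != 1 or registered.get(mid) not in names:
            reasons.append("descriptor_mismatch")
        if len(rs) >= min_volume:
            n = len(rs)
            # Acquirer/issuer view: pre-auths that are never followed by a capture.
            if sum(r.captured for r in rs) / n < 0.10:
                reasons.append("low_capture_rate")
            # Issuer/network view: a checker touches each card once; a shop has repeat customers.
            if len({r.card_ref for r in rs}) / n > 0.9:
                reasons.append("no_repeat_cards")
            # Cardholder view: small, non-repeating amounts.
            amounts = [r.amount_cents for r in rs]
            if median(amounts) < 1000 and len(set(amounts)) / n > 0.8:
                reasons.append("random_small_amounts")
        # Require corroboration: any single signal also fires on honest merchants.
        if len(reasons) >= 2:
            findings[mid] = reasons
    return findings


if __name__ == "__main__":
    for mid, why in flag_card_checkers(build_sample(), REGISTERED).items():
        print(mid, "->", ", ".join(why))
```

Any one of these signals is weak on its own: a restaurant also leaves uncaptured pre-auths when a tip adjustment fails, and a mail-order merchant also sees few repeat cards, which is why the script demands at least two signals and only applies the volume-based ones above a minimum count. The thresholds are placeholders chosen for the constructed data, not figures from the article.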

By Brian Krebs  |  April 15, 2009; 10:42 AM ET
Categories:  Fraud , Latest Warnings , U.S. Government  | Tags: data breaches, data theft, hackers 2008, symantec, team cymru, verizon  


Using one web browser for your credit card and other financial transactions only, and using another different web browser for general purpose web surfing can greatly reduce one's exposure to these data losses.

But simply running a PC without admin rights is not enough to snuff out keyloggers that get "dropped" into "My Documents" or another part of user-space. One needs a security product to supplement the familiar anti-virus software, which is limited to stopping known/old malware attacks.

As for socially engineered attacks, where PC users are tricked into revealing sensitive things, well, ultimately, ordinary folk need to grow more cyber-savvy: 'don't talk to strangers' and 'people aren't always who they say they are'.

Posted by: eiverson1 | April 15, 2009 5:13 PM | Report abuse

It is about time that the card companies add security and require that those who answer their phones follow instructions by their customers. Twice in three years I have not been notified by telephone that my card had been compromised after being notified of additional phone numbers. Either incompetent employees or rules. Now I am awaiting new cards that are already overdue. One more incident and the card company will no longer be used. Never have an unpaid balance.

Posted by: quapaw12000 | April 16, 2009 10:03 AM | Report abuse


I don't know much about "pre-authorization checks", but is it possible for the merchants to block specific phone numbers or IP ranges from whence these massive scans are originating? To have hundreds/thousands of "checks" all coming through at once, it would seem like something fishy is going on, and maybe it could be blocked from sending a response. Or, if there is a known set of phone numbers or IP addresses where the "checks" are coming from (Russia), maybe there is a way to configure the systems to ignore those requests. At any rate, the system definitely needs some re-working...

Posted by: wilson7 | April 16, 2009 11:59 AM | Report abuse

@wilson7 -- without going into too many details at this point, the checks appear to all be routed through compromised systems, and there does not appear to be a shortage of those proxies available for the people running these card-checking systems.

Posted by: BTKrebs | April 16, 2009 1:09 PM | Report abuse

Great story Brian, that is amazing. The cost of this kind of card fraud which is passed on to the consumer has got to be astronomical.


Posted by: panama1 | April 17, 2009 7:39 AM | Report abuse

One easy thing the credit card companies could do would be to let customers set up alerts that would notify us when small purchases (under $5.00) are made with our cards. At present, most of the credit card companies let us set up email notifications for big purchases, but not small ones.

Posted by: Heron | April 17, 2009 2:45 PM | Report abuse

They need to seriously get a grasp of this problem. My guess is consumers are going to have to continue to protect themselves for a long time until those not directly affected manage to step up and take action. Thankfully, sites like are out there that are informational but don't require 10 years of IT experience to derive value from it.

Posted by: funkmasterflex57 | April 21, 2009 12:24 AM | Report abuse

Brian, thanks for the wonderful article. I just recently had to give up blocking the proxies in my block lists to concentrate more on the malware and trackers. There isn't enough time to block the malware and handle the proxies too. Every fall students flocking into school join the pros and swell the numbers of the proxies considerably. Right around March we have what I call March Badness Madness where the students drop the proxies like mad. So in addition to this activity you mention of how proxies are used, proxies are also used to bypass school security which is blocking more than content. It is also illegal. I don't know how to legally classify proxy use to circumvent filters at work. I do know that Norton and the others are secondarily in the business of blocking content but primarily in the business of protecting machines. So now people know how Conficker and other stuff like that spreads. Proxies just allow them right on through the protective filters designed to protect the machines. The proxies turn the blocking portion of the protection off. The bots / worms funnel the credit card information out and the cycle continues. Please send SANS the information you have because they somehow cannot see how proxies are misused as part of the bigger picture. Thanks.

Posted by: hhhobbit | April 21, 2009 5:42 AM | Report abuse


© 2010 The Washington Post Company