Glut of Stolen Banking Data Trims Profits for Thieves
A massive glut in the number of credit and debit cards stolen in data breaches at financial institutions last year has flooded criminal underground markets that trade in this material, driving prices for the illicit goods to the lowest levels seen in years, experts have found.
For a glimpse of just how many financial records were lost to hackers last year, consider the stats released this week by Verizon Business. The company said it responded to at least 90 confirmed data breaches last year involving roughly 285 million consumer records, a number that exceeded the combined total number of breached records from cases the company investigated from 2004 to 2007. Breaches at banks and financial institutions were responsible for 93 percent of all such records compromised last year, Verizon found.
As a result, the supply of stolen identities and credit and debit cards for sale in the underground markets is outpacing demand for the product, said Bryan Sartin, director of investigative response at Verizon Business.
Verizon found that profit margins associated with selling stolen credit card data have dropped from between $10 and $16 per record in mid-2007 to less than $0.50 per record today.
According to a study released last week by Symantec Corp., each card can sell for as little as 6 cents when purchased in bulk.
"[Cyber thieves] now have their hands on a tremendous amount of data, and there's certainly no scarcity of it out there right now," said Alfred Huger, vice president of development at Symantec. "Given all that we've seen in the past year, we're not sure why we haven't seen even more of a drop in pricing, but it could be that the people doing the selling have sewn up the market and no longer have to worry about being undercut by other sellers."
Steve Santorelli, director of investigations at the private security research firm Team Cymru, said his group's monitoring of cyber criminal forums appears to support Huger's hunch: Many forums are simply restricting the registration of new "verified" members. Getting verified involves successfully conducting a number of transactions with other members to demonstrate that the new entrant is not merely a "ripper," someone who will abscond with the money or goods before a transaction is completed.
"The rate of new additions allowed into the miscreant verified lists is very low," Santorelli said.
What's more, Santorelli said, thieves in possession of huge troves of stolen credit and debit card data appear to be hoarding the credentials, releasing them onto the market in smaller chunks in an effort to control the overall supply of card data available at any one time.
"This results in lower average prices for buyers and some sellers stockpiling products to restrict supply in a bid to keep prices inflated," he said.
Sorting Good Stolen Cards From Bad Stolen Cards
Crooks who deal in stolen credit and debit cards and hacked online banking credentials have long used shadowy online forums and chat rooms to broker sales with other thieves who try to convert those goods into cash.
But recently, several commercial Web sites have sprung up and created a brisk business helping thieves check the balances and limits on stolen cards, with discounts for customers who check hundreds or even thousands of card numbers at a time.
The services are advertised on Internet forums that facilitate identity theft, and cater to criminals who wish to buy large numbers of stolen credit and debit cards. Using such services, the would-be buyers can quickly verify whether a random sampling of the cards is still active, and -- for an additional fee -- the available balance on each card. In most cases, the only barrier to new customers signing up at these services is the ability to speak and read Russian, and the ability to pay with one of several virtual currencies, such as Webmoney.
Lawrence Baldwin, a security consultant in Alpharetta, Ga., has been working with several financial institutions to help infiltrate illegal card-checking services. Baldwin estimates that at least 25,000 credit and debit cards are checked each day at three separate illegal card-checking Web sites he is monitoring. That translates to about 800,000 cards per month or nearly 10 million cards each year.
"And those are estimates just for the card-checking sites we know about," Baldwin said. "There are almost certainly many other services exactly like these."
Baldwin said the checker sites take advantage of authentication weaknesses in the card processing system that allow merchants to conduct so-called "pre-authorization requests," which merchants use to place a temporary charge on the account to make sure that the cardholder has sufficient funds to pay for the promised goods or services.
Pre-authorization requests are quite common. When a waiter at a restaurant swipes a customer's card and brings the receipt to the table so the customer can add a tip, for example, that initial charge is essentially a pre-authorization.
With these card-checking services, however, in most cases the charge initiated by the pre-authorization check is never consummated. As a result, unless a consumer is monitoring their accounts online in real-time, they may never notice a pre-authorization initiated by a card-checking site against their card number, because that query won't show up as a charge on the customer's monthly statement.
In fact, in most cases when banks are alerted to the card-checking activity, it is because a credit card customer is regularly checking their online statement or has signed up with their bank to receive e-mail alerts each time a charge is initiated against their account.
The crooks have designed their card-checking sites so that each check is submitted into the card processing network using a legitimate, hijacked merchant account number combined with a completely unrelated merchant name, Baldwin discovered.
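The two traits described above, a merchant ID paired with an unrelated merchant name and pre-authorizations that are never completed, can be expressed as detection logic over combined issuer and acquirer records. This is an added example, not code from the article or from anyone quoted in it; the record layout, merchant IDs, names and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed acquirer-side registry: the name each merchant ID was issued to.
REGISTERED = {"M1001": "CORNER HARDWARE", "M2002": "CITY DINER"}

# Constructed pre-authorization records:
# (merchant_id, descriptor_name, card_token, amount_usd, settled)
PREAUTHS = [
    ("M1001", "BIRD SUPPLY STORE", "card-a", 1.00, False),
    ("M1001", "BIRD SUPPLY STORE", "card-b", 0.24, False),
    ("M1001", "BIRD SUPPLY STORE", "card-c", 7.13, False),
    ("M1001", "BIRD SUPPLY STORE", "card-d", 3.50, False),
    ("M1001", "CORNER HARDWARE", "card-e", 42.10, True),
    ("M2002", "CITY DINER", "card-f", 31.00, True),
    ("M2002", "CITY DINER", "card-g", 18.50, True),
    ("M2002", "CITY DINER", "card-h", 22.75, False),
]

def flag_card_checking(preauths, registered, min_cards=3, max_settle_ratio=0.2):
    """Return {(merchant_id, descriptor): reasons} for groups showing both traits."""
    groups = defaultdict(list)
    for mid, name, card, amount, settled in preauths:
        groups[(mid, name)].append((card, amount, settled))

    flagged = {}
    for (mid, name), rows in groups.items():
        reasons = []
        cards = {card for card, _, _ in rows}
        settle_ratio = sum(1 for _, _, s in rows if s) / len(rows)
        # Trait 1: descriptor name differs from the name registered to the ID.
        if registered.get(mid) != name:
            reasons.append("descriptor name does not match merchant ID")
        # Trait 2: many distinct cards whose pre-auths are almost never settled.
        if len(cards) >= min_cards and settle_ratio <= max_settle_ratio:
            reasons.append("many cards, pre-auths not settled")
        # Require both signals; either one alone can occur in legitimate traffic.
        if len(reasons) == 2:
            flagged[(mid, name)] = reasons
    return flagged

if __name__ == "__main__":
    for key, reasons in flag_card_checking(PREAUTHS, REGISTERED).items():
        print(key, reasons)
```

Neither trait is visible to a single party: the name mismatch needs the acquirer's registry, while the settlement ratio across cards needs issuer-side records.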
One of the many innocent companies caught up in one of these card-checking services is Wild Birds Unlimited, a franchise pet store outside of Buffalo, N.Y. Baldwin said a fraudulent card-checking service is running pre-authorization requests using the Wild Birds Unlimited store name and phone number in combination with another merchant's ID number.
Danielle Pecoraro, the store's manager, said the bogus charges started in January 2008. Since then, she said, her store has received an average of three to four phone calls each day from people who had never shopped there, wondering why small, $1-$10 charges from her store were showing up on their monthly statements. Some of the charges were for as little as 24 cents, and a few were for as much as $1,900.
"They're for different, random amounts every time," she said.
Pecoraro said that after a few months of this, she complained to her state attorney general, but was told that the state could do nothing for her because she had not experienced a financial loss from the incidents. What's more, the people who do notice the bogus charges on their online statements find that the pending transactions expire after a few days, eventually dropping off their statements completely.
"Most people I talk to are understanding when I tell them we're just as much of a victim as they are, but some people get really irate and accuse us of stealing their money," Pecoraro said.
Baldwin said the thieves running the card-checking sites are counting on the fact that companies that operate different parts of the financial processing system -- including issuing and acquiring banks, and the merchant -- traditionally do not share fraud data with one another, or even signs of unusual activity.
"The problem is that the detail of each individual entity's perspective at a transaction level is restricted or filtered," Baldwin said. "But if everyone involved shared this pre-authorization transaction information, these guys would not be able to do these card checks, because the patterns are ridiculously obvious when you can see all of the components at once."
April 15, 2009; 10:42 AM ET