Payment Card Fraud & the Future of Cybercrime

By Jeff Aldorisio

Posted on Apr 24, 2019

Security and compliance often appear to go hand-in-hand these days. Problematically, many companies start with compliance, then reverse-engineer security in a nearly futile attempt to protect data. In the payment card industry, the Payment Card Industry Security Standards Council (PCI SSC) established the PCI Data Security Standard (PCI DSS), which sets the “gold standard” for compliance. Meanwhile, even where the compliance standard is met, cardholder data (CD) remains a primary target for cybercriminals. By understanding the seedy underbelly known as the Dark Web and the way Cybercrime-as-a-Service (CaaS) works, merchants and payment card processors can better secure CD.

What are the data breach statistics?

The statistics indicate that while overall fraud decreased in 2018, evolved threat methodologies continue to undermine merchants’ and vendors’ attempts at data security.

  • New account fraud increased from $3 billion in 2017 to $3.4 billion in 2018
  • Mobile phone account takeovers increased from 380,000 in 2017 to 679,000 in 2018

Thus, while merchants, vendors, and payment card processors attempt to protect cardholder data, they continue to find themselves at the mercy of cybercriminals.

Why is payment card information so valuable?

Cardholder data is defined as the primary account number (PAN) in conjunction with the cardholder name, expiration date, and/or service code. Because this data is considered personally identifiable information (PII), what cybercriminals extract from breaches can allow them to create fraudulent accounts, engage in fraudulent purchases, or steal identities.

How do cybercriminals obtain PII and CD?

To obtain PII and CD, cybercriminals can use in-person or digital strategies.

In-Person Strategies

Hardware skimming requires an individual to have physical access to a device. Whether the device is an ATM or a point-of-service (POS) terminal, the person needs to be able to insert a Bluetooth-enabled device.

Digital Strategies

These strategies include SQL injections, malware infections, unprotected backups, and vulnerable third parties.

What is the Dark Web?

Browsers like Chrome, Firefox, and Safari access the layer of internet data that traditional search engines such as Google, Bing, and Yahoo access. These browsers and search engines use indexes to find information.

To access the dark web, users need specific browsers that can overcome the limitations of traditional browsers and search engines. These specialized browsers incorporate encryption and multiple server locations to maintain anonymity, primarily because users can search for illicit information such as historical medical records or forums trading in illegal information.

What is the value of PII and CD on the Dark Web?

PII and CD remain valuable underground commodities because they are low cost and high impact. According to Privacy Australia, different information levels have different values:

  • Credit Card Details:
    • With CVV: $5
    • With Bank Identification Number: $15
    • With Fullz Information: $30
    • Untested Card: $10-20
  • Online Payment (i.e. PayPal) Login Information: $20-$200

The different types of information bought and sold on the Dark Web can enable different levels of fraud. CVV, the three-digit code on the back of a credit card, allows the cybercriminal to access funds or buy items for resale later. Meanwhile, online payment login information often links to bank accounts or social media accounts, which can enable cybercriminals not only to engage in fraudulent purchases but also to commit identity theft and obtain other login/password information.

What are the tools of the Dark Web?

As CaaS becomes more popular, cybercriminals no longer need to be highly technical. On the Dark Web, cybercriminals can purchase tools that simplify data breach attacks.

For example, account checkers are software that can be purchased on the Dark Web to validate a username. Meanwhile, phishing kits are downloadable tools that contain prebuilt code so that cybercriminals can more easily deploy an attack. Additional tools include merchant checkers, automated attack scripts, and leaked shop scripts.

How does the Dark Web work?

Dark web forums and social websites act as brokerages for sales of credentials. Cybercriminals know which forums to seek out, build their reputations, and share their wares. Although downloading dark web browsers may be easier in 2019, the 2018 article “Plug and Prey? Measuring the Commoditization of Cybercrime via Online Anonymous Markets” explains, “Commoditization allows these entrepreneurs to substitute specialized technical knowledge with ‘knowing what to buy’ - that is, outsourcing parts of the criminal value chain.” The dark web provides criminals with the connectivity of the surface web and the anonymity of the back room.

How SecurityScorecard protects organizations from Dark Web activities

SecurityScorecard not only monitors for financial crime malware but also tracks dark web forums and websites to monitor for leaked credentials of both customers and employees. One of the thirteen factors used in our security ratings is “hacker chatter.” A lower score for that factor sheds light on the dark web conversations about an organization.

For financial institutions, merchants, and retailers, visibility into the supply chain can protect customer information. A single weak link in the supply chain can compromise data across the ecosystem. Thus, the valuable insights from SecurityScorecard’s platform not only protect data security among business partners but provide assurance to customers as well.
