Security and compliance often appear to go hand-in-hand these days. Problematically, many companies start with compliance and then reverse-engineer security in a nearly futile attempt to protect data. In the payment card industry, the Payment Card Industry Security Standards Council (PCI SSC) established the PCI Data Security Standard (PCI DSS), which sets the “gold standard” for compliance. Meanwhile, even when organizations meet the compliance standard, cardholder data (CD) remains a primary target for cybercriminals. By understanding the seedy underbelly known as the Dark Web and the way Cybercrime-as-a-Service (CaaS) works, merchants and payment card processors can better secure CD from fraud and theft.
What is payment card fraud and why is card information so valuable?
Payment card fraud, also known as credit card fraud, is defined as the unauthorized use of a credit card, debit card, or similar payment tool. Cybercriminals often fraudulently utilize payment data to steal money or property from their victims. Credit and debit card numbers can be taken from unsecured websites or can be obtained via identity theft schemes like phishing or social engineering.
Cardholder data is defined as the primary account number (PAN) in conjunction with either the cardholder name, expiration date and/or service code. Considered personally identifiable information (PII), the data that cybercriminals extract from breaches can allow them to create fraudulent accounts, engage in fraudulent purchases, or steal identities.
Payment card fraud statistics
The statistics indicate that while overall fraud decreased in 2018, evolved threat methodologies continue to undermine merchants and vendors’ data security measures.
- New account fraud increased from $3 billion in 2017 to $3.4 billion in 2018
- Worldwide payment card fraud losses reached $27.85 billion in 2018 and are forecasted to reach $35.67 billion in five years and rise to $40.63 billion in 10 years
- The U.S. accounted for $9.47 billion in fraud losses in 2018
- The United States led in fraud losses, reporting 38.6 percent of global losses
- Credit card fraud accounted for 35.4 percent of all identity theft fraud in 2018
- Mobile phone account takeovers increased from 380,000 in 2017 to 679,000 in 2018
- Data breaches resulting in record exposure increased 54 percent year over year in 2019
Thus, while merchants, vendors, and payment card processors attempt to protect cardholder data, they continue to find themselves at the mercy of cybercriminals.
Types of credit card fraud and ways cybercriminals obtain PII and CD
Cybercriminals and identity thieves use many tactics to obtain your information and commit payment card fraud. To obtain PII and CD, malicious criminals can use in-person or digital strategies.
In-person card theft strategies
- Physically stealing a credit card
- Finding and utilizing a lost or misplaced card
- Making counterfeit cards using skimmer technology to steal legitimate card information and create duplicate cards
Digital payment theft strategies
- SQL injections
- Malware infections
- Social engineering attempts
- Phishing schemes
- Leveraging unprotected backups
- Targeting vulnerable third parties for purposes of a data breach
- Account hacking and account takeover
- Committing identity theft by using stolen data to submit fraudulent applications for new credit in the victim’s name
What is the Dark Web?
Browsers like Chrome, Firefox, and Safari access the layer of internet data that traditional search engines such as Google, Bing, and Yahoo access. These browsers and search engines use indexes to find information.
To access the dark web, users need specific browsers that can overcome the limitations of traditional browsers and search engines. These specialized browsers incorporate encryption and multiple server locations to maintain anonymity, primarily because users can search for illicit information such as historical medical records or forums trading in illegal information.
Dark web forums and social websites act as brokerages for sales of credentials. Cybercriminals know which forums to seek out, build their reputations, and share their wares. Although downloading dark web browsers may be easier in 2019, the 2018 article “Plug and Prey? Measuring the Commoditization of Cybercrime via Online Anonymous Markets” explains: “Commoditization allows these entrepreneurs to substitute specialized technical knowledge with ‘knowing what to buy’ - that is, outsourcing parts of the criminal value chain.” The dark web provides criminals with the connectivity of the surface web and the anonymity of the back room.
What is the value of payment card data on the Dark Web?
As CaaS becomes more popular, cybercriminals no longer need to be highly technical. On the Dark Web, cybercriminals can purchase tools that simplify data breach attacks.
For example, account checkers are software that can be purchased on the Dark Web to validate a username. Meanwhile, phishing kits are downloadable tools that contain prebuilt code so that cybercriminals can more easily deploy an attack. Additional tools include merchant checkers, automated attack scripts, and leaked shop scripts.
PII and CD remain valuable underground commodities because they are low cost and high impact. According to Privacy Australia, different information levels have different values:
- Credit Card Details:
  - With CVV: $5
  - With Bank Identification Number: $15
  - With Fullz Information: $30
- Untested Card: $10-20
- Online Payment (i.e. PayPal) Login Information: $20-$200
The different types of information bought and sold on the Dark Web can enable different levels of fraud. CVV, the three-digit code on the back of a credit card, allows the cybercriminal to access funds or buy items for resale later. Meanwhile, online payment login information often links to bank accounts or social media accounts, which can enable cybercriminals not only to make fraudulent purchases but also to commit identity theft and obtain other login/password information.
How SecurityScorecard protects organizations from Dark Web activities
SecurityScorecard not only monitors for financial crime malware but also tracks dark web forums and websites to monitor for leaked credentials of both customers and employees. One of the ten factors used in our security ratings is “hacker chatter.” A lower score for that factor sheds light on the dark web conversations about an organization.
For financial institutions, merchants, and retailers, visibility into the supply chain can protect customer information. A single weak link in the supply chain can compromise data across the ecosystem. Thus, the valuable insights from SecurityScorecard’s platform not only protect data security among business partners but provide assurance to customers as well.