Credit cards with security chips have helped cut down on Dark Web sales of stolen card data, but the problem persists, especially in the U.S., says Cybersixgill.
Image: Adobe Stock
Stolen credit card data is always a hot item for sale on the Dark Web, particularly if the package includes not just the card number but the expiration date and CVV code. To crack down on fraud, card vendors have long since turned away from stripe-only cards to those with embedded security chips that not only use encryption to secure transactions but are more difficult to clone. A recent report from cyber intelligence provider Cybersixgill looks at the current state of credit card fraud on the Dark Web.
Facts and figures of credit cards on the Dark Web
Must-read security coverage
For its “Underground Financial Fraud H1 2022 report,” Cybersixgill found that more than 4.5 million stolen payment cards were up for sale on the Dark Web during the first half of 2022. Though this number is a significant drop of 68% from the more than 14 million such cards discovered during the last half of 2021, this still represents a substantial amount of fraud.
Almost half (45%) of the cards for sale on underground markets were issued in the United States. One likely reason is because the U.S. is home to more than 1 billion credit cards. An American consumer owns four credit cards on average, compared with citizens in the European Union who own one or two cards, according to Experian.
However, another factor may be the impact of EMV cards, or chip cards. Outfitted with an embedded security chip, such cards better protect consumers against theft and compromise than do cards with just a magnetic stripe. Research cited by Cybersixgill indicates that European countries are hit by less credit card fraud because they jumped on the EMV bandwagon earlier than their American counterparts.
On the other side of the fence, Russian credit cards are much less common on the Dark Web, with only around 5,400 cards seen for sale during the first half of 2022. The reason, says Cybersixgill, is that cybercriminals who operate in Russia often do so without much objection from the Kremlin as long as Russian citizens aren’t targeted.
SEE: Mobile device security policy (TechRepublic Premium
Cybercriminals rely on a few tactics to capture credit card information. Some will target e-commerce sites through data breaches or phishing attacks where they’re able to steal the necessary data. Others will physically install skimmers on ATMs, sales terminals and gas station pumps. After stealing the credit card details, the crooks will typically sell them on the Dark Web where other criminals will buy and use them to commit fraud.
Most of the stolen credit cards seen on the Dark Web during the first half of the year were issued by the four major networks. Some 49% came from Visa cards, 36% from Mastercard, 13% from American Express and 2.5% from Discover. Cards sold with CVV or CVV2 numbers are more lucrative and therefore more common on the Dark Web than are cards sold as dumps, which are electronic copies of the information from the magnetic stripe on the card but without the CVV data. Further, stolen cards with the CVV numbers may also include the user’s address, email and other sensitive information that can be used for identity fraud and account takeovers.
“Despite continued efforts by law enforcement agencies, credit card networks, banks, and retailers to improve security, fraudsters are expected to adapt and evolve their skills and techniques, finding new methods to exfiltrate sensitive payment credentials from cards being utilized both virtually and physically,” Cybersixgill said in its report.
How to make sure your credit card doesn’t end up on the Dark Web
To help consumers and businesses cut down on credit card fraud, Cybersixgill offers several tips.
Monitor your bank accounts
Scan your financial accounts for suspicious transactions or login attempts. Many banks will send you text or email notifications if suspicious activity is detected on your account.
Beware of shipping confirmation emails
If you receive an email claiming to confirm a purchase order or product shipment, don’t respond directly to the email. Instead, sign into the associated website directly to check your order status.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Don’t reuse passwords
Avoid relying on the same passwords across different websites and services. Instead, use a password manager to create complex and unique passwords for each account. Then enable multi-factor authentication to further protect your accounts from compromise.
Watch out for coupons and promotions
Be wary of offers for coupons and promotions sent to you via text or email. To follow up, look for these deals on the associated website and not through any links in the message.
For retailers, install chip-enabled point-of-sale systems
These systems can better protect the credit card data of your customers. Credit cards with chips are much more difficult for criminals to clone and use.