Data breaches have become the new normal with big-name companies like Global Payments — which services Visa and MasterCard — and online retailer Zappos disclosing hackers stole consumer credit card information in 2012. The breaches build on an equally active 2011, a year in which security software company Symantec estimates 232 million identities were exposed.
Fortunately, this doesn’t mean every affected consumer discovered fraudulent charges on his or her monthly credit card statement. What happens to account numbers following a data breach largely depends on who stole the information.
According to Stu Sjouwerman, CEO of network security firm KnowBe4 LLC in Clearwater, Fla., there are three major types of hackers. Digital delinquents will try to infiltrate big-name data sources such as national retailers or financial institutions for fun and recognition, while “hactivist” groups, such as LulzSec, target similar sources to prove the companies’ security systems are severely lacking.
“They’re trying to make a point,” Sjouwerman says.
They’re not necessarily looking to make money off of compromised consumer data, but there is always a chance it could fall into the wrong hands. However, that’s the top priority for the third type of hacker: seasoned criminals who digitally break into company databases to make a living.
But, while these masterminds are looking to monetize the massive amounts of data their breaches obtain, they aren’t going to rack up big bills with stolen credit card numbers.
A complex pyramid
Instead, the original hackers are going to make money by selling account information in bulk to other criminal third parties, says Chester Wisniewski, a senior security adviser at United Kingdom-based computer security firm Sophos.
After potentially trading hands a few times, “a lot (of card numbers) wind up being sold in Internet forums,” Wisniewski says. This allows the network of dealers to maximize profits while minimizing the risks of getting caught, especially since card forums have become increasingly difficult to enter. A “carder” is someone who buys, sells and trades stolen credit card data online.
“They’re a lot more underground than they used to be because a few big dealers got busted,” Wisniewski says, referencing the 2010 conviction of Max Ray Vision, the former computer security consultant who turned superhacker. “Now, you need to have multiple people vouch for you to get access.”
Those who do gain access to these forums will pay different prices for the data, depending on how much information was illegally obtained.
“Each piece of information stolen in a breach has a different value,” says John Harrison, group product manager for endpoint threat protection, security technology and response at Symantec, based in Mountain View, Calif.
For instance, a 2008 Symantec study on the underground economy found account numbers paired with expiration dates and card verification values, security codes on credit cards, ranging from 50 cents to $12, with packages ranging in size from five accounts to 500 accounts. Cards without these supplemental codes went for around 10 cents apiece.
Prices also vary depending on how close a card’s expiration date is, whether other personal information on the account holder is available and/or the reputation of the hacker/seller.
It’s important to note, even at this stage of the game, that the individual who buys the data may not use your credit card information. To add another level of security to their own dirty dealings, local organized crime groups or other career criminals will hire people to make purchases with the stolen data via advertisements on select jobs boards.
“These people are essentially mules,” Harrison says. In addition to simply purchasing the products, they may be asked to resell high-ticket items on online auction sites. These profits are then wired to the crime group minus whatever percentage the mule has been promised as payment. The role represents the final rung in a long and highly specialized supply chain.
What thieves are buying
Once the crime pyramid is complete, the stolen accounts can be used by either the mule or the thief to purchase virtually anything.
“It’s generally stuff that is easy to sell or has a high resale value,” Harrison says. This typically includes electronics, clothing and gift cards, which all net fast cash on the Internet. Some criminals also imprint gift cards with the stolen card numbers so the accounts can be used to buy merchandise at brick-and-mortar stores.
“You’re not going to ask for identification when a person is using a gift card,” Harrison says.
Thieves also are known to target retailers who have generous return policies as an alternate way of monetizing stolen accounts. But cautious consumers shouldn’t only be on the lookout for unfamiliar bulk buys.
“The first thing thieves will do is make a small purchase online or at a convenience store to determine if the card is valid,” Harrison says. These charges, which could be for something as small as a single music download or a pack of gum, may appear intermittently between larger purchases because fraudsters will continually check the status of the account to avoid getting caught red-handed.
What if your card is compromised?
If you discover your account was stolen in a data breach, you should immediately call your issuer and replace the card. You also should change usernames and passwords for all of your online accounts to prevent thieves from obtaining additional access now that you’re on their radar, Harrison says.
If a Social Security number has been obtained alongside credit card information, “you do need to put a fraud alert on your credit report,” Wisniewski says. You also may want to sign up for some type of credit monitoring since your identity may be shopped around alongside your credit card numbers.
Of course, the best line of defense is to minimize the chances of your card falling into the wrong hands. Wisniewski suggests limiting the number of credit cards you use to purchase items online. You also might want to look into services like Google Checkout, PayPal and Checkout by Amazon, which eliminate the need to share credit card numbers with every single seller you patronize online.
If you use one particular payment method, it might be good to “freshen” the data associated with that card.
“Once a year, I ask for a new credit card number,” Sjouwerman says, regardless of whether the account’s been involved in a publicized breach. “I tell them my card’s been lost and I need a new one.”