According to the Bureau of Justice Statistics' Victims of Identity Theft report, about 16.6 million U.S. residents ages 16 and older were victims of at least one incident of identity theft in 2012. The direct financial loss from identity theft was about $1,000 per person, and the total direct and indirect losses were about $24.7 billion.
The reselling of stolen credit card data has become a big business, and unfortunately enforcement against offenders has been slow. Several underground entrepreneurs were operating for months on YouTube before their activity was unearthed. Though each card number may sell for only $10 or $15, the database of even a mid-sized business can fetch tens of thousands of dollars. The black market supply chain portion of the underground economy is the most lucrative to those who take part.
How Are Numbers Collected?
There are three primary ways credit card information can be collected online by hackers: information mining via Trojans, Point of Sale (POS) device/database attacks, and phishing emails. The most frequently used method is information mining via a Trojan, which hibernates on a local system, waits for the user to enter a credit card on an ecommerce site, and then steals the number, the user’s full address, CVV number and any additional security information.
Less frequent than Trojan attacks, but more devastating if successful, are attacks against a Point of Sale (POS) device such as an online cash register. By infiltrating a POS device, the hacker can grab thousands of credit card numbers at once. The online version of the POS infiltration described above is a breach of an online retailer’s database. In these attacks, a simple SQL injection on the site's online storefront may allow the hacker to get database access and copy the tables with all credit card numbers.
Finally, phishing attacks are becoming rarer due to their low success rate, but they do still exist. In such an attack, individuals are sent an email which appears to be from their bank or their credit card company and are asked to confirm their identity or account. What the recipient doesn’t know is that clicking the link in the email actually takes them to a phishing website which sends the information they enter to the hacker.
Despite the popular image of the lone hacker tucked away in a dark corner, credit card data collection, use, and resale are actually the result of a black market supply chain. All of the actors involved stand to gain financially from the attack, hence the continued popularity of these attacks. Who profits may depend on the method of attack, but there are multiple parties that profit as a result of an attack. Take for example a standard credit card attack:
- Malware and exploit kit developers create the tools that are sold to the individuals or groups who conduct the attack. In the recent breaches at retailers, a malware kit called BlackPOS was reportedly for sale on the black market and used in those attacks.
- The main attackers then target the organization and work to actually steal the credit card data and other valuable information. Once stolen, they turn around and sell these records on underground forums and other channels to yet another set of criminals.
- Next, another group of cyber criminals buys the records with the goal of using them to commit fraud and identity theft. This group typically works to produce fraudulent cards that can be used in person, or to make online purchases of goods that can then be sold.
- “Cash-out” services are then hired by the attackers who purchased the records, either to serve as middlemen who launder fraudulently obtained money or even to go into stores to shop for goods that are then sold for cash.
This added sophistication and specialization in the hacker black market helps attackers be more efficient in their attacks, ultimately putting more pressure on companies trying to keep this information safe. It is a clear indication that companies must remain vigilant in their defense.