Symantec Report on the Underground Economy – Goods and Services Advertised
The online underground economy has evolved into a full-fledged marketplace where participants advertise and traffic stolen information, provide services to aid in the use of this information, and perform other illegal activities. Like any market-based economy, it is governed by the laws of supply and demand and, given enough supply, the goods available for purchase are virtually limitless.
As stated in the Symantec Report on the Underground Economy, credit card information was the most popular category of goods and services available for sale, accounting for almost one-third of the total observed. This category included credit card numbers, CVV2 numbers, expiry dates, and credit card dumps. (The CVV2 number is a three- or four-digit number on the credit card and is used for card-not-present transactions, such as Internet or phone purchases. This number helps to verify that the person completing the transaction is, in fact, in possession of the card. A credit card dump is the information contained within the magnetic stripe on the back of a credit card and contains the account number, expiration date, and may contain additional information such as the cardholder name.)
Credit card information is relatively easy to obtain and also easy to use. Some methods for obtaining this information include phishing schemes, using card skimmers to copy the magnetic stripe information, and hacking into databases that contain this sensitive information. The frequency of credit card usage may also contribute to increases in the rate of this type of theft, as it gives criminals more opportunity to steal the information. For example, in 2006 there were 22 billion credit card transactions in the United States alone.
Once obtained, it is often very easy to fraudulently use this information to generate a profit; individuals can make online purchases and then fence the goods acquired. Many online retailers are improving protections for their customers against these fraudulent transactions by instituting more security measures, such as requiring the CVV2 number when making a purchase. However, credit card numbers with corresponding CVV2 numbers, while more expensive than credit card numbers alone, are also available for purchase in the underground economy. Prices for credit card numbers ranged from $0.10 to $25 USD per number, depending on the country of issue of the card, sizes of bulk/discounted packages, and whether or not extra value items such as the CVV2 number or PIN were included.
Another popular category advertised on underground economy servers was bank account information. While this information may be trickier to use than credit card information, the ultimate payouts can be much larger. The average credit card limit advertised was $4,000 USD, whereas the average bank account balance advertised was a somewhat staggering $40,000 USD.
One added appeal of bank account information over credit card numbers is that the added step of having to fence the purchases to realize a profit is not required because true currency can be withdrawn directly from the account. Prices for bank account information ranged from $10 to $1,000 USD per account, depending on the amount of funds available, the location, and the type of account. Advertised corporate and business accounts were more expensive, as they usually have higher advertised balances.
Symantec determined that the total potential worth of credit cards and bank accounts observed on the underground economy amounted to $7 billion USD. This value was based on the use of the goods, such as making fraudulent credit card purchases or cashing out bank accounts. Symantec used the median value for credit card fraud, average bulk purchase sizes, and average advertised bank account balances to calculate this potential worth.
It is evident that the online underground economy is a rapidly growing sector of the criminal world, and consumers and enterprises should be extremely vigilant in protecting their personal information and being aware of any breaches to their data. Criminals may be getting smarter but there’s no reason why we can’t be as well.