From breach to checkout, how stolen credit card data gets into your orders


Once breached credit card data spills onto the dark web, it’s only a matter of time before some of that data trickles into your eCommerce site’s transaction volume. Never mind that you’ve plugged all possible leaks in your payment process. Fraudsters will gleefully water down your order form with credit card data stolen from elsewhere. If you’ve ever wondered how that data flows from its rightful owner, across the depths of the dark web, and into your orders, then you need to listen to The Online Fraudcast’s Episode 8: What Happens to Stolen Credit Cards.

No time to listen? We’ve broken out the highlights for you.

How does credit card data spill onto the dark web?

“Credit card numbers get compromised by any number of methods,” says Brett Johnson, Consultant at AnglerPhish.com and The Online Fraudcast’s co-host. It may be a large database hack, such as Target or Home Depot, a phishing attack targeting the easily deceived, or malware installed on brick-and-mortar stores’ POS systems. Or the data could be compromised on a smaller scale: card skimmers at gas stations, quick snapshots at restaurants, old-school theft of the mail, or fraudulent eCommerce sites (more on that later).

“The sad truth of it is that most of the time the people who are using stolen credit card data won’t be caught,” says Johnson, once known as the internet’s original godfather. “Credit card theft is probably the easiest crime for cyber criminals to commit. You don’t need a victim’s social security number, and there are more credit card numbers available on the dark web now than there ever have been. It’s no longer a problem that you can arrest your way out of.”

What happens to a credit card number when it’s stolen?

Its fate depends on whether it was part of a small- or large-scale breach.

In the case of small-time card skimmers or physical thieves, they’re likely to put the data up for sale within 24 to 48 hours. Ironically, because these numbers are breached piecemeal, it can take longer for the issuer to realize what’s happening. If the card’s owner isn’t vigilant, the useful lifespan of the card data can be longer.

Data lost in larger volumes takes longer to become available. A successful database breach or phishing campaign could yield millions of credit card numbers at a time. The perpetrators want to sell those numbers wholesale to distributors who will resell the data in smaller batches.

Before the distributors will buy the data, they need assurance that most of the numbers are valid. So, the breaching group will validate a small portion of the cards’ information. Non-profits’ donation forms are popular targets for validation, since the forms are designed to minimize the amount of friction for donors.
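For whoever operates the form on the receiving end of this validation traffic, it tends to show up as one source trying many different cards on small amounts in a short span. The sketch below is an added example, not from the podcast or this article; the log fields, thresholds and sample attempts are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of donation-form payment attempts (not real data):
# (time, client IP, tokenized card fingerprint, amount, processor outcome)
D = "2024-01-05T"
SAMPLE_ATTEMPTS = [
    # One source cycling through many cards on tiny amounts
    (D + "10:00:00", "198.51.100.7", "fp_a1", 1.00, "declined"),
    (D + "10:00:40", "198.51.100.7", "fp_a2", 1.00, "approved"),
    (D + "10:01:10", "198.51.100.7", "fp_a3", 1.00, "declined"),
    (D + "10:01:50", "198.51.100.7", "fp_a4", 2.00, "approved"),
    (D + "10:02:20", "198.51.100.7", "fp_a5", 1.00, "approved"),
    (D + "10:03:00", "198.51.100.7", "fp_a6", 1.00, "declined"),
    # Shared office address: five different donors spread across hours
    (D + "08:00:00", "192.0.2.10", "fp_b1", 5.00, "approved"),
    (D + "09:00:00", "192.0.2.10", "fp_b2", 5.00, "approved"),
    (D + "10:00:00", "192.0.2.10", "fp_b3", 5.00, "approved"),
    (D + "11:00:00", "192.0.2.10", "fp_b4", 5.00, "approved"),
    (D + "12:00:00", "192.0.2.10", "fp_b5", 5.00, "approved"),
    # One donor retrying the same card after a decline
    (D + "10:05:00", "203.0.113.20", "fp_c1", 5.00, "declined"),
    (D + "10:06:00", "203.0.113.20", "fp_c1", 5.00, "approved"),
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_DISTINCT_CARDS = 4          # assumed ceiling on distinct cards per source
MAX_TEST_AMOUNT = 5.00          # assumed upper bound for a "small" donation


def find_card_testing(attempts, window=WINDOW, max_cards=MAX_DISTINCT_CARDS,
                      max_amount=MAX_TEST_AMOUNT):
    """Map each source IP to the time it first exceeded max_cards distinct
    card fingerprints on small-value attempts inside the sliding window."""
    recent = defaultdict(deque)  # ip -> (time, fingerprint), oldest first
    flagged = {}
    for ts, ip, fingerprint, amount, _outcome in sorted(attempts):
        if amount > max_amount:
            continue  # larger gifts are outside this heuristic
        now = datetime.fromisoformat(ts)
        seen = recent[ip]
        seen.append((now, fingerprint))
        while now - seen[0][0] > window:
            seen.popleft()  # drop attempts that aged out of the window
        if ip not in flagged and len({fp for _, fp in seen}) > max_cards:
            flagged[ip] = ts
    return flagged
```

The count is over distinct fingerprints rather than attempts, so a donor retrying one card is not flagged, and the window keeps a shared address with several donors over a day from tripping it.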

The validated data could appear for sale in as little as a week, or it could take months. It depends on whether an older batch of data has to sell first. Like your friendly neighborhood grocer, sellers want to move older product before making fresher batches available. Otherwise, they may not get any return on their work. Why?

“Large-batch data has a shorter lifespan because it’s sold to multiple different resellers who are selling it through many different channels,” says Johnson. “That data goes into use faster, and in multiple geographies. The card issuer is likely to notice the problem sooner and shut down all of the breached cards quicker.”

How many people are committing credit card fraud?

There’s no way to determine the absolute number of credit card fraudsters, but the dark web marketplaces offer some sense of scale.

By the time Johnson’s dark web forum, Shadowcrew, was closed down in 2004, he estimates the community counted 4,000 active members.

When AlphaBay was shut down in July 2017, it was the largest criminal network on the internet, with 240,000 members (most of whom used the marketplace to buy drugs). Of those, Johnson estimates that up to 60,000 were active fraudsters.

(In a later episode of The Online Fraudcast, Johnson discusses the closure of Wall Street Market, which boasted 1.15 million user accounts at the time it was shut down. If we apply AlphaBay’s ratio of users to active fraudsters, that could mean over 250,000 people involved in credit card fraud.)

Big honeypots: one-day fire sales on no-name eCommerce sites

Remember the fraudulent eCommerce sites mentioned earlier? Here’s some public service announcement material for you: those sites harvest discount-chasing consumers’ credit card information. Karisse Hendrick, owner/principal consultant at Chargelytics Consulting and Johnson’s co-host, described pop-up scam eCommerce sites offering Black-Friday-like deals.

“I saw one site offering very expensive exercise watches with biometrics for a very steep discount, which wasn’t available anywhere else,” says Hendrick. “The site claimed to have just a few of each of these expensive items for ‘one day only.’ Aside from a few other items, it was a pretty sparse website. I’d never heard of the company before.”

This spurred Johnson to share how he would run such a scam, if he were still in the business of crime: “I would buy stolen credit card information to order high-value, in-demand items like those watches. Once I got those products in, I’d set up a merchant website and sell those products at a steep discount. It would take a little bit longer to monetize the stolen credit card data, but it would allow me to harvest all of my customers’ payment information. Plus, this preliminary phase would make my merchant website look more legitimate. Two months down the line I could buy more stolen credit card data, run that data through my merchant website, without needing any products, and cash out.”

eCommerce merchants caught in the middle

In this conversation, Hendrick is quick to point out that “Ecommerce merchants aren’t the ones losing their customers’ data, they just happen to be the platform by which criminals are monetizing stolen credit card data. There’s a big difference between where the data comes from and where the data is used.”

If you’re managing fraud in-house, then check out these timeless Fraud Prevention Tips Every eCommerce Merchant Should Know. There’s a good chance you’re spending more than is necessary to solve the problem. Find out how much fraud is costing your business.