Banks are buying stolen credit card numbers on the dark web
BY KERRY TOMLINSON, AMPERE NEWS
September 1, 2021
You would probably be surprised to see a bank executive in dark alley, paying off a mugger for a batch of stolen wallets.
But that's happening now in the dark alleys of the Internet. Here’s why.
Watch here:
Illegal Markets
Buying and selling stolen credit and debit card numbers is big business.
In one raid in 2020, Russian federal agents said they arrested more than two dozen members of a card-selling ring, seizing more than $1 million in U.S. dollars. Analysts from security company Gemini Advisory believe the ring was behind a series of illegal card-selling markets earning up to $70 million in seven years.
Who buys these stolen card numbers on the dark web?
Not just criminals, but also the banks themselves, according to dark web analysts.
"In terms of financial risk, some banks decide it is worth paying $5 to $50 for one card, rather than that card falling into the wrong hands and becoming maxed out," said Charity Wright, cyber threat intelligence analyst with Recorded Future.
"If you consider it from a financial risk perspective, this tactic could save banks millions — or billions — of dollars," she told Ampere News.
In Demand
Many of the largest banks and credit card companies in the world buy stolen numbers to try to stop fraud, according to Wright.
Analysts go undercover on the dark web, looking for things like stolen card numbers, then alerting banks so they can choose to buy or pass up. If they want to buy, the analysts can simply ‘add to cart’ and pay the thieves in cryptocurrency.
But does buying the card number actually take it off the market and stop thieves from using it? What would keep underground sellers from simply selling it to someone else?
No guarantees, Wright explained, but she said the thieves' reputation could take a hit if they sold to more than one customer.
"Reputation reigns supreme in the criminal ecosystem," she said. "Just like the open, legal markets such as social media marketplaces, eBay, and peer-to-peer online markets, reputation can make or break your personal business."
Some criminal forums and buyers give reviews and reputation scores to their members.
"These people have little tolerance for being ripped off, scammed, or frauded," Wright said. "If a card is being used by multiple criminals, it is more likely to be flagged for fraudulent behavior and shut off. Nothing kills a criminal business faster than accusations of scams and poor results."
To Buy or Not To Buy
Once they get their hands on the card numbers, banks can identify the customers affected and issue new cards.
But banks buying stolen card numbers can be controversial, according to Wright.
"I know a lot of people question, "Are we feeding the problem?" by purchasing it from threat actors, but essentially your choices are limited," she said.
"I guess it's the same problem a lot of companies face with ransomware. Do we pay it and feed into the system and give them that incentive? It's a hard decision," she added.
Wright said she leaves the choice up to the banks to decide what to do. If it were her card, she said, she would buy it.
What can you do?
There are some steps you can take to protect your card numbers before they hit the dark web.
Security company Cyble recommends that you:
Don't share your financial info over the phone, in email or messages.
Watch your financial transactions for suspicious activity.
Use long passwords for money accounts.
Use multi-factor authentication (a second log-in step, like a code).
Turn on auto updates for your phone and computer so they're always quickly updated.
Verify links and email attachments before opening.
