Security experts at the InfoSecurity Europe conference are drawing attention to "data supermarkets" that sell stolen credit card numbers for a fixed price. According to a BBC story, "credit card details are cheap" on the black market while "the logfiles of big companies can go for up to $300." How much is my credit card number worth on the Internet?
As little as a few cents. Reliable statistics about data theft are notoriously hard to come by, and reports of cheap cards for sale are nothing new. Researchers who track the Internet Relay Chat servers where this sort of business is often done, however, are reporting that the lowest advertised prices of credit card numbers has been falling during the past two years. Symantec—a firm that sells security software to both consumers and businesses—reported earlier this month that credit card numbers were now selling for anywhere between 40 cents and $20. (Credit cards from Europe or smaller card companies typically cost up to twice as much as standard-issue American numbers, presumably due to their relative scarcity within the market.) By comparison, Symantec researchers found bank account numbers going for anywhere from $10 to $1,000, and "full identities"—which include date of birth, address, and social security and telephone numbers—selling for between $1 and $15 a pop.
How many card numbers are up for sale at a given time? A group of academics found (PDF) that in a set of IRC channels they were able to access in 2006, 402 valid card numbers were appearing a day simply as teasers to attract new business. (The researchers couldn't tell, of course, if the cards were actually used or whether the linked accounts were active.)
The demand for very basic credit card information appears to be shrinking—in large part because those data are often not very valuable. Credit card companies foot most of the bill when your card number is pilfered: By law, a consumer is liable for only $50 when a stolen card is used, and most companies waive even that. As a result, the companies have stepped up their efforts to cut down on fraud, reducing the potential benefit from accessing a stolen card number. As opposed to bank accounts, for instance, it is far more difficult to use credit cards to quickly (and anonymously) take out cash before an account is shut off.
In addition, the market for stolen data has become segmented. The available statistics on the price of pilfered data is based on information found on public channels. More sophisticated data likely sells at higher prices in more restricted venues. Simple credit card numbers are often sold in bulk—Symantec found sales of 500 for $200—while more specialized products go for a good deal more. The big money now appears to be in a host of value-added services, as more sophisticated criminals have gotten in the business of validating data, compiling more complete dossiers of information or selling "bots" that allow the buyer to collect data himself. The more expensive credit card numbers have often been field-tested already, with a seller placing a small charge on the account to see whether it goes through and if the owner detects any fraud. And a file that includes passwords, the answer to a user's security questions, and his mother's maiden name—along with the credit card data—might go for a few hundred dollars.
Got a question about today's news? Ask the Explainer.