NordVPN has released a new analysis that found over 4 million payment card details, belonging to users across 140 countries, being traded on the dark web. The hackers were found selling payment card information for $10 on average per card.
Visa cards were the most common, followed by Mastercard and American Express. Debit cards were more common than credit cards in the markets the independent researchers surveyed. Hacked debit cards put their victims at greater risk because there tend to be fewer protections in place for debit.
How was the information found?
NordVPN found that most of the sensitive financial information traded on the dark web was harvested via brute-forcing, a technique often used to guess passwords and penetrate targeted accounts.
“This is a bit like guessing,” said Marijus Briedis, CTO at NordVPN. “Think of a computer trying to guess your password. First it tries 000000, then 000001, then 000002, and so on until it gets it right. Being a computer, it can make thousands of guesses a second.
“After all, criminals don’t target specific individuals or specific cards. It’s all about guessing any viable card details that work to sell.”
The most affected places
The research found 1,561,739 sets of card details for sale on the dark web from the US. This was far more than from anywhere else. But this does not necessarily mean people in the US are more at risk. Turkey, for example, had less than half the cards per capita that the US has, but the high proportion of non-refundable cards gives Turkey a higher Risk Index.
The risk index is based on one card per person, so the more cards you have, the more likely it is that one of them could be hacked. This is particularly a problem in the US where there are more cards in circulation per person, but is also something that Europeans need to be aware of.
The second most affected nation was Australia, with 419,806, while Brits account for 134,607 of the compromised cards.
The research found that the price of payment card details varied between $1 and $12 in the US, with most about $4. The most expensive card details, which cost about $20, were in Hong Kong and the Philippines and the cheapest, some at just $1, originated in Mexico, the US and Australia.
How can you stay more protected?
One of the best things for users to do is to stay vigilant. Review monthly statements for suspicious activity and respond quickly to any notice from your bank that your card may have been used in an unauthorised manner.
Here’s what banks and other service providers can do to protect users:
- Stronger password systems: Payment and other systems need to use passwords, and those passwords need to be strong. Every extra step is one that will make it much harder for attackers to break in.
- MFA: Multi-Factor Authentication is becoming the minimum standard. Passwords are only one step, but verifying using a device, texted code, fingerprint or other security measure provides a huge step up in protection.
- System security and fraud detection: There are proven smart tools banks can use to detect and prevent these and other attacks. Fraud detection systems can detect situations where thieves have succeeded. Banks can use tools like AI to track payment attempts to weed out fraudulent attacks.
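The fraud-detection point above, as an added example (not from NordVPN's research or the original article): a sliding-window check that flags a payment source trying many different cards with mostly declined results, which is the trace the guessing described earlier leaves in authorisation logs. The record fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60       # assumed sliding-window length
MIN_DISTINCT_CARDS = 5    # assumed threshold: distinct cards tried by one source
MIN_DECLINE_RATIO = 0.8   # assumed threshold: share of attempts that were declined


def find_enumeration_sources(attempts):
    """Return {source: time_first_flagged} for sources whose attempts look like guessing.

    attempts: iterable of (timestamp_seconds, source, card_token, approved),
    sorted by timestamp. card_token is a tokenised reference, never a raw card number.
    """
    windows = defaultdict(deque)
    flagged = {}
    for ts, source, card, approved in attempts:
        win = windows[source]
        win.append((ts, card, approved))
        # Drop attempts that have fallen out of the sliding window.
        while ts - win[0][0] > WINDOW_SECONDS:
            win.popleft()
        distinct_cards = {c for _, c, _ in win}
        declines = sum(1 for _, _, ok in win if not ok)
        if (source not in flagged
                and len(distinct_cards) >= MIN_DISTINCT_CARDS
                and declines / len(win) >= MIN_DECLINE_RATIO):
            flagged[source] = ts
    return flagged


def sample_attempts():
    """Constructed sample records, not real transaction data."""
    attempts = []
    # src-A: eight different cards in 14 seconds, only the last one approved.
    for i in range(8):
        attempts.append((100 + 2 * i, "src-A", f"tok-{i:04d}", i == 7))
    # src-B: one customer retrying the same card after a typo.
    attempts += [(101, "src-B", "tok-9001", False), (109, "src-B", "tok-9001", True)]
    # src-C: a busy legitimate source, six cards, all approved.
    for i in range(6):
        attempts.append((100 + 3 * i, "src-C", f"tok-8{i:03d}", True))
    return sorted(attempts)


if __name__ == "__main__":
    print(find_enumeration_sources(sample_attempts()))
```

Requiring both conditions keeps a single customer retrying one card and a high-volume source with normal approval rates from being flagged.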