Americans are the most common target of payment card fraud, based on details for sale on the dark web, new research published this week by NordVPN shows. The company analyzed 4.5 million payment card details belonging to citizens of 140 countries that were found by independent researchers for sale on the dark web.
USA, Australia, Hong Kong take the popularity podium
The most popular country of origin was the United States at nearly 1.6 million detail sets at an average price of $5.80. Visa cards accounted for 913,955 of the cards, followed by Mastercard (406,851) and Amex (143,836). Australia was the second most popular country with more than 400,000 detail sets available, while Hong Kong sat third with 400,000. The average price of all detail sets was $9.70.
“Since 2014, we have been seeing a constant growth in payment card fraud around the world,” NordVPN CTO Marijus Briedis said. “We decided to look into how much a payment card costs on the dark web and why there’s a booming underground black market for them.”
“And the answer is that hackers can easily make a lot of money. Even if a card costs only $10 on average, a hacker can make $40 million by selling a single database, like the one that we analyzed.”
USA cards are also safer
Even though the biggest number of card details found for sale were from the USA, Australia and Hong Kong, this doesn’t mean that they are the most vulnerable, the researchers cautioned. Vulnerability depends on factors like the proportion of non-refundable cards (if a card is refundable, the owner can be reimbursed in case of being scammed), the country’s population, and the number of cards in circulation.
“For example, taking into account a large number of cards with refunds available, US cards may be more reliable,” Briedis suggested. “But there was still a big number of them found hacked on the Internet because of the greater number of credit card users in this country in general.”
NordVPN researchers compared the card data between countries with the United Nations’ population statistics and the number of cards in circulation from Visa, Mastercard, and American Express to calculate the risk index and compare more directly how likely people’s cards are to be available on the dark web by country.
America’s risk index was estimated to be 0.34. The most vulnerable country was found to be Hong Kong, with a maximum possible risk score of 1. The second most vulnerable was Australia (0.85), followed by New Zealand with a score of 0.8. The least vulnerable score is 0, and it was attributed only to one country — the Netherlands.
The prices of the discovered American payment card details varied between $1-$12. The vast majority (350,090) were priced at $4.
The most expensive cards are found in Hong Kong and the Philippines (around $20), while the cheapest belonged to Mexicans, Americans, and Aussies (prices starting from $1).
Comparing the number of credit and debit cards, overall the difference wasn’t very big, with 52 per cent of the discovered cards being debit and 48 per cent being credit cards. Visa Prepaid cards were twice as likely to be found on the dark web than the classic card versions. With Mastercard, there were three times more Premium cards found hacked than prepaid ones.
Brute force pays off
Technological persistence accounts for the majority of detail sets available.
“Increasingly, the card numbers sold on the dark web are brute-forced,” Briedis explained. “Brute-forcing is a bit like guessing. Think of a computer trying to guess your password. First it tries 000000, then 000001, then 000002, and so on until it gets it right. Being a computer, it can make thousands of guesses a second.”
“After all, criminals don’t target specific individuals or specific cards. It’s all about guessing any viable card details that work to sell. Researchers at Newcastle University estimate that an attack like this could take as few as six seconds.”
There is little users can do to protect themselves from this threat, short of abstaining from card use entirely. The most important thing is to stay vigilant, NordVPN suggested.
“Review your monthly statement for suspicious activity and respond quickly and seriously to any notice from your bank that your card may have been used in an unauthorized manner. Another recommendation is to have a separate bank account for different purposes and only keep small amounts of money on the one your payment cards are connected to. Some banks also offer temporary virtual cards you can use if you don’t feel safe while shopping online,” Briedis recommended.
The study also included some safety tips.
Stronger password systems: Keep passwords strong. Every extra step makes it harder for attackers to break in. Banks could provide password managers.
MFA: Multi-Factor Authentication is becoming the minimum standard, so if your bank doesn’t offer it already, demand it or consider switching banks. Passwords are only one step, but verifying using a device, texted code, fingerprint, or other security measure provides a huge step up in protection.
System security and fraud detection: Fraud detection systems can detect situations where thieves have succeeded. Banks can use tools like artificial intelligence to track payment attempts to weed out fraudulent attacks. Pressure is also put on payment systems or online merchants, who often bear the cost of fraud and so have a big incentive to improve their systems.