New analysis has observed over 4 million (4,481,379) payment card details, belonging to users across 140 countries, being traded on the dark web.
The hackers were found selling payment card information for $10 on average per card. The highest number of card details found for sale were from the US, Australia, and Hong Kong.
The researchers revealed that hackers have discovered a way to find card numbers without breaking into a database, and there’s also a booming underground black market for them.
The attackers are able to pull this off because the digits on most cards follow a fixed pattern, and can be deduced.
For instance, the first couple of digits indicate the financial service provider, while the sixteenth is a checksum, and so on. Furthermore, the CVV is made up of three digits, which also helps with the guesswork.
Crunching the available data, NordVPN says that of the 4,481,379 stolen cards, the largest share (1,561,739) belonged to US citizens. By comparison, only 134,607 cards for sale on the dark web belonged to UK residents.
Also, the researchers discovered that debit cards were more common than credit cards, which is particularly worrisome since debit cards don’t have the same level of protections as credit cards.
Visa cards were the most common, followed by Mastercard and American Express.
“Clever hackers can significantly cut down how many numbers they need to guess and check to find your payment card number. In fact, researchers at Newcastle University estimate that an attack like this could take as few as six seconds,” note the researchers, adding that an average hacked card’s data costs less than $10.
Card Numbers are Brute-forced
NordVPN found that most of the sensitive financial information traded on the dark web was harvested via brute-forcing. The brute-force technique is often used to guess passwords and penetrate targeted accounts, with the passwords guessed using dictionaries or common word combinations.
“Increasingly, the card numbers sold on the dark web are brute-forced. Brute-forcing is a bit like guessing. Think of a computer trying to guess your password,” explains Marijus Briedis, CTO at NordVPN.
“First, it tries 000000, then 000001, then 000002, and so on until it gets it right. Being a computer, it can make thousands of guesses a second. After all, criminals don’t target specific individuals or specific cards. It’s all about guessing any viable card details that work to sell.”
“There is little that users can do to protect themselves from this threat short of abstaining from card use entirely,” note the researchers, suggesting that users should keep an eye out for suspicious entries in their statements.
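On the merchant or issuer side, the guessing described above shows up in authorization logs as one source trying many distinct cards under the same leading digits, with nearly every attempt declined. The following detection sketch is an added example, not part of NordVPN's research; the log fields (source IP, issuer prefix, card token, approval flag), the thresholds, and the sample records are all constructed assumptions.

```python
from collections import defaultdict


def make_sample():
    """Constructed authorization-log records: (source_ip, issuer_prefix, card_token, approved).
    Tokens stand in for card numbers, which should not be stored in logs."""
    events = []
    # One source cycling through many cards under a single issuer prefix.
    for i in range(40):
        events.append(("203.0.113.7", "400000", f"tok_{i:04d}", i == 37))
    # Ordinary shoppers: one card each, retries allowed, mostly approved.
    events += [
        ("198.51.100.10", "411111", "tok_a", True),
        ("198.51.100.10", "411111", "tok_a", True),
        ("198.51.100.11", "550000", "tok_b", False),
        ("198.51.100.11", "550000", "tok_b", True),
    ]
    return events


def find_enumeration(events, min_cards=20, min_decline_ratio=0.9):
    """Flag (source, prefix) pairs that try many distinct cards sharing one
    issuer prefix while almost all attempts are declined.
    Thresholds are illustrative assumptions, not tuned values."""
    cards = defaultdict(set)      # (ip, prefix) -> distinct card tokens tried
    attempts = defaultdict(int)   # (ip, prefix) -> total authorization attempts
    declines = defaultdict(int)   # (ip, prefix) -> declined attempts
    for ip, prefix, token, approved in events:
        key = (ip, prefix)
        cards[key].add(token)
        attempts[key] += 1
        if not approved:
            declines[key] += 1

    flagged = []
    for key, seen in cards.items():
        ratio = declines[key] / attempts[key]
        if len(seen) >= min_cards and ratio >= min_decline_ratio:
            flagged.append({
                "source": key[0],
                "prefix": key[1],
                "distinct_cards": len(seen),
                "decline_ratio": round(ratio, 3),
            })
    return flagged


if __name__ == "__main__":
    for hit in find_enumeration(make_sample()):
        print(hit)
```

Counting distinct cards rather than raw attempts keeps a shopper who retries a single declined card several times from being flagged.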
- The independent researchers found 1,561,739 sets of card details for sale on the dark web from the US during their research. This was far more than from anywhere else.
- 1,561,739 out of 4,481,379 payment card details found by researchers for sale belonged to Americans.
- More than half of all the discovered payment cards coming from the US were Visa, followed by Mastercard (406,851) and American Express (143,836).
- The second most affected nation was Australia, with 419,806 sets of card details that researchers discovered for sale on the dark web. And 399,537 hacked payment cards belonged to people from Hong Kong.
- Comparing the number of credit and debit cards, overall, the difference wasn’t very big, with 52.05% of the discovered cards being debit and 47.95% being credit cards.
- Debit cards were more common than credit cards in the markets the independent researchers surveyed. Hacked debit cards put their victims at greater risk because there tend to be fewer protections in place for debit.