Hacker Sells Stolen Payment Cards and Credit Card Data Worth $38 Million

The coronavirus pandemic was disastrous for many brick-and-mortar businesses. However, it was a boon for ecommerce and the ability to sell goods and services online. According to one estimate, consumers spent a massive $861.12 billion with U.S. merchants online in the year, marking an astonishing 44% increase year-over-year. This was the highest jump in annual ecommerce growth in upward of two decades, and close to triple 15.1% jump seen one year earlier, in 2019.

Credit cards have helped facilitate the boom in ecommerce. Without them, spending cash online would be exponentially more difficult. While credit cards existed in the pre-online era, they seem tailor-made for a world in which physical cash has given way to digital payments. They make spending money with online retailers far more straightforward and seamless than it would be otherwise.

Unfortunately, whatever innovation makes life easier for regular, legitimate customers can also frequently be exploited by bad actors. That’s exactly what has happened with credit cards, whose details online thieves now set out to steal in ever-more unwantedly ingenious and underhanded ways.

To help battle online fraud, major credit card companies — including American Express, Discover Financial Services, JCB International, and MasterCard, and VISA — created the Payment Card Industry Data Security Standard (PCI DSS) by establishing a minimum level of security to be met by all merchants that store, process, and transmit cardholder data. But the challenges don’t stop there.

Safeguarding customers

The establishment of PCI DSS guidelines helps safeguard customers. However, this has by no means solved the problem of hackers trying to steal card information online. Attackers still look for ways to steal credit card information — whether this is hacking merchants with credit card data on file, installing malware on the computers of users that can monitor keystrokes or take screenshots of sensitive information, or phishing scams that try and fool unwitting individuals into entering card details on fake websites or fraudulent emails. Once this information has been stolen, it may then be sold on hacker forums or used to make unauthorized purchases, such as large quantities of gift cards which are difficult to trace.

Earlier in 2021, it was reported that a hacker had sold approximately 895,000 gift cards and details of 330,000 stolen cards used for payment on a dark web forum. The information, worth a reported $38 million, was supposedly stolen from the online discount gift card shop called Cardpool.com in a 2019 breach. The gift cards originally came from a variety of companies, such as Airbnb, Amazon, Marriott, Nike, Target, Walmart, and others. 

It included information on card numbers, expiration dates, issuing bank names, billing addresses and more — although, due to PCI DSS requirements, it did not include cardholders’ names and Card Verification Value (CVV), which merchants are barred from storing. The “threat actor” who sold the information has made multiple sales since 2010 — including credit cards, personally identifiable information (PII), databases, and more.

Solving the problem

Stolen card information from a couple of years back is not guaranteed to work. However, hackers who carry out credit card stuffing or “carding” fraud can rapidly sort through large datasets of stolen card details, using high-speed bots to test numbers to find legitimate ones. These can then be used illegally.

Although such fraud is worrying for customers, it is downright disastrous for vendors. That’s because they often wind up having to pay double for fraud: paying to ship out goods that are purchased by stolen credit cards, and then having to reimburse credit card companies so they can return the cash to the genuine card owner.

There is no one-size-fits-all solution to this problem. Merchants wanting to defend against such attacks should invest in tools like Web Application Firewalls (WAF), which can detect and block attacks that go after vulnerabilities known to be being exploited by cyber attackers. Cyber security experts can additionally assist mechants to achieve PCI DSS compliance, using techniques that range from device fingerprinting and browser validation to machine learning-based behavioral analytics for seeking out bots executing carding scams.

Ecommerce is here to stay

The (hopeful) beginning of the end for the COVID-19 pandemic doesn’t mean that ecommerce is going to begin to decline. The extra convenience it has introduced is very challenging for traditional, brick-and-mortar retailers to replicate in many cases. While customers are still spending their hard-earned dollars online, bad actors are going to continue trying to find ways to steal this information. For merchants who do business online, it’s therefore essential to make sure that they are properly protected — not just from the attacks themselves, but the damage to reputation and regulatory fines (for instances in which data is not properly protected) which can result.

PCI DSS compliance isn’t optional. Nor, for many businesses, is ecommerce. So make sure you choose the right options when it comes to safeguarding both yourself and your customers. The potential damage of failing to do so is so severe it isn’t worth considering.

Was it worth reading? Let us know.