Malicious actors sell hacked American payment cards for less than $6, while an average card is sold for close to $10.
Independent researchers found that data of over 4.4 million payment cards is for sale on the dark web, research by NordVPN shows. Citizens from 140 countries were identified as owners of the cards.
Researchers have found that 1.5 million payment card data belongs to Americans. Visa cards were the most frequent, with 913,955 found on the darknet, followed by Mastercard with 406,851 cards and American Express with over 143,836.
The credit card to debit card ratio shows that hackers do not prefer either as debit cards (52.05%) were marginally more frequently than credit cards (47.95%).
According to the research, Visa Prepaid cards were twice as likely to be found on the dark web than the Classic card version. Interestingly, researchers found three times more Mastercard Premium cards compared to Prepaid ones.
The price of American payment card details varied from $1 to $12, with the majority of the cards (350,090) cards costing $4. However, taking all data into account, the details for an average American card cost $5.81.
Researchers found that aside from the US, Australia and Hong Kong were the most affected places, with details on 419,806 and 399,537 cards found, respectively.
According to the research, a card’s vulnerability depends on the proportion of non-refundable cards, the country’s population, and the number of cards in circulation.
“For example, taking into account a large number of cards with refunds available, US cards may be more reliable. But there was still a big number of them found hacked on the internet because of the greater number of credit card users in this country in general,” Marijus Briedis, CTO at NordVPN, explains.
If a card is refundable, the victim will get compensated for the hacker-inflicted damage. Non-refundable cards provide no such respite.
“Another recommendation is to have a separate bank account for different purposes and only keep small amounts of money on the one your payment cards are connected to.”-Marijus Briedis
Considering these factors, researchers determined that Hong Kong was most vulnerable, followed by Australia and New Zealand. At the same time, the Netherlands was considered to be the least vulnerable to attacks like these.
The majority of the payment cards (914,072) cost $20 on the dark web. However, the average price of a payment card in the research stood at $9.70.
More than a half (2,524,142) of all the discovered payment cards were Visa, followed by Mastercard (1,602,248) and American Express (215,971). Comparing the number of credit and debit cards, overall, the difference wasn’t very big, with 52.5% of the discovered cards being debit and 47.5% being credit cards.
According to Briedis, the black market for card payment details has been steadily growing since 2014. Even if the cards sell for $10 on average, a stolen database with 4 million card details can sell for a whopping $40 million.
“A computer can make thousands of guesses a second. After all, criminals don’t target specific individuals or specific cards. It’s all about guessing any viable card details that work to sell,” Briedis is quoted in a press release.
He explained that there is no way to remove a threat of brute-forcing completely, but that does not mean users do need to do anything at all. One way is to stay vigilant and respond quickly to any notice from your bank on card use.
“Another recommendation is to have a separate bank account for different purposes and only keep small amounts of money on the one your payment cards are connected to. Some banks also offer temporary virtual cards you can use if you don’t feel safe while shopping online,” Briedis said.
How to protect yourself against phishing
- Use unique and complex passwords for all of your online accounts. Password managers help you generate strong passwords and notify you when you reuse old passwords.
- Use multi-factor authentication (MFA) where possible.
- Beware of any messages sent to you, even from your Facebook contacts. Phishing attacks will usually employ some type of social engineering to lure you into clicking malicious links or downloading infected files.
- Watch out for any suspicious activity on your Facebook or other online accounts.