
The Dark Art of Buying Back Stolen Credit Card Data


There are many potential buyers of stolen bank account data, including the banks themselves. But fraudsters are increasingly reluctant to sell their data back to its original owner. Security experts say the banks’ strategy of buying their stolen data is an effective and inexpensive way to determine the source of a breach and suppress criminal activity. But at the same time, the most sophisticated black-market “card shops” are getting less welcoming to outsiders.

In the mid-2000s, approximately 80% of black-market participants were unaffiliated with criminal organizations or groups, according to a report published by Rand Corp. Today, that number is closer to 20%.  Fraudsters know that the only reason a bank would buy back its data is to investigate how it leaked and thwart future breaches.

In some of the more high-profile breaches of recent years, banks have bought back their customers’ credit and debit card numbers to see if they were all used within a certain time frame and at a certain retailer, or what security experts refer to as the common point of purchase.
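The common-point-of-purchase check described above can be sketched in a few lines. This is an added example, not part of the original article: the card IDs, merchant names, dates, and the 14-day window are constructed assumptions, and the function flags merchants where every bought-back card was used inside one short time frame.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: purchase histories of four bought-back cards (hypothetical names).
CARDS = {"c1", "c2", "c3", "c4"}
TRANSACTIONS = [
    ("c1", "Retailer A", date(2013, 11, 20)),  # older visit, outside the cluster
    ("c1", "Retailer A", date(2014, 3, 2)),
    ("c2", "Retailer A", date(2014, 3, 5)),
    ("c3", "Retailer A", date(2014, 3, 9)),
    ("c4", "Retailer A", date(2014, 3, 10)),
    ("c1", "Gas C", date(2014, 1, 4)),         # every card, but months apart
    ("c2", "Gas C", date(2014, 2, 15)),
    ("c3", "Gas C", date(2014, 4, 1)),
    ("c4", "Gas C", date(2014, 5, 20)),
    ("c1", "Grocery B", date(2014, 3, 3)),     # popular, but not on every card
    ("c2", "Grocery B", date(2014, 3, 4)),
    ("c3", "Grocery B", date(2014, 3, 6)),
]

def common_points_of_purchase(transactions, cards, window_days=14, min_share=1.0):
    """Merchants where at least min_share of the cards were used inside one
    window of window_days, as (merchant, window_start, window_end, share)."""
    if not cards:
        return []
    by_merchant = defaultdict(lambda: defaultdict(list))  # merchant -> card -> dates
    for card, merchant, day in transactions:
        if card in cards:
            by_merchant[merchant][card].append(day)
    span = timedelta(days=window_days)
    results = []
    for merchant, per_card in by_merchant.items():
        best_hits, best_start = 0, None
        # Try a window opening on each observed purchase date.
        for start in sorted({d for days in per_card.values() for d in days}):
            hits = sum(any(start <= d <= start + span for d in days)
                       for days in per_card.values())
            if hits > best_hits:
                best_hits, best_start = hits, start
        share = best_hits / len(cards)
        if share >= min_share:
            results.append((merchant, best_start, best_start + span, share))
    return sorted(results, key=lambda r: -r[3])

if __name__ == "__main__":
    for row in common_points_of_purchase(TRANSACTIONS, CARDS):
        print(row)
```

On the sample data only "Retailer A" is returned: "Gas C" appears on every card but never inside one window, and "Grocery B" is missing from one card.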

Typically it’s law enforcement officials, such as the FBI or Secret Service, carrying out the investigation. But this process can be hit or miss, depending on what kind of intelligence the banks are able to obtain, said Brian Krebs, an independent investigative reporter who runs the site KrebsOnSecurity. “There are a lot of variables that affect the value of the intelligence you may or may not get from this,” he said.

Earlier this year, an FBI agent reached out to Krebs to try to figure out why the agent had been locked out of a fraud site he was trying to access. After he bought several cards, a popup appeared on the site that said, ‘No pigs allowed.’  While Krebs said it’s possible the agent could have been more careful, the story illustrates how it’s getting harder for banks and law enforcement agencies to use the card shops to their advantage.

Higher-end crime rings are creating their own clubs, in which users need to have 1 or 2 people recommend them before they can gain access to sites where stolen information is bought and sold.  There are also ratings systems, much like eBay uses, so that anyone can rate the experience of buying and selling to a particular party. In this manner, a cyber-criminal can build up a reputation.  These precautions are important for the fraudsters to deter law enforcement as well as “rippers,” thieves who go into sites and rip off other criminals.

Security experts also report an increase in the use of ransomware, which is used to hold information hostage by compromising the machine on which it is stored. Criminals use ransomware to encrypt data and hold it for ransom, promising to decrypt the data once the ransom is paid.

Whether paying a ransom or buying back stolen information, security experts warn that it’s never a good idea to provide thieves with any funds they can use to further support their criminal organizations. Terrorist groups, for example, have been known to rely on ID theft and breached card data to fund their activities.

The good news for banks is that they can get a lot of bang for their buck by buying only a dozen or so credit card numbers. Because the fraud shops have become more competitive with one another, they’ve also lowered their pricing. Cards typically range from $10 to $30 apiece, according to Krebs.

Source:  American Banker
