Breach Concerns: Stolen Card Data Still Survives Five Years Later

How fraudsters use credit card information to commit fraud. Riskified teamed with IntSights to follow an actual breached card from its dark web debut to its continued use five years later.

The study, “A Step-By-Step Breakdown: How Fraudsters Steal Your Identity and Shop Online With Your Money,” by Israel/New York-based Riskified, which offers an e-commerce fraud prevention solution; and New York-bsed IntSights traced how personal information is stolen, sold by dealers and fraudsters, and then used in a fraudulent order with e-cards.

The revealing study starts with one individual’s personal information and credit card credentials first appearing on multiple dark web forums in 2014. The person’s details, including social security card number, became part of a free sample package of stolen credit cards used to promote the cybercriminals’ vendor status, and the quality of their goods, according to the blog from Riskified’s Sangwon Yoon, who laid out the analysis.

Yoon pointed out the near impossibility to pinpoint exactly how a hacker originally stole the card details. “He could have swiped his card on a compromised gas pump, ATM, or point-of-sale device, where skimmers are installed to copy customers’ information from the magnetic strip or EMV chip.” Or someone could have stolen his bank statement off his porch or mailbox. “Or what’s more likely is that his email account, account with the merchant’s mobile app or e-commerce website were compromised in a major hack or data breach.”

To this day, as many as dozens of failed fraud attempts using variations of this individual’s name and the card number appear across the 1,600-plus Riskified merchant clients.

Security breach incidences have increased more than eight-fold in just over a decade with the number of breaches surging to more than 1,200 per year from just 157 in 2005, according to the Identity Theft Resource Center.

In a recent “Retail Threat Landscape Report” fraud update, in which Riskified and IntSights also teamed, they found a 297% spike in the number of fake retail websites designed to phish for customer credentials from July to September in 2018, compared to the previous year.

Yoon wrote, “Data breaches have now become almost a fact of life. Hackers can now grab your social security number, bank account number, as well as banking login, literally within minutes,”

As with all data breaches and/or events, especially involving payments, the risk could extend to credit unions and other financial institutions.

Dark web trends and tools evolve constantly, Yoon pointed out. “In order to maximize their take, fraudsters use sophisticated, automated, and tailored tools to commit fraud against retailers.” One example is account checkers, which automatically work through a roster of breached username and password pairs, or credential stuffing lists, to inject each of them into the login form fields, to systematically cross-check whether any of them will unlock fraudulent access to user accounts with retail sites.

“The golden age of e-commerce is just beginning: online sales account for only 12-13% of total retail sales worldwide! Fraudsters are constantly innovating to try to exploit merchants, especially those busy optimizing their omnichannel strategies,” Yoon wrote.