The credit card details of millions of people are being sold to criminals on the dark web for an average of less than £8 ($10.60) each.
Research by VPN provider NordVPN of over four million credit cards for sale on the dark web found that credit cards from US citizens were the most common, with 1.6 million of the 4.5 million analysed being from the US. About 135,000 of the card details analysed belonged to UK citizens.
Marijus Briedis, CTO at NordVPN, said the details for sale on the dark web are increasingly acquired through brute-forcing. “This is a bit like guessing,” he said. “Think of a computer trying to guess your password. First it tries 000000, then 000001, then 000002, and so on until it gets it right. Being a computer, it can make thousands of guesses a second.
“After all, criminals don’t target specific individuals or specific cards. It’s all about guessing any viable card details that work to sell.”
Briedis said researchers estimate that an attack like this could take as little as six seconds.
The research found that the price of payment card details varied between $1 and $12 in the US, with most about $4.
The most expensive card details, which cost about $20, were in Hong Kong and the Philippines and the cheapest, some at just $1, originated in Mexico, the US and Australia.
NordVPN said there is little users can do to protect themselves from this threat apart from not using cards, but added that it is important to be vigilant.
“Review your monthly statement for suspicious activity and respond quickly and seriously to any notice from your bank that your card may have been used in an unauthorised manner,” said Briedis. “Another recommendation is to have a separate bank account for different purposes and only keep small amounts of money on the one your payment cards are connected to. Some banks also offer temporary virtual cards you can use if you don’t feel safe while shopping online.”
According to data released by researchers at Comparitech in September, stolen credit card data available on the dark web fetched an average of $17.36 or about $0.00033 per dollar of credit limit.
Paul Bischoff, cyber security expert at Comparitech, said at the time: “Credit cards can be sold as physical or digital items on the dark web. Credit card details used for online fraud are cheaper and can be sent in a text message. Physical cards are usually cloned from details stolen online, but can be used to withdraw from ATMs.”