Analyzing 4 million payment card details found on the dark web

We all know that it’d be a disaster if a thief got their hands on your payment card information. But your details are safe as long as you know your card or your card data haven’t been stolen, right?

Wrong.

Not only is there a way to discover payment card numbers without breaking into a database, there’s also a booming underground black market for them. These numbers are being sold by the millions. We even know the average cost – about $10 USD per card.

NordVPN analyzed statistical data gathered by independent researchers specializing in cybersecurity incident research from markets where payment card numbers are being sold. Here’s what we learned.

Mapping payment card detail hack

The independent researchers discovered mountains of data on the dark web that helped us map out the statistical scope of payment card detail hacking online. Records revealed what types of cards’ details are sold the most in different countries, and the average cost of card data from different countries. This enabled us to assign risk indices to each country covered by the data. How does your country rank up?

Here are some of the researchers’ key findings – in addition to the data:

• An average hacked payment card’s data costs less than $10, and hackers have millions of these ready to sell;
• Visa cards were the most common, followed by Mastercard and American Express.
• Debit cards were more common than credit cards in the markets the independent researchers surveyed. Hacked debit cards put their victims at greater risk because there tend to be less protections in place for debit.
• The independent researchers found 1,561,739 sets of card details for sale on the dark web from the US during their research. This was far more than from anywhere else. But this does not necessarily mean people in the US are more at risk. Turkey, for example, had less than half the cards per capita that the US has, but the high proportion of non-refundable cards gives Turkey a higher Risk Index;
• The risk index is based on one card per person, so the more cards you have, the more likely it is that one of them could be hacked! This is particularly a problem in the US where there are more cards in circulation per person, but is also something that Europeans need to be aware of.

Hacked payment card numbers per US state

Theft without theft? Brute-forcing explained

Database breaches aren’t the only way to get hacked payment card details anymore. Increasingly, the card numbers sold on the dark web are brute forced. But how does this attack work?

Brute forcing is a little bit like guessing. Think of a computer trying to guess your password. First it tries 000000, then 000001, then 000002, and so on until it gets it right. Being a computer, it can make thousands of guesses a second. Most systems limit the number of guesses you can make in a short space of time to prevent these kinds of attacks, but there are ways to get around this. After all, they don’t target specific individuals or specific cards. It’s all about guessing any viable card details that work to sell.

Here’s how it works:

Clever hackers can significantly cut down how many numbers they need to guess and check to find your payment card number. In fact, researchers at Newcastle University estimate that an attack like this could take as few as 6 seconds.

Tips on how to stay secure

There is little that users can do to protect themselves from this threat short of abstaining from card use entirely. The most important thing is to stay vigilant. Review your monthly statement for suspicious activity and respond quickly and seriously to any notice from your bank that your card may have been used in an unauthorized manner.

Here’s what banks and other service providers can do to protect users:

• Stronger password systems: Payment and other systems need to use passwords, and those passwords need to be strong. Every extra step is one that will make it much harder for attackers to break in. To prevent inconveniences for users, banks could provide password managers, and there are already good consumer options available.
• MFA: Multi-Factor Authentication is becoming the minimum standard, so if your bank doesn’t offer it already, demand it or consider switching banks. Passwords are only one step, but verifying using a device, texted code, fingerprint or other security measure provides a huge step up in protection.
• System security and fraud detection: There are proven smart tools banks can use to detect and prevent these and other attacks. Fraud detection systems can detect situations where thieves have succeeded. Banks can use tools like AI to track payment attempts to weed out fraudulent attacks. Pressure is also put on payment systems or online merchants – who often bear the cost of fraud so have a big incentive to improve their systems.

Method

Data collection: The data was compiled in partnership with independent researchers specializing in cybersecurity incident research. They evaluated a database that contained the details of 4,478,908 cards in total, including details of the type of card (credit or debit), issuing bank, and whether it was refundable. The data NordVPN received from the third-party researchers did not contain any information that relates to an identified or identifiable individual (such as names, contact information or other personal information). We do not operate with exact numbers of payment card details sold on the dark web, as NordVPN has only analyzed a set of statistical data provided by independent researchers.

Analysis: The raw numbers only provide part of the picture. Population size and card usage vary between countries, and these are just two factors that can change the impact of these numbers.

We compared the statistical card data between countries with UN population stats and the number of cards in circulation by country or region from Visa, Mastercard and American Express. This allowed us to calculate a risk index to more directly compare how likely your card is to be available on the dark web by country.

We calculated the Risk Index using the following elements:

• Number of cards in the database per capita for that country;
• Number of cards in circulation for that country (based on country or regional data from Visa, Mastercard and American Express);
• The proportion of non-refundable cards in the database for that country, with reduced influence on the overall index;

We then logarithmically normalised these numbers to produce scaled ratings between 0 and 1.