Symantec Global internet Security threat report
Counterfeit credit cards made using data dumps can add a sense of legitimacy to fraudulent transactions by allowing criminals to make purchases in person. By immediately acquiring purchased goods during the transaction instead of waiting for delivery, the scammer does not have to worry about the credit card company noticing the purchase and freezing the account because the goods are already in the scammer’s possession. However, it is reasonable to assume that even when using counterfeit cards, some scammers will employ a third party to make in-person transactions, thereby reducing personal exposure to surveillance systems that could be monitoring the fraudulent purchase.
Credit card information can be obtained through a variety of means such as monitoring merchant card authorizations or breaking into databases. Data breaches can be very lucrative in the underground economy. For example, the previously mentioned security breach of the credit card payment processor in January 2009 resulted in the exposure of more than 130 million credit card numbers. Even using the lowest advertised price-per-card number in 2009, this breach represents over $110 million in potential profit.
Credit card dumps are harder for underground economy sellers to acquire because they can only be obtained by using skimming machines that physically scan the magnetic stripe of the legitimate card.196 Because of this, and the pseudo-legitimacy that dumps can provide through counterfeit cards, dumps are rarer and are often advertised at higher rates than credit card information.
the prices of credit card information advertised in 2009 ranged from $0.85 to $30 per card number, a slight change from 2008 when prices ranged from $0.06 to $30. the difference in prices may be a further indication of higher availability in 2008; the low-end price observed in 2007 was $0.40. this is a reflection of simple supply and demand, where higher bulk availability results in lower prices. there were three main factors that influenced the prices: the amount of information included with the card, rarity of the card type, and bulk purchase sizes. Credit cards that bundled in personal information—such as government- issued identification numbers, addresses, phone numbers, and email addresses—were offered at higher prices. Cards that included security features such as CVV2 numbers, pins, and online verification service passwords were also offered at higher prices.
the value of credit card information is also influenced by the location of the issuing bank as well as the type and rarity of the credit card. Credit cards issued in regions such as Asia, the Middle East, and some European countries are often advertised at higher prices than those in other regions because the availability of information in these regions is lower. in 2009, for example, credit card information from countries such as italy and France was commonly listed for $6 to $10 each, while cards issued from the United Kingdom, Canada, and the United States were commonly listed at $5 or less per card.
While the maximum advertised price per card number remained the same in 2009 as the previous year, the minimum price of $0.06 was higher than the 2008 minimum price per card number. the primary reason for the rise in minimum price per card number is that there was a notable lack of bulk pricing in advertisements observed in 2009. the bulk rates that were advertised applied to smaller lots of card numbers than has been previously observed. For example, the largest advertised bulk quantity observed by Symantec in 2009 was for 100 credit cards, as opposed to 5,000 credit cards in 2008.
Magnetic stripe skimming devices are small machines designed to scan and retain data contained in the magnetic stripes on credit and debit cards.