Financial data is a valuable commodity on the digital underground, with payment card information constituting one of the more common items listed for sale. The data maintains a crucial role in the cybercrime ecosystem, as sellers are able to easily monetize the stolen information for buyers to utilize for various fraudulent activities. Stolen payment card details find themselves on the deep and dark web in number of ways, including but not limited to; targeting e-commerce sites with credit card sniffers, through data breaches and phishing scams, as well as physical hacking tools such as skimmers and shimmers, which are placed on POS (point-of-sale) terminals, ATMs, and gas stations.
Within this lucrative underground market, during the first six months of 2021 (H1 2021), there were 28,934,392 compromised payment cards offered for sale on underground credit card markets. This marks a ~36% decrease compared to the number offered for sale in H2 2020, 45,130,117. The decline could be the result of several factors, including the closure of credit card markets (due to law enforcement or threat actor “retirement”), ongoing trends towards contactless payments accelerated during the pandemic, as well as the reduction of credit cards being issued (more stringent lenders).
While numbers declined overall, some trends remain fairly consistent. For example, we examined the two predominant forms of compromised cards offered for sale, those offered as ‘dumps’ and those including CVV/CVV2 information. In H1 2021, cards with CVV/CVV2 data accounted for 58% of compromised cards being advertised, compared to 42% for dumps.
Figure 1: Distribution of Dumps vs. CVV/CVV2 in H1 2021
Cards from dumps are used physically (cloned cards) and contain segments of data related to Track 1 and Track 2, located on the card’s magnetic strip. This includes the cardholder’s name, account number, expiration date, BIN, as well as other validating data points used by banks to verify purchases. Cards with CVV/CVV2 data are more valuable, as it is not stored in the magnetic strip or on the EMV chip. It’s the 3-4 digit code on the back of the card, and isn’t transmitted when swiped, tapped, or inserted into a POS system. It’s a security feature used to prevent unauthorized use of a card for ‘card-not-present’ transactions, typically required for online or phone purchases.
The H1 2021 percentage breakdown is in line with similar figures witnessed in previous iterations of this report, with a typical ratio of between 35%-42% dumps to 58%-65% CVV/CVV2.
Figure 2: Distribution of Dumps vs. CVV/CVV2 from 2019 – H1 2021
The H2 2020 outlier as reflected in the chart above may be attributed to an increase in dumps flooding the market following the easing of pandemic restrictions. The resulting sudden increase in physical transactions likely created opportunity for more cards to be targeted. Several alternative factors may also viably account for the H2 2020 anomaly, however, the typical ratio of between 35%-42% dumps to 58%-65% CVV/CVV2 can be explained in several ways.
Conducting in-person fraudulent activities carries a significantly higher risk to threat actors when compared to the anonymity afforded by an online purchase. Conducting ‘card-not-present’ transactions are thus more attractive and in higher demand, as they carry less risk. Additionally, CVV/CVV2 cards can be utilized immediately, in contrast to dumps, which could require the creation of a fake card. Moreover, cards with CVV/CVV2 information can also include other additional valuable details, including home address, email, and other personally identifiable information (PII). Utilizing this data can be further exploited by threat actors and can be used for identity fraud, account takeovers, and other criminal activities.
Click here to download the full report and read about additional trends, including the geographic distribution of compromised cards, financial fraud by payment network, and an analysis breakdown by credit card market.