Think of it as sort-of a smorgasbord. For one dollar, a thief can purchase a stolen credit card number. He could buy it from another thief in one of hundreds of online, international chat-rooms set-up for that purpose. For three dollars, he could buy the credit card number with the three-digit security code. For five dollars, he could also acquire the pin number for that card, and for, maybe, ten dollars, he could buy the cardholders’ social-security number and mother’s maiden name.
“The majority of stolen credit cards come from hacked ecommerce sites,” says Dan Clements, CEO of CardCops.com, a Los Angeles-based security firm that monitors the dishonest chat rooms and reports the stolen data to banks and other companies. “The chat rooms are themselves hard to find, but, once located, we’ll monitor them continuously for stolen data.”
Clements continues, “The international market for stolen data is robust and thriving. The prices for the stolen data are somewhat uniform and predictable.”
Say a thief hacks into an ecommerce site and steals a credit card.
Thousands of thefts daily
“Happens thousands of times per day,” says Clements. The credit card is much more valuable if the maiden name of the cardholder’s mother accompanies the sale. That’s because many cardholders use their mother’s maiden name as a standard security question, which an issuing credit- card bank could ask before the bank releases information to the cardholder. So, armed with the mother’s maiden name, a thief can frequently penetrate computer systems or coax a callcenter operator to release even more data.
“Mothers’ maiden names are easy to obtain,” says Clements, “Because that name is printed on most birth certificates. Birth certificates are public information and any number of list providers sells the information, legally, from the certificates. So, if a thief steals a credit-card number and knows the cardholder’s name, it’s a snap to get the maiden name of the cardholder’s mother.” Birth certificates aren’t the only piece of publicly available data that can assist a thief. Legal filings, such as divorce proceedings, are publicly available and, according to Clements, those filings frequently contain social security numbers.
“We call these legal filings ‘breeder documents,’” says Clements. “They can assist a thief to obtain even more information about an individual.”
Clements’ firm, CardCops.com, isn’t the only one monitoring the dishonest chat rooms, of course. Law enforcement officials monitor them, too, but, according to Clements, most of the chat rooms are operated outside of the United States. Frequently, there’s little that local law enforcement authorities can do to apprehend and prosecute the crooks.
“It’s similar to online gambling operations,” Clements explains. “Online gambling is illegal in the United States. But, many of the gambling companies are located outside the country and there’s little that authorities can do to shut them down.”
Clements’ firm sees 5,000 to 10,000 new, stolen credit card numbers per day offered for sale on illegal chat rooms. He sees upwards to 30,000 pieces of other confidential data, such as social-security numbers, a mother’s maiden name or a cardholder’s birth date. That’s per day.
All of this other data has value in the international market.
“A cardholder’s stolen birth date?” asks Clements. “It’s worth about ten dollars.”