A new report from NordVPN found that stolen Canadian payment card information costs, on average, just C$6.50 on black markets, cheaper than some fancy coffees.
That’s half the average global cost of stolen credit card information: C$12.
For the report, NordVPN analyzed data from 140 countries gathered by independent cybersecurity researchers. In total, it found nearly 4.5 million card data sets being sold on black markets.
More than 45,000 Canadian card details were found online–unexpectedly low as the country has the highest credit card penetration in the world, said the report.
In Canada, Visa credit card information was the most common, followed by Mastercard. Conversely, debit card information was more abundant in the U.S. The report explained that debit cards carry greater risk because they don’t have as many safeguards, such as chargebacks, as credit cards.
U.S., Mexico. Brazil, Turkey, Australia and E.U. countries were the most susceptible to credit card theft. The most valued cards are ones from Japan, listing for C$54 apiece on average.
When asked about what determines a card’s value, Marijus Briedis, chief technology officer at NordVPN, explained that hackers operate just like any other business and market principles.
“We can only speculate on how these sellers determine the price for each payment card, but common sense should tell us that the price reflects the price of goods themselves, the labour involved in getting them, profits that the sellers want to get, and of course demand should be a big factor in these prices,” Briedis said in an email statement to IT World Canada.
“The greater the demand, the more money criminals can charge for certain data they try to sell. In this case, the demand directly correlates with how easy it is to steal money from a card and how much money could be stolen. That is why the most expensive cards come from countries with a higher quality of life or poorer bank security measures. Some criminals also include other personal information details, starting from names and ZIP codes and ending with credit ratings with each payment card that they try to sell. This can drive up the price immensely.”
The card’s issuing country also plays a factor in setting its price. As an example, Briedis explained that since Saudi Arabia is a financial centre, hackers believe they can steal more money through their cards.
The study ranked the potential to fall victim to credit card theft via a Risk Index that ranged between 0 and 1. It calculated the figures based on how many credit cards a person owns on average; the more cards, the higher the risk.
While North Americans were particularly vulnerable given the high number of cards they often carry, Europeans were also shown to be at higher risk.
How hackers steal card information without data breaches
Hackers can now steal credit card information without breaching databases, according to the report. The number of brute force attacks is on the rise.
Brute force attacks involve the attacker using computers to guess the cards’ details. Attackers would select a card issuer and the issuer’s ID number that comprises the first six to eight digits. They then guess the rest of the card’s number using its specific card number format, followed by its checksum calculated by banks using a hashing algorithm. Finally, attackers guess the three-digit card verification value printed on the back of the card. It’s easy to guess due to its length.
Most payment portals block the user after a small number of incorrect attempts in a short time period, but some do not detect multiple invalid inputs originating from different websites, essentially allowing for unlimited guessing attempts. This enables the attacker to execute a distributed guessing attack, through which they focus on guessing the cards details through multiple websites.
Moreover, because different websites ask for different fields and respond to the inputs differently, attackers can cross-reference and piece together information even quicker.
Does it only take six seconds?
According to 2016 research by Newcastle University published in IEEE Security & Privacy, a skilled hacker can produce a valid card data set in as little as six seconds. All they need is an everyday laptop with an internet connection.
Mohammed Ali, the lead author of the research paper, broke down the numbers in a Newcastle University news post.
He noted that through distributed guessing attacks and the different ways websites structure payment information fields, generating the card’s information is “frighteningly easy.”
To produce a valid dataset, attackers need to obtain three key numbers: the card number, expiry date, and the CVV. Mohammad said that after acquiring the card number, either stolen or generated, hackers only need 60 attempts to guess the expiry date since most payment cards expire after 60 months. Following the expiry date, the CVV becomes the final defence, but it takes less than 1,000 guesses to crack a three-digit number. Spread the guesses over 1,000 websites and it would only take seconds to receive a verified response.
Although the study was published six years ago, Briedis warned that brute force attacks are still effective today.
“As businesses try to develop new techniques to defend themselves, hackers come up with newer ways how to overcome those,” said Briedis. “Unfortunately, there hasn’t been any more recent research on that [brute force attacks], but the results should be very similar. As security measures that banks or card issuers take develop together with the techniques hackers use. ”
How cardholders can protect themselves
Unfortunately, there isn’t much cardholders can do to stop the attackers from guessing card details, but they can take steps to harden their accounts.
A strong password makes guessing more difficult for attackers. Avoid using simple passwords like “123123” or “abcdefg” for any account. Also, do not use the same password twice. If the passwords become too cumbersome or numerous, try using a password manager service like 1Password or Bitwarden.
Another good practice is to enable two-factor and multi-factor authentication wherever possible. Moreover, payment institutions also offer tools to prevent attacks. It may be worth it to sign up for them.
Users should be vigilant in reviewing their transaction history and banking statements. Report any suspicious activity to their institutions immediately. Furthermore, they need to be wary of phishing attempts.
Lastly, do not publicize financial information on social media.