Target, Home Depot, Apple, eBay, Sony, Adobe, Heartland… What do all these companies have in common?
All of them have had serious data breach incidents in the recent past. Some involved payment data, while others involved users' personal data. In this article, I highlight how organized fraudsters use these stolen payment credentials.
In 2013-14, close to 100 million credit card numbers were stolen in the Target and Home Depot breaches alone through the use of sophisticated malware. So the question is: how do these fraudsters make money out of such a massive number of cards? Use millions of cards to make personal purchases? Yeah... that doesn't seem feasible.
After such a data breach, the fraudsters actually divide the stolen data into multiple batches and then sell them to prospective buyers, who act as tier-2 fraudsters. This buying and selling happens anonymously on black markets: online marketplaces for fraudsters (often on the deep web) that use services such as Bitcoin. The price for one card usually varies between $1 - $10 and, quite interestingly, some third-party sites also provide card testing tools to determine whether a card is still active (once the banks learn that a card is being used in an unauthorized manner, they block it).
The next question is: how do the tier-2 fraudsters make money from these batches of stolen card data? They use the payment credentials to buy items that have high value and can be easily resold (for example jewelry, electronic goods, digital currency, etc.). Eventually, they make money by reselling these items at a lower price.
There are two major ways in which these fraudsters operate. First, they use the details of a stolen card to make counterfeit cards and use these to make offline purchases (think shopping malls, Walmarts, BestBuys). Second, they use the cards online, which is relatively hassle-free and ensures better anonymity (think e-commerce sites). Sometimes, they even use these cards directly for high-value personal use, for example booking a vacation via American Airlines and AirBnB. As stated before, the banks block the cards as soon as they recognize a data breach, so acting fast is key for these fraudsters. As soon as they receive the batches of stolen card data, they start attacking merchants, forming a wave of fraudulent transactions.
This is a brief overview of professional online payment fraud. Please post any questions in the comments.