When federal prosecutors last week charged a group of Eastern European hackers with stealing credit card data from a slew of high-profile companies — including Nasdaq, J.C. Penney and 7-Eleven — the case revealed a surprising detail about the underworld economy.
The crew accused of selling the data only collected about $10 for each stolen American credit card number, according to the indictment, while European numbers netted the hackers around $50 a pop.
So, why are American cards so much cheaper on the black market?
It’s a function of supply and demand and the structure of the online underground economy, according to Levi Gundert, a former Secret Service agent and current principal for threat intelligence at Team Cyrmu, a nonprofit internet-security research firm.
According to Gundert, the “real driver is primarily monetization potential — if you have individuals that have successfully monetized a specific type of card, there will be increased demand.”
But to understand how monetization works in this market, we need to dig a little into how the online underground economy is structured. Think of it like a pyramid, with criminal innovators and very technically gifted hackers on top. They are the ones compromising major databases, and are often Eastern European or Russian.
The hotshot hackers store the credit card information after they compromise databases, and sell it in batches to various vendors and middlemen, sometimes dumping info years after the initial breach. The middlemen then sell it to end users, who attempt to use the data in fraud. Those end users are frequently based in North America, where it’s easier to commit credit card fraud.
This is where a demand for European cards can come in. The professionals in this business are usually very adept at finding a specific monetization scheme, and they frequently need a specific type of card, or one attached to a specific bank, to pull it off. One of these schemes that was still working in recent years relied on the difference in technology between U.S. and European credit cards, as well as transcontinental lags in fraud protection.
Merchants in Europe use chip-and-PIN security measures on credit cards. The chip contains the same sort of information that’s in the magnetic strip on a U.S. card, and after you swipe it, you must also enter a PIN to complete the transaction, like you would with a debit card. U.S. merchants aren’t set up for the advanced security features on European cards. So when European cards are used in the United States, they fall back to the old-fashioned magnetic strips used here.
But some European banks and credit card providers have a delay in processing transactions over weekends. So fraudsters could clone European cards and go on weekend spending sprees, capitalizing on the delay while the transactions make it across the pond and through fraud analytics processing. The result: a wave of credit card fraud by American criminals targeting European victims.
Another factor in the low cost of U.S. credit cards in these criminal schemes: It’s easier to get them. “There’s an overwhelming amount of U.S. card supplies” on the black market, Gundert says. And that’s a direct result of database compromises like the one reported last week. U.S. companies are frequent victims of those compromises, according to Gundert, and “there are many more that haven’t been discovered or reported on yet.”
This flood of stolen American credit cards pushes down the price of American cards. Monetization schemes that only work with foreign cards push up the value of European credit cards. The result: Stolen European credit card credentials can be worth five times as much as American information.