Millions of Americans who trusted Equifax with sensitive personal and financial data, including social security numbers and credit-card information, are now nervously wondering whether they will be among the unlucky minority of affected customers whose identities are successfully “repurposed” by online criminal groups.
One researcher from security firm SecureWorks shared some details about today’s burgeoning marketplace for stolen data with Bloomberg, and the conclusion is clear: It is now easier – and cheaper – for criminals to access and abuse illicit data than ever before. In fact, a high-limit American express card with a high chance of working can be purchased online for less than $20. Criminals can buy files with thousands of low-limit card numbers for pennies on the dollar.
According to Bloomberg, “verified” high-limit credit cards from developed countries like the US, Japan, and South Korea are selling on the dark web for the bitcoin equivalent of about $10 to $20.
“Verified” means the seller has tested out transactions on the card and found it hasn’t been canceled yet. For scammers on a budget, there’s unverified stolen credit card data, which comes out to pennies a card when bought in bulk.
Here’s a screengrab from one dark-web marketplace.
Luckily for criminals, cards generally aren’t selling any cheaper on the dark web these days, said Alex Tilley, a researcher at Secureworks. Today’s buyers are more likely to get higher-quality cards, ones with sizable limits that can be used fraudulently with ease. It isn’t as hit-or-miss as it used to be, a welcome change for criminals, chilling news for most of us.
Criminals have even set up sophisticated “rating systems” to help value the data. Business cards are preferred, Tilley said, because they don’t have a limit. Those and high-end personal cards—say, a Platinum American Express that has been verified and has an 85 percent rating (judged by the seller to have an 85 percent chance of being successfully used in a fraud)—will go for $15 to $20. A regular Mastercard that doesn’t have a high limit might go for $9.
One underground hacker market inexplicably called Trump’s Dumps is selling full identities of individuals just like you for as little as $10 apiece. They’re called fullz, “dossiers that provide enough financial, geographic and biographical information on a victim to facilitate identity theft or other impersonation-based fraud.” Fullz can help a criminal get past those irritating “secret questions” that sites ask to verify your identity.
Recently, Secureworks’ researchers have seen more offers of bulk pre-verified card details, along with more identifying information about the owners. In some cases, offers even include the cardholder’s mother’s maiden name. Still, they cost just $10 to $12. Below is a fullz offer with a lot of personal identification on a Korean consumer.
In a massive breach like Equifax, hackers can easily walk away with hundreds of millions of dollars in profits from selling the data. Meanwhile, the identity thieves who purchased it can reap their own fortune running their scams.
Congress, the FTC and Equifax customers – enraged by both the company’s reluctance to initially disclose the breach and its carelessness (some would say tight-fistedness) concerning its cybersecurity defenses – have buried the company in lawsuits and official inquiries.
As USA Today revealed yesterday, hackers took advantage of an Equifax security vulnerability two months after an industry group discovered the coding flaw and shared a fix for it, raising questions about why Equifax didn't update its software successfully when the danger became known.
We’re looking forward to hearing the whole story from CEO Rick Smith when he testifies before Congress early next month. Whether Smith manages to hang on to his job remains to be seen - calls for his resignation after a 12-year-long scandal-free tenure are mounting. CNBC's Jim Cramer said last night that Smith "should be fired today."
But perhaps more worrying for Smith and his C-Suite companions are calls from North Dakota Sen. Heidi Heitkamp, who has demanded a criminal investigation into whether the company's executives - several of whom sold stock during the period between when the company first learned about the hack and when it disclosed it to the public - commited securities fraud.