Who's stealing your credit card data?
The superhacker who obtains your credit card information in a data breach is many steps removed from the 'mules' who use it to make fraudulent purchases.
This post comes from Jeanine Skowronski at partner site Bankrate.com.
Data breaches have become the new normal with big-name companies such as Global Payments -- which services Visa and MasterCard -- and online retailer Zappos disclosing that hackers stole consumer credit card information in 2012.
The breaches build on an equally active 2011, a year in which security software company Symantec estimates 232 million identities were exposed.
Fortunately, this doesn't mean every affected consumer discovered fraudulent charges on his or her monthly credit card statement. What happens to account numbers following a data breach largely depends on who stole the information.
According to Stu Sjouwerman, the CEO of network security firm KnowBe4 LLC in Clearwater, Fla., there are three major types of hackers. Digital delinquents will try to infiltrate big-name data sources such as national retailers or financial institutions for fun and recognition, while "hactivist" groups, such as LulzSec, target similar sources to prove the companies' security systems are severely lacking.
"They're trying to make a point," Sjouwerman says.
They're not necessarily looking to make money off of compromised consumer data, but there is always a chance it could fall into the wrong hands. However, that's the top priority for the third type of hacker: seasoned criminals who digitally break into company databases to make a living.
But, while these masterminds are looking to monetize the massive amounts of data their breaches obtain, they aren't going to rack up big bills with stolen credit card numbers. (Post continues below.)
A complex pyramid
Instead, the original hackers are going to make money by selling account information in bulk to criminal third parties, says Chester Wisniewski, a senior security adviser at United Kingdom-based computer security firm Sophos.
After potentially trading hands a few times, "a lot (of card numbers) wind up being sold in Internet forums," Wisniewski says. This allows the network of dealers to maximize profits while minimizing the risks of getting caught, especially since card forums have become increasingly difficult to enter. A "carder" is someone who buys, sells and trades stolen credit card data online.
"They're a lot more underground than they used to be because a few big dealers got busted," Wisniewski says, referencing the 2010 conviction of Max Ray Vision, the former computer security consultant who turned superhacker. "Now you need to have multiple people vouch for you to get access."
Those who do gain access to these forums will pay different prices for the data, depending on how much information was illegally obtained.
"Each piece of information stolen in a breach has a different value," says John Harrison, a group product manager for endpoint threat protection, security technology and response at Symantec, based in Mountain View, Calif.
For instance, a 2008 Symantec study on the underground economy found account numbers paired with expiration dates and card verification values -- the security codes on credit cards -- ranging from 50 cents to $12, with packages ranging in size from five accounts to 500 accounts. Cards without these supplemental codes went for about 10 cents apiece.
Prices also vary depending on how close a card's expiration date is, whether other personal information on the account holder is available and/or the reputation of the hacker/seller.
It's important to note, even at this stage of the game, that the individual who buys the data may not use your credit card information. To add another level of security to their own dirty dealings, local organized crime groups or other career criminals will hire people to make purchases with the stolen data via advertisements on select jobs boards.
"These people are essentially mules," Harrison says. In addition to simply purchasing the products, they may be asked to resell high-ticket items on online auction sites. These profits are then wired to the crime group minus whatever percentage the mule has been promised as payment. The role represents the final rung in a long and highly specialized supply chain.
What thieves are buying
Once the crime pyramid is complete, the stolen accounts can be used by either the mule or the thief to purchase virtually anything.
"It's generally stuff that is easy to sell or has a high resale value," Harrison says. This typically includes electronics, clothing and gift cards, which all net fast cash on the Internet. Some criminals also imprint gift cards with the stolen card numbers so the accounts can be used to buy merchandise at brick-and-mortar stores. "You're not going to ask for identification when a person is using a gift card," Harrison says.
Thieves also are known to target retailers that have generous return policies as an alternate way of monetizing stolen accounts.
But cautious consumers shouldn't only be on the lookout for unfamiliar bulk buys. "The first thing thieves will do is make a small purchase online or at a convenience store to determine if the card is valid," Harrison says. These charges, which could be for something as small as a single music download or a pack of gum, may appear intermittently between larger purchases because fraudsters will continually check the status of the account to avoid getting caught red-handed.
What if your card is compromised?
If you discover your account was stolen in a data breach, you should immediately call your issuer and replace the card. You also should change usernames and passwords for all of your online accounts to prevent thieves from obtaining additional access now that you're on their radar, Harrison says.
If a Social Security number has been obtained alongside credit card information, "you do need to put a fraud alert on your credit report," Wisniewski says. You also may want to sign up for some type of credit monitoring since your identity may be shopped around alongside your credit card numbers.
Of course, the best line of defense is to minimize the chances of your card falling into the wrong hands. Wisniewski suggests limiting the number of credit cards you use to purchase items online. You also might want to look into services such as Google Checkout, PayPal and Checkout by Amazon, which eliminate the need to share credit card numbers with every single seller you patronize online.
If you use one particular payment method, it might be good to "freshen" the data associated with that card.
"Once a year, I ask for a new credit card number," Sjouwerman says, regardless of whether the account's been involved in a publicized breach. "I tell them my card's been lost and I need a new one."
More on Bankrate.com and MSN Money:
VIDEO ON MSN MONEY
We have one credit card that is used only for online purchases, so we can monitor it more easily. Despite trying to be very careful about whom we shopped with, the card got hacked. Fortunately the issuing bank is very good and spotted the fraudulent activity quickly, contacted us, and killed the card. Other than doing a little paperwork and returning some fraudulent items we have had to do little to clear this up, and have not had to pay for any of it. So far our other accounts have been clean, but we did change user IDs and passwords as the article suggests, and we check them frequently. To replace the hacked card we are getting a card that has a $500 limit so our exposure will be much smaller. Since we do need to buy online, and we suspect that credit cards will continue to get hacked, we try to limit our risk with a low limit card and frequent account monitoring.
Took months to fix this. They just kept honoring the canceled card, and changed the billing address to the idiot in Alabama. We'd call. He'd call. We'd call. He'd call. The **** credit card company kept changing the card information! He used three different addresses. So our credit report now has four different home addresses in the past year! Took about 40 points of the credit score.
The bank wound up eating the $10,000 and the crook got away scott free.
Someone tried to buy stuff from a hacked account but the joke was on them. My spouse had already maxed out the card. Of course If a thief did it i might have got my money back.
CC users have to keep a close relationship with their CC issuers. Telling them if a transaction might've put the account on a risky position, in danger of being abused and to change the acct. number
Ask the issuer of the card to contact you when purchases are over a certain amount or if purchases are not typical. These are only several defenses we can use to protect our card, I know that nowadays we don't have to pay for fraudulent purchases but it takes a long time to clear one of those...better not to let them happen
Global Payments is not an issuer. They don't issue credit cards to consumers. They process the transactions when a purchase is made, that is they move the funds from the cardholder's account to the merchant's account. That's where the breech took place. The issuer had nothing to do with this breech.
I posted my comment before I meant to. I was not criticizing your comment. Your point is a good one and well taken.
Life is GREAT! I only have a Visa debit card and lousy credit - I never worry about ID theft.
Give up, people. The crooks and deadbeats have won. Like all addicts, America has to hit rock bottom before things will improve. I'm doing my part. After the civil war, I'll try again.
Copyright © 2014 Microsoft. All rights reserved.
Fundamental company data and historical chart data provided by Morningstar Inc. Real-time index quotes and delayed quotes supplied by Morningstar Inc. Quotes delayed by up to 15 minutes, except where indicated otherwise. Fund summary, fund performance and dividend data provided by Morningstar Inc. Analyst recommendations provided by Zacks Investment Research. StockScouter data provided by Verus Analytics. IPO data provided by Hoover's Inc. Index membership data provided by Morningstar Inc.
RECENT ARTICLES ON CREDIT CARDS
CareerCast has released its list of jobs that really aren't as glamorous as they seem.