Image: Spy © Photodisc Green-Getty Images

Related topics: banking, financial privacy, credit cards, debit cards, identity theft

How difficult is it for cybercriminals to steal your credit card data? Shockingly easy, according to data-security and payment-care industry experts.

Online payment card fraud is on the rise, according to a January 2011 report issued by Panda Security called "The Cyber Crime Black Market: Uncovered" (PDF file). The cyberworld has sophisticated marketing, sales and distribution systems churning out newer and better ways for their clients -- hackers and thieves -- to obtain your credit card and banking data and profit from it.

The most common way they get credit card data is by embedding spyware programs on computers. These programs log and track keystrokes and capture user names, passwords and PINs and send the information to hackers who sell it on the black market for surprisingly little money. A working credit card number, for instance, fetches as little as $2.

Here are some examples of black market services and what criminals pay for them:

  • Credit card details for $2 to $90: Pirated credit card details can include the cardholder's full name, mailing address, phone number, Social Security number, date of birth, the card type, card number, expiration date, security number, PIN and bank name. The more details, the more it costs. Armed with this information, thieves can make online purchases or clone fake cards for use at ATMs.
  • Physical credit cards for $180, plus the cost of the details: These are counterfeit plastic credit cards that have been replicated down to the bank hologram. They are available in white plastic or color printing at additional cost. The stolen credit card details, such as the card number, PIN and security number, are not included in the price of the card. Minimum order: five cards.
  • Card cloners for $200 to $1,000: These machines allow you to print or clone phony credit cards, complete with magnetic stripes and embossed numbers. Thieves obtain the information needed to clone cards through skimmers or fake ATMs that capture and copy the card data. Several cloner models are available. All can make multiple copies of the same card.
  • Fake ATMs for $80 to $700: There are two basic types: devices called skimmers that fit over the card intake slot on a regular bank ATM or a full replica of an ATM console. When people insert their credit or debit cards into the machine, it copies the card data and tells users there was an error and the transaction was aborted.
  • Bank credentials for $3,500: User names and passwords for customer bank accounts, plus any other credentials, such as answers to security questions, that you may need to log in to the accounts. Thieves may obtain this information from malicious software that captures keystrokes. When bank customers access their online accounts, the programs copy the information and send it back to the cyberthieves.
  • Money laundering for 10% to 40% of the amount laundered: Bank transfers and check cashing services are available to move stolen money from victims' accounts into untraceable accounts. This service can include using stolen bank credentials to hack accounts and transfer money to "money mules," who are paid to transfer the money to legitimate accounts using money transfer services.

Cybercriminals often one step ahead of banks, law enforcement

Banks and other financial institutions do what they can to keep hackers at bay, but they have limits. Many cybercriminals take advantage of lack of coordination between international law enforcement organizations and never operate in the countries where they reside. The cybercriminals hire talented computer programmers and develop programs to thwart bank security measures as quickly as they are installed.

The criminal operations have grown to resemble their legitimate counterparts, with specialized niches for workers and increasingly sophisticated markets. "These types of markets operate in line with the normal laws of supply and demand," the Panda report says. "There are competing prices, additional services are offered, free trials, money-back guarantees if the data 'don't work (or if the account doesn't have a guaranteed minimum balance) ... even anonymous shopping by third parties."

"If there are vulnerabilities, fraudsters will find them and modify their behavior and exploit them. This has the effect of keeping the payment industry on its toes," says David Fish, a senior analyst at Mercator Advisory Group, a payment card industry research company, which issued a report on the changing dynamics of credit card fraud prevention. Fish says the use of chip and PIN technology embedded in credit cards in Europe has thwarted many criminals who try to use stolen or cloned credit cards at brick-and-mortar stores. That leaves the United States a more attractive target, because that technology is not available in the U.S., and may not be for years.

Cybercrime experts say consumers often can't tell if their credit card information has been copied.

"If your computer is compromised, that means that even if you change your password, they will have the real one as soon as you type it in," says Luis Corrons, technical director at Panda.

Consumers worried about losses from cybercrime can be reassured that federal laws and the major card networks, such as Visa and MasterCard, have rules in place to protect credit and debit card users. Federal law limits credit card and debit losses from fraud to $50 if consumers report losses in a timely manner. The card networks have zero-liability policies, but also require timely notification.

Click here to become a fan of MSN Money on Facebook

Banks and merchants are logging major losses from cybercrime. According to the CyberSource 2011 Fraud Report, online revenue losses due to fraud in North America were $2.7 billion in 2010, down from $3.3 billion in 2009.

Experts advise that consumers closely monitor their account activities for suspicious or unauthorized activity. Other security precautions include:

  • Keep antivirus and firewall protection and Web browser programs up-to-date on your home and work computers.
  • Avoid accessing banking or personal email accounts when using free Wi-Fi services because it is easy for criminals to capture your personal data over wireless connections.
  • Don't use ATMs that have devices over the card insert slot. Be suspicious of machines that look like ATMs, but don't distribute cash. Notify your bank if you think your card's information has been stolen.

This article was reported by Connie Prater for CreditCards.com.