You’ve heard about data thieves, but have you wondered what they do with it once it’s stolen? Here’s how crooks convert your info to their cash.
Turns out, it’s not so easy being a data crook. The processes criminals have to use to turn your information into money are specialized and complex.
“If you think of the Mafia from the ’60s and ’70s, credit card information theft could be compared to the same type of operation in terms of the intricacies and the networking,” said Jeff Tjiputra, academic director for cybersecurity at the University of Maryland University College.
Cybercriminals today work in large groups and many of the largest, most-complex networks have skills and technology resources that rival Fortune 500 companies, according to Greg Wooten, CEO of fraud prevention technology corporation SecureBuy.
“In general, about a half a million data resources are being breached each day,” he says. “The hackers extract the data, house it themselves and analyze it using analytics to match up information the best that they can and then monetize for the highest value possible when they go to wholesale it. This is a job for them, and they are very resourceful.”
They aren’t after nibbles of data, either. Big chunks put more money in their pockets.
“That’s what makes these recent larger breaches so dangerous, they are getting account numbers and personal information,” Wooten adds. “There’s just so much out there.”
Whether they are after a new line of credit or a spending spree, those looking to turn your sensitive information into an income have options. These are four of the favorite ways crooks turn your data into their cash.
1: Selling information on the black market
Once a cybercriminal, or a group, has a mass of stolen information, they have to move quickly in order to make a profit, and that often starts by going to an illegal online marketplace.
The black markets are well established, operating both nationally and internationally, and can cater to the needs of whatever type of data criminals have to offer, whether it’s financial, identity, or credential-based information.
Credit card data markets in particular are set up for high traffic flow and quick processing, according to John Biggs, an editor for the information technology website TechCrunch.
“You can share millions of credit cards in a second,” he said. “It used to be a trickle, now it’s a torrent.”
The monetization process starts when the data is put into a database and numbers are bundled together for bulk sale. Selling credit card numbers in groups gives options. Within a group of cards there could be bad data or cards that have already been flagged as fraudulent and no longer hold much useable value.
The worth of credit card data is determined by a variety of factors, including the card’s limit and how reliable it is, according to Nicolas Christin, an assistant professor and cybersecurity researcher at Carnegie Mellon University.
The exact selling values vary, ranging anywhere from a few dollars for a few unchecked card numbers to upward of $100 for a single card’s complete data set. Numbers stolen in last fall’s Target data breach were selling for around $135 each, according to Krebs On Security, because of just how much card information was included with each number.
If a hacker wants to make a larger profit off stolen information, he or she needs to compile complete data sets. These sets, also called fullz, typically contain an individual’s name, Social Security number, birthdate, account numbers and other pieces of financial data. The bigger the fullz, the more it can be sold for.
“An email address by itself has almost no value,” Christin said. “Likewise, a valid Social Security number, absent any other information, is not particularly valuable. However, if you have a name, address, and Social Security number grouped together, then you can start using that information right away without more digging, and the value increases.”
At this stage buyers and sellers can either stay in this information exchange arena to make money, or they can take the information they have and build profits in other ways.
2: Counterfeiting cards
In this scenario, all a crook needs to access and spend your money is the information stored in the magnetic strip on your debit or credit card.
This information, also known as track data, is transferred to any card with a magnetic strip using equipment that only costs fraudsters about $100.
Since counterfeit cards will only work as long as the hacked account has not been flagged, frozen or closed due to suspected fraud, criminals have to move quickly to get what they can from the card before it no longer works.
Within a couple of hours of receiving information, fraudsters can duplicate a card and be out spending it on whatever they please. Common purchases are gift cards or prepaid debit cards, since those can be used as clean money even after the counterfeit card no longer works.
Right now this kind of activity, also known as card-present fraud, is a $120 billion-a-year industry, but as financial institutions and credit card issuers change their security measures, its popularity among criminals is expected to decrease, according to Wooten.
“It’s relatively easy to do card duplication right now,” he said. “The U.S. is the largest ecosystem left in the world that has not widely implemented EMV, which are very expensive cards to duplicate. When EMV kicks in, I think we can expect to see a tidal wave of more card-not-present fraud cases.”
3: Performing online commerce transactions
One example of card-not-present fraud is the use of e-commerce sites such as eBay and Craigslist to make online transactions that result in a clean profit for the cybercriminals. Targeted e-commerce schemes accounted for approximately 54 percent of cases last year, according to the 2014 Global Security Report by the data security company Trustwave.
To cover their tracks and successfully get away with this type of scam, thieves often take out employment ads in their community looking for an assistant whose job is to act as a third-party shipping and receiving destination. In exchange for their work, the assistants typically receive a small percentage of the criminal’s final profit.
Once that third party is established, the process can begin.
“Let’s say I’m a criminal, I have a stolen credit card, go to eBay, find an iPad and buy it with that card,” Tjiputra said. “I then have it shipped to my assistant’s home address and at the same time I put another advertisement on eBay selling that iPad for what appears to be a very attractive lower-than-market-value price, like $250.”
But there’s a catch: Instead of using a secured payment service such as PayPal, the criminal requests a direct wire money transfer as their only accepted form of payment. They figure that since the price for the item is such a good deal, prospective buyers won’t blink at the unusual request. According to Tjiputra, they are usually right.
“Once someone buys my posted item, I ask my assistant to mail that iPad to the person who sent me the $250,” he said. “That way, when eBay tries to chase it down, my assistant will be the one they go after for buying an iPad with a stolen credit card number based on where it was shipped, but I was the one who used the stolen card and ended up with a clean $250 profit.”
4: Opening new accounts
Exact card and bank account numbers are temporarily useful, but the more personal information a fraudster can get about you, the deeper and more inconspicuous damage they can do.
“Personal information is the holy grail,” Tjiputra said. “Social Security number and date of birth can get you anything — car loan, house mortgage, credit cards, you name it. Cellphone numbers, addresses and account passwords are even more helpful when all added together.”
Fraudsters know it, too. Nearly half of all 2013 data thefts did not involve payment card information, according to Trustwave’s report.
In addition to lines of credit and loans, criminals can also open utility accounts, such as electricity, cellphones or satellite TV, using your information without you, or anyone else, even knowing.
By putting their own addresses and contact information on the new accounts, cybercriminals can get away with spending the fraudulent lines of credit and using the services until the next time you check your credit report.
“It’s much more difficult to detect this type of fraud when the fraudsters have all the correct account application answers,” Wooten said. “Having access to a full user profile makes it that much easier to pretend you are someone else and take advantage of them.”
If you’re worried that a recent data breach put your information at risk, keep an eye on your accounts and check your credit report. The sooner you can stop a fraudster in his or her tracks, the less they will profit and the easier the situation will be for you to clean up.
A little extra caution with everyday activities that could expose your information never hurts either, according to Tjiputra.
“The Internet really is like the wild, wild west,” he said. “There are people that can do things you never thought were possible.”