For the first half of this year, more than 23 million credit cards were for sale worldwide on the dark web, and almost two-thirds of them came from the U.S., according to a study by Sixgill.
Everything from Americans’ love of credit cards to our passion for e-commerce to our lack of EMV technology means credit card theft in the U.S. far outpaces the rest of the world.
For the first half of this year, more than 23 million credit cards were for sale worldwide on the dark web, and almost two-thirds of them came from the U.S., according to a study by the cybersecurity company Sixgill.
Benjamin Preminger, senior cyberthreat intelligence specialist at Sixgill, attributes the volume of U.S. cards for sale on the dark web to the high number of credit cards in use here compared to other countries. Another factor is Americans’ love of e-commerce, where credit card data can be stolen while consumers are making online transactions.
Americans’ credit cards outnumber the country’s population. At the end of 2017, there were 364 million open credit card accounts, according to the American Banking Association, at a time when the U.S. population was about 325 million.
This year, Americans are expected to do $561 billion in e-commerce transactions, according to the e-commerce company Shopify. China, with a population four times larger, is the only country expected to have more e-commerce, valued at $740 billion.
Which payment networks have the most cards on the dark web?
Visa represented 57% of the cards for sale on the dark web, while Mastercard accounted for 29% – higher than their respective shares of the credit card market. On the other hand, American Express, which holds 22% of the credit card market, represented just 12% of the stolen cards, Sixgill found.
It’s not clear why American Express’s theft rates are lower, Preminger says.
“It could be they have better security measures, or the people who own American Express cards use smarter cybersecurity etiquette,” he said.
The most popular information sold on the dark web is credit card authorization codes, which are needed to make online transactions, Sixgill found.
One way cyberthieves get information is through formjacking, in which malicious code is inserted into legitimate retailers’ sites to steal your credit card and personal information.
Beginning in 2018, cybercriminals “figured out how to perfect it and make a lot of money off it,” says Kevin Haley, director of security response for the cybersecurity provider Symantec. Last year the company blocked more than 3.7 million formjacking attempts, but many others were successful, including attacks on Ticketmaster and British Airways.
Cybercrooks also may steal your information by planting malware on your computer to record the keystrokes you make, Preminger says.
Impact of EMV
It also doesn’t help that gas stations, along with many smaller merchants, still haven’t switched to EMV technology, says Stas Alforov, director of research and development at Gemini Advisory, a cybersecurity firm.
“The security is there to help protect” consumers, Alforov says, “but a lot of mom and pop shops don’t want to spend the money.” A new point-of-sale terminal and software can cost thousands of dollars.
But gas stations are running out of time to install chip readers – beginning Oct. 1, 2020, fuel merchants will be held liable for fraudulent transactions at non-EMV pumps.
In contrast, “most European countries have had EMV for years,” he says.
When an EMV card is used to make a payment, a unique transaction code is created that can’t be used again. In contrast, the magnetic stripes on traditional cards contain data such as your name, credit card number and card expiration date. That can be stolen and used to make new credit cards.
Since EMV cards became more common in the U.S. starting in 2015, in-person fraud has declined, while card-not-present fraud has climbed, according to a 2019 study by the Federal Reserve Bank of Atlanta.
Losses from card-not-present fraud in the U.S. jumped from $3.4 billion in 2015 to $4.6 billion in 2016, with the migration to EMV cards. Meanwhile, face-to-face fraud losses fell from $3.7 billion to $2.9 billion.
That follows the same pattern found in other countries, such as the U.K. and France, after their switch to EMV cards, the Fed found.
The U.K. has only 7.4% of the credit cards for sale on the dark web, and France has less than 1%, Sixgill found. Both countries have populations of about 66 million.
Many of the cybercriminals operate from other countries. Because it has become harder to steal data from countries such as those in Europe, the cyberthieves may think, “why change anything if I can just change my attention to the U.S.,” Alforov says.
Europe also has much stricter rules on credit card transactions, such as 3D Secure, which creates an extra layer of authentication for online transactions. Security will become even stronger in the fall with 3D Secure 2.0.
Another factor that has provided access to credit card and personal information to cyberthieves is the big data breaches that have hit the U.S., affecting such companies as Target and Equifax. The information swiped in those data breaches then can be sold on the dark web, says Liron Damri, chief operating officer of the cybersecurity company Forter.
The fact that English is the worldwide language of business also may make it easier for fraudsters from other countries to access personal information of their victims or send phishing emails, Damri says.
Forter has found “pretty robust demand and supply chains” for stolen credit card information, Damri says. Demand for stolen credit card information is highest during the holiday season, when online shopping booms and it might be easier for crooks to make fraudulent transactions.
And cyberthieves are willing to pay more for premium cards, such as platinum cards with higher credit limits, than for more common credit cards, he says. Premium cards may sell for $50 each, compared to $5 for common cards.
See related: New technology, analytics help fight card-not-present fraud
How to protect your credit card and personal information
- If a point-of-sale terminal isn’t working properly, you should pay with cash or use mobile payments, says Alforov.
- If you’re making a purchase online, be sure to use a credit card rather than a debit card.
- The reason? Credit cards have stronger fraud protections and fraudsters can’t drain your bank account. “At the end of the day you know your bank will make you whole,” Alforov says.
- Do not click links for email promotions that look too good to be true, warns Damri.
- Be careful of the links you click on or the files you download and make sure they are secure, Preminger advises. “A cat video could compromise a system,” he says.