Recent data breaches have brought to mind last year’s cyberattack on Target, when hackersstole 40 million credit and debit card numbers from its point-of-sale systems.
So what did hackers actually do with this information after they stole it?
The short answer is they sold it. Because the magnetic stripes (magstripes) on the back of customers’ credit cards hold a person’s account number, expiration date, and secret CVV code, they have value in the underground market. Hackers sell these magstripes to card counterfeiters who then easily paste them onto fake credit cards using their own magstripe encoding machines.
Between 1 and 3 million of the 40 million stolen cards were successfully sold on the black market for about $US27 each, reported
Brian Krebs, a former Washington Post staffer who has written extensively on cybersecurity. According to Krebs, before credit card companies had the chance to cancel the cards, hackers likely generated $US53.7 million in income.
According to a reportreleased earlier this year by the RAND Corporation’s National Security Research Division, the value of credit cards varies depending on how much of them are available on the hackers’ black market.The table to the right, taken from RAND’s report, shows how the average price of credit card data can change as demand fluctuates.After a large breach such as the Target breach, the market may be flooded with data, which causes prices to go down.
Card data can also be more or less valuable depending on the card’s characteristics. According to RAND, no-limit cards such as the American Express black card or chip-and-PIN cards are typically worth more in the black market.
In the days after Target was breached, the stolen credit cards were unusually expensive — mostly because banks did not cancel them quickly enough, according to Krebs. Some credit cards acquired in the Target breach were reportedly sold for as much as $US135, depending on the type of card, expiration date, and limit.
The good news is that consumers don’t have to pay to get their credit cards replaced if their information is stolen. Instead, credit unions and community banks pick up the tab. Since Target was breached, these banks have spent a reported $US100 million reissuing 21.8 million cards — only about half of the amount stolen in the breach.
Business Insider Emails & Alerts
Site highlights each day to your inbox.