|A research from NordVPN has analyzed 4M payment card details that were found by independent researchers for sale on the dark web and belonged to citizens of 140 countries. 50K belonged to Canadians. The average price of all the found cards was 9 dollars and 70 cents. The average price of a Canadian card was 5 dollars and 4 cents.|
45,557 payment cards found hacked belonged to Canadians. The most affected country was the US as 1,561,739 out of 4,481,379 payment cards found for sale belonged to Americans. The second most affected nation was Australia, with 419,806 cards discovered for sale on the dark web.More than a half (30,000) of all the discovered payment cards coming from Canada were Visa, followed by Mastercard (14,870) and American Express (574).
“Since 2014, we have been seeing a constant growth in payment card fraud around the world. We decided to look into how much a payment card costs on the dark web and why there’s a booming underground black market for them,” says Marijus Briedis, CTO at NordVPN. “And the answer is that hackers can easily make a lot of money. Even if a card costs only $10 on average, a hacker can make 40M$ by selling a single database, like the one that we analyzed.” Canadians were affected with 50K payment cards found leaked
45,557 payment cards found hacked belonged to Canadians.The most affected county was the US as 1,561,739 out of 4,481,379 payment cards found for sale belonged to Americans. The second most affected nation was Australia, with 419,806 cards discovered for sale on the dark web.
Even though the biggest number of cards found for sale were from these 2 countries, this doesn’t mean that they are the most vulnerable. According to the research, the vulnerability depends on factors like the proportion of non-refundable cards (if a card is refundable, the owner can be reimbursed in case of being scammed), the country’s population, and the number of cards in circulation.
“For example, taking into account a large number of cards with refunds available, US cards may be more reliable. But there was still a big number of them found hacked on the internet because of the greater number of credit card users in this country in general,” Marijus Briedis explains.
NordVPN researchers compared the card data between countries with the United Nations’ population statistics and the number of cards in circulation from Visa, Mastercard and American Express to calculate the risk index and compare more directly how likely people’s cards are to be available on the dark web by country.
The Canadian risk index was estimated to be 0.2. The most vulnerable country was found to be Hong Kong, with a maximum possible risk score of 1. The second most vulnerable was Australia (0.85), followed by New Zealand with a score of 0.8. The least vulnerable score is 0, and it was attributed only to one country — the Netherlands.
Average Canadian card price is 5 US dollarsThe prices of the discovered Canadian payment cards varied from 1 to 14 US dollars. Even though the vast majority (9,080) of payment cards cost $6, the average price of all the found cards was 5 dollars and 4 cents. The most expensive cards could be found in Hong Kong and the Philippines (average price $20), while the cheapest cards on the dark web belonged to Mexicans, Americans, and Aussies (prices starting from $1).
Visa Prepaid and Classic Credit cards were the most common to be hackedMore than a half (30,000) of all the discovered payment cards coming from Canada were Visa, followed by Mastercard (14,870) and American Express (574).Comparing the number of credit and debit cards, credit cards were a bit more likely to be found hacked, with 38,84% of the discovered cards being debit and 61,16% being credit cards.Talking about card levels, Visa Prepaid cards were twice as likely to be found on the dark web than the Classic card versions. Different trend could be seen with Mastercards, as there were pretty similar amounts of Classic cards found hacked as Prepaid ones.
How did those records appear on the dark web? Brute-forcing explained“Increasingly, the card numbers sold on the dark web are brute-forced. Brute-forcing is a bit like guessing. Think of a computer trying to guess your password. First it tries 000000, then 000001, then 000002, and so on until it gets it right. Being a computer, it can make thousands of guesses a second,” Marijus Briedis, CTO at NordVPN explains. “After all, criminals don’t target specific individuals or specific cards. It’s all about guessing any viable card details that work to sell. Researchers at Newcastle University estimate that an attack like this could take as few as 6 seconds.” There is little users can do to protect themselves from this threat, short of abstaining from card use entirely. The most important thing is to stay vigilant.
“Review your monthly statement for suspicious activity and respond quickly and seriously to any notice from your bank that your card may have been used in an unauthorized manner. Another recommendation is to have a separate bank account for different purposes and only keep small amounts of money on the one your payment cards are connected to. Some banks also offer temporary virtual cards you can use if you don’t feel safe while shopping online,” Marijus Briedis recommends.
Here’s what you should pay attention to when it comes to financial security:
Stronger password systems: Payment and other systems need to use passwords, and those passwords need to be strong. Every extra step is one that will make it much harder for attackers to break in. To prevent inconveniences for users, banks could provide password managers, and there are already good consumer options available, like NordPass.
MFA: Multi-Factor Authentication is becoming the minimum standard, so if your bank doesn’t offer it already, demand it or consider switching banks. Passwords are only one step, but verifying using a device, texted code, fingerprint, or other security measure provides a huge step up in protection.
System security and fraud detection: Fraud detection systems can detect situations where thieves have succeeded. Banks can use tools like AI to track payment attempts to weed out fraudulent attacks. Pressure is also put on payment systems or online merchants, who often bear the cost of fraud and so have a big incentive to improve their systems.