The Dark Art of Buying Back Stolen Card Data

There are many potential buyers of stolen bank account data, including the banks themselves. But fraudsters are increasingly reluctant to sell their data back to its original owner.

Security experts say the banks' strategy of buying their stolen data is an effective and inexpensive way to determine the source of a breach and suppress criminal activity. But at the same time, the most sophisticated black-market "card shops" are getting less welcoming to outsiders.

In the mid-2000s, approximately 80 percent of black-market participants were unaffiliated with criminal organizations or groups, according to a report published last year by Rand Corp. Today, that number is closer to 20 percent.

"I think the challenge for the bank is not really the size of the black market, but the precautions the bad guys are putting in place," said Kevin Haley, director of security response for cyber security firm Symantec Corp.

Fraudsters know that the only reason a bank would buy back its data is to investigate how it leaked and thwart future breaches.

In some of the more high-profile breaches of recent years, banks have bought back their customers' credit and debit card numbers to see if they were all used within a certain time frame and at a certain retailer, or what security experts refer to as the common point of purchase. Banks employed this strategy following the 2013 Target breach, as well as the 2014 breaches of Home Depot and Sally Beauty Supply.

"That's really the only legitimate reason to plunk down any resources to buy back the data," said Robert Siciliano, security analyst and identity theft expert with BestIDTheftCompanys.com. "Otherwise, buying back data does not ensure in any way, shape or form that data has already been copied and is not being sold to others."

Typically it's law enforcement officials, such as the FBI or Secret Service, carrying out the investigation as opposed to the banks themselves.

But this process can be hit or miss, depending on what kind of intelligence the banks are able to obtain, said Brian Krebs, independent investigative reporter who runs the site KrebsOnSecurity. Krebs has written several posts about data breaches and the practice of banks buying back stolen customer data.

"There are a lot of variables that affect the value of the intelligence you may or may not get from this," he said.

In the Sally and Target breaches, card shops were selling huge batches of cards that were all stolen from the same source. But more often, the shops will mix and match cards from different sources in an effort to make it harder for banks to determine a common point of purchase.
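The common-point-of-purchase check described above, and the way a mixed batch weakens it, as an added example (not from the article or from any bank's tooling). The control set of unaffected cards, the thresholds and all sample data are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date

def merchant_share(histories, start, end):
    """Fraction of cards with at least one transaction at each merchant in [start, end]."""
    seen = defaultdict(set)
    for card, txns in histories.items():
        for merchant, day in txns:
            if start <= day <= end:
                seen[merchant].add(card)
    return {m: len(cards) / len(histories) for m, cards in seen.items()}

def cpp_candidates(bought, control, start, end, min_share=0.8, min_lift=0.3):
    """Merchants that most bought-back cards visited, and that unaffected cards did not.

    Lift (share among bought-back cards minus share among control cards) filters
    out merchants that are merely popular with every cardholder.
    """
    hot = merchant_share(bought, start, end)
    base = merchant_share(control, start, end)
    out = [(m, round(s, 2), round(s - base.get(m, 0.0), 2)) for m, s in hot.items()
           if s >= min_share and s - base.get(m, 0.0) >= min_lift]
    return sorted(out, key=lambda r: (-r[1], r[0]))

# Constructed sample data: card IDs, merchants and dates are all made up.
WINDOW = (date(2024, 1, 1), date(2024, 1, 31))

def _txns(*pairs):
    return [(m, date(2024, 1, d)) for m, d in pairs]

CONTROL = {f"ctl{i}": _txns(("GROCER_X", 3 + i)) for i in range(5)}
# Batch stolen from one retailer: every card also shops at a popular grocer.
SINGLE_SOURCE = {f"c{i}": _txns(("GROCER_X", 2), ("RETAILER_A", 5 + i)) for i in range(6)}
# Batch mixed by the shop from two sources: no single merchant covers most cards.
MIXED = {**{f"a{i}": _txns(("GROCER_X", 2), ("RETAILER_A", 5 + i)) for i in range(3)},
         **{f"b{i}": _txns(("GROCER_X", 4), ("RETAILER_B", 9 + i)) for i in range(3)}}

if __name__ == "__main__":
    print(cpp_candidates(SINGLE_SOURCE, CONTROL, *WINDOW))
    print(cpp_candidates(MIXED, CONTROL, *WINDOW))
    print(cpp_candidates(MIXED, CONTROL, *WINDOW, min_share=0.4))
```

With the default threshold the mixed batch returns no candidate; lowering `min_share` surfaces both sources, at the cost of more false leads on real data.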

Battle of Wits

Earlier this year, an FBI agent reached out to Krebs to try to figure out why the agent had been locked out of a fraud site he was trying to access. After he bought several cards, a popup appeared on the site that said, 'No pigs allowed.'

While Krebs said it's possible the agent could have been more careful, the story illustrates how it's getting harder for banks and law enforcement agencies to use the card shops to their advantage.

Higher-end crime rings are creating their own clubs, in which users need to have one or two people recommend them before they can gain access to sites where stolen information is bought and sold.

There are also ratings systems, much like what eBay uses, so that anyone can rate the experience of buying and selling to a particular party. In this manner, a cyber-criminal can build up a reputation.

These precautions are important for the fraudsters to deter not only law enforcement, but also a subset of thieves known as "rippers," who go into these sites and rip off other criminals. Haley said he's seen rippers set up websites advertising that they're selling credit cards, when they actually don't have a single card to sell. "There's truly no honor among thieves," he said.

Security experts also report an increase in the use of ransomware, which is used to hold information hostage by compromising the machine on which it is stored. One of these attacks made headlines in October, when London-based TalkTalk Telecom Group received a ransom demand after its website was hacked, exposing its customers' names, addresses and banking information.

Criminals use ransomware to encrypt data and hold it for ransom, promising to decrypt the data once the ransom is paid. In one recent instance, Cisco security researchers took down an online ransomware operation that they estimated brought in $30 million a year for a group of hackers.

"It's very lucrative. Because people aren't backing up their data effectively, they see their only option as paying the ransom back," Siciliano said.

Supply and Demand

Whether paying a ransom or buying back stolen information, security experts warn that it's never a good idea to provide thieves with any funds they can use to further support their criminal organizations. Terrorist groups, for example, have been known to rely on ID theft and breached card data to fund their activities.

The good news for banks is that they can get a lot of bang for their buck by buying only a dozen or so credit card numbers. And because the fraud shops have become more competitive with one another, they've also lowered their pricing. Cards typically range from $10 to $30 apiece, according to Krebs, and Haley estimates they can cost as little as $1 per card.

"The price has certainly gone down over the years because we've seen an explosion in the number of shops selling these things," Krebs said.

The preferred tactic, of course, is to prevent credit cards from being stolen in the first place. Prevention efforts haven't kept up with the tremendous increase in the amount of cybercrime that has occurred since 2013, Haley said.

"What we haven't seen is a lot of organizations stepping up in ways to reflect the worsening of that threat landscape," he said. "So companies need to start stepping it up and taking it seriously."

Unless banks, merchants or law enforcement officials intervene to shut down stolen accounts, there's nothing to keep criminals from using the same tactics indefinitely.

"The bad guys will continue to siphon credit cards off a company for as long as they can," Haley said. "They don't at one point say, 'OK, I've got enough. I'll go home.' "

Autumn Cafiero Giusti is a freelance writer based in Louisiana.
