After a hacker steals your credit card number, you may receive an email, text or phone call from your bank to alert you of criminal or fraudulent activity with your credit card. This is a helpful and necessary measure implemented by financial institutions to help protect your accounts. However, sometimes the alert is too late and the cybercriminal has already replicated your card and gone on a shopping spree. Have you wondered though, what exactly happens to your stolen credit card number, and what is it worth to a criminal? Well, we took a peek inside the cybercriminal underground to explore this interesting and frightening reality.
Cybercriminals have to race against the clock to use your credit card information before you or your bank shuts down the card. So, where does a stolen credit card go when it gets into the wrong hands?
What Happens to Stolen Credit Card Info
Credit card thieves have to move fast once they have your data. Here’s a look at their methods:
- They take your stolen card data and add it to their stockpile.
- They sell a group of credit card numbers to other cybercriminals on websites designed to process these transactions (think of it as an eBay for eVil).
- The buyer of the group may resell them again or begin using the stolen data at online retailers.
- The criminals also have hardware on hand to print fake plastic cards in case they want to use the them at physical stores.
- The criminals make purchases of goods that they can resell for quick cash.
How Criminals Price Cards
Once they have your card data, the criminals selling the info have to price it. And not all credit cards are worth the same price to criminals who are buying. Here’s how they determine what’s “good.”
- The criminal who wants to purchase a batch of cards may make a few small transactions to test if the card is still active, or known as “live.”
- If the card is sold with the victim’s address and additional information can be appended to it, such as mother’s maiden name, SSN and date of birth, those additional details make the card more valuable.
- If the criminal selling the card can also provide purchasing behaviors, that’s even better. For example, the behavior data may indicate that you routinely used your card at Target and Lowes in South Carolina. By adding your shopping habits to the card, the card is worth even more money because the criminals know that the victim or financial institution might miss a fraudulent charge if they can pretend they are you and shop like you in your hometown.
Eventually, the card data reaches the hands of criminals who can use the cards and associated data to commit fraud. Armed with these stolen cards, the criminals have the tools to make fraudulent purchases of goods that can be resold, including gift cards and consumer electronics. Once those goods are sold, the value of the card is realized. All of the intermediate reselling of card data in the supply chain hinges on the ultimate purchase and reselling of goods in this process.
How Retailers Can Protect Themselves & Their Customers
If you have a business that takes credit card information from your customers, Payment Card Industry (PCI) compliance is often not enough to protect your customers’ debit and credit card data. Consider taking these three steps to better protect this data:
- Make sure that any remote access to your network does not have a side door that leads to your credit card data.
- Train your employees on how to spot suspicious emails to avoid letting the cybercriminals in through your trusted staff.
- Practice a credit card and debit card theft disaster to make sure you know what to do in the event your systems are breached.
Cybercriminals will continue to hit retailers, because that is where the money is and their tactics have worked so far – they have breached Target, Home Depot and according to law enforcement, potentially thousands of other companies. The key is not to become immune to the news of another data breach or cyber incident at your favorite store. These incidents are damaging to you as the retailer, your bank and, ultimately, your wallet. Overall, NPR reporter Elise Hu gets it right: “the damage does fall disproportionately on retailers. They spend a lot of money on security to prevent breaches of their payment systems and keep their names out of hacking-related news.”
What Consumers Can Do to Protect Themselves
Consumers can’t always rely on an alert from their bank to let them know their credit card has been stolen. For their own good, it’s up to consumers to keep an eye on their bank and credit card statements to catch any fraudulent charges as they come in – and work to correct the damage immediately, which means contacting the financial institution and reporting the fraud, and closing the card before further damage can be done.
If your Social Security number was stolen in a breach, you also could be at risk for a criminal to open new accounts in your name. Checking your credit reports regularly can help you spot unfamiliar accounts so you can shut them down. You’re entitled to your credit reports for free every year from the three major credit reporting agencies.
More on Identity Theft:
- How Can You Tell If Your Identity Has Been Stolen?
- What Should I Do If I’m a Victim of Identity Theft?
- How Credit Impacts Your Day-to-Day Life