ITP Techblog

On the dark web, there's a flourishing trade in stolen credit card details and a new study reveals that New Zealanders' information commands a premium.

Virtual private network operator NordVPN analysed four million payment card details during a trawl of dark websites and picked up 50,000 that belonged to New Zealanders. These are credit card numbers, names, dates of birth and expiry dates that have often been hacked via insecure internet connections or databases. 

But most of them actually come from "brute force" attempts to guess the credit card number and card verification value (CVV), that three-digit number that is often essential to process a card transaction online. If hackers are able to glean a person's name and date of birth, they can then try a brute force attack to guess their credit card details.

The first 6 - 8 digits are the card issuer's ID number, leaving 7 - 9 digits that need to be guessed. Researchers have shown that such brute force attacks to guess Visa credit card details can be performed in six seconds or less.

Source: NordVPN

The details on the dark web are potentially very useful to hackers, who can use them to try and make purchases online posing as the unsuspecting legitimate credit cardholder. While the Kiwi card details uncovered ranged in price from $1 to $38, the average price was NZ$28.17, higher than the $15 global average. The price of the details, naturally enough, increases as more valuable information is included, such as the all-important CVV number.

NordVPN has an explanation for the higher price, which will send a nervous shiver through anyone who makes a lot of credit card transactions online.

"Payment cards from New Zealand are so expensive (compared to the NZ$15 world average) because the high living standard inside the country attracts fraudsters," explains Marijus Briedis, NordVPN's chief technology officer.

"If a lost or stolen payment card is used in a fraudulent manner, the liability falls onto the bank or the merchant. However, the rules that describe which cases of fraud in New Zealand must be reimbursed are rather abstract and leave room for interpretation, which in many cases isn't favourable to the consumer," he adds.

Essentially, we are softer targets because we are relatively wealthy and because banks are more likely to reject claims of fraudulent use of cards and less likely to pick up the tab for any losses.

Japanese cards fetch top dollar

Card details stolen from Japanese users fetch $65.5 on average, while details from Honduras cardholders are often advertised for less than a dollar. 

"Prices of cards depend mostly on demand. The greater the demand, the more money criminals can charge for certain data they try to sell," Marijus points out.

"In this case, the demand directly correlates with how easy it is to steal money from a card and how much money could be stolen. That is why the most expensive cards come from countries with a higher quality of life or poorer bank security measures." 

The US is the country with the most credit card details floating around for sale on the dark web (nearly 1.6 million were uncovered by NordVPN) while Australia had around 420,000. Briedis recommends that users keep a very close eye on their credit card statements for unusual purchases.

But the real answer to credit card fraud, it seems, involves our banks upping their security game so that we become less attractive targets.

"The Kiwi example shows that proper security measures should be prioritized in banks and can help users to be safer," he said. 

"Banks can use tools like fraud detection to track payment attempts to weed out fraudulent attacks. Stronger password systems are also a huge step towards preventing card fraud, but fortunately, multi-factor authentication is becoming the minimum standard. So if your bank doesn't offer it already, demand it or consider switching banks."