Stolen Canadian Payment Card Info As Cheap As Fancy Lattes

A new report from NordVPN has revealed that stolen Canadian payment card information costs an average of just C$6.50 on black markets, cheaper than a drink at some fancy coffee shops.

That’s half the global average cost of stolen credit card information: $12 CAD.

For the report, NordVPN analyzed data from 140 countries collected by independent cybersecurity researchers. In total, it found that nearly 4.5 million card datasets were sold on black markets.

More than 45,000 Canadian credit card details were found online, which is surprisingly low as the country has the highest credit card penetration rate in the world, according to the report.

In Canada, Visa credit card information was the most common, followed by Mastercard. Conversely, debit card information was more abundant in the United States. The report explains that debit cards carry a higher risk because they don’t have as many safeguards, such as chargebacks, as credit cards.

Payment information stolen according to NordVPN
Canadians are at moderate risk of credit card theft. Over 45,557 stolen card datasets have been found online. Credit cards make up the majority. Source: NordVPN

The United States, Mexico, Brazil, Turkey, Australia and EU countries were the most exposed to credit card theft. The most popular cards are those from Japan, which cost an average of CA$54 each.

Asked what determines the value of a card, Marijus Briedis, CTO of NordVPN, explained that hackers operate like any other business and follow the same trading principles.

“We can only speculate on how these vendors price each payment card, but common sense should tell us that the price reflects the price of the goods themselves, the work required to obtain them, the profits that sellers want to get, and of course demand should be a big factor in those prices,” Briedis said in an emailed statement to Computer World Canada.

“The higher the demand, the more money criminals can charge for certain data they are trying to sell. In this case, demand is directly correlated to how easily money can be stolen from a card and how much money could be stolen. This is why the most expensive cards come from countries with the highest quality of life or the weakest bank security measures. Some criminals also include other personal information, starting with names and zip codes and ending with credit scores, with every charge card they try to sell. This can drive up the price tremendously.”

The country issuing the card also plays a role in setting its price. As an example, Briedis explained that since Saudi Arabia is a financial hub, hackers believe they can steal more money through its cards.

The study ranked the potential for being a victim of credit card theft via a risk index between 0 and 1. It calculated the index based on the number of credit cards a person has on average; the more cards, the higher the risk.

While North Americans were particularly vulnerable given the high number of cards they often carry, Europeans were also found to be more at risk.

How Hackers Steal Card Information Without a Data Breach

Hackers can now steal credit card information without breaching databases, according to the report. The number of brute force attacks is on the rise.

In a brute force attack, the attacker uses computers to guess card details. Attackers select a card issuer and its issuer ID number, which consists of the first six to eight digits. They then guess the rest of the card number using the issuer's specific card number format, followed by its checksum, calculated by the banks using a hashing algorithm. Finally, the attackers guess the three-digit verification value printed on the back of the card. It is easy to guess because of its length.

Most payment gateways block the user after a small number of incorrect attempts over a short period of time, but some fail to detect multiple invalid entries from different websites, essentially allowing unlimited guessing attempts. This allows the attacker to execute a distributed guessing attack, in which they spread their guesses at card details across multiple websites.

Additionally, since different websites request different fields and respond to input differently, attackers can cross-reference and piece together information even faster.
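The gap described above, where per-site attempt limits never see guesses that are spread across many sites, can be closed by counting declines per card across all merchants. The following detection sketch is an added example, not code from the NordVPN report or the Newcastle study; the event fields, token and shop names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

def build_sample_events():
    """Constructed declined-authorization events:
    (epoch_seconds, merchant_id, card_token, failed_field)."""
    events = []
    # tok_A: wrong-CVV declines spread over 30 merchants, two per merchant.
    for i in range(60):
        events.append((1000 + i, f"shop{i % 30:02d}", "tok_A", "cvv"))
    # tok_B: a cardholder mistyping the expiry date twice at one shop.
    events.append((1010, "shop03", "tok_B", "expiry"))
    events.append((1040, "shop03", "tok_B", "expiry"))
    return events

def per_merchant_lockouts(events, limit=3):
    """Model of a per-site control: lock a card only when one
    merchant alone sees more than `limit` declines for it."""
    counts = defaultdict(int)
    for _ts, merchant, card, _field in events:
        counts[(merchant, card)] += 1
    return {key for key, n in counts.items() if n > limit}

def cross_merchant_alerts(events, window_s=300, max_declines=10, min_merchants=5):
    """Issuer/network-side view: sliding window of declines per card,
    alerting when they are both numerous and spread over many merchants.
    Returns {card_token: (first_alert_ts, declines, distinct_merchants)}."""
    recent = defaultdict(deque)  # card_token -> deque of (ts, merchant)
    alerts = {}
    for ts, merchant, card, _field in sorted(events):
        q = recent[card]
        q.append((ts, merchant))
        # Drop declines that have aged out of the window.
        while q and q[0][0] < ts - window_s:
            q.popleft()
        merchants = {m for _, m in q}
        if len(q) >= max_declines and len(merchants) >= min_merchants:
            alerts.setdefault(card, (ts, len(q), len(merchants)))
    return alerts

if __name__ == "__main__":
    ev = build_sample_events()
    print("per-merchant lockouts:", per_merchant_lockouts(ev))
    print("cross-merchant alerts:", cross_merchant_alerts(ev))
```

On the constructed data no single merchant ever locks the card, while the per-card view flags it after the tenth decline and leaves the cardholder who mistyped twice alone.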

Does it only take six seconds?

According to a 2016 study from Newcastle University published in IEEE Security and Privacy, a skilled hacker can produce a valid card dataset in as little as six seconds. All they need is an everyday laptop with an internet connection.

Mohammed Ali, the lead author of the research paper, broke down the numbers in a Newcastle University news article.

He noted that thanks to distributed guessing attacks and the different ways websites structure payment information fields, generating card information is “appallingly easy”.

To produce a valid dataset, attackers need to obtain three key numbers: card number, expiration date, and CVV. Ali said that after acquiring the card number, stolen or generated, hackers only need 60 attempts to guess the expiration date because most payment cards expire after 60 months. After the expiration date, the CVV becomes the final defense, but it takes fewer than 1,000 guesses to find a three-digit number. Spread the guesses over 1,000 websites and it would only take a few seconds to receive a verified answer.

Although the study was published six years ago, Briedis warned that brute force attacks are still effective today.

“As companies try to develop new techniques to defend themselves, hackers are coming up with new ways to overcome them,” Briedis said. “Unfortunately, there has been no more recent research on this [brute force attacks], but the results should be very similar. As the security measures taken by banks or card issuers develop, so do the techniques used by hackers.”

How cardholders can protect themselves

Unfortunately, cardholders can’t do much to prevent attackers from guessing card details, but they can take steps to bolster their accounts.

A strong password makes guessing harder for attackers. Avoid using simple passwords like “123123” or “abcdefg” for any account. Also, don’t use the same password twice. If your passwords become too complex or too numerous to remember, try using a password manager service like 1Password or Bitwarden.

Another best practice is to enable two-factor and multi-factor authentication whenever possible. In addition, payment institutions also offer tools to prevent attacks. It may be worth signing up for them.

Users should be vigilant when reviewing their transaction history and bank statements, and should immediately report any suspicious activity to their institutions. In addition, they should be wary of phishing attempts.

Finally, do not post financial information on social media.
