If you’re one of the unfortunate shoppers who may have had their credit-card information stolen during a trip to Home Depot or a U.S. Target location over the past year, you may be under the impression your data commanded a small fortune.
Not so.
According to Trend Micro, a data security company, credit card numbers poached by cybercriminals in data breaches like the kind Home Depot confirmed this week regularly sell for as little as $0.50 in underground online markets such as the Russian forums reportedly hawking numbers stolen from store locations in the United States and Canada dating as far back as April.
MORE: Home Depot confirms data breach at Canada, U.S. stores
Even a high-end price for an unblemished, freshly stolen account number is typically under $50, according to Trend Micro. The median price meanwhile is far lower than that.
“We’ve tracked prices over the past couple of years and the average range seems to be about $1–5 USD,” Mark Nunnikhoven, vice president of cloud and emerging technology says.
Falling prices
As for stolen Canadian cards, most are now generally protected by chip-and-pin technology that requires a PIN punched in at the store to make a successful purchase. Experts say the the added layer of technology has made stolen Canadian card numbers less valuable to cybercriminals and their customers.
Another reason prices are so low is that the so-called “valid rate,” or the percentage of cards that haven’t been cancelled by banks, credit-card companies or individuals following a breach, is falling with each new high-profile incident.
The more attention such breaches receive (when they’re discovered and disclosed), the more awareness has gone up and faster stakeholders have responded.
Prior to the Target breach late last year, stolen card numbers fetched fees of more than $150, because the valid rate and probability of a successful purchase were very high.
The price on stolen numbers acquired in the Target breach, in contrast, were initially high but quickly plummeted in the weeks following the breach’s disclosure as cards were rapidly cancelled.
Brian Krebs, the security blogger who first broke the Target and Home Depot stories, lays out a more detailed analysis here.
The sheer volume of a breach on Target’s scale – and possibly Home Depot’s – also dilutes the value of a stolen card, according to Trend Micro.
“The cybercriminal underground economy is much like any other type of business economy. It experiences pricing highs and lows, depending on demand and supply,” Trend Micro said in recent paper. “Incidents such as the massive breaches involving popular retailers increases the supply of such credentials, driving prices down.”
Still, while individual returns appear to be diminishing for stolen cards, experts say criminals are keeping ahead of the barricades that security firms are racing to put up, innovating new ways to exploit systems and steal profit-generating data.
“Even though the prices of most products and services sold in the underground market have been decreasing, that does not mean that business is not doing well for cybercriminals,” Trend Micro’s report said. “It can even mean that the market is growing.”
WATCH: Home Depot hack job
Comments