We all know that it’d be a disaster if a thief got their hands on your payment card information. But your details are safe as long as you know your card or your card data haven’t been stolen, right?
Not only is there a way to discover payment card numbers without breaking into a database, there’s also a booming underground black market for them. These numbers are being sold by the millions. We even know the average cost – about $10 USD per card.
NordVPN analyzed statistical data gathered by independent researchers specializing in cybersecurity incident research from markets where payment card numbers are being sold. Here’s what we learned.
The independent researchers discovered mountains of data on the dark web that helped us map out the statistical scope of payment card detail hacking online. Records revealed what types of cards’ details are sold the most in different countries, and the average cost of card data from different countries. This enabled us to assign risk indices to each country covered by the data. How does your country rank up?
Here are some of the researchers’ key findings – in addition to the data:
Database breaches aren’t the only way to get hacked payment card details anymore. Increasingly, the card numbers sold on the dark web are brute forced. But how does this attack work?
Brute forcing is a little bit like guessing. Think of a computer trying to guess your password. First it tries 000000, then 000001, then 000002, and so on until it gets it right. Being a computer, it can make thousands of guesses a second. Most systems limit the number of guesses you can make in a short space of time to prevent these kinds of attacks, but there are ways to get around this. After all, they don’t target specific individuals or specific cards. It’s all about guessing any viable card details that work to sell.
Here’s how it works:
Clever hackers can significantly cut down how many numbers they need to guess and check to find your payment card number. In fact, researchers at Newcastle University estimate that an attack like this could take as few as 6 seconds.
There is little that users can do to protect themselves from this threat short of abstaining from card use entirely. The most important thing is to stay vigilant. Review your monthly statement for suspicious activity and respond quickly and seriously to any notice from your bank that your card may have been used in an unauthorized manner.
Here’s what banks and other service providers can do to protect users:
Data collection: The data was compiled in partnership with independent researchers specializing in cybersecurity incident research. They evaluated a database that contained the details of 4,478,908 cards in total, including details of the type of card (credit or debit), issuing bank, and whether it was refundable. The data NordVPN received from the third-party researchers did not contain any information that relates to an identified or identifiable individual (such as names, contact information or other personal information). We do not operate with exact numbers of payment card details sold on the dark web, as NordVPN has only analyzed a set of statistical data provided by independent researchers.
Analysis: The raw numbers only provide part of the picture. Population size and card usage vary between countries, and these are just two factors that can change the impact of these numbers.
We compared the statistical card data between countries with UN population stats and the number of cards in circulation by country or region from Visa, Mastercard and American Express. This allowed us to calculate a risk index to more directly compare how likely your card is to be available on the dark web by country.
We calculated the Risk Index using the following elements:
We then logarithmically normalised these numbers to produce scaled ratings between 0 and 1.
We analyzed how people share their personal devices and what measures they take to protect themselves and their family members online.
Thousands of users tested their cybersecurity-savvy. Find country rankings and average scores in different demographics.