Russian-speaking criminals account for £420m of card fraud annually

News by Steve Gold

New research claims to quantify the scale of card fraud in Russian speaking circles. And according to Group-IB's analysis over the last year, that fraud clocks in at a hefty £420 million (US $680 million).

The report, entitled `High Tech Crime Trends 2014,'suggests that the scale of card fraud in Russian-speaking circles is very large, but is also highly organised.

According to Ilya Sachkov, the CEO and founder of Group-IB, the awareness of high-tech crime in the financial services business is very important, but it does require a deep technical analysis and understanding of criminal schemes.

These leading-edge technologies, he says, allow crime to act quickly and anonymously. Card fraud, says the report, has no rules and bureaucracy, with crime now having the opportunity to ignore borders and freely break the law.

The use of crypto-currencies and the shadow Internet, he explained, contribute to the development of high-tech crime.

Structured fraud

Delving into the report reveals that the market for stolen credit card data over the last year has finally been structured and now features mass automated distribution channels in the form of electronic trading platforms.

"Professional wholesalers, who specialise in massive theft of credit card information in retail chains and online retail, engage in wholesale supply of stolen data on these platforms, receiving an average of half of the amount of retail sale of the card details," says the report.

The trading platforms, the Group-IB report notes, offer automated purchase of two types of stolen information: credit card text details (eg card number, expiration date, name of card holder, address, CVV) and dumps (eg contents of credit card magnetic stripes).

"The market value of a credit card dump is on average ten times higher than the cost of credit card text details. This is because dumps offer greater opportunities for fraudulent transactions. So, with the dump of a credit card, an attacker can make a physical duplicate of that card and conduct operations in offline points of sale, buying expensive electronics, luxury goods, medicines and other goods to be subsequently sold in a secondary market," notes the analysis. The report quantifies the scale of the fraud when it says there are now five major stores selling credit cards online. Located in the Russian-speaking element of the Internet, the study says that investigation reveals that the stores sell the data of an average of 200,000 credit cards a year.

Based on the premise of a single card costing an average of £12 (US$ 20) and one in every three people buying these card credentials being able to steal money from them, Group-IB says that the average amount stolen from these cards is £1,240 (US $ 2,000). From these figures, the report concludes that annual card fraud losses in the Russian language market are approximately £420 million (US$ 680 million).

Is this figure realistic?

According to Keith Bird, UK managing director for Check Point, the scale and value of credit card fraud is not a surprise given the vast amount of credit card data the industry has seen stolen in the breaches at various large retailers during 2014.

"Our 2014 security report found that credit card data accounted for 29 percent of sensitive information sent outside organisations over the past year, while 33 percent of financial institutions sent credit card information outside the organisation at least once in the same time frame," he said.

"What is clear, is that payment card data needs to be robustly secured. This includes point-of-sale payment terminals having endpoint security installed as standard and businesses that accept payment segmenting their POS networks from the rest of the corporate environment to ensure maximum payment data security," he added.

Tim Keanini, CTO with Lancope, agreed Bird's assessment, noting that the numbers are accurate.

"You also have to realise that these folks are not the only ones performing cyber-criminal activities. Even as a security professional, I have had to replace every single credit card in my wallet once or twice during the past 12 months. I'm sure every reader of this article can tell the same story," he said.

Instead of playing the security game here and talking about being more or less secure, Keanini says that we - as a security industry - need to think about cyber-crime as a business and how can we all make it too expensive to operate.

"We not only have to make it harder for them to infiltrate but, more importantly, we have to make it harder for them to operate as they need to execute multiple phases of operations to monetise this stolen information and the defender only has to detect and shut them down in one," he explained.  

Gavin Millard, EMEA technical director with Tenable Network Security, said that organisations that handle credit card information have to invest more time, money and effort to move from a traditional defensive approach to security towards continuous detection and incident response.

Doing so, he says, increases the probability of detecting malicious activity and decreases the time taken to identify when a breach occurs.

"Until we close the gap between exfiltration of credit card details and notification of breach to invalidate the cards stolen, the profitability of card fraud will remain highly lucrative to cyber-criminals," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews