In a blog post, David Greenwood, a researcher at ThreatPipes, bought a pre-paid Visa card and put those details on the web alongside a variety of fictitious card numbers based on MasterCard and Visa formats. Over the last two years, he said that there have been four attempts to use his credit card fraudulently.
This prompted Greenwood to observe the life-cycle of how information propagates across the internet and dark web.
"Frustratingly, you can’t just start selling this information on dark web forums. You need a reputation. You need people to vouch for you. You need a reputation," he said.
This led the researchers to give his details away for free. "I dumped the complete package to various paste sites including; full card numbers, expiration dates, CVV codes, and billing address," he said.
He found that within a couple of hours, hackers used the card for a small transaction to check if the card was usable. Greenwood said that fraudsters use bots and scripts to test the credit card information, then target merchant sites that provide automated responses that provide decline details.
"Within two hours someone (or something) was attempting to purchase something from a well known retailer here in the UK using my prepaid card," he said.
He said that bots are watching and waiting to exploit victims from lots of angles. Not only that, the information doesn’t have to be credit cards, it could be internal company data, network data, or accidental international data leaks (API keys, usernames and passwords).
"Yes, you should be implementing good security measures to mitigate the risk of these types of scenario happening. The fact is; your defences will slip up one day. You should probably be watching too," he warned.
Robert Capps, vice president at NuData Security, a Mastercard company, told SC Media UK that once cyber-criminals get stolen credit card data, it is often tested right away.
"Cyber-criminals test cards to make sure they are active, so they are able to resell them to other cyber-criminals for a higher price. Once sold, it’s a race against the clock to commit fraud using the valid stolen credit card… before another cyber-criminal does, or before the issuing bank deactivates the card," he said.
Capps added that observations of card validation attacks across his firm’s customer base found that over 90 percent of these attacks are automated – and this automation is becoming a lot more sophisticated to circumvent security tools being deployed by most major financial institutions to combat such attacks.
"Merchants can provide the first line of protection against these attacks by implementing a layered defence that includes passive biometrics and behavioural analytics, which are able to identify these sophisticated automated and human attacks, through the collection and analysis of hundreds of human interactional characteristics, to identify humans from the machines, and legitimate customers from the imposters."