Why It Matters:
Making money plays a big part in how gangs acquire members. To appeal to new recruits, a gang must show it is a profitable enterprise. Increasingly, street gangs are turning to tech as a source of revenue. One method that is showing up more frequently involves purchasing stolen credit card numbers on the Dark Web to make what appear to be legitimate purchases from retailers. These goods can then be resold online, on the street or in retail stores. This evolving situation has consequences that affect communities and corporations across North America.
It Starts With A Breach
A large volume of credit card data is obtained through data breaches. Hackers steal consumer credit card information by breaching networks where they are stored. Data breaches target the whole organization. This means that one breach could potentially impact millions of consumers. In 2018 alone, more than 6,500 data breaches were reported according to a report from Risk Based Security. These data breaches exposed more than 5 billion records in all, and the 10 largest breaches accounted for 3.6 billion records or 70% of the total. Of all the mega breaches that happened in 2018, some made headlines, such as the ones impacting Target, Home Depot, JP Morgan Chase and Facebook. Many others, however, we never heard about. Still more are never reported. Businesses are not always required to notify customers when their information is stolen in a data breach. So consumers could unknowingly find themselves exposed without ever being the wiser.
Besides data breaches, there are other ways thieves can obtain credit card numbers. Skimming involves a small device that captures credit card information as it is swiped at ATMs or gas stations. The thieves can return later to retrieve the device along with card numbers. Another common way to obtain cards is through malware or a virus that is downloaded onto a computer or phone that sits on the device undetected. This software then collects keystrokes or takes screenshots. This gives hackers access to all types of personal information, including credit card numbers. Thieves might also trick consumers into handing over their credit card information. This can be done by phone, by email, through fake websites and even through text messages. While there are a number of ways to obtain legitimate credit card numbers for fraudulent purposes, data breaches do much of the heavy lifting.
Credit Card Numbers For Sale
Once hackers acquire their trove of credit card numbers, these can be resold on carding forums or websites. It’s surprisingly easy to find information about purchasing credit card numbers online. There are even YouTube videos detailing the process. While sites and opportunities to purchase credit cards on the Surface Web do exist, the Dark Web is the hub of activity.
Credit card or carder websites on the Dark Web are sophisticated in terms of what they offer buyers. Buyers can search through their inventory to locate a seller with a solid reputation and select the number of card numbers they want to buy. Many sites have validation tools to help buyers verify that the card will still work to make purchases. These numbers can easily be purchased in bulk, making it a simple process for organized retail crime organizations to purchase a large number of cards to distribute through the criminal supply chain.
That does not mean buying credit card numbers on the Dark Web is without risk, but that does not appear to stop people from trying. On the one hand, buyers might end up paying for credit card numbers that don’t ultimately work. Or, given that government agencies are actively trying to disrupt illicit activity on the Dark Web, they might even end up getting caught up in a trap.
Once credit cards are purchased, they can be used to purchase goods online. This is referred to as “Card Not Present” fraud, and it’s on the rise. While online purchases might be easier in the short term, they can create additional risks and trackability to a specific address or location. Using a simple setup including an embosser, new cards can also be created to make purchases in physical stores. Gang members obtain credit card numbers to create new physical cards, then distribute them to individuals on their payroll to make purchases. Each person has their role, and everybody makes money.
Investigating the Dark Web
Worldwide gross fraud losses incurred by card issuers, banks and retail merchants stood at $24.26 billion in 2017 and is expected to reach $34.66 billion by 2022, as per the Nilson Report. While stakeholders across the board are investing heavily in new technologies and solutions to mitigate these crimes, the challenge is balancing customer experience with fraud detection. Card issuers, banks and merchants are not alone in trying to circumvent fraud, government agencies and law enforcement also do their part in investigating gang activity and organized crime. To understand the shifting economic activities employed by street gangs, to address the growing number of data breaches and to reduce the sale of stolen credit cards online, greater visibility into the Dark Web, and the Internet as a whole, is crucial. The past several years have shown us that there is no magic solution. Investigators from both public and private sectors are able, however, to make a significant dent in this causal chain of criminal activity that starts with hackers and ends with organized gangs. Through comprehensive and collaborative online investigations, security teams can better understand how crime converges across physical and digital spheres to have a better chance of stopping it in the future.