From 2019 through 2022, the supply of stolen credit cards was reduced by almost 90%. Here’s why.
There is something magical about the simplicity of a credit card. With a single swipe or click, a number printed on a piece of plastic catalyzes commerce between the merchant and buyer. However, considering just how easy it is to use a card for purchasing, we would imagine that malicious actors strongly desire to steal credit cards and use them for their ends.
The deep and dark web hosts many marketplaces selling compromised credit cards. These cards are generally procured by targeting e-commerce sites through data breaches and phishing scams or with physical hacking tools such as skimmers and shimmers installed on ATMs, point-of-sale terminals, and gas stations.
But all is not well in the underground credit card markets. Over the last few years, there has been a dramatic decline in the number of cards offered for sale: in 2019, dark web markets listed approximately 140 million compromised cards for sale. This declined by 28% to over 102 million in 2020, which in turn declined by 60% to about 42 million in 2021. This year, based on our numbers from H1, we anticipate a drop of 77% to only about 9.1 million cards.
Figure 1: Total stolen credit cards over the years
Furthermore, the number of markets is in decline, from 47 in 2019 to 38 active markets in 2022 (though they rebounded after the low in 2020 when Russian authorities shut down some of the larger markets).
Figure 2: Credit card markets count over the years
However, a closer look shows that the remaining markets are far smaller than their predecessors. That is, the number of large markets (defined as selling over 100K cards per year) dropped from 38 in 2019 to 8 in 2022.
Figure 3: Large Credit card markets count over the years
By all measures, the supply of credit cards has collapsed. But what about demand? If demand for compromised cards has remained consistent as the supply crashed from 140 million to 9.1 million per year, then we would expect the price of a card to skyrocket.
However, this has not been the case. While the average price of dumps has risen from $10.51 in 2019 to $16.69 in 2022, and CVVs, from $11.04 to $13, there does not seem to be a clear year-to-year trend of increasing prices that would indicate that demand for compromised cards was stable. Instead, it appears that demand has also dropped off significantly.
Figure 4: Credit card average price change over the years - Dumps & CVV
There are several possible explanations for what caused such a massive market crash over the last few years. We believe that all of the following reasons have, to a certain extent, affected the reduction in supply and demand of compromised credit cards on the underground:
Cyber security tools and methods used by financial organizations are in an improvement process from year to year. As a result, procedures and processes became harder to break through for cybercriminals, such as using fingerprints, face recognition, PIN, EMV chip, MFA, and others.
All these are a part of the identity verification within a process related to the cardholder's bank account. EMV technology allows credit card networks to institute multiple layers of purchase verification. Before that, the MFA and other recognition methods verify the user before the ability to perform certain types of actions within the account.
The EMV chip can only be authenticated by unique readers, making the credit cards more secure than stripe-only cards. Although this technology has been around since 2015, it took several years to adopt and replace most credit cards. This was felt especially in the United States, where the EMV technology was introduced in several countries a few years before, mainly because the head leader of countries with compromised cards is the United States. Therefore, adapting to the new card authentication technology was one of the main reasons for reducing the number of compromised cards over the last few years.
Moreover, the credit card security teams cover your transaction details over time, such as business, locations, average spending, and other stats. All these stats are managed with machine learning to alert the cardholder of suspicious actions in his account. Before that, threat actors didn’t have to go through these complex levels of security. For example, the MFA process did not include getting an SMS to the personal phone of the cardholder for extra verification. In this way, account hacking was more accessible without the need to get possession of the user's phone in addition to stealing his credit card details.
Improved fraud detection
While credit card fraud is still the most common form of identity theft that is reported to the Federal Trade Commission, credit card vendors provide better security, analysis, and response to these illegal acts. First, the anti-fraud detection systems upgraded over the years because of the experience gathered from past incidents. Moreover, rules are being stricken, using artificial intelligence (AI) and machine learning to analyze hundreds of pieces of data for risk whenever a transaction occurs. As a result of the successful upgrade of the detection systems, even if a credit card is stolen, using it successfully is more and more difficult.
Let's take Visa as an example. According to Bankrate, “The Visa credit card network uses what it calls Visa Advanced Authorization to fight fraudsters looking to make purchases in your name. This anti-fraud detection system uses artificial intelligence (AI) and machine learning to analyze hundreds of pieces of data for risk whenever a transaction occurs.”
Improved security on eCommerce platforms
In a Magecart attack, a threat actor injects code into a checkout page of an e-commerce site, enabling the attacker to receive the information of every credit card used on the site. These attacks peaked in 2019, most notably an attack against British Airways that claimed 500,000 victims. Credit cards compromised from Magecart attacks were often quickly posted for sale on underground markets.
Security analysts have noted that Magecart attacks have been significantly decreasing each year.
Much of this can be attributed to improved security tools and methodology used by e-commerce sites. According to the 2022 Global Ecommerce Security Report, e-commerce businesses continue investing more in security technologies than ever to enhance overall protection. Moreover, the report shows the key points on how e-commerce businesses improve their security. The primary three keys are RUM (Real User Monitoring), MFA (Multi-Factor Authentication), and CSP (Content Security Policy). More than 70% of eCommerce businesses have improved their level of security by focusing on these three topics. As a result, they could hold back more attacks and assure control and a secure environment for themselves and their customers.
Law enforcement shutdowns
Many underground forums and markets related to the eastern side of the world focus on Russia. As a result, many credit card markets are owned and managed by Russian threat actors. During the last years, many markets were closed down by the country's law enforcement. For example, at the beginning of 2022, the stolen credit card market lost its second market leader in less than a month. In addition, according to “The Hacker News,” The Russian Ministry of Internal Affairs has taken down four major illicit dark websites in 2022.
Cybercrime offers plenty of other alternatives besides selling or stealing credit cards. Over the last few years, ransomware attacks have transformed from making a few hundred dollars from attacking a single end-user to bagging tens of millions by stealing the data and then encrypting the entire network of a large organization.
Furthermore, as cryptocurrency and NFTs drastically increased in popularity over the last few years, it provided actors with another lucrative opportunity. As a result, threat actors have attacked many crypto exchanges and owners of cryptocurrency and NFTs, siphoning tens of millions of dollars. For example, hackers recently breached gaming-focused blockchain platform Ronin Network and extracted cryptocurrencies valued at more than $600 million, making it the second biggest crypto hack ever.
Ransomware and cryptocurrency attacks are easier to monetize and can provide higher winnings than credit card compromises. With ransomware, the victim willingly pays, sometimes millions of dollars (albeit with a forced hand). And with cryptocurrency, there is no central authority protecting victims (unlike credit card issuers, which will render a card useless when fraud is detected). Both of these are single attacks that can earn advanced hackers significant windfalls. It would be no surprise if advanced actors and groups pivoted from credit card fraud for the greener pastures of ransomware and crypto hacking.
Most cybersecurity stories are doom and gloom, with messages that “things are going from bad to worse.” However, this is not the case with compromised cards. Trends from the previous 3.5 years point to a significant decline in the number of credit cards for sale and even indicate a decrease in demand for them.
While some may be because threat actors moved on to more lucrative targets, we ought to acknowledge the successful efforts of law enforcement agencies, credit card issuers, banks, and retailers to improve security. It is an encouraging story that we hope can be replicated to neutralize the many other criminal threats emanating from the cyber underground.
This does not mean that one should be careless with their cards. We still encourage cardholders to follow best practices to ensure they do not fall victim to credit card fraud and identity theft.