The cybercrime underground is a well-oiled machine worth trillions of dollars annually. On dark web sites hidden from law enforcers and most consumers, cybercriminals buy and sell huge quantities of stolen data as well as the hacking tools needed to obtain them. There are thought to be as many as 24 billion illegally obtained usernames and passwords currently circulating on such sites, for example. Among the most sought-after is fresh card data, which is then bought in bulk by fraudsters to commit follow-on identity fraud.
In countries that have implemented chip and PIN (also known as EMV) systems, it’s challenging to turn this data into cloned cards. So most commonly it’s used online in card-not-present (CNP) attacks. Fraudsters could use it to buy luxury items for onward sale, or potentially they could buy gift cards in bulk – another popular way to launder illicitly obtained funds. The scale of the market in these cards is difficult to estimate. But the administrators of the world’s largest underground marketplace recently retired after making an estimated US$358m.
With that in mind, here are five of the most common ways hackers could get hold of your credit card data – and how to stop them:
Phishing is one of the most popular techniques for cybercriminals to steal data. At its simplest, it’s a con trick in which the hacker masquerades as a legitimate entity (e.g., a bank, an e-commerce provider or a tech firm) to trick you into divulging your personal details, or unwittingly downloading malware. They often encourage users to click on a link or open an attachment. Sometimes doing so takes the user to a phishing page – where you’ll be encouraged to enter personal and financial information. Phishing is said to have hit an all-time high in Q1 2022.
These scams have evolved in recent years. Instead of an email you may receive a malicious text (SMS) from a hacker pretending to be a delivery company, a government agency or another trusted organisation. Scammers may even call you up, again pretending to be a trusted source, with the aim of obtaining your card details. SMS phishing (smishing) more than doubled year-on-year in 2021, while voice phishing (vishing) also surged, according to one estimate.
The cybercrime underground is a huge marketplace, not just for data but also malware. Different types of malicious code have been designed over the years to steal information. Some record your keystrokes – for example as you’re typing in card details on an e-commerce or banking site. How do the bad guys get these tools on your machine?
Phishing emails or texts are a popular method. Malicious online ads are another. In other cases, they may compromise popular websites and wait for users to visit them. Drive-by-download malware of this sort installs as soon as you visit the compromised site. Info-stealing malware is also often hidden inside legitimate-looking but malicious mobile apps.
3. Digital skimming
Sometimes hackers also install malware on the payment pages of e-commerce sites. These are invisible to the user, but will skim your card details as they are entered. There’s not much users can do to stay safe, aside from shopping only with big-name brands and websites, which are likely to be more secure. Detections of digital skimming (aka online card skimming) rose 150% between May and November 2021.
4. Data breaches
Sometimes card details are stolen direct from the companies you do business with. It could be a healthcare provider, an e-commerce store or a travel company. This is a more cost-effective way to do things from the hacker’s perspective, because in one attack they get access to a huge trove of data.
On the other hand, with phishing campaigns, they have to steal from individuals one-by-one –although these attacks are usually automated. The bad news is that 2021 was a record year for data breaches in the US.
5. Public Wi-Fi
When you’re out and about it can be tempting to surf the web for free on public Wi-Fi hotspots – in airports, hotels, cafes and other shared spaces. Even if you have to pay to join the network, it may not be safe if hackers have done the same. They can use this access to spy on your details as you enter them.
How to keep your credit card details safe
Fortunately, there are plenty of ways to mitigate the risk of your card data getting into the wrong hands. Consider the following as a good place to start:
Finally, it’s good practice to keep an eye on all your bank and card accounts. If you spot any suspicious transactions, tell your bank/card provider’s fraud team immediately. Some apps now allow you to “freeze” all spending on specific cards until you can ascertain whether there’s been a security breach. There are plenty of ways for the bad guys to get our card details, but also lots we can do to keep them at arm’s length.
By Phil Muncaster, Guest Writer at ESET