As our security professionals infiltrate illicit networks every day, we recover thousands of stolen credit card details. Many of the cards have expired or are rarely used. So why do cybercriminals trade and share data that appears to be worthless?
The answer does not lie in the card numbers, but in the information that comes with them. The value is in the personal data accompanying each card.
What’s typically included in stolen credit card data?
Stolen card data often comes with an array of personal information about the card and the cardholder. For example:
- Credit card number
- Expiry date
- CVV number
- Full name of the cardholder
- Full address, including postcode
- Phone numbers, mobile and sometimes landline
- Email address
In about 10–20 percent of cases, the data also includes highly sensitive details, such as:
- Date of birth
- Mother’s maiden name
- Answers to secret questions
For cybercriminals, this information is a starting point for phishing and identity fraud.
How cybercriminals use stolen credit card data
Stolen credit card data has many uses beyond making fraudulent purchases. It can also be a starting point for phishing and identity theft.
Social engineering using credit card data
Stolen credit card data can facilitate phishing attacks in several ways:
- Credit card phishing tactics: The first six digits of a credit card number are the bank identification number, or BIN. This identifies the bank or provider that issued the card. It also tells cybercriminals who they need to impersonate.
- Email phishing with credit card data: Knowing the victim’s full name and address means the cybercriminals can make their phishing messages more convincing by addressing them personally. For example, instead of opening with “Dear customer”, they can convince the victim to lower their guard by saying:
  Hi John, this is Peter from Town Bank. Can you confirm your address is still 31 Acacia Avenue?
- Phone number phishing techniques: Mobile phone numbers generally aren’t public and are harder to obtain than email addresses. As a result, people are more likely to trust text messages than emails. Cybercriminals exploit this by sending scams by SMS, a tactic known as smishing. Adding to the danger, links in an SMS are harder to verify, so recipients are more likely to click them.
- Using secret questions: When cybercriminals know the secret answers, they can bypass the victim’s security questions. The victim might not even remember what their secret question was. For example:
  To verify your account, please confirm the answer to your secret question: What was your mother’s maiden name?
Fraud and personal data theft using credit cards
Cybercriminals can also use your personal data to:
- Apply for loans, credit cards, or benefits.
- Open bank accounts.
- Set up phone contracts.
- Shop online in your name.
Automated checks and verifications often fail to block these fraudulent transactions because the name, address, and other details match correctly with the victim’s real records.
When two-factor authentication (2FA) is used, cybercriminals circumvent it by providing a slightly modified phone number or email address so that they receive the verification code.
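A check for the pattern described in the two paragraphs above, where name and address match the real record but the phone number or email is slightly altered, might look like the following. This is an added example, not code from the original article; the field names, the two-edit threshold and the sample records are assumptions constructed for illustration.

```python
"""Flag applications whose identity matches a customer on file but whose
phone or email is a near miss of the value on file (constructed example)."""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits from a to b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def norm_text(s: str) -> str:
    """Lower-case and collapse whitespace so formatting is not a difference."""
    return " ".join(s.lower().split())

def norm_phone(s: str) -> str:
    """Keep digits only, so spaces and dashes are ignored."""
    return "".join(ch for ch in s if ch.isdigit())

def review_application(record: dict, application: dict, max_edits: int = 2) -> list:
    """Return reasons to hold the application for manual verification.

    Only the case from the text is handled: name, address and postcode match
    the record exactly, yet a contact detail differs by a few characters.
    Identity mismatches are left to the ordinary checks (assumption).
    """
    identity = ("name", "address", "postcode")
    if any(norm_text(record[k]) != norm_text(application[k]) for k in identity):
        return []
    flags = []
    for field, norm in (("phone", norm_phone), ("email", norm_text)):
        distance = edit_distance(norm(record[field]), norm(application[field]))
        if 0 < distance <= max_edits:
            flags.append(f"{field}: near match to value on file ({distance} edit(s))")
    return flags

# Constructed sample data; none of these values belong to a real person.
RECORD = {"name": "John Example", "address": "31 Acacia Avenue",
          "postcode": "AB1 2CD", "phone": "07700 900123",
          "email": "john.example@example.com"}
SUSPECT = dict(RECORD, phone="07700 900128", email="john.examp1e@example.com")

if __name__ == "__main__":
    for reason in review_application(RECORD, SUSPECT):
        print("HOLD:", reason)
```

When an application is flagged, the verification code should go to the contact details already on file rather than to the ones supplied with the application.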
Limited-use credit card fraud: How expired cards are exploited
Expired or seldom-used cards are also useful in the criminal economy, where they’re often used to distract attention from larger-scale fraud.
The damage can go beyond a single transaction. When your identity is compromised, you can remain at risk for years afterwards.
How cyber threat intelligence can help you stay safe
The danger from stolen card data underscores the value of real-time cyber threat intelligence (CTI).
As our security professionals infiltrate illicit networks, we recover compromised email addresses, passwords, physical addresses, identity profiles, financial data, and more. Our real-time monitoring covers all the information involved in making payments. This includes names, card numbers, expiration dates, CVV numbers, and even phone numbers used to authorize the transactions.
If cybercriminals are trading information about you or your organization, we alert you right away. That means you can change passwords and block access before attackers can strike.