Have you ever checked your bank statement and discovered that you apparently used your card to buy something in Hong Kong or some other distant location even though you’ve never visited said location and you live thousands of miles away?
If so, you’re certainly not alone. In the UK alone there are over 80 million debit and credit card holders, in Europe over 550 million and just over 1 billion credit cards in use in the US. Given that payment cards drive online shopping and that there are constant waves of data breaches it’s hardly surprising there are plenty of opportunities for cyber villains to get their sticky digital mitts on card numbers.
But how do your card details end up being used thousands of miles away in places like Ludhiana in India, Puerto Varas in Chile, Riga in Latvia or some other unlikely destination, such as the town 40 miles from where you live but you’ve never visited?
- Card details are stolen in hacks, such as the 400,000 customer records skimmed from the British Airways website in 2018 or Dixons Carphone, which had PoS malware installed on over 5,000 terminals between July 2017 and April 2018. The card information of over five million customers was accessed by hackers.
- These high profile hacks receive a lot of publicity but smaller companies are frequently attacked and card details stolen. These breaches aren't always reported because many businesses that have been breached do not discover it until well after the event. One loose affiliation of hackers, dubbed Magento, is especially prolific in skimming card numbers from smaller e-commerce sites. It has successfully attacked thousands of websites and continues to do so.
With data breaches so common there are a plethora of cyber-criminal underground markets trading stolen information and cloned payment cards.
- Dark web card shops specialise in using the stolen card numbers to create cloned cards. Some are shut down by law enforcement but others pop again like a game of whack-a-mole. Some underground shops sell millions of card details that have come from online and offline retailers, hotel chains, restaurants and so on, alongside other stolen personal information.
- There are many small dark web forums where cyber criminals sell data they've stolen. In some cases buyers can barter for card details and the supply is so plentiful that some details are sold for give-away prices.
- Buying this information is a simple and often an automated process. Card information may have been stolen from a New York location yet the buyer could be six thousand miles away.
- When a cloned card is used, the buyer will initially use it at an obscure retailer, garage or restaurant because these businesses often don’t have sophisticated security in place. If the card transacts without problems, criminals will then use it at larger organisations, ATMs, or e-commerce sites.
The problem of stolen cards is so pervasive that it’s not unknown for a bank which has had lots of customer card details stolen to go into the dark web and buy the card information back.
- Of course banks also have fraud detection schemes in place to analyse transactions for unusual payments. These systems look at things like who you're trying to pay, the payment amount, have you ever made a payment like that before and the location of the payment.
- If you live in London and your card is being used to make a purchase in Urandangi, a remote town in the Australian outback, the purchase will be red flagged. However, if it is used in a nearby city in the UK, it will likely slip the net if the transaction amount doesn’t look out of place.
There isn’t a lot you can do when a company is hacked and your information is stolen but you can protect your details from being used by cyber criminals with the use of identity protection tools. BullGuard Premium Protection 2021
provides advanced identity protection that immediately alerts you should any of your data appear where it shouldn’t for instance on a dark web forum.
It also includes advanced machine learning to protect against malware such as spyware, key loggers and banking Trojans that are specifically designed to infiltrate your computer, steal your personal data and send it back to servers controlled by cyber criminals.
But more than safeguarding payment card details identity protection can be used for social media accounts, addresses, password and all sorts of other information that can be used to build false profiles or socially engineer victims into falling victim to cybercrime. This information is often put for sale on underground forums and is someone has used their email password on other accounts it could easily unlock the door to much more information.
Because hacks are so common it’s not wise to rely on others to protect our personal information rather we have to recognise that in the digital world we also have to take steps to safeguard ourselves.