The dark web acts as a virtual marketplace for a variety of ill-gotten or illegal items, including drugs, guns, phony documents, counterfeit currency, malware kits, and, of course, personal information. A hacker who obtains sensitive user data is likely to try to hawk it on the dark web. But as with any marketplace, prices vary depending on the type of data. A new report from consumer website Comparitech looks at dark web selling prices for credit cards and PayPal accounts in particular.
SEE: Ebook: IT leader’s guide to the dark web (TechRepublic Premium)
Credit cards are sold on the dark web either as digital items or physical clones of real cards. Prices for cloned cards are typically higher because the seller must have the necessary equipment to recreate a stolen card.
The average price for just the credit card number, CVV, expiration date, cardholder name and postal code is $17.36, according to Paul Bischoff, author of the Comparitech report. But the average price for a physical, cloned card is almost ten times higher at $171. Overall, average prices for credit cards fell this year by 27% compared with a similar study conducted eight months ago.
Selling prices for credit cards vary based not just on the brand of card but on the credit limit for the card. In the previous study, the median credit limit on a stolen credit card was 240 times the price paid for the card, or about 0.42 cents (US $0.0042) per dollar. The latest results show that figure to have dropped to 0.33 cents per dollar, or 306 times the price of the stolen card.
Among the major brands, those from Mastercard were the most lucrative, offering an average credit limit of 6.47 cents per dollar. Discover cards were next, valued at 6.27 cents per dollar, followed by Visa cards at 5.75 cents per dollar, and then American Express cards at 5.13 cents per dollar.
SEE: How your stolen data ends up on the dark web marketplace (TechRepublic)
A variety of other factors influence the dark web selling price of a credit card, including the expiration date (newer cards are likely to be more valid), credit limit, location and postal code, card tier (e.g., Gold or Platinum are more lucrative), availability of the CVV number, the daily withdrawal limit, and any balance and validity verification.
Cards with ATM PINs are worth more. Also factored into the price is whether the card’s been used before and whether it was sold individually or in bulk. Further, the availability of the cardholder’s personal information, known as fullz, also plays a big role. Fullz, or full information, includes the user’s social security number, street address, birth date and more.
Criminals typically buy credit cards on the dark web to cash them out or use them to purchase items that can be resold, Bischoff said. And you don’t even have to be experienced. Amateur crooks who don’t know how to use stolen credit cards will find lots of tutorials on the dark web.
Accounts for PayPal are more lucrative than credit cards, according to Bischoff. Based on Comparitech’s research, the average price of a PayPal account on the dark web is $196.50, with an average account balance of $2,133.61. This figure means that buyers pay around 9.2 cents per dollar in the account. For 2021, the price of this type of account rose by 194% compared with the study from eight months ago.
The cost of a PayPal account varies based on type. An individual account costs $161.59 on average, a Premier account costs $186.31 on average, and a business account costs $246 on average.
SEE: What your personal identity and data are worth on the dark web (TechRepublic)
Criminals who specialize in PayPal accounts steal their usernames and passwords, which they typically obtain through phishing or malware campaigns. The criminal either sells the account credentials to a buyer who drains the funds or transfers a certain amount of money from the victim’s account to the buyer. A hacker who captures PayPal account information can also steal money from any connected bank account or credit card.
Though credit cards, PayPal accounts and fullz are popular items on the dark web, other types of products attract buyers as well, Bischoff noted. Passports, driver’s licenses, streaming accounts, social media accounts, dating profiles, bank accounts, debit cards and even frequent flyer miles are up for sale. Most of the data snagged by hackers and other criminals is obtained through phishing attacks, credential stuffing, data breaches and card skimmers.
How to protect yourself
To help you keep your data more secure and safe from the dark web, Bischoff offered a few tips.
- Limit your online accounts. You can’t do much about a data breach in which an online company is attacked. But you can minimize your digital footprint by reducing the number of accounts you juggle on the web.
- Watch out for card skimmers. Look out for card skimmers at points of sale, especially unmanned ones such as those at gas stations.
- Beware of phishing messages. Learn how to spot and evade phishing emails and text messages.
- Protect yourself from credential stuffing. Avoid being the victim of a credential stuffing attack by using a strong, secure and unique password on each of your online accounts.
Subscribe to the Cybersecurity Insider Newsletter
Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays