Personal information from US citizens found on the Dark Web—ranging from Social Security numbers, stolen credit card numbers, hacked PayPal accounts, and more—is worth just $8 on average, according to a new report from tech research firm Comparitech.

Researchers pored through the prices of personal data and information—called “fullz” by those searching for “full credentials”—that are available for sale on nearly 50 different Dark Web marketplaces, finding that Japan, the UAE, and EU countries have the most expensive identities available at an average price of $25.

The report also said the prices for stolen credit card numbers range from just 11 cents to nearly $1,000. There were similarly huge price swings for stolen PayPal account data, which cost anywhere between $5 and $1,767, Comparitech researchers found, adding that the prices for accounts based in the US or UK were cheapest because they represented most of what was available.

The average price of a US PayPal account was just $1.50 and $2.50 for UK accounts, but the buyers could end up making a sizable profit. According to the report’s calculations, the low prices were in stark contrast to the median credit limits or account balances available with these stolen cards or hacked accounts.

“After a data breach or successful phishing campaign, much of the stolen personal information is sold on black markets. Many such marketplaces reside on the dark web. The median credit limit on a stolen credit card is 24 times the price of the card. The median account balance of a hacked PayPal account is 32 times the price on the dark web,” Comparitech’s Paul Bischoff wrote.

“Social Security numbers and other national ID numbers are for sale on the dark web but aren’t particularly useful to cybercriminals on their own. They are usually accompanied by other personal information, including a person’s name, date of birth, address, phone number, account numbers, and other personal information that cybercriminals use for identity fraud, including opening up new lines of credit in the victim’s name, taking over accounts, and withdrawing from banks, among other crimes.”


The report explains that the stolen credentials vary in terms of the information provided. Some had Social Security numbers, names and addresses while other more extensive packages came with utility bills, statements from a bank account or a driver’s license number.

The report said that some packages came with photos of a person or photos of passports and driver’s licenses. Bischoff notes that certain information, like credit card numbers, is sold in bulk packages generally resulting from some kind of breach or attack.

“They might all have been collected from a single data breach, for example, or from the same card skimmer placed on a gasoline pump,” Bischoff wrote.

After the EU, Japan and the UAE, the average price of stolen credentials was above $20 per record in Colombia, New Zealand, and Mexico. Turkey, Israel, China, Singapore, Canada, and Australia all had averages of either $14 or $15.

The US unfortunately leads the way in a number of categories listed in the report. More than one third of all the stolen credit cards the researchers found on the Dark Web sites came from the US and no other country came close.

The wide availability of stolen US credit card accounts meant they generally cost less on average than those from most countries. At the top of the list are the countries that make up the European Union, which averaged $8 per account.

Australia, Mexico, New Zealand, the UAE and Japan were all at $7.

“Black market vendors have a strong incentive to keep their customers happy. Reputation and positive feedback play a huge role in a vendor’s success, and many customers are willing to pay a premium for goods and services they know they can rely on. One listing, for example, listed a PayPal account for $811,” Bischoff added.

“The vendor promised the balance on the account would be €5000 +/- €200 with a 48-hour replacement guarantee in case of chargebacks. The customer can request a date and time that the account be handed over. If an account with the full amount is not available, the vendor will split it into separate transactions. I wish my bank had that kind of customer service.”

Cybersecurity experts attributed some of the report’s findings to how different countries and regions were legislating data privacy. Chloé Messdaghi, vice president of strategy at Point3 Security, noted that the three countries with the highest credential prices were all, in some way, “taking extra steps to make sure all companies are adhering to some sort of data privacy and protection.”

“I find it really fascinating that in the US, we have the cheapest fullz at about $8/record,” Messdaghi said, adding that the EU and Japan were prioritizing more robust data privacy laws to limit, or at least penalize organizations for, the kind of breaches that led to credentials being available widely.

“In the US, we don’t put it as high up on the priority list as they do, and this research clearly shows that. Companies–and consumers–need to do better at privacy. We need better regulation, better legislation. And, really, we need more overall awareness of our digital footprint. Close accounts you don’t or won’t use. Delete payment info. Reset passwords to be more than 20 characters. It’s easier to prevent a fire than to put one out.”

The report suggests that there is “not much an end user can do about data breaches except to register fewer accounts and minimize your digital footprint.”

The price ranges make it likely that attacks on major institutions will continue, said Timothy Chiu, vice president of marketing at K2 Cyber Security. While everyone needs to do a better job of protecting themselves individually, it has become considerably more important that enterprises do their part in protecting the data they take from users.

The pandemic has forced almost every organization to operate online in some capacity and there has been a corresponding increase in attackers exploiting vulnerabilities found in web applications.

A Radware survey of 2020 released last month found that of 205 IT security decision-makers, 98% said their apps were subject to an attack in 2020. Another report from CDNetworks found an 800% increase in web application attacks in the first six months of 2020.

“Organizations that offer internet-facing applications need to improve their security for their applications to prevent data breaches,” Chiu said.

“Even NIST, the governmental body that sets the Security and Privacy Framework for the federal government, has increased their guidance for application security, including both RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing), as requirements in the latest framework, SP800-53 Revision 5, that was just released in September of 2020.”

Saryu Nayyar, CEO of Gurucul, called for more regular reviews, updates, and the deployment of the best available security solutions, including security analytics. Law enforcement also needed to step up its efforts to disrupt cybercrime rings on a more frequent basis, Nayyar added.

But what stood out most to her was the way this sort of cybercrime had become professionalized to a worrying extent.

“Comparitech’s research findings is another highlight of how commoditized cybercrime has become. The price of stolen credentials follows the rules of supply and demand, while criminal actors are concerned with their reputations to the point where they provide guaranteed customer satisfaction,” said Nayyar.

“This, if nothing else, highlights that Crime has become a Business and is doing quite well on the Dark Web.”
