Researchers monitoring activity on underground markets found that more than 460,000 payment card records were offered for sale in two days on a popular forum where such data is traded. The card info is split into four databases sold separately and offered in two rounds, on October 28 and November 27. Eighty-five to 90% of the cards were valid, and all came with the CVV (card verification value) numbers that are necessary for card-not-present transactions like online shopping.
For about $1 per card, bad actors can buy stolen credit or debit card details to use for online purchases. The data includes valid expiration dates and card verification values (CVV codes), both of which are required for successful transactions through ecommerce sites.
This lot of 460,000 card details was most likely stolen or exfiltrated through an online attack, because most point-of-sale devices and kiosks do not ask for, or collect, CVV codes and expiration dates.
Every organization that accepts payment cards for online purchases should be concerned about its ability to secure payment card details entered through its website. If it is not protecting payment card details at their earliest point of entry, then stolen data will continue to appear for sale on the dark web.
Organizations need to tokenize or encrypt the data, or refuse to collect it. There are no other options to reduce the chances of data theft happening within their control.