Here's what your stolen identity is selling for on the dark web
You may be surprised, or insulted, or enraged, to find out.
/arc-anglerfish-arc2-prod-pmn.s3.amazonaws.com/public/LJBQLKK3LRCR5NLXBM73HXWFCE.jpg)
How much is your personal data worth to you? A lot. (Thanks, Equifax.) And how much is it worth to an identity thief?
You may be surprised, or insulted, or enraged, to find out.
Verified high-limit credit cards from countries including the U.S., Japan, and South Korea are selling on the dark web for the bitcoin equivalent of about $10 to $20, according to an annual report on cybercrime by Secureworks, a unit of Dell Inc.
The dark web is "the collection of internet forums, digital shop fronts, and chat rooms that cybercriminals use to form alliances, trade tools and techniques, and sell compromised data that can include banking details, personally identifiable information, and other content," as Secureworks defines it.
Verified means the seller has tested transactions on the card and found it has not yet been canceled. For scammers on a budget, there is unverified stolen credit card data, which comes out to pennies a card when bought in bulk.
Credit cards generally are not selling any more cheaply on the dark web these days, said Alex Tilley, a senior security researcher on Secureworks' counterthreat unit research team. But buyers are more likely to get higher-quality cards today, ones with sizable limits and suitable properties for fraud. It isn't as hit-or-miss as it used to be — a welcome change for criminals, chilling news for most of us.
Business credit cards are in favor, since they sometimes have no limit on spending, Tilley said. Those and high-end personal cards — say, a Platinum American Express that has been verified and has an 85 percent rating (judged by the seller to have an 85 percent chance of being successfully used in a fraud) — will sell for $15 to $20. A regular Mastercard that does not have a big limit might go for $9.
But there is more. An underground hacker market inexplicably called Trump's Dumps is selling full identities of individuals just like you for as little as $10 apiece. They're called fullz, "dossiers that provide enough financial, geographic, and biographical information on a victim to facilitate identity theft or other impersonation-based fraud," the report explains. Fullz can help a criminal get past those irritating "secret questions" that sites ask to verify your identity.
Recently, Secureworks' researchers have seen more offers of bulk preverified card details, along with more identifying information about the owners. In some cases, offers even include the cardholder's mother's maiden name. Still, they cost just $10 to $12.
In fact, the prices Secureworks cites for these examples of personal data are lower than what fraudsters have been willing to pay for documents like W-2s, which can be used to file false tax returns. Tax-filing data, which don't expire, can go for about $40 to $50, according to a report from IBM's security research group, known as the IBM X-Force, published earlier this year.
No piece of personal information is innocuous, Tilley said. Criminals will amass bits of data on people, waiting until they have enough that their fraud attempt is likely to succeed.
"Everything is valuable," he said. One bit of information "could be the last piece of a puzzle someone needed to take out a loan in your name. You don't know how far along criminals are until it's too late."
Credit monitoring and freezes could be the only hope of protecting yourself, Tilley said. "The problem is that you put a lot of trust in the third-party companies that hold your data, and that's a little out of your control."
Tell us about it.