Stolen credit card data worth about £13 on dark web, PayPal worth more

The value of stolen credit card data on an underground dark web marketplace has dropped by about a quarter during 2021, according to new data released by researchers at Comparitech, while the value of a hacked PayPal account has nearly trebled over the same period.

Comparitech’s researchers sifted through 13 dark web markets to collate their new dataset, and found that stolen credit card data fetched an average of $17.36 (£12.61/€14.69) or about $0.00033 per dollar of credit limit. Prices in all cases tended to correlate to credit limits or account balances, in the case of PayPal accounts.

Actual physically cloned credit cards traded for far more money, around $171 on average, or $0.0575 per dollar of credit limit. Compromised PayPal accounts – clearly in high demand in the cyber criminal underground – can be obtained for $197 on average, or 9.2 cents for every dollar in the account balance.

“Credit cards can be sold as physical or digital items on the dark web,” said Comparitech’s Paul Bischoff. “Credit card details used for online fraud are cheaper and can be sent in a text message. Physical cards are usually cloned from details stolen online, but can be used to withdraw from ATMs. Because the merchant requires equipment to clone the card and must send the buyer a physical product complete with PIN number, the price for cloned cards is much higher.”

The most valuable credit cards to cyber criminals tend to be MasterCard products, worth 6.47 cents per dollar, followed by Discover, worth 6.27 cents per dollar, and Visa, worth 5.75 cents per dollar. American Express products are worth less, 5.13 cents per dollar, presumably reflecting their often limited acceptability among merchants.

But brand is just one of many considerations affecting price, said Bischoff, with other factors affecting price including the expiry date – for fairly obvious reasons, newer cards are more popular – the credit limit, whether or not the card verification value (CVV) number or ATM PIN is included, the cardholder’s location and whether or not it comes with other personal data (known as “fullz” in the trade).

Stolen credit cards are either cashed out or used to make purchases that can be resold. In the past, they were more frequently used to buy less traceable forms of money, usually cryptocurrency or gift cards, but this is seen less often now, said Bischoff, partly because anti-fraud protections, such as Verified by Visa or MasterCard’s SecureCode feature, have greatly restricted where stolen cards can be used.

This has possibly had some influence on the spike in the value of PayPal accounts over the past 18 months or so, but there are other reasons why PayPal accounts are so sought after, said Bischoff: “They can be accessed from anywhere with a web browser; they usually have existing balances; it’s easy to send money on PayPal; it’s a common form of payment; and many merchants accept it.”

The process of taking over a PayPal account is somewhat different from stealing credit card data, with the vital information being in the form of usernames and passwords, rather than card and CVV numbers. This means that those who obtain them will often have done so through phishing or malware attacks.

The credentials can then be sold on to a buyer who can drain existing funds, make purchases, make transfers from other compromised bank accounts or credit cards, or request money from contacts in the guise of the account’s legitimate holder.