From Breach to Fraud: The Compromised Payment Card Lifecycle

Posted: 27th April 2022

It’s happened to almost everyone. One day we check our bank statement or receive an alert and scratch our head thinking “Hmm, that’s odd. I don’t remember making that purchase.” Unfortunately, the truth is that we became a fraud victim long before that purchase was made, as our card was probably compromised days, weeks, or even months before.

To say the least, it’s a pain to be a victim of card fraud. Think of the time spent speaking with customer service, waiting for your card to be reissued, and renewing your subscriptions with new payment information. As consumers, we are inconvenienced, but we typically just end up with a new card and rarely, if ever, lose any money. The same cannot be said for banks, which have much more at stake.

Some financial institutions have over one million compromised cards, and each compromised card carries liability should it be used for fraudulent purchases. It’s not just the cost of refunding fraudulent transactions that’s daunting for the bank; its reputation is also compromised. When a bank customer experiences fraud and goes through the process of dealing with customer support and obtaining a new card, they lose confidence in the bank. Additionally, while customers are waiting for a new card, they’re no longer using it for purchases, which could result in the loss of top-of-wallet status. Investigating fraudulent transactions is also a costly process for the bank, impacting the bottom line. 

How do fraudsters steal card data and monetize it? Below we break down each step of the compromised payment card lifecycle, and identify actions you can take to prevent fraudulent transactions from occurring in the first place.

Compromised Payment Card Lifecycle

Magecart Infection

Before we get into the compromised payment card lifecycle, we must begin with how fraudsters infect merchants. Magecart is the leading cause of Card Not Present (CNP) payment card data theft, and criminals are leveraging a number of nefarious and increasingly sophisticated methods for injecting e-commerce sites with these e-skimmers. For example, they may weaponize Google Tag Manager containers, hide scripts within SVG elements, or attempt to trick consumers with fake iFrames.

With the range of e-commerce solutions now available, it’s relatively easy to open an online store, resulting in thousands of e-commerce sites. Most of them are focused on selling products and not on securing their customers’ data, and it’s these minimally protected stores that are most vulnerable to criminals. Popular targets include men’s and women’s boutique clothing stores and specialty stores such as vape shops and stores selling guns and ammunition. Additionally, merchants are often quietly compromised for long periods of time without being aware of it. According to research from Recorded Future, merchants in the US are infected for 191 days on average, and merchants outside the US are compromised for an average of 161 days.

The Compromised Transaction

Most methods used to steal card data have little to no impact on the customer experience, leaving customers unaware of whether their card was compromised. Since 2017, e-skimming to steal payment information from CNP transactions has increased, with the pandemic serving as an inflection point when CNP card data became more in demand and more expensive than Card Present (CP) data. To proactively combat the risk of stolen cards, financial institutions can gain visibility into compromises on e-commerce sites by leveraging tools that scan for active Magecart infections.

Card Shops on the Dark Web

Stolen cards are often posted on payment card shops on the dark web, which operate much like other online businesses – except that the vast majority of these illicit sites are not even selling real data. Most are selling fake card data that was randomly generated to look real, and to waste the time of financial institutions, law enforcement agencies, and researchers attempting to comb the dark web for compromised card assets. However, there are a number of legitimate top-tier card shops, and their profits are enticingly high for cybercriminals, with the largest shops netting $79 million in annual profit in 2021. 

For consumers and financial institutions, a key fact to understand at this point in the compromised payment card lifecycle is that a card being stolen and offered for sale on the dark web doesn’t mean we should expect to see fraud just yet. The more important detail is knowing when the card is sold on the dark web.

Sold Cards

The moment cards are sold on the dark web is when alarms should be going off at the card-issuing banks. Our data consistently shows compromised cards purchased on the dark web are often used for fraudulent transactions within three to four days of purchase. However, there is often one last step fraudsters like to take before attempting to monetize stolen cards.

Card Validity Tested Using Tester Merchant

Often the last indicator before a card is used for a fraudulent transaction is that the criminal will use a dark web checker service to verify card validity. No fraudster wants to be swindled, so card shops often offer money-back guarantees. After a card is purchased, the buyer typically has anywhere from five minutes to three hours to test the card for validity using a card “checker”, which is typically provided on the card shop site. There are many different checker services available, including those that conduct a small transaction or those that attempt to link a card to an online account in order to achieve a pre-authorization request on the card. Some checkers offer additional services, such as telling you whether the card is linked to a PayPal account. Most checkers charge $0.20 to $0.30 per card. Criminals looking to save a penny can always check cards manually for free, namely by trying to add them to a digital wallet account. Once the fraudster determines the card is still valid, we can say with a very high degree of confidence that they’re about to use it for a fraudulent transaction.
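The timing signals from the “Sold Cards” and checker sections above can be combined into an issuer-side triage rule. The following is an added example, not Recorded Future’s code: the event names (`intel_listed`, `intel_sold`, `preauth`, `wallet_add`), the $1.00 small-authorization ceiling, and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Windows taken from the article: a buyer has five minutes to three hours to
# test a purchased card, and fraud often follows within three to four days.
CHECK_WINDOW = timedelta(hours=3)
FRAUD_WINDOW = timedelta(days=4)
SMALL_AUTH = 1.00  # assumption: ceiling for a checker-style "small transaction"
CHECKER_KINDS = {"preauth", "wallet_add"}  # hypothetical event names

def lifecycle_stage(events, now):
    """Return (stage, urgent) for one card from its event history."""
    listed = False
    sold_at = None
    tested = False
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["kind"]
        if kind == "intel_listed":
            listed = True
        elif kind == "intel_sold":
            sold_at = ev["ts"]
        elif sold_at is not None and ev["ts"] - sold_at <= CHECK_WINDOW:
            # Only activity inside the post-sale test window counts as a check.
            small = kind == "auth" and ev.get("amount", 0.0) <= SMALL_AUTH
            tested = tested or small or kind in CHECKER_KINDS
    if sold_at is None:
        return ("listed" if listed else "clean", False)
    if tested:
        return ("validated", True)  # checker-like activity right after the sale
    return ("sold", now - sold_at <= FRAUD_WINDOW)

# Constructed sample data, not real card activity.
T0 = datetime(2022, 4, 1, 12, 0)
LISTED_ONLY = [{"ts": T0, "kind": "intel_listed"}]
SOLD_THEN_TESTED = [
    {"ts": T0, "kind": "intel_listed"},
    {"ts": T0 + timedelta(days=9), "kind": "intel_sold"},
    {"ts": T0 + timedelta(days=9, minutes=40), "kind": "auth", "amount": 0.25},
]
SOLD_NORMAL_USE = [
    {"ts": T0, "kind": "intel_sold"},
    {"ts": T0 + timedelta(days=2), "kind": "auth", "amount": 0.99},
]

if __name__ == "__main__":
    now = T0 + timedelta(days=10)
    for name, evs in [("listed", LISTED_ONLY), ("tested", SOLD_THEN_TESTED),
                      ("normal", SOLD_NORMAL_USE)]:
        print(name, lifecycle_stage(evs, now))
```

A small purchase two days after the sale (`SOLD_NORMAL_USE`) is not treated as a checker hit, because it falls outside the three-hour test window; the card still stays in the `sold` stage.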

Fraudulent Transaction Placed

Once a criminal has purchased the compromised cards, it becomes a question of monetizing them. One popular method is to use a stolen card to purchase gift cards from legitimate stores and then use those gift cards to purchase goods – a layered approach that helps criminals evade detection. Some criminals are savvy and try to hide their footprints while others attempt to get away with as much as possible before the bank catches on and blocks the card. For example, Recorded Future observed a compromised card used for a large order at a fast-food restaurant. Apparently, attempting to make fraudulent transactions can make some criminals very hungry. 

Account Takeover Attempted

Besides using stolen cards to make fraudulent transactions, a popular strategy is to attempt to gain access to the cardholder's online banking account using additional PII that came with the purchase of the card on the dark web. Given tricky social engineering tactics, call centers and customer support personnel need to be a key component of defending against fraud. 

Preventing Fraudulent Transactions

Financial institutions typically take a reactive approach to mitigating card fraud, waiting until fraudulent purchases have taken place and then attempting to limit their losses. With Card Fraud Intelligence from Recorded Future, financial institutions can capture valuable data fragments from compromised cards in the cyber underground. With a high degree of confidence, they can take a proactive approach to blocking fraudulent transactions before they occur. 

Join us for a webinar on April 26th, “Credit Card Fraud: What the Dark Web Fraudsters Don’t Want You to Know” as we dive into the murky underground of credit card fraud, break down how it works, and discuss how intelligence can help you save millions of dollars.