Banks today are all too familiar with the perils of payment card fraud, which has reached a 20-year high. In most cases of a fraudulent charge, the bank will absorb the cost or recoup it from the merchant, close out the impacted payment card, issue a new card, and call it a day. Financial institutions, having closed the compromised card, carry on under the assumption that the account is now secure and the risk is mitigated. What if that’s not the case? It turns out that the risk does not always stop — or start — with the compromised card.
Dark web marketplaces regularly advertise listings for “fullz,” a term fraudsters use to describe a full package of an individual’s personal data. These fullz, usually advertised along the lines of “Fresh Fullz” to denote that the information is new to market, typically contain payment card data (e.g. card number, PIN, CVV, expiration date), cardholder details, and other personal data (e.g. Social Security number, mother’s maiden name, or answers to security questions). The fresher the fullz, the more likely the payment card data will yield a payout, since banks usually don’t cancel cards until after fraudulent charges appear (something we’re working hard to change).
Terbium Labs recently identified listings on four major dark web markets for so-called “Dead Fullz”. Dead fullz contain the same information as a regular fullz, with one key difference: the payment card accounts are already “dead,” or closed. (Note that “dead” does not refer to a deceased person, just the dead card.) These listings are inexpensive, going for as little as $1 per fullz, since the accounts are already closed; fraudsters cannot quickly cash out on payment cards as they could with traditional fresh fullz. The dead fullz listings include a wide range of data, perhaps to compensate for the inactive card, and at least one listing claims to include credentials for payment accounts.
Fraud is not necessarily over once a compromised card is closed or “dead”. For example, with the other information from a fullz, a fraudster could attempt to steal the victim’s identity or use components of a dead fullz to create a synthetic identity. Similar to infant fullz, dead fullz contain a plethora of personal information that could be useful to a fraudster in creating a synthetic identity. Synthetic identities contain combinations of legitimate personal information from both real identities and fabricated data, and can be used to commit a wide range of fraud. Additionally, since people have a tendency to reuse PINs and passwords across accounts and answer similar security questions — all of which are data types included in typical fullz — fraudsters can exploit this information to access other accounts.
Data is sold and resold on the dark web. Fraudsters can exploit the same identities for years. In a world of unavoidable exposure and ongoing compromise, organizations must monitor sensitive information constantly, regardless of when they anticipate breaches or data compromise might occur. For financial institutions, simply cancelling a card and issuing a new one will only prevent fraudulent charges on that specific payment card. A cancelled card does nothing to stop future fraudulent activity stemming from other compromised cardholder information. To tackle the problem of systemic fraudulent activity, we must take a more holistic and proactive view of the fraud ecosystem. Just because a card is dead doesn’t mean the risk of fraud is gone.