The Nine Lives of a Stolen Payment Card

Writer Li B.
October 08, 2018

Li is an Analyst at Terbium Labs. When she is not lurking on the dark web and putting everything into spreadsheets, she can be found cooking and baking, monkey wrangling, or taking naps.

Banks today are all too familiar with the perils of payment card fraud, which has reached a 20-year high. In most cases of a fraudulent charge, the bank will absorb the cost or recoup it from the merchant, close out the impacted payment card, issue a new card, and call it a day. Financial institutions, having closed the compromised card, carry on under the assumption that the account is now secure and the risk is mitigated. What if that’s not the case? It turns out that the risk does not always stop — or start — with the compromised card.

Dark web marketplaces regularly advertise listings for “fullz,” a term fraudsters use to describe a full package of an individual’s personal data. These fullz, usually advertised along the lines of “Fresh Fullz” to denote that the information is new to market, usually contain payment card data (e.g. card number, PIN, CVV, expiration date), cardholder details, and other personal data (e.g. Social Security number, mother’s maiden name, or answers to security questions). The fresher the fullz, the more likely the payment card data will yield a payout, since banks usually don’t cancel cards until after fraudulent charges appear (something we’re working hard to change).

Terbium Labs recently identified listings on four major dark web markets for so-called “Dead Fullz”. Dead fullz contain the same information as a regular fullz, with one key difference: the payment card accounts are already “dead,” or closed. (Note that “dead” does not refer to a deceased person, just the dead card.) These listings are inexpensive, going for as little as $1 per fullz, since the accounts are already closed; fraudsters cannot quickly cash out on payment cards as they could with traditional fresh fullz. The dead fullz listings include a wide range of data, perhaps to compensate for the inactive card, and at least one listing claims to include credentials for payment accounts.


Fraud is not necessarily over once a compromised card is closed or “dead”. For example, with the other information from a fullz, a fraudster could attempt to steal the victim’s identity or use components of a dead fullz to create a synthetic identity. Similar to infant fullz, dead fullz contain a plethora of personal information that could be useful to a fraudster in creating a synthetic identity. Synthetic identities contain combinations of legitimate personal information from both real identities and fabricated data, and can be used to commit a wide range of fraud. Additionally, since people have a tendency to reuse PINs and passwords across accounts and answer similar security questions — all of which are data types included in typical fullz — fraudsters can exploit this information to access other accounts.

Data is sold and resold on the dark web. Fraudsters can exploit the same identities for years. In a world of unavoidable exposure and ongoing compromise, organizations must monitor sensitive information constantly, regardless of when they anticipate breaches or data compromise might occur. For financial institutions, simply cancelling a card and issuing a new one will only prevent fraudulent charges on that specific payment card. A canceled card does nothing to stop future fraudulent activity stemming from other compromised cardholder information. To tackle the problem of systemic fraudulent activity, we must take a more holistic and proactive view of the fraud ecosystem. Just because a card is dead doesn’t mean the risk of fraud is gone.
