What Happens to the Stolen Data?
Okay, now you know how large volumes of data are stolen from large organizations. What does the thief do with all these stolen records?
In the case of most ID-related data theft, the thief doesn’t do anything with the stolen data. Not himself, anyway. How the thief makes money is by selling the stolen data to other parties, who then use it however they deem fit—typically for purposes of ID fraud.
How does a data thief sell his stolen data? There are a number of different ways. Perhaps the most common is to use an underground economy server—a website devoted to the illicit trading of stolen data, including credit cards, debit cards, user names, passwords and PINs, and even Social Security numbers.
The people who frequent these sites comprise an underground of thieves, fraudsters, and other low-lifes who trade information for money. These sites have a language of their own (and it’s typically not the Queen’s English), where a “dump” is a credit card number and a “cob” is a brand new credit card account where the billing address can be changed via a pilfered PIN. On most of these sites, a piece of personal information typically goes for between $1 and $20, depending on the quality and quantity of data available.
Most of these black market sites are based in Russia or other countries in the former Soviet Union, which makes them difficult to police. Eastern Europe represents a kind of Wild West of data theft, where anything goes—and everything goes for a price.
That price is not negotiated on the website, however; that would be too easy for authorities to track. Instead, the dealmakers move off the web onto ICQ, the black market’s instant messaging program of choice. (That’s because of its almost-total anonymity—no registration required.) Payments change hands via an electronic currency such as e-gold or WMZs.
A lower-level ID fraudster can buy a piece of information and with surprising ease make double or triple his investment by using it to make unauthorized purchases on the stolen card. The fraudster first changes the billing address so that the merchandise is delivered to him, not the original cardholder. After it is received, the merchandise is typically fenced on the black market for pennies on the dollar.
Alternately, some thieves provide “cash out” services, where a stolen credit or debit card (and pilfered PIN) is used at an ATM to withdraw cash, up to the daily allowable maximum. Daily withdrawals are made until the account is depleted. (Because there’s a risk that the person doing the withdrawal could be arrested, these services typically command a premium.)
The sad fact about this sort of black market data trading is that it’s a relatively safe crime for the criminals. The perpetrators are hard to track and catch, the crime itself is difficult to prosecute, and there’s little if any violence involved in the profession; most of the criminals operate from the safety of their living rooms. According to the FTC, only about 5% of these cybercriminals are ever brought to justice.