What would be the price of a stolen credit card with an already verified balance, and based on what factors would the sellers come up with the price range? Depends on who you're buying the goods from. Continuing the discussion on the Underground Economy's Supply of Goods, the service I'll comment on in this post is among the countless number of others offering stolen credit card numbers, however, in this one we have a great example of price discrimination compared to the majority of other propositions, emphasizing on a volume basis propositions - the more you buy the cheaper it gets.
Let's go through this proposition differentiating itself on the basis of the balance available on a per bank basis :
- Bank Of America/Between 2k - 50k/400$
- WellsFargo/Between 4k - 40k/300$
- Chase Bank/Between 2k - 30k/250$
- Citibank/Between 9k - 70k/300$
- Wachovia/Between 2k - 18k/275$
- Barclays/Any Balance/400$
- HSBC/Between 30k - 312k/400$ up to 100k=600$
- Halifax/Between 20k 180k/450$
- Nationwide/Between 15k - 230k/450$
- Lloyds TSB/Between 10k - 400k/600$
How they come up with these prices remains a subject to speculation, what's important to point out is that in between the price discrimination used here on a good that in reality is a commodity good, is that they're cashing-in on the high profit margins since when investing the time and efforts into stealing these credit card numbers though banker malware infected PCs, they weren't even aware of what their ROI would be, consequently any price set would be a profitable price outpacing the investments they've made into obtaining the accounting data.
We can also theoretically have the same seller making propositions on a volume basis, operating another site this time targeting different marketing segment, where the site itself would have also been advertised to reach that very segment. What he's enjoying is the overall lack of market transparency and the fact that it's not a daily practice for someone to come across sites selling stolen credit card details, which is where the first proposition would take place. The second, the one on a volume basis, would be targeting the experienced identity thieves who never even consider spending so much money on a good that they come across to, and have good understanding of the market, thus, know where to find bargain deals for it.
Who's supplying the bargain deals anyway, and how are the bargain deals affecting the behavior of the experienced sellers in the market? New market entrants that suddenly managed to get hold of huge amounts of stolen credit cards, consciously or subconsciously introduce penetration pricing in the market. Basically, they are aware of several services and they prices they charge for the goods offered, so on the basis of these prices they start to on purposely undercutting them in order to achieve the necessary growth during the introduction period.
With the ever decreasing cost required to conduct cybercrime, any investment made would automatically result in a positive return on investment. Moreover, for the time being, there's no way we can even consider talking about the average price for a stolen credit card number, as everyone is playing by their own rules, with only a few exceptions using basic market principles. So if you even come across an article or a report stating that the price of a certain good is the specific amount of money pointed out, don't take the number of granted, as this is just one of the many such servics and propositons the researchers came across to, not the average.
Ironically, just like you have publicly available backdoored versions of Mpack and Icepack aiming to trick the average script kiddies into providing those who backdoored the kits with the opportunity to hijack their successful campaigns, that's of course next to the backdoored phishing pages released in the very same fashion, we also have scammers trying to scam other scammers by pitching the stolen credit cards and never "delivering the goods".
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Tuesday, June 03, 2008
Price Discrimination in the Market for Stolen Credit Cards
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment