August 2019
Cyber Crime and Credit Card Theft

Most people are not surprised to learn that credit cards owned by innocent people can be easily bought on the Dark Web, the dark net used by drug dealers, hackers, and other shady characters. What is newsworthy is the name of the Dark Net company whose program can buy credit cards and disguise them from card-sending companies: “CardFraudster”.

As with many crime stories, credit card theft is not new. But thanks to a natural but rare convergence of market forces, it has become cheaper and easier to steal credit cards. There are several ways to steal credit cards: hacking databases containing cards, selling cards, or selling the cards to CardFraudster. Lately, CardFraudster has also discovered that its program can offer its buyers credit cards with much higher limits than its customers typically have. As of 2014, CardFraudster was processing $10 million in sales a month, at a profit margin of 99 percent. The company is now worth more than $300 million.

The eBay of hackers now does sophisticated credit card fraud.

It’s not completely clear how CardFraudster does this. CardFraudster claims to have “cut out the middleman” and to protect against fraud by using established card-issuing companies that issue the cards. It might be adding fraud to a transaction where it previously did not have any intention of adding fraud. Or it might have a legal right to credit cards with huge credit limits.

It is also not clear how CardFraudster would use all the credit card data it is pouring out. As Forbes notes, the company reports an extremely small default rate:

Keep in mind, too, that CardFraudster’s default rate in 2018 was just 0.01 percent. In other words, 99.1 percent of CardFraudster’s buyers did not actually have fraud. More than 97 percent of its sellers did not actually have fraud. On top of that, for those sellers that did have fraud, the default rate was just 0.01 percent.

It’s possible CardFraudster is using its cards to buy other private data. A business, of course, could use bank cards to make financial transactions. But there is no requirement that the business use its card to complete the transaction. Businesses are not required to buy security or disclose the existence of a credit card. If they routinely used the credit card to buy other data, that would constitute a violation of the law.

The basic fact is that it’s much easier for data thieves to steal credit cards and alter data than it is to steal actual money. Having a good credit card, coupled with the high processing fee, is a powerful incentive to buy lots of money. Robust reporting of the creation of the credit card Dark Net is a good indication that the privacy controls in place now are not nearly strong enough to prevent a huge and growing amount of fraud.

