
Australian bank card details found for sale on the dark web

Almost half a million Australian payment cards have been found for sale on the dark web, according to VPN service provider NordVPN.

Thu, 02 Dec 2021

New data from NordVPN has revealed more than 4.47 million payment cards belonging to individuals across 140 countries had been found by independent cyber security researchers for sale on the internet.

Australia has been identified as the second most affected country with 419,806 cards, second only to the United States, which had the majority with 1,561,739 cards.

The NordVPN data revealed that Aussie card details were up for grabs on the dark web, selling for between $1.40 and $26, with about 80 per cent of the card details for sale being identified as debit cards, which generally have a lower level of protection than credit cards. The most stolen card details were from Visa with almost 220,000 for sale, followed by MasterCard with 192,000 affected and American Express with 9,000.

In addition to the data, NordVPN’s key findings show that:

  • An average hacked payment card’s data costs less than $10, and hackers have millions of these ready to sell;
  • Turkey had less than half the cards per capita that the US has, but the high proportion of non-refundable cards gives Turkey a higher risk index;
  • The risk index is based on one card per person, so the more cards you have, the more likely it is that one of them could be hacked! This is particularly a problem in the US, where there are more cards in circulation per person, but it is also something that Europeans need to be aware of.

Hackers have discovered a way to find card numbers without breaking into a database, and there’s also a booming underground black market for them.

Researchers at NordVPN’s Cybersecurity and Privacy Research Lab analysed statistical data that was collated by independent researchers from dark web markets and found that most of the card numbers sold on the dark web are brute-forced.

The attackers are able to pull this off because the digits on most cards follow a fixed pattern and can be deduced. For instance, the first couple of digits indicate the financial service provider, while the 16th is a checksum, and so on. The CVV is made up of three digits, which also helps with the guesswork.

Brute forcing is a little bit like guessing. Think of a computer trying to guess your password. First it tries 000000, then 000001, then 000002 and so on until it gets it right. Being a computer, it can make thousands of guesses a second. Most systems limit the number of guesses you can make in a short space of time to prevent these kinds of attacks, but there are ways to get around this. After all, the attackers don’t target specific individuals or specific cards. The aim is to guess any viable card details that work and can be sold.

Researchers at Newcastle University estimate that an attack like this could take as little as six seconds, which means clever hackers can significantly cut down how many numbers they need to guess and check to find your payment card number.

Unfortunately, there is little users can do to protect themselves from this threat short of abstaining from card use entirely, but it is important for users to stay vigilant by reviewing monthly statements for suspicious activity and responding quickly and seriously to any bank notices that indicate payment cards may have been used in an unauthorised manner.
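
As an added illustration (not from NordVPN or the original article), the sketch below shows the check digit mentioned above and the kind of per-card guess limit the article refers to, run over a constructed authorisation log. The function names, log format and thresholds are assumptions.

```python
from collections import defaultdict, deque

def luhn_valid(pan: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Constructed sample log: (epoch seconds, card number, outcome).
# The numbers are published test card numbers, not real accounts.
SAMPLE_LOG = [
    (1000, "4111111111111111", "declined"),
    (1005, "4111111111111111", "declined"),
    (1011, "4111111111111111", "declined"),
    (1018, "4111111111111111", "declined"),
    (1024, "4111111111111111", "declined"),
    (1003, "4111111111111112", "declined"),   # wrong check digit
    (1002, "5555555555554444", "declined"),
    (2000, "5555555555554444", "declined"),
    (3000, "5555555555554444", "declined"),
    (4000, "5555555555554444", "declined"),
    (4100, "5555555555554444", "approved"),
]

def flag_guessing(events, max_declines=3, window=60):
    """Return cards with more than max_declines declines inside window seconds."""
    recent = defaultdict(deque)   # card number -> timestamps of recent declines
    flagged = set()
    for ts, pan, outcome in sorted(events):
        # Numbers failing the check digit are rejected before any limit applies.
        if outcome != "declined" or not luhn_valid(pan):
            continue
        q = recent[pan]
        q.append(ts)
        while ts - q[0] > window:  # drop declines that fell out of the window
            q.popleft()
        if len(q) > max_declines:
            flagged.add(pan)
    return flagged

if __name__ == "__main__":
    print(flag_guessing(SAMPLE_LOG))
```

Counting declines per card rather than per visitor means the limit still applies when the guesses arrive from different sources.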
