Much has been written over the years about the seemingly unending succession of data breaches involving credit card and other personal payment data. But little is known about the so-called dark Web, the sites where these data thieves set up shop to sell what they’ve pilfered. It turns out these markets are exemplars of free-market capitalism, with prices varying widely not only by type of credential but also by country, according to data released Wednesday by Comparitech, a United Kingdom-based researcher that looked at more than 40 illicit online bazaars between Dec. 18 and Jan. 15.
So-called fullz, in the argot of the dark Web—a Social Security or other national ID number accompanied by credentials such as name, date of birth, and an address or phone number—sells for $8 per record on average if the place of origin is the United States. That’s six bucks cheaper than the next cheapest country, the United Kingdom. The most expensive fullz comes from the United Arab Emirates, Japan, and Europe, all of which average $25 apiece.
But no credential sells more widely than credit card data, and here too the price range is wide, with some cards going for as little as 11 cents and others for as much as $986, Comparitech found. Likewise with PayPal accounts, which are second only to credit cards in volume on these sites. Here, prices range from $5 all the way up to $1,767.
The wide variance in prices, in particular, surprised Paul Bischoff, the report‘s author. “We originally set out to get an ‘average’ price of credit cards and PayPal accounts, for example, but that soon proved impractical,” he says by email. “Both credit cards and PayPal accounts range from a few cents to hundreds of dollars.”
The country where the data came from and the amount of information associated with the card are factors that determine price. The United States accounts for two-thirds of all stolen cards, the Comparitech report says, citing cybersecurity firm Sixgill, and that quantity depresses the price the cards can command. U.S. cards go for an average of $1.50, with the next-lowest price, $2.50, attached to U.K. cards. The most expensive cards come from the European Union, at $8 on average, followed by Japan, Australia, and New Zealand, at $7.
Besides quantity, the range of data associated with the card also determines price. Since nearly all stolen cards are used for online transactions, data that doesn’t include such information as name, card verification value, postal code, and expiration date are close to worthless—but not quite. Pilfered cards can still be used in venues such as American gas stations, notes Bischoff.
“A criminal could use special hardware to forge simple magnetic-strip duplicates of cards and use them where magnetic strip readers are still in use,” Bischoff says in the report. “Gas stations in the U.S., for example, are often still equipped with magnetic strip readers instead of tap or chip card readers.” U.S. gas stations face an April deadline, set by the card companies, to convert their pumps to the more secure EMV standard.
As the price ranges found by the report show, dark-Web prices for PayPal accounts run higher on average than for credit cards. While the median credit limit on a card is 24 times the card’s price, the ratio of median account balance to price for a PayPal account is 32 times.