What Happens To Stolen Credit Card Numbers?

Credit card fraudsters usually have more on their minds than the purchase of luxury goods. Increasingly, criminals operate as part of larger organizations focused on data and identity theft.

While it’s tempting to take identity theft personally, the truth is that by the time cardholders receive warnings from banks about suspicious activity, stolen information has already been packaged alongside thousands of other victims—and has probably been bought and sold repeatedly by multiple criminal groups.

Some groups may specialize in stealing and selling credit card details. Others could focus on quality control by ensuring the cards and information can be used. There may even be others focused specifically on monetizing the cards by making purchases to be resold for cash. Most victims only become aware that credit cards have been compromised during this last stage since that’s when charges start showing up in bank account statements.

A single consumer’s stolen credit card information can sell for up to $110 dollars, depending on the amount of supplementary data included. A name, address and CVV number all add to the card’s value, but not by much. A Social Security number, date of birth and mother’s maiden name might allow the seller to charge at the higher end of such a range. But low price points mean it’s not worth the effort involved for criminals to sell stolen credit card numbers individually. Selling in bulk guarantees a lucrative payout—even if the fraud does not succeed.

This is also why data breaches can have such a devastating impact on victims. Criminals might not only steal basic information—they might also learn purchasing behaviors and shopping habits. Having such highly personalized data means a thief using your card can mimic your behavior, lowering the chances of getting caught by a bank or by you.

When this sort of targeted theft happens to hundreds, thousands or millions of victims at once, even small data breaches can have wide-reaching repercussions.

Considering all this, it makes sense that cybercrime and credit card theft have become increasingly organized. Multiple groups operating at each stage of fraud mitigates the overall risk: Those involved in stealing the cards are not the ones responsible for monetizing them. They may not even be doing the selling.

The rise of cryptocurrencies like Bitcoin and specialized “Dark Web” markets focused on selling credit card details and other personal information have made it possible for criminals to act efficiently and—most importantly—anonymously. Transactions can occur incredibly fast, making it difficult to track down where data is being moved.

Let’s break down the steps of a hypothetical credit card heist:

1. Credit card details, including a cardholder’s SSN, are stolen in a data breach.
2. The criminals put the information they’ve acquired up for sale on a Dark Web marketplace.
3. The data may enter a period where it is bought and sold repeatedly or even tested for legitimacy. This could be anywhere from minutes to days to years.
4. A buyer uses the stolen data to make purchases either online or in physical stores using a fake card. They resell these purchases for cash.
5. Hopefully, victims receive notification about suspicious activity from their bank(s). Before the situation worsens, these victims can cancel their cards and successfully contest the purchases.

While this may be an overly simplified example, it highlights the journey credit card details make once they are stolen.

Ultimately, reviewing credit card purchases, knowing a bank’s policy for flagging suspicious activity and being mindful of the data shared online can go a long way toward keeping a credit card right where it should be—safe inside a wallet.