For years, cybercriminals have used both the deep web and the dark web as clearing houses for consumer credit card numbers as well as other personal information. By conducting persistent, enterprise-level searches of open source data on the deep web as well as the dark web, the credit card industry, along with the vendors and merchants that are part of the vast credit card financial network, can disrupt and diminish this illicit activity.
Scope of the problem
When a credit number ends up on the deep or dark web, it represents one small piece of the larger credit card fraud enterprise. According to a 2016 Lexis Nexis study covered in Forbes, Merchants lose $190 billion annually to credit card fraud, while banks lose $11 billion a year and consumers lose $4.8 billion. Of course, credit card fraud covers a wide range of criminal activity, but one data point from a 2018 Identity Theft Resource Center study is telling. In 2017, a record-setting year for identify theft, 14.2 million individual credit numbers were exposed online.
Ultimately, stolen credit card information hurts merchants in several ways. After the 2013 data breach at Target, for example, the company ended up paying $18.5 million to settle legal claims in 47 states. You can add legal costs to that figure, as well as the opportunities Target lost because key executives had to focus on the data breach and its fallout, rather than growing their business.
But Target, like any business that is the victim of a data breach, also loses consumer trust in its reputation. A KPMG study found that 19 percent of consumers would completely stop shopping at a retailer after a breach, and 33 percent would take a break from shopping there for an extended period. Not surprisingly, the market for cyber insurance reached $2 billion last year as companies look for ways to mitigate the damage.
A sampling of recent news headlines provides a glimpse at how widespread this problem has become. Last year, an attack on Under Armor exposed the personal information of about 150 million consumers. Some of that information included credit card numbers, but in many cases, the breach also exposed valuable ancillary information like birthdays and passwords. In a data breach this year, Marriott admitted that 383 million guests around the world had their personal information exposed, including 5 million who had their passport numbers exposed.
Meanwhile, Sears, Delta, and Best Buy were all hit by the same data breach. As many security professionals have observed, data breaches are the new normal, and for most consumers, it’s a question of when, not if, their credit card numbers are going to appear online.
Current consumer solutions are inadequate
Several credit card companies currently offer services that alert customers when their credit card information has been compromised. At the same time, a cottage industry of identity theft protection services has sprung up to offer consumers similar safeguards. While these solutions are helpful, they’re ultimately inadequate for several reasons.
First, these solutions put the onus on the customer to protect themselves. While consumers should do what they can to safeguard their personal information, the speed of modern commerce consistently puts customers in the awkward position of having to choose between convenience and security. That choice is manifestly unfair to consumers, but it also ignores the fact that credit card companies, merchants, and vendors have reputational and legal liabilities when breaches occur.
Second, while existing consumer solutions do a reasonably good job of identifying when a credit card number has been compromised after the fact, they’re ultimately reactive solutions that search the deep web and dark web periodically.
Third, the scope and scale of the problem is simply too big for isolated solutions. Even if a large number of consumers use these services, significant defensive gaps will persist.
How open source data can better address the problem
Firms that handle credit card information don’t have to build their own solutions. Indeed, beyond the credit card issuers and a handful of the largest merchants, it’s unlikely that most firms will have the expertise to build their own solutions. But the fact is, it’s actually best if firms use open source solutions that can better facilitate a collective response to the problem.
From a technical perspective, locating individual credit card numbers or batches of credit card numbers on the deep web and dark web is a matter of setting a search to look for specific patterns. Such searches can be further enhanced by looking for other identifiers such as billing ZIP codes, three-digit security codes and expiration dates.
The key, however, is to make that search persistent so that the instant a number appears on the dark web or deep web, the issuer can act. In this way, open source data provides for a proactive solution, allowing issuers and those merchants with the most to lose to act before those credit card numbers can be sold to criminals and exploited. Equally important, because open source solutions are less expensive, smaller firms can also leverage the same protections without significant additional costs.
In this way, open source data solutions, when deployed at the enterprise-level, improve the overall security of the credit card, and by extension, increase consumer trust. By acting collectively, issuers and large merchants can disrupt criminals at scale, and they can share information with law enforcement to better understand the nature of the threat. Increased vigilance at the enterprise-level won’t eliminate the sale of stolen credit cards online, but the more we can scale countermeasures, the more likely we are to drive down the cost of this kind of crime.