September 22, 2010

The good news for those shopping for stolen credit card data, according to a blog by former Washington Post reporter Brian Krebs, is that competition has driven down the typical price to $1.50 per card. The bad news, he says, is that these black-market sites have begun tacking on fees.

Don’t you just hate it, though, when online stores nickel and dime you to death? I started to get that chintzy vibe when I opened an account at, one of many sites where one can buy stolen Visa, MasterCard, Discover and Amex card information. The purloined card numbers — no doubt lifted from PCs infected with data-stealing malware like the ZeuS Trojan — fetch $1.50 for U.S. accounts, and $4 USD for accounts belonging to U.K. residents.

The site charges extra for "fullz," card data that includes details such as the cardholder's date of birth or mother’s maiden name. It also charges extra for letting the shopper choose a cardholder location, Krebs says.

The site found me a card (a MasterCard) belonging to a McLean resident alright, but then the service wanted to tack on an extra $.60 just because I isolated my search by city and state — raising the cost in my shopping cart to $2.10! No way, Jose. Not this bargain shopper.

One commenter to the blog wondered why banks don't purchase this data and use it to cancel stolen cards before fraudulent transactions occur. It's an interesting question. Another commenter wondered if people can use stolen credit cards to buy the stolen credit card data. The answer, according to Krebs, is that "payment is made via LibertyReserve and/or Webmoney, virtual currencies that are popular in the underground."