Swiped: Analyzing ground-truth data of a marketplace for stolen debit and credit cards

Maxwell Aliapoulios, Cameron Ballard, Rasika Bhalerao, Tobias Lauinger, Damon McCoy

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    This paper presents the first empirical study of ground-truth data from a major underground shop selling stolen credit and debit cards. To date, there is little quantitative knowledge about how this segment of the underground economy operates, despite it causing fraud losses estimated at billions of dollars a year. Our analysis of four years of leaked transactional data allows us to characterize this shop's business model, sellers, customers, and finances. The shop earned close to $104 M in gross revenue, and listed over 19 M unique card numbers for sale. Around 97% of the inventory was stolen magnetic stripe data, commonly used to produce counterfeit cards for in-person payments. Perhaps surprisingly, customers purchased only 40% of this inventory. In contrast, the shop sold 83% of its card-not-present inventory, used for online fraud, which appeared to be in short supply. Demand and pricing were not uniform, as buyers appeared to perceive some banks as having weaker countermeasures against fraud. Even multiple years into the U.S. EMV chip deployment, the supply of stolen magnetic stripe data continued to increase sharply. In particular, we identified a continuing supply of newly issued cards not equipped with EMV chips, especially among prepaid cards. Our findings suggest that improvements to EMV chip deployment in the U.S., combined with a limited supply of stolen card-not-present data, could be avenues to decreasing the revenue and profitability of this shop.

    Original languageEnglish (US)
    Title of host publicationProceedings of the 30th USENIX Security Symposium
    PublisherUSENIX Association
    Pages4151-4168
    Number of pages18
    ISBN (Electronic)9781939133243
    StatePublished - 2021
    Event30th USENIX Security Symposium, USENIX Security 2021 - Virtual, Online
    Duration: Aug 11 2021Aug 13 2021

    Publication series

    NameProceedings of the 30th USENIX Security Symposium

    Conference

    Conference30th USENIX Security Symposium, USENIX Security 2021
    CityVirtual, Online
    Period8/11/218/13/21

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Information Systems
    • Safety, Risk, Reliability and Quality

    Fingerprint

    Dive into the research topics of 'Swiped: Analyzing ground-truth data of a marketplace for stolen debit and credit cards'. Together they form a unique fingerprint.

    Cite this