September 22, 2010

When you’re shopping for stolen credit and debit cards online, there are so many choices these days. A glut of stolen data — combined with innovation and cutthroat competition among vendors — is conspiring to keep prices for stolen account numbers exceptionally low. Even so, many readers probably have no idea that their credit card information is worth only about $1.50 on the black market.

Don’t you just hate it, though, when online stores nickel and dime you to death? I started to get that chintzy vibe when I opened an account at, one of many sites where one can buy stolen Visa, MasterCard, Discover and Amex card information. The purloined card numbers — no doubt lifted from PCs infected with data-stealing malware like the ZeuS Trojan — fetch $1.50 for U.S. accounts, and $4 (USD) for accounts belonging to U.K. residents.

And for a premium, you can obtain “fullz,” or the card data plus other useful information about cardholders, such as their date of birth, mother’s maiden name, etc.

The trouble is, the minute you seek to narrow your search using the built-in tools, the site starts adding all these extra convenience fees (sound familiar?). For example, if I wanted to buy a card stolen from anyone around the Washington, D.C. area, it would probably be from a resident of McLean, Va., which is more or less a tony place where there are plenty of well-to-do folk. Anyway, the site found me a card (a MasterCard) belonging to a McLean resident alright, but then the service wanted to tack on an extra $.60 just because I isolated my search by city and state — raising the cost in my shopping cart to $2.10! No way, Jose. Not this bargain shopper.


Have you seen:

Virus Scanners for Virus Authors…The very first entry I posted at Krebs on Security, Virus Scanners for Virus Authors, introduced readers to two services that let virus writers upload their creations to see how well they are detected by numerous commercial anti-virus scanners. In this follow-up post, I take you inside of a pair of similar services that allow customers to periodically scan a malware sample and receive alerts via instant message or e-mail when a new anti-virus product begins to detect the submission as malicious.

93 thoughts on “I’ll Take 2 MasterCards and a Visa, Please

  1. Big Geek Daddy

    Does anyone know what it costs a Credit Card company to settle transactions that occur on stolen cards? Seems like if it’s more than $2 to $3 then they should be buying this data and using it to cancel stolen cards before fraudulent transactions occur.

    1. TFBW

      The cynic in me suspects that the net profit they make from allowing fraudulent transactions to go ahead exceeds the costs associated with preemptive cancellation — particularly since they try to make the merchants eat the costs of fraud as much as possible.

    2. Jonathon

      Wow. That opens up a whole new business vector for these crooks!

    3. Dan Grossman

      It doesn’t cost the issuer a penny. All the costs of stolen cards are borne by the merchants that unknowingly accept payments from them. Not only does each and every affected merchant pay back the money charged, eating both that loss and the loss of product/service if already shipped, but they pay a chargeback fee to cover the bank’s cost in dealing with the paperwork.

      One stolen card, used at 5 stores, could generate over $100 in chargeback fees. It might actually be a profitable occasion for the bank!

      1. KFritz

        Could you please provide documentation on that? I’m no lover of credit card companies, but readers here deserve some verifiable info.

        1. chester

          Easily, just look at any merchant agreement from a company that allows you to take credit cards.

        2. Max

          Or just google “merchant chargeback policy.”

          I’m an online merchant and can confirm that that’s the process. When a cardholder disputes a charge, the amount plus a fee is taken out of the merchant’s account and then it’s up to the merchant to prove that the charge is valid, which usually requires a signature.

          Even if the charge is found to be valid, the merchant still pays the chargeback fee. It’s quite the racket and I wish cardholders realized the gates of hell that open when they casually tell their issuer that, gosh, I don’t recognize this charge.

          1. JBV

            You can’t begin to imagine the the gates of hell that open when a consumer’s credit card number is stolen.

            The only thing a merchant gets stuck with is a fee, a taxable write-off as the cost of doing business. For the consumer, an identity or credit card theft results in weeks or months of phone calls, correspondence, filing police reports, and on and on.

            A cautious on-line buyer will always call their credit card issuer as soon as they see an unrecognized charge to their account. (A really cautious credit card user will check their accounts on line frequently and regularly, and not wait for the monthly statement.) When I see an unrecognized charge, I not only call the issuer immediately to dispute it, but also request that the card number be cancelled, and that a new card be issued.

          2. Max

            JBV, as I said, the merchant is stuck with the fee AND the amount charged. That’s the point being made. By all means, dispute charges that aren’t valid.

            But if you don’t recognize a charge, contact the merchant first. Nine times out of ten, they’ll say “You ordered a widget on September 22nd” and you’ll say “Oh, right, I remember now,” and you’ve just saved them a ton of work and expense.

          3. Robin

            Keep in mind that that signature could be anyone’s, as long as the merchant got a signature the bank has few chargeback rights because in theory, a merchant accepting a counterfeit card may not ever know the true owner of the card to verify a name. Bugs Bunny could sign your receipts and banks are required to eat the losses in those cases.
            Also, there are transaction types that have no chargeback rights, and they are used more and more today (especially with online purchases).

            Merchants are not the only ones that eat losses, banks have just chosen whether or not they are willing to accept the losses in providing debit cards to customers.

          4. Max

            (Sorry if this is a dupe.)

            Robin, I disagree. The bank doesn’t need “chargeback rights,” because they issue the cards and they make the rules. They have final say and if the card was stolen the merchant will pay for it, plus a fee, even they have a signature, a blood sample, and video testimony from the cardholder authorizing the charge. Merchants pay for fraud; that’s how the system works.

            Take a look at the Wikipedia page on credit card fraud. “The liability for fraud lies on the merchant, not the credit card company. The merchant must pay the full cost of the fraud plus a chargeback fee.”

          5. JB23


            You couldn’t be more wrong. I work in fraud chargebacks. The sheer number of items we have to write off because there’s some random squiggle on the signature line is amazing. If you’re loosing chargebacks where you have a signed receipt, you really need to get a better bank.

          6. Max

            JB23, as I said, I’m an online merchant, so I don’t ever have a signed receipt. I do sometimes have delivery signatures, and have not found that to be a magic bullet.

            My point, again, is that the common belief that the credit fairy pays for chargebacks is incorrect. It’s the merchant. Merchants pay for fraud. There may be some small subset of signature forging that banks have to eat, but I guarantee you that it’s negligible compared to the sums merchants pay in card-not-present fraud.

          7. Concerned Citizen

            Max is right, merchants have to PAY FOR IT. If you place an order for 1000.00 and then charge it back, the merchant LOOSES 1000.00! The bank takes the money from the merchant, in addition to the fee. I’m not saying that having credit card fraud happen to you is a walk in the park, but more often than not, the cardholder does not end up paying anything. As someone who works for a merchant, employed full-time preventing credit card fraud, I can say that the merchant looses the fight even if items are shipped to full AVS verified address, with a signature. Basically there is no universal law when your wrestling an 800 pound gorilla. I personally notify cardholders that they’re cards are being use fraudulently, and most of the time the cardholder knew nothing about it until I called them! Also, if your company doesn’t have (or simply chooses not to use) insurance, then you ARE NOT COVERED.

          8. Daniel

            Actually, it’s not the merchant that the duty of refunding the money falls to first. There is a company in between (if its pretty much anything other than AMEX) called the acquirer that the issuing bank will shove the responsibility of refunding the money to first. It is then the acquirer’s job to inform the merchant that there is a discrepancy and a chargeback has been filed and then get the money from the merchant. This sneaky little move separates the bank even one more step from the actual problem. And if the problem cannot be rectified, the acquirer is then out money as the bank bills the same amount from them.

            Note that the wikipedia article on aquirers is vague, slightly inaccurate and sparse.

      2. Tim

        I work at a US bank and to be honest we almost always eat all fees and the fraudulent amount. We rarely ever get our money back from a merchant.

        1. Max

          Well, Tim, what can I say? You (or anyone reading this) could spend 90 seconds Googling “credit card fraud” and find multiple credible sources that confirm that merchants pay for credit card fraud to the tune of billions yearly. This idea that banks “eat all fees and the fraudulent amount” is completely alien to me, and I’ve had an active merchant account for more than ten years.

          I’m sure there’s plenty of fraud to go around and that banks eat some of it before it reaches merchants, but again, my sense is that it’s a small fraction of the total amount.

      3. TJL

        Dan: You point out the tremendous economic impact of fraudulent use of cards. However, merchants generally only pay for card not present transactions that were fraud.

        Card present transactions are most often “eaten” by banks–many of which are community banks that cannot control the fact that merchants don’t check ID, don’t check signatures etc.

        The solution is multi-pronged and honestly not all that difficult. The FI’s, and retailers need to get our DA’s in the US to put teeth into prosecuting these white colar crooks. Secondly, banks and merchants must work together to stop fraud. Huge purchases to a PO Box, no ID present, etc should signal potential problems.

        Likewise, when banks see the onset of a local fraud outbreak, they should be more proactive in working with local retail to prepare for the situation.

        As for the site selling data, shouldn’t an arrest be forthcoming???

  2. Jason

    So …. when you complete your purchase of credit card data, do you use … another credit card?

    1. Melbi

      Actually, you probably use a “Visa Gift Card” (or equivalent) which can be used like a credit card anywhere credit cards are taken, but which have a set balance between $25-500 and aren’t tied to an individual’s personal details.

      Not that I condone, you know, doing this and buying shady cards or anything, but logistically this is probably the only way to safely avoid a Catch-22 situation.

      1. JCitizen

        Or use a card that issues individual credit card numbers to each vendor. Once that vendor is compromised, you know who the vendor is, and also that transaction will be cancled!

        Meanwhile, the crook can’t get your personal info and the actual credit card doesn’t really exist!

        1. GreenEgg

          You wouldn’t want to use a real credit card, even one that issues temporary numbers, as you have two problems – the crooks stealing your own credit info and the cops busting the website and finding out who bought the fake cards.

          1. JCitizen

            What difference does it make? Whether you use the card online or in a brick and mortar store; the online crooks could still break into their POS machine through the internet and STILL get your personal information!

            Some ID thieves specialize in physically compromising customer data at the store location also!!

            At least with this system, you KNOW who got cracked! And the credit card company refuses payment to the thieves. These card companies generally provide ID theft insurance as well.

            I don’t see how crime is going to pay with that system.

  3. Jim

    How kool is purchasing stolen credit cards with a stolen credit card?

  4. Ephraim

    So, what is the price difference in costs for Chip & Pin cards. Areas where you also need a PIN to secure the transaction.

    1. Matt

      Presumably about $2.5, since that’s the difference between a UK (needs a PIN) and US (doesn’t) card.

      (I can’t think of any other reason US and UK cards would be priced differently. Anyone?)

      1. BrianKrebs Post author

        I would assume this market also is priced by supply and demand. It stands to reason that there are simply fewer Brits, and fewer UK cards. UK cards may also typically carry higher limits that U.S. cards, but I don’t have any idea about that, really.

        1. Ephraim

          So presumably, when card transactions go chip & pin only the value of the card depreciates. So I assume the market for US cards will increase while UK, Canada, France, etc will decrease to zero. Especially as banks enforce the use of “verified” or “securecode” when chip & pin is unavailable.

          Funny how some banks are smart enough to be able to issue you CC numbers for one-off transactions, so you don’t have to risk your card number being exposed on the net.

      2. Lucian Constantin

        The problem with chip-and-pin cards is that they are backwards-compatible with non-chip-and-pin ATMs in countries where the technology is not widely deployed.

        So, magstripe data and PIN for an UK chip-and-pin card would be enough for it to be misused in another region of the world.

      3. Lucian Constantin

        Also, and sorry for posting twice, the “chip” part is only required for ATM transactions, as I suggested in my first reply.

        The credit card details sold by the website in Brian’s article can only be used for card-not-present transactions (online), where the chip or no chip part makes no difference.

      4. replying to matt

        matt…tard…. theres 300+ million american people and about 60+ million UK people…who do you think is easier to spam and get details from..americans or the brits?

        Also, in the UK most banks dont give you a DEBIT card unless you earn more than £500 a month in salary meaning UK cards are usually decent in terms of balance where as the typical american debit card (lowest level) maybe hold 0 or close to it… Hence price difference.

  5. Lydia

    $1.50? not according to Symantec. I’m not sure how effective the new (wierd!–Hasselhof???? Snoop Dogg???) Symantec marketing ploys are, but the “Could I be a victim” risk evaluation on this link put my personal data at $163. (Oh!…gee…Makes their products look cheap at twice the price, huh?)

    Brian, your site is one of the few I trust to get sensible, sound, accurate information from. Thank-you.

      1. Patrick

        Whoa whoa whoa, the card # is fully viewable in that image. Also if that is the case why would one buy it off the site. Color me confused.

        1. BrianKrebs Post author

          Thanks, Patrick. I blurred that one (although it didn’t have a name or expiry attached to it, so kind of hard to use).

          1. Patrick

            No problem. I really liked the article, this is the kind of thing you just don’t see people posting. If we can get enough information out to the people on how these people operate we’ll have a better chance to stop them.

          2. greenup

            You really should do more than blur, just block it out with black.
            I’m not going to take the time, but I have successfully un-blurred text before, and there are a number of studies you can google that will show how to do it. Deconvolution is the hard way, hand-edit sharpening a little less hard, “guess-matching” is easier and producing best results. (particularly with your blur method)

      2. Michael

        The first hit on Bing-ing “buy webmoney” is buywmz-dot-com that states “Buy WMZ Webmoney units with your Credit Card (VISA, MasterCard)…” Whois buywmz shows Matthew Stokes in Belize, RIPE shows in the Ukraine. Scam site or for real?

        1. BrianKrebs Post author

          Michael, I don’t know much about that operation you’re talking about, but take care with those sites offering to convert credit card dollars to Webmoney and other virtual currencies. Many are complete shams, and others will charge you through the teeth to do it. If you really want to fund a WMZ account, I’d urge you not to rush into it and to find a reputable exchanger. Unfortunately, unless you want to provide your bank account details, often the easiest way to do it is to wire money. Again, very high risk transaction.

          1. ASO

            The financial media needs to start reporting WebMoney exchange rates.

          2. Michael

            No worries, am not buying, thanks for the warning. What I’m getting at is if buywmz’s legit, it’s theoretically possible to buy more stolen cards with a purchased stolen card via webmoney even with a stiff conversion fee, isn’t it?

        2. a

          every user of WM has unique WMID, and this WMID is always shown, you can click on it and check status of the user like:
          1) account type – there are different account types starting from anonymous with no personal info attached and ending with authorized dealer when all personal data is verified like passport, phone numbers etc.
          2) business level (BT) – it is somehow combined number of transactions and value of the transactions, formula kept in secret. Higher BT means higher level of trust.

          WM is very advanced system because you would not send money to anonymous users, when you send money to an authorized seller account you can be sure that passport was presented (physically, no copies accepted) and the phone number was verified.

          Unless, of course, the seller account itself was compromised, however it is not that easy to steel an account because name/password authorization does not work there, they use at least encrypted certificates.

          Looking at paypal makes me laugh…. but I understand that not so many people know what certs are and how to use them…. it is a bit more complicated that the standard name/password scheme…

          The reason WM is used underground is that because it is not regulated by the government in any way (read taxes paid) 😉

          1. BrianKrebs Post author

            Correct me if I’m wrong “a”, but it appears that the verification checks (requiring of passport presentation, etc). is a fairly recent phenomenon that does little to revalidate the countless people who obtained WM accounts before these checks were in place, which is to say a majority of the people in the criminal hacking community.

            How do I know this? I have three Webmoney accounts, and only one of them is tied to my real name.

          2. a

            I got seller account about 1.5 years ago and I had to give them my personal details. AFAIK, all sellers had been asked to disclose their personal info if it was not on the file.
            That’s not even the point, the point is that you can always go and check the seller profile and see how much and what kind of personal info was disclosed to WebMoney. You may not see real name or address of a seller but you will see if WM knows it.

  6. Steve

    Note also that merchant chargebacks happen with PayPal and other pay services too. Pay Pal will work with you to resolve chargebacks but the card issuer has final say and Pay Pal will debit your account if you lose.

    I broker expensive items and I need to protect both my buyer and my seller so I hold the money and they agree I have final say. My biz does not take credit cards or use Pay Pal or any other form of payment where the card issuer decides who wins. All my competitors do things the same way. The ones still in business that is!

  7. Mark Ratledge

    But wait! If you order right now, you’ll receive not one, not two, but THREE credit card numbers, with full personal data, for your chosen location! Operators are standing by! Click “Buy Now” right now!

    But seriously. Next thing I can imagine appearing are affiliate setups for CC# sites. What business models can’t be adapted for use?

    There must be students in MBA programs right now, maybe even on scholarships, developing new online crime business models.

    1. Ralf

      If GoDaddy ever went bad, those are the kind of deals they’d offer!

  8. Tyler

    So are the low prices so that the crooks would buy in bulk, the way equally shady debt collectors buy your debt for pennies on the dollar?

    I’m assuming there’s probably a preferred way that they also ship or receive these stolen goods as well (since receiving it at your address would get you busted).

    Very interesting, thank you for bringing this to light.

  9. Stuart

    I think you can get CC numbers at Costco in a six-pack…

    Of course, the catch is you need to be a member.

    1. BrianKrebs Post author

      I may need to add this to the body of the story. I answered it in a comment above but here it is again:

      For all those who are asking, payment is made via LibertyReserve and/or Webmoney, virtual currencies that are popular in the underground.

  10. Mike

    I don’t know about you, but it seems to me like using a credit card to make a purchase from a company dealing in stolen credit cards sounds like an overall poor choice…

  11. Mister Snitch

    If the stolen card I buy doesn’t work, who do I complain to?

  12. george

    Hi Brian,
    Impressive reporting, as usual.
    You mentioned you haven’t completed the transaction (on the reason of +0.6 USD extra charge:). Assuming you had and of course not use or disclose any CC number you purchased, would the simple fact of purchasing this info be an illegal act ? Just curious how far can go an investigative reporter without technically breaking any law.
    And the second remark, I would love to see any info/reporting about places where one can make one of those CC with individual numbers for each vendor, or one that can be filled with the right amount of monies just before the transaction, etc, preferably covering (the report, that is) also Europe. I am frustrated because I could not find any bank to issue me a card with a limit lower than 1250 euro, while I would like one specifically for card-not-present transactions with a limit set at 100-150 Euro. No matter how respectable is an online merchant, I don’t like using there a CC with 12000 Euro limit.

    1. JBV

      Not sure if they have this in Europe, but some US banks have an online service – Shop Safe – where you can get a credit card number, good for only one vendor, and where you set the dollar limit and expiry date. I use this for most online purchases. Hope this helps.

    2. vince

      In France, 6 banks propose this one-time generated cc number. It is pretty efficient, but not very used. (google : “e-carte-bleue”).

      Hope this helps,

  13. Jim

    As much as i detest Bank of America, they have the” Shop Safe” option. I use this option for all charges other than point-of-sale purchases. A unique number and CV is issued. The card holder fills in the amount and time limit up to twelve-months. Two months is the default limit. May be used for repeat payments each month by the vendor if need be.

    1. JCitizen

      I hear ya Jim;

      I detest ALL card companies, but I like the system Discover has for online purchasing. It does the same thing very seamlessly. However I hope Secunia is tracking any vulnerabilities their plug-in and/or desktop application have.

      I think you can call it in too, but I haven’t looked at that angle.

      Needless to say, I have my PC loaded up like Fort Knox!

  14. Sarpent

    And people buy these credit card numbers using a credit card? What could go wrong there?

  15. Concerned Citizen

    “The purloined card numbers — no doubt lifted from PCs infected with data-stealing malware”

    This is actually a misconception. Where do you store your credit card billing address on your computer, or your billing phone number or the 3 digits on the back of your card, or your mothers maiden name…
    It is not your PC that they get this information from. Think; who does store ALL of your cardholder information?

    1. Tyler

      @Concerned Citizen Malware consists of Keystroke loggers and trojans that record the information typed into an infected PC. All your information could easily be obtained by these various programs, and then it’s just a matter of viewing your profile and getting things like the security question answers.

      1. Concerned Citizen

        I understand what Malware is obviously, what I was trying to say is that some old lady who has never used a computer in her life has all of her credit card details stolen, when the card itself never left her sight. How do you suppose this happens. Who’s computer was hacked in this scenario?

          1. Viveka

            Someone who doesn’t want to get sued or blacklisted for saying straight-out that the problem is upstream, either at a merchant or an issuer.

    2. JCitizen

      The crooks actually don’t even need a key-logger. They can read your hard drive and find many pertinent types of information.

      You can try running the free version of Identity Finder on you PC, but it won’t prove my point. I have the paid version, and it scared the pants off of me! I found out I had SSN# going all the way back to my dearly departed mother, and phone numbers and addresses, and credit cards too!

      I’m not spamming for this company, it is the only one I know of that does this, but a good search at CNET may find other even better utilities. With these tools, you can shred the information, or encrypt it. The best way is to use an ID vault of some kind to keep the information encrypted in the first place. Or use something like LastPass that whisks it away to the cloud for storage. This – if you trust the cloud – yet.

      I prefer the later, as I don’t want it on the PC at all.

  16. Concerned Citizen

    In reference to JB23, do you ‘write off’ your losses, or do you not have any losses? What is it that you are ‘writing off’ if you are supposedly not loosing your chargeback disputes?

  17. Mark Herpel

    Credit and debit card fraud is the No. 1 fear of Americans in the midst of the global financial crisis. Concern about fraud supersedes that of terrorism, computer and health viruses and personal safety. (Source: Unisys Security Index: United States, March 2009)

    The first widely accepted plastic charge card was issued in 1958 by American Express long before the retail Internet. “Charge Cards” have not changed much since then. They are outdated, plastic was never meant to be used online and their costs are much more expensive than today’s digital currency products. Digital currency was created for online payments.

    The Internet was not created by a bank nor any type ‘financial company’ and consumers should not be forced to use bank products (credit cards) to engage in online commerce. Shoppers should wake up to the fees they are paying to for that ‘convenience’.

    Mark Herpel

    1. JCitizen

      So what “digital currency” do you use; I won’t consider your answer to be spam – I hope Brian and no one else does either!

  18. Sally G.

    The United “Stats.” They are so cheap on that site that they couldn’t afford to take a minute to spell “States” correctly. At least they have wormy parasitic crime to make them a loser in life.

  19. Gannon Dick

    “… — raising the cost in my shopping cart to $2.10! No way, Jose. Not this bargain shopper.”

    Thanks BK, you made my day.

    I knew that somehow, someway, someday my well practiced habit of cheap-skate-ery would be recognized for the only salvation of Civilization-as-we-know-it that it really is

  20. User1001

    I dont really remember, but aren’t the rules changing on Sept 30th 2010? I know in Canada something is changing and the fees will not be paid by “Visa/MC” anymore… ??

  21. Deviant

    I buy from this site all the time.. but now it is down because of morons like you. This is common knowledge.

  22. David Roth

    Dear Brian,

    I hope you can explain why you have decided to expose this particular online shop when scrutinized is viewed as irresponsible reporting. The post was full of satire and did not actually have a clear point except you could find stolen credit cards online, which the audience is fully aware of. What is the actual aim of this post since it is clearly out of sync with the ethos of this blog? Publicly displaying of the url may be viewed as unintentionally advocating people to visit which can lead many to similar websites. While also tutoring those on how to purchase from the site it seems like someone who is aiding a newcomer is some stolen credit card forum. Maybe the lines have been blurred since you are now a respectable member of the crime community your actions may lack the moral and ethical scrutiny of an editor.

    1. BrianKrebs Post author

      Hello David. I’m sorry you feel my reporting on this is irresponsible. Is it irresponsible for a reporter to write about a particular corner in a city that is the nexus of crime, prostitution and drug sales, knowing full well that some readers could use that information to obtain sex and drugs for sale?

      I would take issue with your second assertion that everyone knows about this (leaving aside, for the moment, the fact that it contradicts your first assertion that I’m pointing out a resource people weren’t previously aware of). From the hits that this post generated, and the fact that it was picked up all over the planet (including at places like I’d say the audience was not anywhere near fully aware of this type of market.

      Finally, I’d note that while it was not my intention going into reporting the post, that site was taken offline shortly after my story ran (and my site came under denial of service attack directly as a result for several hours afterward).

  23. Peat O'Neil

    Stay a step ahead by changing your name format on cards, opening and closing accounts frequently. Using your mother’s other maiden name.

    1. JCitizen

      Opening and closing accounts often, can have negative impact on your credit score. Closing old or dead accounts is definitely a requirement, using prepaid services is another protection that is commonly available.(cash cards)

    2. Brian Krebs

      Hey Peat! Long time no talk! Hope you are well.

      JCitizen may be right, Peat. Doing what you describe could have the unintended consequence of creating many slightly different credit files for yourself, which is exactly what you don’t want.

Comments are closed.