What Happens When Credit Card Numbers Stolen

Millions of individuals have had their credit cards stolen at least once in their lives. In 2019, the Federal Trade Commission recorded over 270,000 incidents of credit card theft in the United States. Credit card theft has grown so common that banks now provide 24-hour hotlines for victims to report lost or stolen cards. Though it is always inconvenient, dealing with credit card theft may be quite straightforward for customers. Credit card theft is projected to rise further as data breaches, online shopping, and virtual economies grow more widespread.

Banks and credit card companies go to tremendous pains to prevent fraud and limit the impact on their clients’ bank accounts, but what happens when a credit card number is stolen?

The good news is that if the theft is restricted to the credit card number and cardholder’s name, there is probably nothing to worry about. The bad news is that It may and typically does get considerably more complicated.

Data and Identity Theft is an Organized Business

Most credit card fraudsters have more on their minds than the acquisition of high-end items. Criminals are increasingly operating as part of bigger groups focused on data and identity theft.

While it may be tempting to take identity theft personally, the truth is that by the time cardholders begin receiving bank warnings about suspicious activity, stolen information has already been packaged in bulk alongside that of thousands of other victims and has most likely been bought and sold multiple times by multiple criminal groups.

Some organizations specialize in stealing and selling credit card information. Others concentrate on quality control, ensuring that the cards and information can be used. Others are just concerned with monetizing the cards by making transactions that will be resold for cash. Most victims are only aware that their credit cards have been hacked at the last step when charges begin to appear in bank account transactions.

Why Do Criminals Want Personal Data?

But why are there so many steps? And why should you buy in bulk? It all boils down to money, unsurprisingly.

The value of a single consumer’s stolen credit card ranges from $5 and $150, depending on the amount of additional data given. The addition of a name, address, and CVV number increases the card’s worth, although only somewhat. A social security number, date of birth, and mother’s maiden name may allow the vendor to charge at the top of the range. However, the low price points make it unprofitable for thieves to sell stolen credit card data one by one. Even if the fraud does not succeed, selling in bulk ensures a big payoff.

This is also why data breaches can be so catastrophic for victims. Criminals may obtain not just basic information, but also purchase patterns and shopping histories, depending on which firm was attacked and how much data was acquired. With such highly customized data, a person using a consumer’s card can imitate behavior, decreasing the odds of being discovered by a bank or even the consumer.

When this type of targeted, specialized, and deliberate theft occurs to hundreds, thousands, or millions of victims all at once, even minor data breaches can have far-reaching consequences.

Given this size, it is understandable that cybercrime and credit card fraud has become more organized. The presence of several groups working at each step of fraud reduces the total risk: those involved in stealing the cards are not the ones responsible for monetizing them. They might not even be doing the majority of the selling.

The rise of cryptocurrencies such as Bitcoin, as well as specialized ‘Dark Web’ markets (such as the recently shut down but highly successful Joker’s Stash), focused specifically on selling credit card details and other personal information, has enabled criminals to operate efficiently and, most importantly, anonymously. Transactions may happen at breakneck speeds, making it impossible to follow precisely where data is being transferred.

The Endgame of Stolen Credit Card Numbers

Let’s walk through the steps of a fictitious credit card heist:

01. In a data breach, credit card information, including a cardholder’s SSN, was taken.

02. The crooks involved gather all of the information they’ve gathered, including the personal data of tens, hundreds, or thousands of cards, and sell it on a dark web marketplace.

03. Another party has purchased the list. At this stage, the data may be bought and sold again, or it may be quality checked for validity. Though there is no set timetable for how long stolen data remains in circulation, it might range from minutes to days to years.

04. Eventually, a buyer will begin to use the stolen data to make online or in-person transactions with a fake card. These purchases are then resold for money.

05. Individual consumers should, hopefully, receive a warning from their bank on suspicious behavior as a result of this (s). These consumers are able to deactivate their cards and successfully dispute the purchases before the issue worsens.

While this is an oversimplified scenario, it illustrates the route credit card data go after being taken from you.

Bottom Line

Finally, checking credit card purchases, understanding a bank’s policy for reporting suspicious behavior, and exercising caution when sharing personal information online may all help to keep a credit card where it belongs: inside a wallet.