Technology: The Recession Hits Identity Theives

Your personal identity isn't worth quite as much as it used to be—at least to thieves willing to swipe it.

According to experts who monitor such markets, the value of stolen credit card data may range from $3 to as little as 40 cents. That's down tenfold from a decade ago—even though the cost to an individual who has a credit card stolen can soar into the hundreds of dollars.
The black market for personal data is even less transparent the market for derivatives and other unregulated financial instruments, but it works like any other market: When the supply of goods is plentiful, prices start to sink.

And in spite of authorities' efforts to take down the markets that serve as clearing houses for other people's financial data, the black market in personal identity is flush with product.

Increasingly cunning phishing attacks and large-scale data breaches—like last year's 8.5 million-record breach at Fidelity National Information Services and an earlier 1.4 million-record hack at Designer Shoe Warehouse—have, over the past decade, turned underground distribution channels into an overstocked pond.

That's made the hackers functioning as data wholesalers more like typical globe-trotting business executives: branding and marketing, partnering, merging and acquiring, and—as current prices reflect—cutting prices to compete for business.

A handful of legitimate operations have gotten to peek into these shady markets. Among them, the Affinion Security Center (a service arm of the Affinion Group conglomerate) has a CardCops service which sends computer algorithms to crawl online marketplaces—primarily Internet relay chatrooms and members-only message boards—looking for personal data and alerting customers if their data is exposed.

Credit card numbers fetch only $2 or $3 each on today's market, Dan Clemens, head of CardCops, told "Full profiles," data sets that include a credit card, mother's maiden name, date of birth, social security number and possibly an ATM PIN, command just $10 apiece.

Security giant Symantec says that bank accounts, credit cards and full profiles are the top three goods and services offered in the underground economy. Credit card data, they say, can trade for as little as 40 cents a card.

By contrast, a decade ago, credit card information commanded as much as $20 to $30 per credit card, Clemens says. That makes personal identity data almost a commodity: "They've come down on the curve a little bit, as it seems like more and more hackers and identity thieves have entered the market," he says.

Data thieves will now often sit on their ill-gotten data investment in order for the prices to "mature," says Clemens. Such was the case with Montgomery Ward's data breach, which was made public in June 2008 but probably occurred at least six months earlier. "The breach occurred some time ago, and the hackers sort of sat on the data for a while and were just putting it up for sale in the chatrooms," notes Clemens.

Affinion found the hackers trying to sell 200,000 credit cards for $10,000. "When we saw some samples of the data—which they will often do, they will often post samples of the data—we were able to contact those people, and we found out that the common denominator among all of them was that they shopped at"

Global demand for personal information is also shifting geographically, adds Thomas Roussan, chief executive of the Affinion Security Center. In past years, buyers of personal data were primarily based in Eastern European countries such as Romania, Bulgaria and Estonia, says Roussan. "Over the last few years, we've seen Southeast Asia—Vietnam, Indonesia—start entering the market. And now we're seeing some anti-U.S. countries like Iran."

U.S. government authorities including the Secret Service, Federal Bureau of Investigation and Department of Justice are aware that such marketplaces exist. But the dynamic and decentralized nature of the markets make them difficult to stop altogether.

In 2004, the U.S. Secret Service took down an Eastern European-based forum called "Shadowcrew" that was the clearing house for 1.7 million stolen credit cards, which resulted in $4 million in damages for consumers.

Later that year, 19 people were indicted for running the 4,000-member forum.
With the exception of two fugitives, all of domestic Shadowcrew defendants pleaded guilty. But the rest of those members? According to the Department of Justice, several new forums popped up in the wake of the Shadowcrew sting, very likely used by those who had abandoned Shadowcrew. "They move around pretty quickly," says Clemens.

In 2005, a competing forum named "The International Association for the Advancement of Criminal Activity" re-branded itself as "The Theft Services," according to the Department of Justice. A year after that, the DOJ says a forum known as the "Cardersmarket" allegedly increased membership by taking over four rival marketplaces.

On Oct. 16, 2008, the FBI announced that it had shut down a members-only forum called "Dark Market." This site, which was used for buying, selling and trading personal information, had more than 2,500 members and netted the bureau 56 arrests. Penetrating the forum involved a two-year undercover operation and an undercover FBI agent working as a forum administrator.

But even if the market may be flooded with stolen data, the costs consumers must shoulder when their data is stolen can still be hefty. Federal law limits consumer liability for credit cards to $50 and ATM cards to between $50 and $500. Yet the Poneman Institute, which tracks identity theft, calculates that the average cost for a data breach victim last year was $197 per record and $239 for a financial record. Those costs do not include the several dozen hours identity theft victims say it takes to correct a damaged credit score.

Affinion occasionally releases test data—the digital equivalent of marked bills—to see where it ends up. "We let them go in the 'Wal-Mart' of the underground and they get taken by the thieves and used almost instantly," says Roussan.

Unfortunately, falling prices in this market may only make digital thieves work that much harder.