4 places your stolen information may be going

By Michael Lloyd

If you've been a victim of card fraud, you know that you'll typically get your money back without too much trouble once your lender has established that you played no role in the loss. You will cancel your card, get a new one, and try not to think about the frustrating experience again.

But before the card is cancelled -- and sometimes even after -- crooks are usually busily at work trying to profit from your financial and personal details before they get caught. They have a number of ways to do this.

"Fraudsters will normally attempt to use compromised card details in the same environment in which they were stolen," a spokesman for Financial Fraud Action UK (FFA UK) said in an emailed response to questions. "For example, criminals may try to use details stolen online, such as through malware or a data hack, to carry out a transaction on the internet, over the phone or by mail order.


"Similarly, details compromised at an ATM, where a PIN was also
captured, could be used to create a counterfeit card which fraudsters
would try to use in an overseas country where a Chip & PIN technology has not yet been rolled out."

Here are a few ways thieves may use your information:

1. Dump sites
Criminals who steal card details using malware or skimmers at point-of-
sale (POS) terminals or cash machines will often not use the stolen information to make purchases or withdraw money themselves. In some cases, the sheer volume of the data they steal would make this impractical.

Instead, many scammers who use these methods will put their data hauls up for sale on illicit online card shops, known colloquially as "dump sites". The majority of these operate on the dark web, which is a "hidden" portion of the internet that is not indexed by standard search engines. But some can be accessed using a normal web browser.

Batches of card details are available to buy on these sites, with more valuable data -- such as CVV2 (the three-digit security code on the back of a card) numbers, online banking passwords or mothers' maiden names -- attracting higher prices.

"If the credit card data is accompanied by other information, such as PIN, mother's maiden name, date of birth, and shopping habits, then it makes the card even more valuable," wrote Liviu Arsene, senior e-threat analyst for security software firm Bitdefender, in an emailed response to questions. "This type of information is usually traded on underground forums and may be resold again and again between cybercriminals, until it ends up in the hands of a group that has the skills and knowhow to make use of it."

2. Card-not-present transactions
Fraudsters operating on a smaller scale will often try to use card details to buy items online that they can sell on at a quick profit, either domestically or overseas.

"It is common practice for credit card thieves to move fast once they have your data," Arsene said. By reselling the items they buy, they throw authorities off their scent, Arsene continued.

In the UK, where many sites ask cardholders for their CVV2  for purchases, buying items of any price can be difficult for scammers. Extra security layers -- such as Visa Verified or MasterCard SecureCode, which require PIN verification for each purchase -- can also stall a fraudster who doesn't have a card's full data.

However, some e-commerce sites, such as Amazon, allow customers to make purchases without entering a CVV2 code or completing extra security steps. Many overseas sites have less secure payment systems as well, but services such as Visa Verified or MasterCard SecureCode will often identify fraudulent transactions attempted through these systems, making it more difficult for fraudsters without full datasets to make purchases.

3. Money transfer
"However criminals attempt to use stolen card details, banks have advanced fraud detection systems in place which monitor for any unusual transactions," the FFA UK spokesperson commented.

Not all card issuers and lenders have as robust anti-fraud measures in place as others, though -- something fraudsters know and will use to their advantage. They can target accounts with those less-secure institutions.

Some criminals who gain access to online banking details will make money transfers from the victim's account when they know the financial institution's fraud department is closed, making it less likely that the bank will detect the fraud before it can be stopped.

4. Identity theft
If a fraudster has managed to get hold of your personal information as well as your bank account and card details, he or she may be able to access your online banking facilities and apply for new financial products in your name.

This will often be one of the most difficult types of fraud to detect, as scammers will go out of their way to cover their tracks, perhaps accessing your existing accounts and changing your contact details. This will allow them as much time as possible to wring money out of the situation.

Apart from being as vigilant as possible with all of your personal information, keep a regular eye on your online banking facilities and credit record to check for any suspicious activity.  

See related: Protect yourself from card-not-present fraud, Old-style scams increasingly used by fraudsters

Updated: 17 August 2016