In December 2013, the US retail giant Target announced that their in-store payment systems had been compromised by hackers. They did not immediately announce how much data had been lost, only that the compromise lasted between November 27 and December 15 and that customers’ names, card numbers, expiration dates, and CVVs (card verification values) were acquired (Target, 2014). Later that month, it was revealed that the breach may have affected 70 million people who shopped at stores across the country. The incident was rather shocking, particularly as it appeared to have been enabled by a weakness in the point of sale terminals, or cash register systems, in the stores themselves (Higgins, 2014). As a result, Target scrambled to respond to customer fears and provided detailed information on how individual victims could protect themselves in the event that their personal information was affected.
Though this story was shocking for many consumers who had not experienced such an incident before, it was just one of many large-scale data breaches that occurred over the last decade in the USA. In 2009, Heartland Payment Systems announced that their system security had been compromised during 2008 by a small group of hackers. The company processes over 11 million credit and debit card transactions a day for over 250,000 businesses across the USA. The impact of the breach was massive, as hackers were able to acquire information from 130 million credit and debit cards processed by 100,000 businesses (Verini, 2010). This was the largest breach of customer data in the USA, and was thought to stem from malicious software planted inside of the company’s network in order to record payment data as it was sent by retail clients (Krebs, 2011). Even more disconcerting, this breach was apparently masterminded by Albert Gonzalez and a few other hackers who compromised the payment systems of Marshalls department stores and its parent company, TJX, a few years prior. That compromise led to the loss of 45 million credit card records and over $1 billion in customer damages (Roberts, 2007). Thus, these actors were not simply hackers who were lucky enough to make one big score. Instead, they were proficient and dedicated repeat offenders who sought out high-value targets in succession and made lucrative profits as a result of their efforts.
The scope of these breaches demonstrates the substantial capacity of cybercriminals to acquire information in volumes far exceeding that of any successful street criminal. It is important to note that data breaches are not the only way in which personal information may be acquired in the digital age. As many as 51% of all adults in the USA use the Internet to engage in banking transactions, whether to check their balance or pay bills electronically (Fox, 2013), and 21% of adults use their mobile phone to engage in bank transactions through applications or the web (Federal Reserve, 2013). As a result, cybercriminals have found ways to exploit this process and surreptitiously access personal and financial information over the Internet (James, 2005; Newman & Clarke, 2003).
Dealing in Dumps: The Market for Stolen Data
In light of the growing prominence of electronic data theft and the significant financial harm that it may cause for individual victims and compromised companies, it is critical to consider what offenders do with the tremendous quantity of information that they obtain. There is no way that one person, or even a group of 10–20 people, could use hundreds of thousands of credit or debit cards in a short period of time. Even with the ability to make on-line purchases or transfer funds from victim accounts, there is simply too much information for any one individual to use it in a reasonable time frame.
As a consequence, there is now a burgeoning market in which individuals dispose of the data that they obtain through data breaches and other forms of theft by selling it to others through web forums and Internet Relay Chat (IRC) channels (Chu, Holt, & Ahn, 2010; Dhanjani & Rios, 2008; Franklin, Paxson, Perrig, & Savage, 2007; Herley & Florencio, 2010; Holt & Lampke, 2010; Holz, Engelberth, & Freiling, 2009; Honeynet Research Alliance, 2003; Motoyama, McCoy, Levchenko, Savage, & Voelker, 2011; Thomas & Martin, 2006; Wehinger, 2011). Though these markets are hosted in various countries around the world, many of the most active appear to operate out of Russia and Eastern Europe (Holt, 2013; Peretti, 2009; Symantec, 2012). Regardless of the location, the sales process begins when a seller posts an advertisement for a product or service, including their preferred mode of contact and payment method (Franklin et al., 2007; Holt & Lampke, 2010; Motoyama et al., 2011).
Typically, sellers accept on-line payments through various mechanisms depending on the market, including PayPal, PaySafeCards (Motoyama et al., 2011), e-Gold, Web Money (Franklin et al., 2007; Holt & Lampke, 2010), and other on-line systems. Real-world payments are also accepted by some sellers, though they must commonly be made through MoneyGram or Western Union, established services for the transfer of hard currency transnationally (Holt & Lampke, 2010; Motoyama et al., 2011). Interested buyers contact the seller and negotiate prices and complete transactions outside of the IRC channel or forum, typically through private messaging systems, ICQ, or email in order to help minimize their culpability or overt involvement in criminal exchanges (Franklin et al., 2007; Holt & Lampke, 2010; Motoyama et al., 2011). Though the hidden nature of market exchanges makes it difficult to document the quantity of materials sold, there is substantive research detailing the range of products offered by vendors. These markets primarily facilitate the sale of credit card and bank account information, personal identification numbers (PINs), and supporting customer information obtained through various forms of electronic fraud or theft in batches of tens or hundreds of accounts (Chu et al., 2010; Franklin et al., 2007; Holt & Lampke, 2010; Honeynet Research Alliance, 2003; Thomas & Martin, 2006). Although financial service providers from around the world are compromised, the bulk of stolen data sold in these markets appears to come from the USA, followed by various European nations (Franklin et al., 2007; Holt & Lampke, 2010).
In addition, these markets provide a venue for criminal service providers who offer resources to use illegally acquired information to obtain cash and products. For instance, individuals offer so-called cash-out services, where they may make transfers either from bank accounts to electronic accounts set up by a criminal, or through direct withdrawals at automatic teller machines (ATMs) ...
