The dynamics of the underground marketplace are pretty similar to that of the legitimate marketplace, with cybercriminals demanding and supplying, consolidating and start to work together, and coming up with new monetization approaches in order to continue enjoying the high profit margins of their goods and services. The once highly exclusive market segment of stolen credit card details, is today's commodity market segment trading with a virtual asset that has become so prevalent, that cybercriminals are already bargaining with it.
Taking into consideration the current oversupply of stolen credit card details and E-banking logins aggregated through banker malware botnets, it shouldn't come as a surprise that the price of stolen credit cards with complete owner's details is decreasing. What shapes the price of a stolen credit card, what is the average price of this underground item, and how are the organized vendors of stolen credit card details embracing the Cybercrime-as-a-Service model?
"Credit card numbers fetch only $2 or $3 each on today's market, Dan Clements, head of CardCops, told Forbes.com. "Full profiles," data sets that include a credit card, mother's maiden name, date of birth, social security number and possibly an ATM PIN, command just $10 apiece. Security giant Symantec says that bank accounts, credit cards and full profiles are the top three goods and services offered in the underground economy. Credit card data, they say, can trade for as little as 40 cents a card. By contrast, a decade ago, credit card information commanded as much as $20 to $30 per credit card, Clements says. That makes personal identity data almost a commodity: "They've come down on the curve a little bit, as it seems like more and more hackers and identity thieves have entered the market," he says."
Generalizing the average price for a stolen credit card with complete details for its owner, is a bit of an unrealistic attempt to come up with verifiable evidence that the price is decreasing in general. How come? Basically, due to the nature of the underground marketplace, a potential buyer isn't aware of all the sellers of a particular good or a service, and is therefore doing business with who he perceives as the best vendor offering the best deal. Moreover, sampling different market propositions through the entire 2008, continues to indicate highly varying price ranges for the same item, whose chaotic percentage increases or decreases based on how much they "feel like" charging for the items, is making it harder to estimate the average price.
Anticipating the demand, and looking for more efficient ways to supply, the organized providers of stolen credit cards data have been embracing the Cybercrime-as-a-Service model during the entire year, coming up with do-it-yourself web services for purchasing the credit card details, where they monetize each and every aspect of the business model, by charging extra based on the number of lookups for a particular variable that they're missing. For instance, a sample web based service is charging the following prices for various verification services allowing a cybercriminal to restore the full identity of the credit card own, even through some of the details might be missing :
Mother's Maiden Name ($3) Social Security Number ($3) Date of Birth ($0.5) Mother's Date of Birthday ($1) Driver's License Number ($8) Background Report ($15) Credit Balance Report (25)
Here are the rules for using the value-adding, and extra charging service :
"1. Various lookup options are available (bins, zip, state, city, exp, sex). 2. Possibly to make a special order (rare countries, from 100 cvvs, negotiated price) 3.1 Cvvs can be checked right before sell at customers wish at additional price. 3.2 Invalid replacement in 72 hours time. 3.3 Replacement can be only in case of private checker service shows not APPROVED while check CCNUM+EXP. 3.4 VBS/MCSC can't be changed. 3.5 After 72 hours - ccs can't be replaced. 3.6 Results of checks at some checkers with code 05 DECLINE I do not accept, possible not compatibility of merchant and bank. 4. Cloned/Expired cards are excepted. 5. Service takes care of valid only, not their balance. It's available to sort cvvs by Classic/Gold/Platinum types, not a warranty of high balances. 6. Plz write me as correct as U can, coz sometimes I can't understand Ur slang. 7. Service can deny to process Ur requerst / to deal with You witout explanation of reasons. 8. Seller is not a robot. He needs eat, sleep and live his own life. If I absent for a long time - Im not at the 'party', I have a serious reasons or went to another city/country. 9. For dummies - DO NOT CHANGE comment for WM transfer that I give to U. 10. Time spending online, can be changed, without notify of customers. 11. Not following service rules - can occur putting all consequences to a customer, and probably further black to customer. 12. Not allowed to flood my thread with posts "Where are U", "Why U not online", and "Im waiting for U". As consequence - ignore and U will be denied of service. 13. It is not allowed to intimidate service, to flood services icq / forum thread, to do hysterics. Who wants to solve their problem - can do It quietly. 14. Any service rule can be changed without notifying of customers."
And whereas the price for purchasing stolen credit card details is clearly decreasing in general, the value-added services and verification checks coming with it may gradually increase it in the long term. The bottom line, in a market segment with no indication of a monopolistic vendor of stolen credit cards, someone's stolen credit card is worth as much as the seller feels like charging for it, or based on his current price discount for bulk purchases.