While the introduction of computer chips in bank and credit cards has greatly reduced the risk of fraud in other parts of the world, it is still alive and well in the U.S.A. in part due to slow adoption of this technology by banks and merchants. But, even cards with chips are vulnerable if their owners still swipe using the magnetic strip when conducting transactions. A recent study of 26 million stolen credit and debit card records, obtained by a whitehat hacker from an underground market called Brian’s Club, found that 85% of the stolen magnetic stripe data originated from EMV chip-enabled cards.
That finding is one of several documented in Swiped: Analyzing Ground-truth Data of a Marketplace for Stolen Debit and Credit Cards, the first “inside analysis of an underground marketplace for stolen credit and debit cards.” Conducted by a team of researchers led by Dr. Damon McCoy, an assistant professor of computer science and engineering at NYU Tandon, the study reveal that, between 2015 and 2019, this one underground marketplace was able to earn close to $104 million in gross revenue and listed more than 19 million unique card numbers for sale. Almost all of their “inventory” of stolen data was obtained from magnetic stripes swiped during in-person transactions.
In addition to McCoy, the research team included Tobias Lauinger, a postdoctoral researcher, and Ph.D. candidates Maxwell Aliapoulios, Rasika Bhalerao, and Cameron Ballard. The study was featured in a July 29 post on the Krebs on Security Blog. Read the full text of that article here, or a release on the study issued by NYU Tandon here.