One of the web’s largest marketplaces for stolen card data has been hacked, leading to the theft, for the second time over, of more than 26 million cards.
A source shared the news with security researcher Brian Krebs, whose name and likeness have been used for years by the administrators of the online BriansClub store.
It is claimed that the trove includes credit and debit card details stolen from bricks-and-mortar retailers from the past four years, including eight million uploaded so far in 2019.
The binary data could allow hackers to create fake magstripe cards with which to fraudulently purchase goods in stores. Although the roll-out of EMV is intended to put an end to this practice, there are still enough merchants and cardholders using the legacy cards to make such forums a going concern.
In fact, Krebs calculated that with cardholder losses estimated at $500 per card, BriansClub could have generated as much as $4 billion in losses from the roughly nine million cards it has sold to fraudsters since 2015.
Tim Mackey, principal security strategist at Synopsys, argued that whether you’re running a global enterprise, a small business or an underground carding forum, there are several shared cybersecurity truths.
“First, the attackers define the rules of the attack and the best you can do is defend against their actions. Second, the only data ever taken is data available for the taking. When designing your data collection and storage procedures, it’s critical to look at all data operations through the lens of what would happen if there was absolutely nothing preventing your biggest competitor or worst enemy from downloading that data,” he explained.
“Is all the data appropriately encrypted? Are all access attempts audited? Is modification controlled? For these questions, and many more, the next question becomes one of ‘how,’ and it’s how you approach these questions and their answers which distinguishes a successful cybersecurity initiative from one likely to make the news for the wrong reasons.”