The dark web — a network of encrypted websites, invisible to traditional search — provides a safe haven for criminal activity and is a storehouse for compromised credit card data and personal identifying information, or PII.
Over the course of numerous widespread data breaches, the amount of PII available for sale has grown exponentially.
For financial institutions, the dark web has come to represent an ongoing threat. However, shouldn’t FIs keep their friends close and their enemies closer? Can the dark web be used to fight fraud as much as it can be used to carry out fraud?
When it comes to card fraud, merchant breaches are one of the most common methods for a fraudster to steal card data. After a breach, the stolen card information is then sold on the dark web through “carding shops.” In these shops, fraudsters will buy and sell stolen card data.
The nature of cards makes them particularly vulnerable. Unlike digital forms of payment, for example, cards usually take a physical, plastic form — the numbers can’t be changed on a whim in the wake of suspicious activity. Cards are also universally accepted. Fraudsters can easily replicate a card by printing the stolen card information on a magstripe or by using it at almost any online retailer.
According to the Identity Theft Resource Center, 14.2 million credit card numbers were exposed in 2017 — up 88 percent from the year prior. With so much card information available for purchase on the dark web, FIs find themselves susceptible to unacceptably high fraud losses. Further, the cost to reissue cards can also be a burden, again passed on to the FI. And, with the advent of EMV chips, cards have become much more expensive to manufacture.
As card-related fraud losses continue to mount, with more merchant breaches likely in the near future, FIs should consider using the dark web for good — to identify cards and digital identities that have already been exposed. By catching fraud early in the cycle, and acting quickly to stop it, FIs can provide a better experience to their customers and save themselves from potential losses.
At present, FIs have to wait for a bad transaction — stopping it only after the institution has taken a loss — instead of going after card fraud proactively.
By using the dark web as a cybersecurity tool, instead of an ungovernable threat, FIs can intercede and interdict compromised card data post-breach, pre-fraud. If more financial institutions accessed the platform of the enemy, they’d likely be able to better protect their friends (and customers) as well as themselves.
