Even though banks and other financial institutions do a lot to protect their customers from payment card fraud, criminals still find ways around it. The newest research by NordVPN analyzed 6 million stolen payment cards found on the dark web. Two in three cards came bundled with at least some other private information, such as an address, phone number, email address, or even Social Security number (SSN).

As many as 3.5 million (58.1%) analyzed payment cards belonged to Americans, making the U.S. the most affected country globally. Researchers also estimated the average price of American cards on the dark web is $6.86. American payment cards are prone to fraud — according to NordVPN’s card fraud risk index, on a scale from 0 to 1, America’s payment card fraud risk index is 0.79.

“The cards researchers found are just the tip of the iceberg,” said Adrianus Warmenhoven, a cybersecurity advisor at NordVPN. “The information sold alongside these cards makes it much more dangerous. In the past, experts linked payment card fraud to brute-forcing attacks — when a criminal tries to guess a payment card number and CVV to use their victim's card. However, most of the cards we found during our research were sold alongside the email and home addresses of their victims, which are impossible to brute force. We can, therefore, conclude that they were stolen using more sophisticated methods, such as phishing and malware.”

By selling the database analyzed in the research, cybercriminals could earn more than $18.5 million in total. If purchased, these payment card details could net criminals much more than they originally paid for them. 

Two million payment cards for sale included their American owners' home address and telephone number, 1 million cards included email addresses, and around 100,000 cards included their owners’ date of birth and even SSN. 

If a data breach or hack exposes users’ card details as well as their addresses and other personal information, it can lead to identity theft. Once the attacker has obtained the victim’s name, home address, and email address, they may even abuse legal methods (such as using the GDPR’s right to access for more personal information) in furthering the identity theft scheme or committing other malicious activities.

Over half of the 6 million stolen credit card records analyzed came from the U.S., most likely due to its high rates of card penetration, sizable population, and strong economy. However, stolen U.S. cards commanded a comparatively low price ($6.86 as opposed to the $7.01 global average) on dark web marketplaces — the most valued cards (at $11.54 on average) were from Denmark.

Based on their findings, NordVPN researchers have calculated the risks posed by credit card theft and related cyberattacks to residents in 98 countries. Malta, Australia, and New Zealand came at the top of the risk index, with the U.S. closely following in 5th place. 

On the other end of the spectrum, Russia had the lowest risk score, and China was third from last. These findings seem to confirm prevailing hypotheses regarding the location of large-scale hacking operations and the purposeful targeting of Anglo-European countries.

“Few criminals now use brute force to steal payment card information,” said Warmenhoven. “This means that techniques are becoming more sophisticated. However, this also means that informed users have less chance of being affected.”