The average sale price for a stolen credit card paired with personal information on the cardholder is $15.
“Criminals have a clear incentive to target internet retailers,” says Brett McDowell, executive director of the FIDO [Fast Identity Online] Alliance, an interindustry group aimed at developing specifications for better internet security.
That’s because merchants often keep valuable data on their networks—networks that criminals can, and do, break into to steal information and resell it. There were 3,141 confirmed data breaches last year, according to the Verizon 2016 Data Breach Investigations Report. Of those, 370, or about 12%, were of retailers’ systems, and 182 of these retailers confirmed data was stolen. The report did not track whether the breaches were of retailers’ websites or store networks. The more recent major security breaches, such as Target Corp. in 2013 and The Home Depot Inc. in 2014, involved compromised point-of-sale terminals in stores.
Payment data is the prize that most thieves are seeking when they hack into networks, says Al Pascual, senior vice president and research director for the fraud and security practice at Javelin Strategy & Research. Customer data—email addresses, birth dates, shipping addresses, passwords, etc.—is also valuable. The average sale price for a stolen credit card paired with personally identifiable information, such as the card owner’s billing address, was $15 in 2015, according to Intel Corp.’s McAfee Labs research, or about double the price of the credit card information alone.
Obtaining customer login credentials also can prove fruitful because of consumers’ penchant for using the same usernames and passwords on multiple websites, and e-retailers’ hesitation to apply more stringent authentication methods. Internet retailers “are always fighting to reduce their shopping cart abandonment rates, which historically required them to sacrifice some proven user authentication practices to reduce the number of steps required for a customer to complete a purchase,” McDowell says. Those practices include two-factor authentication, wherein a customer provides two means of verifying his identity such as a password and identifying information that might be the name of their first pet, for example, before allowing the consumer to complete a purchase.
63% of confirmed data breaches (across all industries) in 2015 involved leveraging weak, default or stolen passwords, according to the Verizon investigation report. Once these credentials are in hand, experts say the most common target for their use is to access payment information consumers store with merchants or financial institutions.