A web site that goes by the name of BidenCash Market has posted 2 million credit cards online as a promotional blitz to attract customers. The site operates on both on the dark and clear web, offering credit card data for sale to the public.
The stolen data has been used for fraudulent activities such as identity theft, credit card fraud, and other financial scams.
Cybercriminals refer to this kind of rich data grab as "Fullz," which typically includes an individual's full name, date of birth, social security number, address, phone number, email address, bank account details, credit card information, and other personally identifiable information.
Approximately 30% of the stolen cards are valid, fresh, working credit card numbers. The BidenCash criminal site, which used the free stolen data dump for marketing, is one of the most serious menacing underground data enterprises in the world. The majority of the data breach's victims are Americans, and those affected must take immediate steps to protect themselves from identity theft and fraud. Baber Amin, COO, Veridium, shared just how dangerous credit card data dumps are to end-users and how organizations that process or take credit card data in can mitigate security issues:
"Even the most security aware can have their credit card information compromised and made available. This can happen due to no fault of the individual.
The data dump is not just about credit card information but contains valuable information that can be used for Identity theft. This second part should be a more serious concern, as it can lead to damage to credit score, reputation, and possibly legal issues. The damage from identity theft is long lasting.
On the financial side, the two main points of credit card compromise are point of sale and magecart or online skimming.
EMV or chip cards were supposed to stop point of sale skimming. But because all EMV cards also have a mag stripe, if someone compromises the POS terminal where users are putting in their card, they can skim the information from the magstripe bypassing chip security. Contactless cards aka “Touch and Pay” is thus more secure than even EMV, as the card never needs to be inserted into any device and never leaves the user.
As a merchant, make sure your POS terminals are up to date, especially for areas that are publicly visible, e.g. gas pumps, vending machines, ticket kiosks, etc.
As an end user, always opt to use contactless payment at the point of sale.
Magecart or online skimming is the compromise of online shopping carts and checkout process. Bad actors can inject malware into ill maintained ecommerce sites. Additionally, all the security offered by EMV and contactless cards is nullified, when the user voluntarily enters the CC information at checkout. Not only that, but they also enter information that can be used for Identity Theft, e.g. email address, shipping address, possibly a username and a password, etc. It is important for website administrators to stay up-to-date with their content management system's patches and plugins.
Buying from reputable online vendors is the best option for end users:
If possible, use virtual cards online
Use unique usernames and passwords on each site if you must create an account
If they offer PayPal during checkout, use it, as it creates an indirect level of payment.
A better solution is to use services like Apple Pay and Google Pay, which replace sensitive information with arbitrary tokens (Tokenization).
These services provide a more secure and convenient experience, as they use tokenization to protect sensitive information. Since these tokens disappear after each authorization, they cannot be reused if stolen.
The other advantage of these services is that they work both in person and for online shopping. EMV or chip cards are reduced to the security of the older non chip card when paying online, as there is no chip reader available.”
###