Where Cyber Criminals Buy and Sell Information

We’ve spent much of this week at the RSA security conference. There are around 300 tech-security companies here; most want to tell you how at risk we all are. And, by the way, they have a product that will mitigate that risk. In many cases the threat is theoretical – maybe it exists in a lab or can be prevented with software that most businesses already use. One of the things we’re trying to do is find threats that are real and put them in their proper context.

Here’s one: Hackers steal credit cards and sell them online. Cyber crime is getting specialized: One person writes the malicious computer code, another person uses the code to steal information, someone else buys the stolen information and makes fraudulent purchases. This happens all the time. And it’s blatant.

One company, CardCops, showed us some of the Internet chat rooms where cyber criminals buy and sell this information. They do this even though they know that law enforcement and security companies are watching. It was eye opening. But don’t take our word for it. Here are links to a couple of Web sites where hackers are trading this information every day. (Like everyone at RSA, CardCops isn’t agenda free: It monitors these Web sites for individuals who sign up for its identity-protection service.)

Do you need this service? If you’re an average credit-card holder, probably not. By the time your information hits one of these sites, it’s likely that your credit-card company has already issued you a new card. Even if they haven’t, most card issuers won’t hold individuals responsible for fraudulent charges. If you have a platinum card, you might be more at risk. Sites like this one help hackers identify platinum accounts from the credit-card number. And a motivated hacker might try to open up a new account using a platinum card holder’s information, figuring that person probably has more assets worth looting.