Stolen Data Not Fetching Much Cash on Dark Web, Reports Show

By Nora Macaluso

It’s common knowledge that the costs, in time and in money, associated with having one’s personal information stolen can be devastating.

Perhaps what’s surprising is how little that information brings when it’s sold: in many cases, next to nothing, according to companies that track prices on the dark web.

Researchers from the website Privacy Affairs searched the dark web to see what kinds of information was available and how much it costs, compiling the average prices into an index released in July.

Among the report’s findings: A Walmart account with a credit card attached could be purchased for an average of $10; a Wells Fargo bank statement brings, on average, $25, and a U.S. driver’s license of “average quality” went for about $70.

Prices for data on underground markets didn’t change much between 2017 and 2019, risk intelligence firm Flashpoint found in a report from last October.

Prices for “fullz” — full packages of personally identifiable information — were up slightly in the two-year period, though they could fetch as little as $30 apiece, according to the firm.

“With the dark web, ID theft now operates like Walmart and Amazon.”

Howard Dvorkin, Debt.com.

“It’s still unclear what the determinants are for pricing trends within the cybercrime economy,” the Flashpoint report said.

Neither Privacy Affairs nor Flashpoint responded to Digital Privacy News requests for comment.

‘Reputable’ Sellers

The dark web marketplace in many ways mirrors the legitimate internet, with “reputable” sellers attracting business and offering sales and discounts to loyal customers, privacy experts said.

While the big money is in stolen databases with large amounts of information, small-time criminals can profit from the sale of individual accounts, they said.

Identity theft has been around for decades, but in recent years it’s become more pervasive and more efficient, said Howard Dvorkin, chairman of Debt.com.

“With the dark web, ID theft now operates like Walmart and Amazon,” he told Digital Privacy News. “Literally, they’ve borrowed the best practices from some of our most successful retailers.”

Personal data is “cheap because of the sheer volume,” said Mark Lanterman, chief technology officer at Computer Forensic Services, based in Minneapolis. “It really is supply and demand.

“I’ve seen things like credit reports for sale anywhere between $3 and $25,” he said.

Value Influencers

Such factors as a person’s credit rating or hometown may influence the value of the person’s information, analysts said.

“It really is supply and demand.”

Mark Lanterman, Computer Forensic Services.

Once a thief has access to enough information, it’s not hard to fabricate a driver’s license and create an online bank account, then apply for a loan and have the funds wired to that account, they told Digital Privacy News.

It’s possible to make a living through such financial crimes, Lanterman said.

“Criminals higher up on the food chain, they’re more into the bulk sale of the stolen information,” he said.

According to Ray Walsh, a data-privacy expert at ProPrivacy.com: “What we don’t see is a bustling marketplace filled with huge numbers of existing and newly emerging vendors.

“We see the same names selling similar datasets across … marketplaces.”

Ray Walsh, ProPrivacy.com.

“Instead, we see the same names selling similar datasets across all those marketplaces,” he said.

The Flashpoint report said most purveyors of such information are probably resellers, who price their offerings based on supply and demand.

That prices haven’t changed much over the past couple of years “may be an attempt to maintain stability without affecting the demand of fraud-related products and services,” the report said.

Monitoring prices “should provide a temperature check for the cybercrime climate, because a number of listings are catered to the entry-level threat actor,” Flashpoint said.

“Remove some of those breadcrumbs.”

Kim Miller, Porzio Compliance Services.

Consumer Protections

Consumers cannot do much to prevent their personal information from making its way to the “deep web” — the part of the internet not directly discoverable through standard search engines — but they can guard against theft, said experts at Porzio Compliance Services, a unit of the Porzio Bromberg & Newman P.C. law firm.

Freezing credit with the three major companies — Experian, TransUnion, Equifax — will stop 40% to 50% of identity theft, said Kim Miller, Porzio Compliance’s director of investigative intelligence and analysis.

Other tips: Open a post office box instead of using a home address for accounts, and don’t use an email address that contains your name.

“After the horse is out of the barn, it’s a little difficult.”

Jim Mottola, Porzio Compliance Services.

“Less personal identifiers is the goal,” Miller told Digital Privacy News.

“The fraudster cares about the easy target,” she said. “Remove some of those breadcrumbs.”

But it’s important to take steps before information is compromised, added Jim Mottola, the company’s vice president of data privacy, investigations and security.

“After the horse is out of the barn,” he said, “it’s a little difficult.”

Nora Macaluso is a Philadelphia writer.

Sources (all external links):