France is the European country most affected by the illegal selling of bank card details on the dark web, a new analysis of four million stolen card details has shown.
Virtual private network (VPN) specialist NordVPN analysed the transactions and found that France was the country most affected by the criminal activity.
A VPN enables internet users to hide their network details to mask the location of their computer and improve the privacy of their internet browsing. It can be used to increase your web security, for example when checking bank details or using cards online.
The ‘dark web’ is a section of the internet that does not show up on search engines, and requires a different type of browser (such as Tor) to access it. While it can be used as a benign way to access the internet anonymously, it is notoriously used by criminals for underground activity such as the sale of drugs, weapons and data.
Of the four million bank cards discovered by specialists at NordVPN, more than 150,000 belonged to people in France. This made it the European country in the study most affected by the activity, ahead of the UK, and Germany.
Cybersecurity expert Nicholas Arpagian told FranceInfo: “It's a kind of black market on an international scale. [Users] can quickly profit from the exploitation of this data. Why?
“Because they can get the money in a very short time, and quickly transfer it to a safe place. It is therefore monetisable in an extremely short time."
The average cost of the details of one bank card from France is €15, the study found. The most expensive are those from Hong Kong or the Philippines.
For the estimated four million bank cards stolen, the study found that criminals can make as much as €40million from the resale of this data (on average €10 per card).
Mr Arpagian continued: “Hackers know how to exploit this data. In addition, it can be geo-located, for example, so that cards from this or that country or geographical area are even more valuable, and that's why they're so sought after by hackers."
How to prevent card data theft
Damien Bancal, a journalist specialising in cybersecurity, advised: “You must check your accounts regularly, and take at least five minutes [to check some website details].
“Just as when you are in front of a physical shop window, you look at the prices, you feel the material…
“So on the internet you should consider how long the site has existed, who is behind it, if it is known, if it has a physical address, if there is a telephone number, after-sales service, or a good number of positive reviews.”
He also said:
Beware “too good to be true” promotion prices
Check that the website payment page has a padlock symbol to the left of the browser bar
Check that the page URL starts with ‘https’ rather than just ‘http’, as this offers extra security
Check and change your passwords regularly
Users can also set up two-factor identification, for example, via a payment app, which means you must type in a code sent to your mobile device in order to authorise a transaction.
He said that many banks have “done a lot of work” to secure internet transactions, but that each consumer must take responsibility to avoid “spreading their credit card details everywhere” too.
It comes weeks after warnings of a scam in which fraudsters set up false websites that look similar to recognisable brands, in a bid to trick you into spending money.
Some sites also present themselves as ‘authorised resellers’ of online giants such as Amazon, and pose as sellers of ‘unsold goods’ on the site, at extremely low prices. These are usually a scam.
New authentication security measures
New EU security standards are aiming to improve the safety of online shopping. Under the EU's PSD2 payment services directive, banks and online merchants are now required to deploy a so-called ‘strong customer authentication’ system for electronic payments or sensitive banking transactions.
This will mean two out of three security measures will be required to make online payments using an app on a recognised smartphone.
Customers will receive an authentication notice, either by entering a unique personal identification code into a bank app, or by biometric methods – such as a fingerprint, facial recognition or iris recognition – for suitably equipped mobiles.
“For customers who do not have a smartphone, banks offer alternative solutions such as the use of a one-time SMS coupled with a password known by the customer, or the use of a dedicated physical device,” the EU banking federation said.