Data-breaches fund low-risk high profit businesses

A report from Europol states that payment card fraud is a low-risk and highly profitable criminal activity that brings EU-based organized crime groups a yearly income of around 1.5 billion euros. These criminal assets can be invested in further developing criminal techniques, used to finance other criminal activities, or even facilitate the start-up of legal businesses.

Payment card data is the ideal illicit Internet commodity, as it is internationally transferable. Europol, in its report on Internet-facilitated organized crime (iOCTA), concluded that organized crime groups (OCGs) clearly benefit from globalization, using foreign payment card data to purchase goods and services online. Credit card information and bank account credentials are the most advertised goods on the underground economy’s servers; according to Europol’s intelligence, around 60 percent of payment card fraud losses, totaling 900 million euros, were caused by card-not-present (CNP) fraud in 2011.

Within the major card-not-present fraud investigations supported by Europol, the main sources of illegal data were data breaches, often facilitated by insiders and malicious software. In most of these cases, the quantity of compromised card details was substantial, reaching hundreds of thousands or millions, and enabling criminals to sell the data in bulk on online.