New research by an American university has revealed the extraordinary profits criminals are making from stealing and selling our financial information.

Criminologist Thomas J Holt at Michigan State University led the first scientific studies into estimating cybercrime profits.

Holt and his fellow researchers analysed online forums where criminals are known to sell stolen financial and personal information, usually in batches of 50 or 100 cards at a time. The buyers then attempt to access victims’ accounts or buy goods or services with the stolen cards. 

The majority of stolen data comes from the USA and Europe.

How they operate

Once the hackers have got your details, they then head to online forums to sell those details on. And it's the crooks buying your info that actually stand to make the biggest profits.

A hacker might sell a batch of 50 to 100 stolen credit or debit cards for anything between $250,000 (£177,584) and $1 million (£710,336). But the buyers can then cash in by using those stolen details to spend wildly.

The study suggested that on average a batch of 50 stolen cards could make the buyer between $2 million (£1.4 million), that’s if only 25% of the cards work, and almost $8 million (£5.7 million) if all of the cards work.

[Related story: Beware of this new type of contactless card fraud]

What the forums look like

The researchers analysed a sample of 1,899 threads from 13 web forums where criminals have been known to sell stolen data. Ten of the websites were primarily in Russian and three were in English.

The images below are an example of how batches of card details are sold on these forums.

Source: Examining the Structure, Organization, and Processes of the International Market for Stolen Data (ncjrs.gov) 

A massive 84.3% of the sampled forums had some sort of stolen data up for sale, with 44.7% of sellers offering other users’ bank account or credit card information or Card Verification Value (CVV) data from cards (34.9%). A tiny 1.4% had electronic data from the likes of eBay and PayPal accounts and a small proportion sold malware and tools to carry out cybercrimes.

Source: Examining the Structure, Organization, and Processes of the International Market for Stolen Data (ncjrs.gov) 

Most individuals communicate through instant messaging on the forums.

It turns out that bank account data from the UK was the least expensive at $4.08 (£2.86) while US data was the most expensive at $5.33 (£3.73).

As well as cards, thieves are selling documents like passports and driving licences.

A typical page looks like normal people posting goods for sale. It even has a positive and negative feedback section, which have just as much bearing on seller reputation as they do on general goods websites.

MasterCard and Visa are at higher risk from hackers, followed by American Express and US bank Discover, according to the research.

Holt argues in the report that regulation of these forums would involve substantive law enforcement. But as it’s a global crime, it makes it difficult for individual authorities to enforce laws on hackers overseas.

[Related story: How to deal with fraudulent emails]

Dangerous complacency

Holt worries that cardholders aren’t seeing data theft for the problem that it is:

“It’s happening so often that average consumers are just getting into the mind-set of, ‘Well, my bank will just re-issue the card, it’s not a problem”. They see it as a nuisance rather than a loss of valuable information.

"If we do not understand the scope of this problem, if we just treat it as a nuisance, then we are going to enable and embolden this as a form of crime that would not stop."

More on scams and how to report them