13:07, 29 Sep 2016
Credit and debit card details stolen from 100,000 Britons are available for sale on a new criminal internet market that is said to be the largest and most brazen of its kind.
The banking details of more than a million people worldwide can be bought for as little as £1.67 from the illegal website, which has been operating in plain sight on the internet rather than on the “dark web”, where much online criminality takes place.
An investigation by The Times has revealed the existence of the website and uncovered private information stolen from a former senior adviser to the Queen as well as from doctors, lawyers, bankers and other professionals.
The site, called Bestvalid.cc (http://bestvalid.cc/session), appears to have been operating with impunity since at least June last year, suggesting that it has either flown under the radar of police across the world or they have been unable to shut it down.
The revelations provide further evidence that law enforcers are being routed in the fight against online fraud, which is believed to cost Britain’s economy at least £27 billion a year.
Keith Vaz, chairman of the home affairs select committee, said it was deeply disturbing that the site had been allowed to trade online. It could be funding terrorism and organised crime, he said, and should have been taken down by the security services already.
“The National Crime Agency must act immediately to get this site closed,” he said. “I will be writing to the NCA to bring this issue to their attention.”
The website resembles an authentic online retailer, with a customer helpdesk and refunds for faulty products. It sells stolen card numbers in packages that often contain additional sensitive information about an individual. Some packages include the maiden name of the victim’s mother, a common answer to online banking security questions.
With her permission, a reporter bought the stolen information of one of the site’s victims using bitcoin, the digital currency that is almost impossible to trace. The package included her debit card number, security code, expiry date, mobile phone number and postal address.
The victim, Laia Humbert-Vidan, 30, a radiotherapy physicist from London, said that she felt shocked and violated after seeing her private details appear on screen. “I don’t feel like the police are able to protect anyone from online fraud,” she said. “If they were, these types of sites would not exist in the first place.”
Fears are growing that cybercriminals are doing a roaring trade in hacked information on the dark web, a hidden part of the internet that can be accessed only with a special internet browser.
TalkTalk and Carphone Warehouse are among several British businesses that have fallen victim to hacking in recent months, leading to the loss of hundreds of thousands of private records. Some have surfaced on criminal dark web markets. However, Bestvalid is on the open web, which means that it can be accessed in seconds with a standard web browser, such as Google Chrome or Apple Safari.
Daniel Cuthbert, an information security expert, said that Bestvalid was by far the biggest site of its kind that he had seen in recent years. “Most illegal card emporiums are on the dark web, or they require a customer to be vetted or pay a fee to enter,” Mr Cuthbert, chief operating officer of Sensepost, said. “What’s interesting about Bestvalid is that they’ve decided to operate on the open web . . . It’s completely brazen.”
The NCA refused to confirm whether it had begun an inquiry because it does not comment on individual sites.
The cost of cybercrime to the British economy is difficult to assess because many frauds are thought to go unreported. The government has estimated £27 billion a year, while the Centre for Economics and Business Research has put the figure at £34 billion a year for businesses alone.
The scale of online fraud is understated partly because individuals are unaware that they have fallen victim or are too embarrassed to admit it. Businesses, including banks, are believed to be loath to degrade trust by revealing the true extent of fraud.
The hack of Carphone Warehouse, which came to light in August last year, led to the loss of about 90,000 customer credit card records. At one point the mobile phone retailer warned that 2.4 million of its customers’ records had been compromised.
TalkTalk admitted in October last year that hackers had stolen the private information of 157,000 of its four million customers. The broadband provider said that no card details were taken. A 15-year-old boy was arrested in Co Antrim, Northern Ireland, in connection with the breach. Four men from England and Wales were also arrested. All five men remain on bail.
An NCA spokesman said: “The NCA, alongside UK and international law enforcement partners and the private sector, are working to identify and, as appropriate, disrupt websites selling compromised card data. We will work closely with partners of the newly established Home Office Joint Fraud Task Force to strengthen the response. This may include the provision of information to the appropriate authorities of countries hosting the server. As part of a prevention approach, alerts to financial institutions providing the details of compromised cards will be considered.”
Source: The Times