With more and more people using the Internet either to purchase items or to conduct financial transactions, an underground economy has emerged trading in stolen personal data.
In an attempt to quantify this underground economy, Symantec has compiled a study, called the Report on the Underground Economy.
According to the findings, the online underground economy has matured into an efficient, global marketplace in which stolen goods and fraud-related services are regularly bought and sold.
Symantec estimates that the total value of advertised stolen goods - that is, things like credit card details and bank account numbers and passwords - came to more than US$276 million between July 1, 2007 and June 30, 2008.
The Asia-Pacific including Japan (APJ) region accounted for roughly 12 per cent of this total, with Australia and South Korea among the top 10 countries globally that hosted underground economy servers.
Speaking to BizIT, Symantec GM for Singapore and Indonesia Darric Hor noted that while US$276 million may not look like a big figure, if the actual use of the (stolen) goods were taken into account, such as maxing out credit cards and cashing out bank accounts, the value would be much higher.
'The potential worth of all credit cards advertised in the underground economy during this reporting period was calculated to be around US$5.3 billion and the worth of all bank accounts advertised on the underground economy servers was estimated at US$1.7 billion,' Mr Hor said.
He added that these figures are indicative of the value of the underground economy and the potential worth of the market globally, including Asia.
'Due to the borderless nature of the Internet, the goods may be advertised on underground economy servers worldwide, which may not actually correspond to the physical location of the goods or the sellers.'
The report is derived from data gathered by Symantec's Security Technology and Response (STAR) organisation, from underground economy servers between July 1, 2007 and June 30, 2008.
Mr Hor noted that the high demand for bank account credentials during this reporting period (18 per cent of all advertised goods) could be due to the ease with which this information can be used to withdraw hard currency.
'Using wire transfers or services offered by cashiers, compromised financial accounts can be relatively easily cashed out online to secure and untraceable locations - sometimes in less than 15 minutes.'
Mr Hor noted that another possible reason for the popularity of bank accounts - both for sale and requested - is that some wire transfer companies, online payment services, and online currency services do not accept credit cards as forms of payment, and prefer that clients use bank transfers to fund their online accounts.
He added that credit card numbers accompanied by CVV2 numbers were the second most commonly advertised item, accounting for 16 per cent of all advertised goods. 'Many online site merchants require the CVV2 number as part of their authorisation process, and the number of sites requiring this authentication is increasing.'
He added that CVV2 numbers are not encoded in the magnetic strip of credit cards, nor permitted to be stored with credit card numbers in any database by merchants or agents.
'Thus, credit card numbers with their corresponding CVV2 numbers are especially attractive for fraud, which could explain their popularity as a requested good on underground economy servers.'
Mr Hor noted that another contributing factor to the popularity of credit card information is that it is typically sold in bulk packages on underground economy servers. 'Not only do advertisers offer discounts for bulk purchases or throw in free numbers with larger purchases, but having an extensive list of cards enables individuals to quickly try a new number if a card number does not work or is suspended.'
Mr Hor noted that attackers commonly use SQL (Structured Query Language) injection attack tools to harvest confidential information.
SQL injection is a type of security vulnerability that typically affects Web applications by exploiting improper input validation in database queries. 'A successful exploit will allow attackers to access, modify, or delete information on the database,' Mr Hor said.
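The flaw described above, shown next to its fix, as an added example that is not from the Symantec report or the article. The table, customer names and card placeholders are constructed; the table has no CVV2 column, in line with the storage rule mentioned earlier.

```python
import re
import sqlite3

# Constructed tampered input: the quote characters change the query's structure.
TAMPERED = "x' OR '1'='1"

def make_db():
    """In-memory store of constructed card-on-file records (no CVV2 column)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (customer TEXT, pan_token TEXT)")
    db.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("alice", "PAN-PLACEHOLDER-1"),
         ("bob", "PAN-PLACEHOLDER-2"),
         ("carol", "PAN-PLACEHOLDER-3")],
    )
    return db

def lookup_vulnerable(db, customer):
    # Weak form: input is pasted into the SQL text, so it is parsed as SQL.
    query = ("SELECT customer, pan_token FROM cards "
             "WHERE customer = '" + customer + "'")
    return db.execute(query).fetchall()

def lookup_parameterized(db, customer):
    # Hardened form: input is bound as a value; the query structure is fixed.
    return db.execute(
        "SELECT customer, pan_token FROM cards WHERE customer = ?",
        (customer,),
    ).fetchall()

def is_valid_customer(customer):
    # Allow-list validation as a second layer (assumed naming rule).
    return re.fullmatch(r"[a-z0-9_]{1,32}", customer) is not None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, TAMPERED))
    print("parameterized:", lookup_parameterized(db, TAMPERED))
    print("passes validation:", is_valid_customer(TAMPERED))
```

With the concatenated query, one tampered lookup returns every stored record; with the bound parameter the same input matches no customer.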
The Symantec official noted that the value of fraudulent information is tied to factors such as the credit limit, in the case of credit cards, and the amount of money in financial accounts.
'Credit cards with higher limits and bank accounts with larger balances mean bigger gains for cyber criminals.'
He added that there is no way to track buyers of such information as they tend to act fast and are cautious of how they use this fraudulent information.
'Users of fraudulent credit card information will try to raise as little suspicion as possible in order to get the maximum use of the card, especially since credit card issuers routinely monitor the card transactions of their clients, looking out for unusual spending patterns, locations and/or amounts as part of their security practices.'
For example, with card-present transactions, suspicious activities such as consecutive purchases from more than one country will quickly alert the credit card issuer to potential fraud or theft and the card will be suspended, Mr Hor noted.
'However, this is more difficult to monitor for online stores that have no geographical boundaries, and the same credit card number can be used from multiple locations by multiple people with less likelihood of being detected immediately.
'Although many major online stores have adopted added security features such as online authentication services and billing address checks, there are still many smaller merchants that may not be taking such security precautions online,' the Symantec official added.
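The issuer-side check on consecutive card-present purchases described above can be sketched as follows. This is an added example, not code from Symantec or any card issuer; the transaction records, field layout and six-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample transactions: (card_token, ISO timestamp, country, channel)
SAMPLE = [
    ("card-A", "2008-11-01T09:00:00", "SG", "card_present"),
    ("card-A", "2008-11-01T09:40:00", "AU", "card_present"),
    ("card-B", "2008-11-01T10:00:00", "SG", "card_present"),
    ("card-B", "2008-11-03T12:00:00", "KR", "card_present"),
    ("card-C", "2008-11-01T11:00:00", "SG", "online"),
    ("card-C", "2008-11-01T11:05:00", "AU", "online"),
]

def flag_multi_country(transactions, window=timedelta(hours=6)):
    """Flag consecutive card-present purchases on one card that occur in
    different countries within `window` (assumed threshold)."""
    last_seen = {}   # card_token -> (timestamp, country) of previous purchase
    alerts = []
    # ISO timestamps sort chronologically as strings, so sort by (card, time).
    for card, ts, country, channel in sorted(transactions,
                                             key=lambda t: (t[0], t[1])):
        if channel != "card_present":
            # This rule does not cover online orders, which is the
            # monitoring gap the article points out.
            continue
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(card)
        if prev and prev[1] != country and when - prev[0] <= window:
            alerts.append((card, prev[1], country, when - prev[0]))
        last_seen[card] = (when, country)
    return alerts

if __name__ == "__main__":
    for card, first, second, gap in flag_multi_country(SAMPLE):
        print(f"{card}: {first} -> {second} within {gap}")
```

In the sample, card-A is flagged, card-B is not because the purchases are two days apart, and card-C's online orders never reach the rule.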
This story was first published in The Business Times on 27 November 2008.