By the time you get a text, email or other alert from your credit card company that your credit card may have been used for criminal or fraudulent activity, the criminals have probably already bought gas, groceries or other goods illegally with it.
Whether the card’s data was stolen from you personally, online through the bank or through a data breach at a store you visited months ago, chances are the thieves have already used the card for a shopping spree or have sold it to other cyber criminals.
You can still have the fraudulent charges reversed and have a replacement card issued with a new account number, but don’t think that your data has just vanished into the Internet never to be seen again.
Thinking about getting a new credit card? Check our hand-picked selection of 2015’s best.
What thieves do with stolen data
Credit card thieves have a few things they can do with stolen credit card information. The first is to add the data to their stockpile and sit on it. They may wait months before using it so you won’t yet suspect that your data has been stolen.
Credit card data thieves have used sites like Pastebin to discretely share stolen information with others.They can also sell a group of credit card numbers to other criminals in cybercrime forums. Buyers can resell them, use the data at online retailers or print fake plastic cards to use at stores. The goods they buy can be resold for cash.
To check if a card is still valid, thieves will try to use them for small purchases without raising suspicion.
A card can become more valuable if identifying information is sold with it, such as a cardholder’s address, so that the criminal can use the card at stores in the cardholder’s area and the illegal purchases will blend in with the victim’s normal buying behavior.
Other identifying information that could be valuable are a victim’s Social Security number, date of birth, mother’s maiden name and purchasing behaviors, such as if you routinely use the card at Target or a specific store in your area.
How quickly is stolen data sold?
An experiment conducted by IT security firm BitGlass earlier this year revealed the dark web where stolen cards are sold was slow, but not as slow as stores were in reporting the thefts.
BitGlass created a file with 1,568 fake profiles that had names, phone numbers, addresses, Social Security numbers and credit card numbers. The file had a hidden watermark that would report back to BitGlass every time the file was opened. It dropped the file onto a public Dropbox account and posted it to some cybercrime forums and waited to see what happened.
The company didn’t have to wait long, though it might be longer than you’d think. The fake data received only 200 views in the first eight days, but then in the next four days, it received another 800 views, adding up to 1,081 views in 22 countries. Hackers in Russia and Nigeria were regular visitors.
Those 12 days it took to get the information in the hands of criminals are less than how long it takes companies to report data breaches. In 2013, Target took 24 days to report that credit card data it had was stolen. A Home Depot breach went undetected for almost four months last year, and PF Chang’s took 10 months after credit card data was stolen.
The value of stolen data drops quickly once a breach is reported, so criminals have an incentive to act fast with stolen data. An analysis by security expert Brian Krebs found that in the two months after Target reported its breach, the advertised price of the stolen cards had dropped by as much as 70 percent.
The bottom line
Even if you’ve changed credit cards and your stolen card can’t be used anymore because it isn’t valid, any identifying information that was stolen with the card may still be available for sale online.
What to do then? Monitor your credit and never forget that your personal information may still be floating around for a criminal to attempt to use.
If your credit has taken a hit due to identity theft, you may want to contact a credit repair firm to help make sure your profile is in tip-top shape.
Editorial Note: Opinions expressed here are the author's alone, not those of any bank, credit card issuer, airline or hotel chain, and have not been reviewed, approved or otherwise endorsed by any of these entities.