So your financial information is being bought and sold on the internet. Now what?

Hackers are threatening to release the financial data of 90,000 BMO and Simplii customers. It isn't an isolated case. A growing online black market for personal information that has flourished in recent years. And once your financial information is out there, there's not a whole lot you can do.

If BMO and Simplii customer data is posted online, there's not much you can do but trust them to sort it out

A growing online black market for personal information has flourished in recent years. In some cases, fraudsters fit ATMs and gas pumps with cleverly disguised hardware to clone or skim customers' cards. In other cases, they never need to leave home. (Ryan Remiorz/The Canadian Press)

Malicious hackers claimed to have breached the security of two major Canadian banks this week — and then threatened to release the financial information of 90,000 customers if their million-dollar ransom demand wasn't met.

Whether the threat is real isn't clear (sample customer data released so far appears to be). Either way, customers generally aren't on the hook for fraud. 

But if the data was to be released, it would join a growing online black market for personal information that has flourished in recent years. Hacks and breaches are on the rise.

And once your financial information is out there, there's not a whole lot you can do.

"Consumers at an individual level don't have a lot of options," says Danny Rogers, the chief executive of Baltimore-based Terbium Labs, which monitors online markets for stolen data. The company includes financial institutions among its clients. 

You can certainly ask for new cards and change your passwords and PINs. But beyond that, you have to trust that your bank or credit card company has your back.

Premium pricing for premium cards

It's hard to say exactly how many forums and marketplaces cater to fraudsters online. Such sites tend to keep a low profile, with some accessible only via invite or hidden on the dark web. Rogers estimates about three to four dozen online fraud markets specialize in the sale of stolen payment card data alone.

Stolen credit card and bank account credentials can be priced as low as a few dollars each. They get more expensive depending on the type of card (for example, prepaid versus American Express), the issuing bank, the cardholder's location, the card or account's transfer limit, and how the information was obtained in the first place (some methods produce more reliable access to stolen funds than others). 

Premium cards that have been verified to work and have not yet been disabled are often worth about $20 each, according to cybercrime experts.

BMO warned customers this week that 'fraudsters' from outside Canada may have accessed certain personal and financial information of some of its customers. The bank says that it was contacted on Sunday by a person or group claiming to be in possession of certain data for a 'limited number of customers.' (Nathan Denette/The Canadian Press)

The U.S. Federal Trade Commission (FTC) recently found that in some cases, it took as little as nine minutes for users of one online fraud market to try and use fake credentials the agency posted to the market's website.

"The identity thieves tried to use our fake consumers' credit cards to pay for all sorts of things, including clothing, games, online dating memberships and pizza," the consumer protection agency found.

It's easier to steal than launder

Where does the data come from in the first place? 

In some cases, fraudsters install data-stealing malware on the credit card and debit readers that customers use to pay in retail stores. Others fit ATMs and gas pumps with cleverly disguised hardware designed to clone or skim your card.

Working online, fraudsters look for weak spots in computer systems that let them pull financial data — what the person or group claiming to have breached BMO and Simplii say they did. They also trick users into handing over the credentials themselves on phishing websites or by installing malicious software.

If that sounds like a lot of work, remember that the payout can be big. In one case, the cybersecurity firm FireEye found a cybercrime group they called FIN6 had listed nearly 20 million credit cards for sale in an online forum for $21 apiece. If even a fraction of those cards were sold at that price, it could easily add up to millions of dollars in revenue. 

Roman Sannikov, director of European research and analysis at the cybersecurity company Flashpoint, said that one fraudulent card shop his company has been tracking has released more than 10 million new credit cards since last December. They culled from U.S., Canada, and elsewhere.

But using that data is another matter. It can be easier to steal financial data than launder it.

"Even when actors do have access to your credit card information, it's still not always easy to perpetrate fraud," Sannikov says.

A detective with the New York City Police Department uses a detection device that indicates if a credit card reader has been compromised at a New York convenience store on April 18, 2018. The device is under development by the Florida Institute for Cybersecurity Research. (Mark Lennihan/The Associated Press)

In fact, experts say that financial institutions sometimes wait for evidence that a card has been abused before they act, rather than inconvenience customers by prematurely closing their cards.

"What that means is that the user now has to be more vigilant, and they do have to check their credit card statements more regularly," Roman says.

The 'go-to' way to make illegal money

Experts generally agree that the problem is getting worse, not better.

Rogers described so-called card shops as "go-to ways of making money illegally because they're just so ephemeral, so easy to execute, and you don't have to leave your basement." 

He pointed to the 2014 hack of Yahoo, in which criminals used their access to more than 500 million accounts in part to dig up credit card numbers and banking credentials. 

Law enforcement have had some success shutting down some notorious, high-profile markets, such as Alpha Bay, Hansa, and Silk Road.

But once data has been leaked, it's often packaged and resold, meaning it may just turn up somewhere else again later.

Bank hack: What’s at risk

CBC News

3 years ago
Why financial breaches are so worrying. 1:26

Terbium Labs has taken a proactive approach. It scours online markets for newly posted financial data so that its clients aren't waiting for fraudsters to figure out how to successfully use a stolen card before they disable it.

"Our goal is these carding markets don't work anymore because none of the cards that are up for sale actually do anything," Rogers says.

"I don't know if we'll ever get there, but that's at least what we're shooting for."


Matthew Braga

Senior Technology Reporter

Matthew Braga was the senior technology reporter for CBC News, where he covered stories about how data is collected, used, and shared.