Among the many things I’ve learned from security blogger extraordinaire Brian Krebs is the startling way that banks and credit card issuers uncover big data breaches these days.
When a financial institution sees a fresh wave of fraud reports on its customers' cards, it looks for a merchant that the affected cards have in common (the "common point of purchase"). To obtain more cards and data for that search, legitimate (and I assume regulated) financial institutions actually go onto black market websites and purchase stolen card numbers from the thieves themselves or from the thieves' agents.
For example, in the latest data breach that Krebs investigates, FIs purchased cards on the black market that were advertised with their geolocation and found that the affected cards had all been used at Dairy Queen. They infer from this that at least a portion of the Dairy Queen chain was breached. They then alert the authorities, who in turn alert the retailer.
This is the usual way that most of the recent big retail breaches of customer card data have been discovered.
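As an added illustration of the common point of purchase search described above: the code below is written for this page and is not from Krebs's reporting or from any bank's fraud team. The card IDs, merchant IDs, dates and the breach window are constructed, and the "lift" ranking (how over-represented a merchant is among compromised cards compared with the issuer's whole portfolio) is my own choice for separating the real breach site from a merchant that simply everybody shops at.

```python
"""Common point of purchase (CPP) analysis over a card-transaction log.

Added example for this page, not code from Krebs or any issuer. All
cards, merchants and dates below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed transaction log: (card_id, merchant_id, transaction_date).
TRANSACTIONS = [
    # Five cards used at one Dairy Queen store during the suspected window.
    ("c01", "DQ-store-4412", date(2014, 8, 2)),
    ("c02", "DQ-store-4412", date(2014, 8, 5)),
    ("c03", "DQ-store-4412", date(2014, 8, 9)),
    ("c04", "DQ-store-4412", date(2014, 8, 14)),
    ("c05", "DQ-store-4412", date(2014, 8, 21)),
    # Two more cards at the same store, but outside the window.
    ("c06", "DQ-store-4412", date(2014, 7, 15)),
    ("c07", "DQ-store-4412", date(2014, 9, 3)),
    # A big chain that every card in the portfolio uses.
    *[(f"c{i:02d}", "BigMart-online", date(2014, 8, 1 + i)) for i in range(1, 11)],
    # A gas station visited by one compromised and one clean card.
    ("c03", "GasCorner-77", date(2014, 8, 11)),
    ("c07", "GasCorner-77", date(2014, 8, 12)),
]

# Cards the issuer knows are compromised: fraud reports plus numbers it
# bought from a carding shop and matched to its own BIN range (constructed).
COMPROMISED = {"c01", "c02", "c03", "c04", "c05"}

# Suspected breach window, e.g. the dates the carding shop batch was sold for.
WINDOW_START, WINDOW_END = date(2014, 8, 1), date(2014, 8, 31)
# A deliberately too-wide window, to show how it dilutes the signal.
WIDE_START, WIDE_END = date(2014, 7, 1), date(2014, 9, 30)


def cards_per_merchant(transactions, since, until):
    """Map merchant_id -> set of cards that transacted there in [since, until]."""
    seen = defaultdict(set)
    for card, merchant, when in transactions:
        if since <= when <= until:
            seen[merchant].add(card)
    return seen


def common_point_of_purchase(transactions, compromised, since, until, min_share=0.5):
    """Rank merchants by how over-represented they are among compromised cards.

    share    = fraction of compromised cards seen at the merchant in the window
    baseline = fraction of all active cards seen there in the same window
    lift     = share / baseline; 1.0 means no more than chance
    A merchant everybody uses scores share ~1.0 but lift ~1.0, so ranking on
    lift (then share) keeps it from being mistaken for the breach site.
    Returns a list of (merchant_id, share, lift), best candidate first.
    """
    seen = cards_per_merchant(transactions, since, until)
    all_cards = set().union(*seen.values()) if seen else set()
    results = []
    for merchant, cards in seen.items():
        share = len(cards & compromised) / len(compromised)
        if share < min_share:
            continue  # too few compromised cards touched this merchant
        baseline = len(cards) / len(all_cards)
        results.append((merchant, share, share / baseline))
    results.sort(key=lambda r: (r[2], r[1]), reverse=True)
    return results


def rank_breach_window():
    """Convenience wrapper: run the analysis over the suspected window."""
    return common_point_of_purchase(TRANSACTIONS, COMPROMISED, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for merchant, share, lift in rank_breach_window():
        print(f"{merchant:16s} share={share:.2f} lift={lift:.2f}")
```

Run it and the Dairy Queen store comes out first with every compromised card and a lift of 2.0, while the big chain that every card uses shows the same share but a lift of 1.0; widening the window pulls two clean cards into the Dairy Queen set and drags its lift down toward the noise, which is why the purchased batch's sale dates matter as much as the card numbers.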
1) Aren’t there legal barriers to regulated financial institutions doing business with black market card thieves?
2) Does the presence of large financial institutions in this black market - with persistent demand and deep pockets - actually raise the prices of stolen credit cards, and therefore the incentive for hackers to perpetrate large data breaches?
Update: Brian and other security folks on his site respond to my questions.