Nearly 10 per cent of the 4.5 million sets of stolen payment card details offered for sale on sections of the dark web were fraudulently obtained in Hong Kong, according to a new cybersecurity report.
The research by Panama-based internet security firm NordVPN ranked the city third out of the 140 places analysed last month for the prevalence of stolen credit and debit card data advertised on the black market, with 399,537 instances recorded.
Stolen details originating from Hong Kong and the Philippines commanded the highest price per card of almost US$20, the study found.
NordVPN’s chief technology officer, Marijus Briedis, said that Hong Kong’s status as a “densely populated key financial centre” made it a popular target for criminals.
“There’s a disproportionately high number of cards available [in Hong Kong] considering the population size, so there’s a much higher chance of any given card being on the [dark web] databases,” he said.
The United States topped the list with 1,561,739 sets of stolen card data up for sale, followed by Australia with 419,806, both of which have far bigger populations than Hong Kong’s 7.5 million.
The study published on Wednesday analysed 20 databases on the dark web offering a total of 4,478,908 sets of stolen details for sale.
Briedis said 99 per cent of the stolen card details from Hong Kong involved non-refundable types, reflecting many residents’ preference for such cards compared with the rest of the world.
Hackers might target places with more non-refundable cards given their owners were not allowed to be reimbursed by card issuers for the scammed or stolen money.
But he said that tendency did not mean that Hong Kong’s card security was poor.
“If a user’s bank has a multi-factor authentication, fraud detection or other AI-based [artificial intelligence] security measures in place – he can stay protected even if the card was ‘brute-forced’,” he said, referring to the use of computers to crack passcodes.
Researchers also calculated so-called risk indexes, reflecting how likely it is that payment card details from particular places will end up on the dark web. Risk factors include the per capita figure for cards from a jurisdiction already on the databases, how many cards are in use there, and the proportion of those that are non-refundable.
Hong Kong was found to be at most risk with a score of one, followed by Australia and New Zealand. The risk index is graded from zero to one, the latter being the most severe.
More than half of all the stolen Hong Kong credit cards were issued by Visa, followed by Mastercard and then American Express.
Explaining how hackers used computers to guess passcodes, he said: “First it tries 000000, then 000001, then 000002, and so on until it gets it right.
“Being a computer, it can make thousands of guesses a second. After a hacker has successfully brute-forced a card number they put it on a dark web for sell for other criminals to buy and misuse them.”
The research also showed that the average selling price of card details from Hong Kong is US$19.84, higher than the overall average of US$9.7.
Briedis said: “This is probably linked to the perceptions of Hong Kong’s financial connection that make it seems like you would get a better return on the cards.”
He said there was an upwards trend of payment card details being put on the dark web since 2014, adding the 20 databases featured in the study were only the tip of the iceberg.
“The answer is that hackers can easily make a lot of money,” he said. “Even if a card costs only US$10 on average, a hacker can make US$40 million by selling a single database, like the one that we analysed.”
Briedis suggested that cardholders keep track of any irregular transactions in their banking statements.
“Nobody is safe from it. The cards are brute-forced, the technology hackers use to do it is only getting better. So it is very important for users to keep track of their statements regularly,” he said.
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, suggested that locals possessing a large number of credit cards might be behind the city’s high ranking in the study.
He warned that some shopping websites did not provide “3D Secure” authentication, which offered an extra verification step before customers made their payments.
The Hong Kong Monetary Authority said it required banks to implement a “robust fraud monitoring mechanism” to spot suspicious credit card activity promptly and validate transactions with the cardholder before payment authorisation.
“For card-not-present transactions, banks are required to send timely notifications to customers to enable them to detect unauthorised transactions on a timely basis,” its spokesman said.
“Generally speaking, if cardholders have not acted fraudulently or with gross negligence, they will not be liable for losses arising from unauthorised transactions.”