Bank details of 100,000 Britons for sale on internet

Banking details stolen from more than a million people worldwide can be bought from an website on the open internet, rather than on the "dark web", for as little as £1.67

By Patrick Sawer and Patricksawer 13 February 2016 • 9:28am

bank card — The website contains private information stolen from a former senior adviser to the Queen as well as from lawyers, bankers, doctors and other professionals. Credit: Photo: Alamy

Criminals are selling the stolen credit and debit card details of 100,000 Britons on the internet in new market said to be “the largest and most brazen of its kind”.

For as little as £1.67 banking details stolen from more than a million people worldwide can be bought from the website on the open internet, rather than on the "dark web", where much online criminality takes place, it is being claimed.

The website contains private information stolen from a former senior adviser to the Queen as well as from lawyers, bankers, doctors and other professionals.

According to an investigation by The Times the site, called Bestvalid.cc, appears to have been operating openly since at least June last year.

This suggests it has either flown under the radar of law enforcement agencies across the world or they have not been been able to shut it down.

The revelations will raise new fears that police are losing the fight against online fraud, which is estimated to cost Britain's economy at least £27 billion a year.

Keith Vaz, chairman of the home affairs select committee, said he feared the site could be funding terrorism and organised crime and it was deeply disturbing that the site had been allowed to trade online.

"The National Crime Agency must act immediately to get this site closed. I will be writing to the NCA to bring this issue to their attention,” he said.

Bestvalid.cc looks like any normal online retailer and even has a customer helpdesk and refunds for faulty products.

It sells stolen card numbers in bundles that frequently contain additional sensitive information. Some packages include the maiden name of the victim's mother, a common answer to online banking security questions.

A Times reporter bought the stolen information of one of the site's victims, with her permission, using bitcoin, the digital currency that is almost impossible to trace.

The package included the victim’s debit card number, security code, expiry date, mobile phone number and postal address.

The victim, Laia Humbert-Vidan, 30, a radiotherapy physicist from London, said that she felt violated after seeing her private details appear onscreen.

She said: "I don't feel like the police are able to protect anyone from online fraud. If they were, these types of sites would not exist in the first place."

There are increasing fears that cybercriminals profiting from hacked information on the dark web, a hidden part of the internet that can be accessed only with a special internet browser.

In recent months several British businesses, including TalkTalk and Carphone Warehouse, have fallen victim to hacking, with the loss of hundreds of thousands of private records. Some have surfaced on criminal dark web markets.

However, Bestvalid is on the open web, which means that it can be accessed in seconds with a standardweb browser, such as Google Chrome or Apple Safari.

Daniel Cuthbert, an information security expert, said it is by far the biggest site of its kind that he has come across in recent years.

Mr Cuthbert, chief operating officer of Sensepost, said: "Most illegal card emporiums are on the darkweb, or they require a customer to be vetted or pay a fee to enter. What's interesting about Bestvalid is that they've decided to operate on the open web. It's completely brazen."

"What's interesting about Bestvalid is that they've decided to operate on the open web. It's completely brazen"

Daniel Cuthbert, chief operating officer of Sensepost

The NCA refused to confirm whether it had begun an inquiry as it does not comment on individual sites.

The government has estimated cybercrime costs the British economy £27 billion a year, while the Centre for Economics and Business Research has put the figure at £34 billion a year for businesses alone.

However many frauds are thought to go unreported, making the scale of its impact harder to estimate.

Banks refusing to repay card fraud victims based on 'a hunch'

Businesses, including banks, are reluctant to undermine trust by revealing the true extent of fraud, while in some cases individuals are not aware they have of falling victim or are too embarrassed to admit it.

The hack of Carphone Warehouse, which came to light in August last year, led to the loss of about 90,000 customer credit card records.

TalkTalk admitted in October last year that hackers had stolen the private information of 157,000 of its four million customers, although it said no card details were taken.

"As part of a prevention approach, alerts to financial institutions providing the details of compromised cards will be considered"

NCA spokesman

A15-year-old boy was arrested in Co Antrim, Northern Ireland, in connection with the breach. Four men from England and Wales were also arrested. All five men remain on bail.

An NCA spokesman said: "The NCA, alongside UK and international law enforcement partners and the private sector, are working to identify and, as appropriate, disrupt websites selling compromised card data. We will work closely with partners of the newly established Home Office Joint Fraud Task Force to strengthen the response.

“This may include the provision of information to the appropriate authorities of countries hosting the server. As part of a prevention approach, alerts to financial institutions providing the details of compromised cards will be considered."