Going Price for a New Identity: $14 to $18

Symantec monitored the underground trade in confidential personal information, and found credit card numbers sell for as little as $1, while complete identities go for $14 to $18.

A new Security Threat Report (PDF) from software developer Symantec has for the first time attempted to monitor the clandestine online trade in stolen confidential and personal information. The findings show that even cybercriminals face competition, as online organize crime syndicates compete with each other to sell your personal data, driving prices down. Symantec found that the price for stolen U.S.-based credit card data (with verification number) ranged from $1 to $6 each, while the information needed to take over a complete identify (social security number, U.S. bank account, credit card, date of birth, government ID number, etc.) was for sale at prices ranging from $14 to $18.

Overall, Symantec found that online fraud and identity theft schemes are becoming more sophisticated, often taking the form of coordinated attacks combining elements of email spam, malicious code, and phishing. During the second half of 2006, Symantec found that 59 percent of all email the company monitored was spam (note this number is lower than figures reported by Postini and others a similar period), with some 30 percent of that spam being related to the financial services industry (particularly a rise in image-based "pump-and-dump" scams). Symantec also found phishing attacks tend to follow business email practices, increasing on weekdays but backing off in frequency during weekends.

Symantec also found more than 6 million bot-infected computers worldwide during the second half of 2006, which is a 29 percent increase from the company’s previous survey period. The company also found that so-called "underground economy" servers are being used by criminal organizations to sell confidential information, and found that outright theft of a computer or storage device (like a USB key) accounted for more than half (54 percent) of all identity theft-related data breaches. For the firs time, Symantec also tracked the locations of networks generating the most malicious online activity: not surprisingly, the United States led the pack, accounting for the origin of nearly one third (31 percent) of computer attacks. China came in a distant second with 10 percent, and Germany ranked third at 7 percent.