Debit and credit card details stolen from almost 85,000 unsuspecting Brits are available to buy online in a “brazen” criminal database.
For a $20 (£14) registration fee, anyone can access the numbers, expiration dates and names on more than a million cards around the world, alongside the names, addresses and even phone numbers of their owners.
The existence of Bestvalid.cc was first revealed by The Times, who alerted the National Crime Agency and MPs, but it was still online on Saturday.
After registering with a gibberish username and password, the Independent was able to access the database within minutes.
The website looks like any other business, complete with a FAQs page, rules, terms of service and “news”, although its products are far from normal.
Users can choose cards by country, bank, name, expiration date, city and even postcode for minuscule prices that “correspond to the material quality” (sic), according to the website.
A quick scan of the countries on offer included nations as diverse as the US, China, Greece, Argentina, India, Taiwan, Denmark, the Bahamas, Australia and Zimbabwe.
A search for the United Kingdom revealed 84,570 results - 78,318 debit, 6,239 credit and a handful of charge cards.
Barclays, Nationwide and Natwest were among the popular banks listed in packages of stolen information mostly costing between $7 (£5) and $9 (£6) each.
The Times found details belonging to a former senior adviser to the Queen as well as from doctors, lawyers, bankers and other professionals on the database.
With the permission of one of the victims, Laia Humbert-Vidan, the newspaper purchased her stolen information using bitcoin.
The radiotherapy physicist, from London, said that she felt violated after seeing her private details appear on Bestvalid.
“I don’t feel like the police are able to protect anyone from online fraud,” she added. “If they were, these types of sites would not exist in the first place.”
The website is believed to have been operating since June last year, despite the Government’s continuing fight against online fraud and investigations into the Carphone Warehouse and TalkTalk hacks, which have seen five suspects arrested so far.
The .cc domain is the country code for the Cocos Islands, an Australian territory in the Indian Ocean with just 600 inhabitants. It is reportedly used by several cycling clubs and by Catholic and Christian churches because of the letters' associations, as well as in the contested "Turkish Republic of Northern Cyprus".
Daniel Cuthbert, the chief operating officer of information security firm Sensepost, told The Times that Bestvalid was one of the biggest sites of its kind.
“Most illegal card emporiums are on the dark web, or they require a customer to be vetted or pay a fee to enter,” he added.
“What’s interesting about Bestvalid is that they’ve decided to operate on the open web…It’s completely brazen.”
A spokesperson for the NCA, which is responsible for fighting cyber crime and fraud in the UK, told the Independent he could not confirm whether the site was under investigation.
“The NCA, alongside UK and international law enforcement partners and the private sector, are working to identify and as appropriate disrupt websites selling compromised card data,” he said.
“We will work closely with partners of the newly established Home Office Joint Fraud Task Force to strengthen the response.
“This may include the provision of information to the appropriate authorities of countries hosting the server.
“As part of a prevention approach, alerts to financial institutions providing the details of compromised cards will be considered.”
Anyone who believes they are a victim should report it to Action Fraud via its website.