It is not clear whether any data stolen from CardSystems Solutions, the payment processor reported on Friday to have exposed 40 million credit card accounts to possible theft, has entered this black market.
But law enforcement officials and security experts say it is a safe bet that the data will eventually be peddled at sites like iaaca.com - its very name a swaggering shorthand for International Association for the Advancement of Criminal Activity.
For despite years of security improvements and tougher, more coordinated law enforcement efforts, the information that criminals siphon - credit card and bank account numbers, and whole buckets of raw consumer information - is boldly hawked on the Internet.
The data's value arises from its ready conversion into online purchases, counterfeit card manufacture, or more elaborate identity-theft schemes.
The Federal Trade Commission estimates that roughly 10 million Americans have their personal information pilfered and misused in some way or another every year, costing consumers $5 billion and businesses $48 billion annually.
"The story that needs to be told is the larger, long-term threat to the American financial industry.
Every day, at sites like iaaca.com and carderportal.org, pseudonymous vendors do business in an arcane slurry of acronyms.
Typically, a peddler of cobs is offering fresh bank or credit card accounts, along with the ability to change the billing address through a pilfered PIN.
"That way you have a full 30 days" before the victim is likely to look over his account again, explained one frank tutorial collected by the F.B.I.
A user going by the name "mindtrip" had cobs for sale recently: "I'm selling cobs from at this time only banks Discover and American Express t'ill further notice," he wrote in brusque English.