NewsBite

Fraud watch: why your credit card number is selling for as little as 1c on the Dark Web

Everything from your credit card details to your Netflix account and your porn site log-ins could be for sale on the dark web. But one Aussie bank has taken extraordinary steps to fight back.

Your credit card details could be sold for as little as one cent on the dark web, snapped up in bundles of up to 100,000 at a time by criminal gangs who hack and trade them as a hobby.

But if you wield a credit card with a high limit or more of your details have been hacked, your personal information could be highly prized and traded.

The credit criminals, who steal more than $478 million from Australian consumers each year, are just some of the underworld industries investigated by Australian banks, telecommunications, insurance and tech companies every day in secret, unpublicised operational sites around the country.

News Corp gained exclusive access to the cyber security lab of the Commonwealth Bank, where this new criminal industry is hunted, threats shut down, and security experts try to make it “as expensive as possible” to defraud consumers.

Located in an unsigned office building on the outskirts of Sydney’s Central Business District, the centre is protected by two security checkpoints and features banks of computers, a videoconferencing facility, and a strategy room.

Experts in intelligence gathering, computer forensics, engineering, cyber security and cyber crime staff the facility, Commonwealth Bank Cyber Security Centre general manager Brendan Hopper said, and they were often at the forefront of attacks worldwide as “Australia is frequently an early target”.

CommBank Cyber Security Centre general manager Brendan Hopper at the CommBank Offices in Sydney. Picture: Tim Hunter

Mr Hopper said in addition to ongoing threats from malware, targeted business attacks, and fraud attempts in phone calls and SMS messages, large stashes of Australians’ information were being sold on the Dark Web, including thousands of credit card numbers traded by highly organised, professional gangs.

The first tier of criminals steals “millions of credit card numbers and breaks them into blocks of 100,000” for sale, he said, while the next tier tests them with small transactions and sells them in smaller batches.

“When they’re good to go, a block of 1000 credit cards might be sold for $5 a card,” Mr Hopper said. “So even though they can do $1 million worth of fraud, they might pay just $5000 for that block.”

Customers at the end of the transaction could be ripped off for hundreds of dollars at a time.

But some stolen credit card details attracted even higher prices on the Dark Web, Mr Hopper warned, as some credit cards with no upper limits could be identified simply by their merchant code.

“It’s a business, but it’s also a hobby for some people,” he said. “The credit card fraud scene is filled with a whole series of people with banker skills.”

The CommBank’s cyber security team used tools to “trawl” the Dark Web for stolen credentials, he said, but also hired “cyber intel specialists” who had hacked criminals’ accounts to unlock access to sensitive information.

CommBank digital general manager Peter Steel said proactively “hunting for big batches” of hacked credentials allowed the bank to shut down accounts before money could be stolen.

“We’re at the front of the threat curve, searching the Dark Web for evidence of breaches,” he said.

“It’s scary. They’re getting more sophisticated and more organised. It’s an ongoing arms race between the defenders and the attackers.”

But Mr Steel said the bank regularly swapped information on fraud attempts with other Australian and overseas banks, technology firms, telecommunications and insurance companies, as well as the Australian Cyber Security Centre.

And it’s not just credit card numbers traded on the dark web — everything from Netflix and Spotify accounts to bank account and PayPal details is up for sale and, according to Darkest Web author Eileen Ormsby, often commands a higher price than credit card accounts.

“There’s a big market for premium porn site logins, for example,” she said. “They’re sold for about $5 each because the people who have those details are unlikely to complain to anybody about it.”

Health records and even land valuation details were also available for sale among criminals, she warned, and could be used to target individuals.

“If someone rings you, especially unexpectedly, do not give them any information over the phone, even if they seem to know a lot about you,” she warned.

Mr Hopper said to avoid becoming a victim, Australians should create strong passwords, avoid reusing them across multiple sites, and should opt for the most secure login option.

“Banks all require multi-factor authentication for the important actions but you should always turn it on,” he said. “That’s my top recommendation.”

TOP TIPS TO AVOID DARK WEB HACKS

— Create new passwords for every online account

— Use a password manager to keep track of them all

— Turn on two-factor authentication when it’s available

— Don’t reply to unsolicited phone calls, SMS or email messages from institutions

— Report unusual transactions as soon as you see them

Original URL: https://www.adelaidenow.com.au/technology/fraud-watch-why-your-credit-card-number-is-selling-for-as-little-as-1c-on-the-dark-web/news-story/cf3abd3436727de5b05338a89d4ef705