By Darren Guccione, Co-founder and CEO of Keeper Security
By now most everyone is aware that failing to properly password-protect access to sensitive digital materials can have severe consequences. The damage of having one’s identity stolen or having personal financial or health records purloined can take months or years to repair.
But just what is the value of stolen data on the digital black market today? How is this data passed from hackers who steal it to fraudsters who can make your life miserable?
The answer to the first question of the value of stolen data is, surprisingly, “not as much as you might think,” as we’ll see. That’s good news and bad news. The good news, for fraudsters, is that they can get more stolen data for less money. The bad news, for victims of data theft, is that more fraudsters have access to more stolen data at ever-cheaper prices. And the reason there is so much stolen data available is that hackers simply do not have a difficult time stealing it.
Where is stolen data sold?
But first, it’s important to understand how and where your stolen data is resold. It happens in a part of the World Wide Web called the dark web. Accessed only by using special software that hides the identity of visitors, the dark web is a vast marketplace for anything and everything illegal. Much of it looks very familiar, like any other e-commerce site. Sellers often have ratings given by previous buyers. You can even purchase software to set up your own hacking business. Payments to sellers are arranged using bitcoin, a digital currency that all but assures buyers and sellers remain anonymous.
Once you are in this illicit emporium and you have some bitcoin, buying stolen identities or access to bank accounts is easy. Let’s take stolen credit cards, for example. As when buying anything else online, buyers specify the type of card (Amex, Visa, etc.); the CVV, or three-digit code on the back of the card; whether they want associated login and password information; names; expiration dates; credit score; Social Security numbers; mother’s maiden name; credit limits; date of birth; specific geographies of usage; and so on. The cost per card varies with the information the buyer wants. Click “buy now,” download your stolen goods, and off you go.
What does stolen data cost to buy?
How much do these cards cost on the dark web? Prices vary widely and also fluctuate with the supply of stolen cards. So if there were a major hack resulting in the compromise of 10 million cards, the price could plummet if the hackers flood the market. But generally speaking (and these figures are derived from a number of publicly available sources), the cost of stolen credit card data is roughly $13-$21, or the bitcoin equivalent thereof. These prices tend to be higher for stolen European Union, Canadian and Australian credit cards. Buyers pay the most for cards with so-called “fullzinfo” or just plain “fullz” – meaning the stolen record has a very complete set of information about the cardholder.
But as detailed in a groundbreaking report by McAfee on the market for stolen digital information, credit and debit cards are not necessarily the usual target of hackers and fraudsters today. Increasingly the targets are password-protected online payment service accounts. Unlike credit cards, where the cost per card is determined by the different factors the buyer selects, the cost of this stolen data is related largely to the balances in the online accounts.
As you might expect, the price for bank login credentials is another matter. They can be had for as little as $100 for access to accounts with $2,000 or less. Or they can cost upwards of $1,000 for access to accounts with $15,000 or more.
A strong market for stolen health information
Both credit card and bank access data have a shelf life, which ends abruptly once the victims discover they’ve been hacked. But there is another record of digital identity that has more permanent information, and that is any kind of personal health information or PHI, including the very valuable electronic medical records or EMR. These contain highly sensitive information about an individual’s health history. And as such, they can be used to blackmail individuals; to publicly humiliate certain people; to undertake massive insurance fraud with fake claims; and to create many other forms of chaos and harm to victims.
As with other stolen digital data, the cost of such health records is subject to the same supply-demand dynamics as any other traded goods. According to Michael Ash, associate partner of Security Strategy Risk & Compliance at IBM, a stolen EMR can fetch up to $350 on the dark web.
However, because a large number of such records have been stolen recently and then dumped onto the dark web for sale, prices have dropped, according to recent research. Also, law enforcement authorities have stepped up efforts to locate and apprehend both buyers and sellers of this highly personal health information, which has spooked some buyers. Thus recently, some EMRs have been purchased for as little as $100 apiece. But as mentioned, this is a highly dynamic market in which prices of stolen digital data will vary over time, often wildly.
In any case, the incentives for stealing this data and then selling it to the highest bidders will remain in place for the foreseeable future. Perhaps the single best defense for individuals seeking to protect these assets remains high-quality, virtually bullet-proof passwords, and the right password “hygiene” that ensures passwords are changed often. In this regard, it is wise to consider a free password manager to take all the guesswork out of password management, so you can stop the hackers cold.