What's your life work to an ID thief?
During 2002, JP Martin decided to analyse every bit of information his company had about its customers. The firm, Canadian Tire, had its own credit card and Martin discovered patterns in his customers' purchases.
Customers who bought carbon monoxide detectors for their houses or felt pads to stop chairs scratching the floor rarely missed a payment, but those who bought chrome skull decorations for their cars were almost certain to fall behind.
Martin's discoveries became the data mining industry, and today almost every bit of data about you is worth money to somebody. How much is personal information worth?
If you ask Tesco, the answer might be £3.8 billion: that's its annual profit before tax, and if it weren't for its Clubcard loyalty programme that figure might be much lower.
Clubcard isn't just about bombarding you with coupons for days out at Legoland: the firm also uses it to decide what it should stock, when it should stock it and where it should put it. As the BBC reports, Clubcard data can even help the firm "work out whether, for instance, the inhabitants of a town objecting to a new store were shopping at another Tesco some miles away."
Tesco isn't the only firm using your data to keep tabs on you. TfL stores details of Oyster card users' trips, credit reference agencies track our transactions, and most of the firms we do business with will cheerfully flog our details if we forgot to tick a tiny little box in an obscure corner of a form.
So where does our data end up, and how much is it worth? Tesco's enormous customer database is a trade secret, closely guarded, but many firms sell on customer data to firms like Data HQ, which promises "precision targeting" of businesses and consumers.
It isn't kidding: available mailing lists include lists of people interested in specific kinds of charities, people who holiday by going camping, people who buy plants and bulbs through mail order, people who have back pain, people who have had an industrial accident within the last two years and so on.
The back pain list has 391,900 entries, and offers "more than 300 selection criteria from age and income to interests and travel through to the preferred newspaper to the value of their quarterly electricity bill."
Expect to pay £130 per 1,000 addresses for a standard mailshot, and another £100 per 1,000 if you'd like a list of phone numbers too.
Eight out of 10 cat owners
The range of available lists is eye-opening. Firms like Consumersketch can tailor lists of contact details to almost any requirement. Prices are per 1,000 records, and start at £110 for basic list rental. Mobile phone numbers are an additional £70, details of ISPs are £40, and extra selections - geographical area, marital status, income bracket, house, favourite newspaper, hobbies, charities, magazine readership and leisure activities - are £50 a pop.
That data is clean, checked and legal, and it's from people who've opted in by completing questionnaires. The value of such data to marketers is clear: being able to target people who belong to particular demographics or who have particular interests means you're less likely to waste your marketing efforts.
For example, if you're selling medical lotions and potions, it makes sense to target people who are suffering from the conditions your products are designed to treat.
Unfortunately, some marketers can be a little bit too greedy in their pursuit of data. In 2009, ITV's Tonight programme found that electronic medical records from some private hospitals were being sold on the underground market for £4 apiece. Of the 116 files purchased by the programme makers, 100 were real - and the records were being sold to unscrupulous medical and pharmaceutical companies keen to target the vulnerable.
As ITV discovered, not all data is circulating with its owners' permission.
Everything counts
If something is protected with a password or PIN, it's going to be worth something to somebody - so how much would the keys to your Facebook account be worth, for example?
The social networking firm would be nothing without its users, so it's reasonable to take its current market valuation - an estimated $55 billion - and divide it by the number of active users, which Facebook says is over 500 million. That would value an individual Facebook account at around $100.
Your Facebook account might be worth $100 in the eyes of potential investors in the company, but it's worth considerably less on the black market. Eddy Willems is a Security Evangelist with G Data Software AG.
"Normal Facebook prices range from $5 to around 10 cents," he says. "If the account includes an email account then it goes up to around $15, but the real money is if you can grab an account from someone famous."
The more connections you have, the more useful your account becomes. "If you can access lots of Facebook friends, you can try to get into those relationships," Willems explains. You can use these relationships to spread malware, or attempt to defraud the real account owner's friends.
McAfee has been tracking the price of social network accounts, and found that a Facebook account with 1,000 friends was worth between $5 and $25, while a World of Warcraft account with a high score could net between $120 and $200. Runescape accounts are worth more still: from $40 to a staggering $1,200.
Supply and demand for stolen data
Prices are hugely variable, as David Emm, senior technology consultant with Kaspersky Lab UK, explains. "Prices for stolen confidential data in the 'dark market' vary depending on the conditions at play in the market," he says.
"In this respect, cybercrime markets are like any other - prices vary depending on supply and demand, the activities of law enforcement agencies and anti-malware vendors, and so on. For example, the prices for stolen online games characters and virtual assets have been falling as the market becomes more saturated."
The more you do, the more your identity is worth. "Overall, my 'value' in the dark market will also depend on the size of my overall online footprint," Emm says. "Do I just bank online? Or do I also shop online frequently? Or do I also socialise using Facebook, Twitter and so on? Even if I do none of these things, I still have value for cybercriminals - they can use my computer to deliver spam, or as part of a distributed denial of service attack on an online organisation."
The rate for that? Just $15 for 10,000 infected PCs. If price is a reflection of supply and demand, the news that the price of off-the-shelf attack kits is falling is deeply worrying.
McAfee's latest Underground Economy report found that some exploit packs - collections of tools that can be used to inject code into websites to intercept data or reroute browsers - were changing hands online for as little as $25. Most tools are more expensive than that, but not by much: most off-the-shelf tools go for a few hundred dollars.
Those tools aren't just affordable - they're very effective. Kevin Bocek is product director with IronKey. "The proliferation of tools available to criminals like Zeus, SpyEye, OddJob, Sunspot and many more to directly harvest details is enabling criminals to immediately monetise their stolen information," he says.
"They may then look to resell this information to other criminals, but the tools have made sophisticated and successful attacks much easier for individual gangs to perpetrate their crimes."
Bulk buys
Most of our information is traded in bulk, with discounts for big purchases and regular customers. McAfee found that 500 Twitter accounts will net $65, while $100 gets you 1,000 MySpace logins and $160 pays for 10,000 AOL logins.
The biggest market is for email addresses, where accounts are traded for tiny sums. One hundred unverified Gmail logins are worth $20, rising to $120 for 1,000 accounts, while verified accounts are worth slightly more: $30 for 100 or $190 for 1,000.
Hotmail accounts are worth considerably less - $150 will net you 10,000 verified Hotmail addresses - and you can pick up 100 Yahoo email addresses for as little as $3. If you're not fussed about which email provider your addresses come from, Eddy Willems suggests that "one million verified email addresses range from around €30 to €250."
McAfee agrees, reporting figures of around $100 for one million addresses, and $1,500 for 32 million addresses. You can pick up email addresses for next to nothing because the amount of information they offer for exploitation is fairly basic.
When it comes to sharing our online information, the real money's in money.
Cloning cards
Your credit card is worth less than you might think. As David Emm explains, "Credit cards could fetch as little as $2 or as much as $50, depending on accompanying data like the CVV number, the available balance on the card and so on."
Prices vary from territory to territory too, so a UK card will command a higher price than a US one, and a central European card will command more still. "The higher the protection, the higher the possibility that you can use the details to gain money and the more it costs," Willems says.
Another reason for the disparity in prices is wealth. "The UK has a lot of wealthy people, and if you compare that with the US there's a real difference."
Stolen credit card details are known online as 'dumps': the information copied from the magnetic strip on the back of your card. A UK dump including your card number, your full name, address, postcode, expiry date and CVV code costs around $4.
McAfee found that US cards with the same accompanying data are sold for $2, Canadian ones $4, Australian ones $7 and European and Asian cards $8. The more information is supplied, the more it costs.
The same card details with associated PayPal logins, bank details, dates of birth and so on command $25 for UK cards, $30 for German and Italian ones and $15 for American ones. A PIN code can treble the value of a card, while the combination of a PIN and a good available balance increases the price of a European Gold credit card from around $45 to $250.
A standard credit card with 'fullz' and 'COB' - that is, a card with all the associated information you need to use that card online and a login you can use to change the shipping/billing address - is around $200 for a US card.
Stolen to order
You can even buy custom data, like logins for a specific bank. That will cost you a $1,000 up-front payment and another $4,000 when the project is ready to go, and the price is already falling.
"Recent advertisements on underground forums are offering $2,000 per bank attack," Kevin Bocek says. "Hundreds or thousands of bank customers can be attacked easily, so the value of individual records is being driven down."
Gerhard Eschelbeck is Chief Technical Officer with Webroot. "Similar to a market economy, prices of online identities are a reflection of supply and demand, and vary from pennies to hundreds of pounds per unit," he explains. "Quality factors like verified-as-still-valid accounts, as well as accessible content (monetary or information) also drive pricing of online identities. The popularity of the application or account is also driving the cost of such stolen identities."
Where things get dangerous is when one account can be used as a key to unlock several others. "Sometimes a low priced identity can also yield access to multiple high priced accounts," Eschelbeck says, "especially if users are using the same password for different services."
It's a similar story with physical documents, as David Emm explains. "Higher prices are fetched for bundles of stolen IDs," he says, describing one market for stolen ID where "a UK passport was offered for €750. With a driving licence the price was €850, and with a licence and a photo ID card it was €950."
Who's sharing your stuff?
"Cybercrime is now a part of global organised crime," Kevin Bocek explains. "Cyber gangs are multi-tier, multi-national organisations."
Eddy Willems agrees. "You'll always have kids trying to steal or create malware, but most ID sharing is big business. You'll have programmers, people actually selling the information - two or three guys selling whatever their malware has intercepted, and even creating websites to sell it. It's a pretty well-organised business, because you can only make money if you're organised."
Thanks to the internet, criminals have a global reach - but they tend to be concentrated in specific areas. "It's more or less the same marketplace where you'll find back-door trojans and things like that," Willems says. "South America is big, and a lot of business is done in Asia now. Selling is mainly done on sites you can find in the USA."
You'll also find significant levels of activity emanating from Russia and Eastern Europe. The latest Symantec Internet Security Threat Report found that the average number of identities exposed in a corporate data breach is a massive 260,000, but even that's tiny compared to the millions of accounts exposed when Sony's PlayStation Network (PSN) was compromised earlier this year.
As Eddy Willems points out, "if you look at the big Sony hack, not only do you have the email addresses, you also have the passwords. If you have enough people, they can try these logins on other sites - Facebook and so on."
Such tactics will continue to be effective as long as most people don't take the security of their online accounts seriously.
"Most people just use one or two passwords," Willems says. "That's the problem - if you look at it carefully, you could try a specific attack on a specific company. We have been very lucky. So far, the people behind the attacks are not too clever, and they haven't gained access to more data. It could be much more dramatic."