Once the stolen data is posted online, the information is used in as little as 9 minutes after being posted
Over a three-week period earlier this year, the FTC traced what happens when hacked personal information is released online. Using made-up names, emails, passwords and some form of money – credit card, Bitcoin, payment account, the data was posted on 2 different dates and watched to see what would happen.
The first time it was tested, it took 90 minutes for the fake credentials to be used. The second time, it took 9 minutes for the first set of data to be used.
The FTC noted two types of thieves: 1) thieves who are after credit cards to resell them and 2) thieves who use credit cards to make big purchases.
Thanks to the Equifax breach of 145 million people’s records alone last September (2017), thieves have a treasure trove of new data to work with. Many other data breaches have augmented this mountain of stolen data.
It’s not just adults whose identities are being stolen. Even more sought after are children’s identities, and a recent trend that’s being marketed is infant’s details, such as social security numbers, birth dates, mother’s maiden names, etc. Sometimes fake names are attached to social security numbers. “Baby data” sells for $300 in bitcoin. The slang for complete sets of people’s personal information is "fullz."
The lure of this data is a clean credit history that can be used to get credit cards or large loans like mortgages. Also attractive to the thieves of infant’s and children’s data is how long the theft can go undetected – years, if not a decade or more can pass before the child is old enough to even become aware of what’s happened and that their identity has been hijacked for years. The rate of child identity theft is 51 times that of adults.
The dark web is the place to buy such information, using the Tor web browser, dedicated to the anonymity that supports this kind of criminal activity. Believe it or not, thieves can actually take classes to learn how to carry about identity theft and other cybercrimes. For example, a six-week program is taught in Russia with lectures on finding credit card data and hacking Pay Pal. A technique called “carding” is taught, which is the stealing and using of card payment information. A security firm found 5 instructors were teaching the class. The class goes for six weeks and comes with actual curriculum and training materials. Would-be criminals pay $945 for the class, including lectures, instructor chats, and materials.
It’s important to note that in the experiment test to see how long it took for credit card data to be grabbed and used, fake accounts requiring two-factor authentication were not breached by identity thieves. Two-factor authentication is a fairly robust means of identifying a true user, which is why many businesses, banks, stores, etc., have adopted it. The process often includes the step of sending a temporary additional passcode to the true owner’s phone that must be entered as confirmation of the real owner’s identity before access to the user’s private account is granted. (Should an owner’s phone be stolen as well, then risks increase.)
As good as it may be for additional authentication to be a useful security measure, far better still is avoiding data from being stolen and placed for sale on the dark web in the first place. Avoiding the massive data breaches we’ve seen in recent months – Equifax, HBO, Uber, Yahoo, Amazon Web Services, Deloitte and more – is far preferred than managing the crisis after the fact.
Virsec believes a completely different approach is needed for true proactive security, in order to change the current reactive, hindsight approaches used by so many of today’s solutions – completely ineffectively. Virsec changes the security game with an approach that would have stopped every one of the data breaches listed above and is also able to stop advanced persistent threats like the ransomware types of threats we’ve seen in attacks like Wannacry and Petya. Watch this 3-minute video to learn more.
And for the many, if not most, of us who likely have data already out there on the dark web, this guide offers steps to safeguarding personal and business information.
Identity thieves used stolen data 9 minutes after it was posted online
Cybercriminals can take a class on stealing credit cards
Cybercriminals claim to be selling the Social Security numbers of babies on the dark web