BreachExchange mailing list archives

What Is Your Customer Data Worth?


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 4 Nov 2015 19:48:31 -0600

http://www.darkreading.com/partner-perspectives/intel/what-is-your-customer-data-worth/a/d-id/1322990

Personal data about you, me, and, most importantly, your customers is being
openly sold via online marketplaces. Stolen data has become a mature
commodity market, not unlike oil or metals, with supply-driven price
fluctuations, different qualities of product, and a range of values and
scarcities. This market has expanded far beyond credit card numbers,
mirroring the growth of big data in legitimate organizations.

We recently published a report titled The Hidden Data Economy
<http://www.mcafee.com/us/resources/reports/rp-hidden-data-economy.pdf>,
detailing key types of information that are available and how much they
cost. Since you cannot trust criminals, some of these marketplaces may be
scams or may be using reputable brand names to perpetrate a different type
of fraud, but that does not reduce the overall impression of a vibrant
cybercrime economy.

Credit card numbers and other payment information are the most common
stolen data, with the lowest price point and widest range of values.
Large-scale thefts, the increasing use of chip-and-PIN cards, and rapid response
from credit card companies have driven down the value of basic card
information. After a big data breach floods the market with new numbers,
they may go for only a few dollars each.

However, add in some additional data and the price goes up quickly. Combine
payment card information with date of birth, which is a common fraud
prevention question, and the value jumps to $15 in the US and about $30 in
other major countries. Add in the billing address and the username and
password for the account, and the price goes up to between $30 and $45.
Many options are available for the discerning criminal, including issuing
bank, country, available balance, maximum withdrawal limit, and usability
at an ATM, store, or online.

*The Stolen Data Value Chain*

Credit card numbers are the base metal of stolen data markets -- widely
available but not worth that much without additional info. Moving up the
value chain are account login credentials for payment accounts or banking
services, which appear to be priced based on the balance in the account.
For less than 5% of the account balance, you can purchase login information
for an online payment account. More valuable are full banking services,
especially those with the ability to transfer funds to US banks, which sell
for about 8% of the balance. Some sellers offer replacements if the
purchased account no longer has the advertised balance, while others rely
on reputation rankings, purchase feedback, and other common tools of online
shopping to reassure customers.

High demand and automated theft operations have made the market for premium
content account information attractive and apparently profitable. Whether
you want to read some comic books ($0.55), watch online video (up to $1),
get access to premium cable channels ($7.50), or watch live professional
sports ($15), stolen login credentials are readily available. In an ironic
twist, you can even buy stolen credentials to Dark Web markets.

Rare and more specific are logins for individual companies, open
vulnerabilities to valuable systems at banks and airlines, access to
industrial machines or critical infrastructure, and even stolen enterprise
datasets. Just like rare art or jewels, this type of stolen data does not
typically carry a direct price tag; instead, value is negotiated between
the buyer and seller. Also like stolen art, the prospect of commissioned
thefts is probably not very far away, if it is not here already.

With such a significant number of data breaches making headlines over the
last two years, it’s not surprising to see so much consumer data for sale.
But the wide variety of data and related profit-making schemes never cease
to surprise those of us monitoring the Dark Web on an ongoing basis. Beyond
the aforementioned stolen data types, you can also find personal
identities, social media access, email accounts, medical information, and
much more.

I know from direct conversations with organizations that there is quite a
bit of apathy on the subject of cybercrime. Even today, after all the
headlines, cybercrime still seems intangible. Too many of us still fail to
realize cybercrime is simply the digital evolution of crime, and given the
widespread apathy, the emergence of an increasingly established hidden data
economy is the destination at which we are bound to arrive. It’s a constant
and important reminder for those of us committed to making our connected
world safe for our connected lives.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
