BreachExchange mailing list archives

The Underground Economy of Data Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 18 Jun 2014 19:17:44 -0600

http://www.forbes.com/sites/frontline/2014/06/18/the-underground-economy-of-data-breaches/

Data breaches, such as the massive payment card breaches at Target and
Neiman Marcus, are some of the costliest crimes on the Internet. The Target
breach has already cost the CEO and CIO their jobs and the financial costs
may reach as much as $18 billion once all is said and done. These costs
stem from a variety of sources such as replacing customer credit cards,
credit monitoring for victims, lost business, declining stock prices,
lawsuits and fines. On average these costs amount to around $200 per
compromised record. When such a breach occurs, the natural instinct is to
analyze the breach itself. How was it orchestrated? Where was the critical
weakness and how can we make sure it doesn’t happen again? All sensible
questions, but they are not the only ones.

Unlike the victims, whose pain and costs are locked in at the time of the
theft, the profit to criminals is largely determined well after the theft
based on how well they can navigate the criminal underground. This is
important because the skills needed to infiltrate a network and steal data
are very different from the skills needed to turn stolen data into cash.
The former requires technical skills, while the latter requires connections
to organized crime or the criminal underground. Much like in the physical
world, just because someone can steal an item does not mean that they can
fence it. Given that criminal profit depends on monetizing stolen data, it
is just as important to understand this process as it is to understand how
the breach occurred in the first place.

The Life of a Stolen Credit Card Number

Stolen payment card data is a highly perishable asset, as banks and
consumers will rush to deactivate cards as soon as a breach is recognized.
As such, criminals are often in a race against the clock to extract as much
money as possible as quickly as possible. For Target, the thieves had
merely a few weeks to use stolen credit card data before Target customers
rushed to call and cancel their bank cards. Brian Krebs, who first broke
the news of the Target breach, was able to show the quickly diminishing value
of cards that were observed in the breach. His analysis showed that in the
two months following the disclosure of the breach, the advertised price of
the exposed cards had dropped by as much as 70 percent. As a result, the
monetization of stolen card data tends to happen very fast. So how do
criminals convert stolen data into cash?

First, the card data is sold in bulk to other criminal outfits in a complex
underground economy, often on websites or forums exclusively for
cybercriminals. Once the data is passed on, the next owners can either use
it for themselves, or resell again in smaller batches. In this phase of
selling and reselling of card data, a variety of factors will influence the
price. From experience, one of the most important factors is the percentage
of cards that are still valid. This is typically determined through a
process called “carding”. Carding services represent yet another layer of
the criminal food chain focused on determining if stolen cards are still
active. These carders will take a batch of stolen credit cards and attempt
to use them to make small low-value purchases to verify the card works
without raising suspicion. Additionally, the more a criminal knows about
the owner of a stolen card, the more valuable the card is. For example, if
you know where the victim lives and where the card is typically used, then
the card is more valuable because the criminal can then use the card in a
way that will blend in with a victim’s normal buying behavior.

Eventually, the card data ends up in the hands of a group that uses the
cards to directly commit fraud. To do so, the gang uses the card data to
create physical payment cards that can be used to make purchases in stores.
Armed with these stolen cards, the outfit employs individuals who use them
to buy goods that are easily resold and hard to trace, such as gift cards
or popular consumer electronics. Once those goods are sold, the fraud of
the card is complete and the value of the card is realized. All of the
intermediate reselling of card data in the supply chain hinges on this
process ultimately being completed.

The Feedback Loop of Underground Markets

Sophisticated organized crime rings will often control all phases of the
supply chain for stolen credit cards, and as a result, can maximize the
profit from the crime. But quite often, these hackers may have the
technical background to steal the data but no sales skills to actually sell
it.

These attackers have to resort to selling their data anonymously on
underground forums where trust is very hard to come by. Microsoft
researchers analyzed these underground markets in terms of them being
“markets for lemons”. This term refers to markets where sellers have much
better information about the quality of a good than the potential buyer,
like when selling a used car. In the case of underground markets for
payment card data, buyers have very little insight into whether or not the
cards are valid, and have even less recourse if they are scammed.

This lack of trust, combined with the need to sell card data quickly, leads
to stolen data being heavily discounted and used primarily by the less
sophisticated criminals who have no other options. The research also
proposed that security companies have unintentionally driven even more
criminals into this lower tier of the criminal market by sensationalizing
and overestimating the actual profits of data theft. This has the potential
to create a staggeringly expensive feedback loop of cybercrime.

And of course, the cost to the victims remains high regardless of the
profit achieved by the criminal. Unfortunately, as more and more
opportunistic criminals enter the market, card breaches could begin to look
less like an Ocean’s 11 style of heist, and more like opportunistic vandals
who are willing to burn down your home in order to steal the copper
plumbing inside.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
