Cyber crooks have their own economy, and your data’s probably part of it

Consumers, companies need to secure all channels of risk—cloud, mobile, networks

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

There’s no smashed glass or mud­dy foot­prints out­side the win­dow to tell you how cyber crooks broke into your busi­ness.

Maybe they duped you or an employ­ee into click­ing an email link or attach­ment con­tain­ing mal­ware that let intrud­ers access cus­tomer data.

Per­haps an unwit­ting employ­ee brought mal­ware into the work­place on their per­son­al phone or tablet, which was then passed on to the cor­po­rate net­work via the com­pa­ny Wi-Fi.

Mal­ware could even spread from phone to com­pa­ny with­in an instant mes­sag­ing app.

Accord­ing to Pro­fes­sor Alan Wood­ward, a lead­ing cyber­se­cu­ri­ty expert at Sur­rey Uni­ver­si­ty, U.K., and co-author of a new report “Hack­er-nomics: Intro­duc­ing the Dark Web,” some­thing as innocu­ous as using con­sumer instant mes­sen­ger apps like What­sApp or Face­book Mes­sen­ger in the work­place can be a route for covert­ly ex-fil­trat­ing sen­si­tive data.

A whole sup­ply chain has grown up around stolen data, accord­ing to the report. High­ly per­son­al details of ordi­nary cus­tomer lives are sim­ply a com­mod­i­ty to be traf­ficked.

Relat­ed pod­cast: The ghost in the machine: Dark­net evolves as por­tal into hacker’s tar­gets

Sup­plies of per­son­al data are so abun­dant that prices are falling.

In April 2016 it was report­ed U.S cred­it card details—card num­bers, account names and CVV secu­ri­ty digits—were sell­ing on the Dark Web for $21 each. Their val­ue falls quite steeply, and with­in just a few hours they would have fetched even less.

Like­wise, active accounts for the taxi ser­vice Uber report­ed­ly sold in bun­dles of 100 accounts for $54.

And when the hack­er sup­pos­ed­ly behind the breach of mil­lions of Twit­ter and LinkedIn account details was inter­viewed by Wired mag­a­zine, he or she revealed that only about $15,000 was paid for each batch.

Com­plete dossiers of infor­ma­tion, cov­er­ing names, address­es, Nation­al Insur­ance details, as well as finan­cial records—known as “fullz”—fetch a bit more.

These are gath­ered by consolidators—intermediaries in the sup­ply chain—who assem­ble pieces of hacked data into more com­plete records.

Con­sol­ida­tors oper­ate in a legal gray area—exploiting cross-bor­der data pro­tec­tion dif­fer­ences. Indeed, only about 100 coun­tries have any form of data pro­tec­tion laws at all.

Even the price of ful­lz is falling, Wood­ward says, down from $50 each to $10–15 in recent years.

So who are the peo­ple buy­ing the stolen data on the Dark Web? Crim­i­nals look­ing to prof­it from what’s been stolen are the final link in the sup­ply chain. They either approach the vic­tim ask­ing for a ran­som to be paid, or they sim­ply try to make fraud­u­lent trans­ac­tions and bank trans­fers from the com­pro­mised accounts. By one esti­mate, the return on invest­ment of acquir­ing stolen data is 1,425 per­cent.

To the hack­er, a vic­tim is just a statistic—one in a hun­dred, thou­sand or mil­lion com­pro­mised records. But indi­vid­ual cus­tomers whose data is com­pro­mised feel the intru­sion into their lives deeply. As ret­ri­bu­tion, they will expect the enter­prise to pay dear­ly for let­ting any breach take place.

The chal­lenge for enter­prise is to lock down all sources of risk—network, cloud and mobile.

That means edu­cat­ing staff about the dan­gers of click­ing sus­pi­cious links, and it means tak­ing a holis­tic approach to cyber­se­cu­ri­ty.

If Bring Your Own Device (BYOD) is bring­ing clear busi­ness ben­e­fits, then con­sid­er adopt­ing a busi­ness-ori­ent­ed app for team col­lab­o­ra­tion that has secu­ri­ty baked-in. For the last word on man­ag­ing the risks we return to Pro­fes­sor Wood­ward. His advice for enter­prise: Check every­thing; use sys­tems to spot sus­pi­cious behav­ior in real-time; and equip IT oper­a­tives to take pre­ven­ta­tive action.

More sto­ries relat­ed to data secu­ri­ty:
Despite height­ened aware­ness, most firms lack cyber risk man­age­ment strat­e­gy
Under­writ­ers, InfoS­ec offi­cers must close gap on risk man­age­ment

Com­pa­nies should assess their risk pro­file, align it to a secu­ri­ty solu­tion