Growth in stolen bank data pushes prices down

gallery

Criminals trying to sell on stolen or otherwise compromised financial data such as bank account details or credit card numbers have become victims of their own success.

Data thieves are having to slash the price of stolen financial data in order to sell it on, as the market for such information has become flooded following data thefts such as the ones reported at TK Maxx and Cotton Traders, pushing down the value of working stolen card and account data.

Researchers for security firm Finjan claim the high volumes traded had led to bank and credit card information becoming "commoditised" - account details with PIN codes that once fetched £50 or more each might now go for £5 or £10.

In its latest quarterly survey of web trends, the company said cybercrime had evolved into "a major shadow economy ruled by business rules and logic that closely mimics the legitimate business world".

The company said that new types of stolen data were now commanding a premium, such as healthcare data that can be used for insurance fraud or to acquire prescription drugs.

Other premium data includes business information, company personnel files and intercepted commercial emails.

The Finjan report, partly based on contacts the company established with five groups trading online in stolen data, described a Mafia-type cybercrime hierarchy in which bosses operate as business entrepreneurs and typically leave the actual online attacks to underlings.

An 'underboss', or second-in-command, provides the Trojan infiltration software for launching attacks. The workforce that carries these out is paid according to the rate of infections achieved and the country of origin of the infected computers.

'Resellers' then trade the hacked financial data, in the same way that a criminal 'fence' disposes of stolen goods.

In online exchanges with resellers, Finjan researchers were offered a menu of stolen data, with platinum, gold and corporate card details commanding the highest prices.

Sellers promised the data was "fresh" and one even offered a 48-hour guarantee to supply new details if those originally bought were rejected by payment systems as stolen cards.

"It's like in the regular business world. When you buy a good and it doesn't work, you go back and you want to replace it," Finjan's chief technology officer Yuval Ben-Itzhak said.

"It indicates a competitive environment...They need to build reputation, they want to show they're providing high quality data for your money so you can go back and buy from them rather than go to the other groups."

Ben-Itzhak predicted banks, which until now have shouldered the burden of compensating people whose data are hacked, would seek to put some of the onus for security back on the customer.

Email to a friend

Print this page