Cybersecurity experts with STEALTHbits, VASCO Data Security and NuData Security commented below on the recent Dark Web Market Price Index published by VPN ratings service Top10VPN.com’s consumer site “Privacy Central.” The index puts the price of a full online identity at $1,170, while hacked Uber, Airbnb and Netflix accounts go for $10 each, and hacked Grubhub, Walmart and Costco accounts go for between $5 and $10 each.
Ryan Wilk, Vice President of Customer Success at NuData Security:
“Among all the personally identifiable information available on the web, the most valuable one is your complete online identity, as it includes data to access all your online accounts. It’s not surprising that each account, each type of data, or the whole package are sold online as if they were a pair of sneakers. Fraudsters work hard to get that information, and by reselling it, they are increasing its value, just like any other industry would do.”
“To fight this wave of exposed data, many forward-thinking retailers and other major organizations are adopting a multi-layered approach to verifying their users online – such as passive biometrics and behavioral analytics. This approach makes online accounts more secure as they can’t be accessed by bad actors, even if they present the right credentials. Because these technologies don’t rely on static data, they are devaluing it and, ultimately, they can affect the value of stolen data on the dark market.”
“This approach to online verification that uses behavioral data signals to verify a user is allowing companies to avoid account takeover with stolen credentials and focus on their good customers.”
“This report is a good reminder of the importance of having a multi-layered security and also underscores that fraudsters are highly evolved and sophisticated criminal enterprises.”
David Vergara, Director – Security Product Marketing at VASCO Data Security:
“The key take-away from this report is that cybercriminals understand the business of monetizing stolen data along with the related level of effort and ROI. The level of sophistication is increasing rapidly. Phishing emails were once riddled with spelling errors and pop-ups that easily flagged them as unprofessional and suspicious; this is no longer the case as even security-aware individuals are falling prey to more “polished” schemes. Also, the volume of breached data, and number of individuals affected, means individuals should assume their personal information is exposed and proactively check credit reports and, for the strongest defensive measure, freeze credit with all the major credit bureaus. Lastly, consumers should take advantage of multi-factor authentication security when available and businesses should prioritize efforts to deploy this strong security.”
Jonathan Sander, CTO at STEALTHbits Technologies:
“People are often scared of bad guys getting their credit card numbers. The truth is that a small bit of awareness can protect you from nearly any credit card fraud. Most of the risk is actually on your credit card provider – as long as you monitor your bills and raise your hand when there is suspicious activity. If you use one of the higher-end cards, they will do that for you. And you can also hook your credit cards up to services like Apple, Google, or Samsung payments and get alerts for each charge to ensure you see something off color right away.
“The bigger risk in these data black markets is the deadly combination of leaked passwords and lazy users. If someone gets your email password from a black market and you have never changed it, then they can use that “forgot your password” link on the credit card website to take over your account without ever paying a dime for your credit card number. Same for your bank account, Netflix, and just about everything else you use online that’s linked to your email. The bad guys who are really dangerous know that. Luckily, bad guys are about as lazy as the average person – because they are just people, too.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.