Consumers have become desensitized to hearing about large-scale data breaches when the news breaks. It has become an almost weekly occurrence, to the point where it is impossible to keep up. On one hand, the constant media cycles have helped raise awareness among consumers to be more vigilant about their personal information. On the other hand, most consumers are probably not inclined to take action, such as changing their passwords, because they would be doing so every week. I’m lucky if I find the time to log in to my various accounts and pay my bills before the due date, never mind having to stay on top of which of my accounts could potentially be targeted for account takeover. That is, unless something like an unauthorized charge happens to show up on your bank or credit card statement.
So what actually happens to the information stolen in a data breach? How is it used, what does it sell for and what are the most lucrative types of data to cybercriminals?
When caches of data are breached (most often email addresses, usernames and passwords), they likely make their way to a storefront in the black market, where they are sold in bulk or as individual accounts. There are hundreds of these stores across various fraud forums, and they look like any other legitimate e-commerce website one would visit, complete with a virtual shopping cart and checkout process. However, the stolen credential trade is not limited to the dark web. It is also a thriving business operating in plain sight across most social media platforms.
Some fraudsters actually buy stolen credentials in bulk and then take the time to check the validity of account credentials across multiple websites with the help of automated tools. This practice is often referred to as credential stuffing. Relying on the fact that most consumers reuse the same username and password combination across multiple sites, fraudsters are able to gain access to other accounts the victim may hold. These “verified” accounts can then be sold at a premium price.
Other factors affecting the price of stolen credentials are the consumer brand, type of good or service, and whether there is a payment card saved on file.
Even an organization that was not itself the target of a data breach can still suffer the consequences and financial losses associated with account takeover, because credentials stolen elsewhere are reused against its accounts. Some recent cyber attacks demonstrate this risk.
RSA conducted extensive research across some of the most popular dark web stores to learn more about the average selling price of stolen credentials across various types of consumer accounts and which ones are most lucrative. Here is what we found.
Retail (major retailers, fashion, entertainment, home goods, auto): $0.20 - $6.00
Social (social media, email, dating sites, instant messaging): $1.00 - $10.00
Hospitality (airlines, hotels and travel): $0.70 - $10.50
Financial (bank accounts, money transfer services, credit cards): $0.50 - $15.50
Technology (telecommunications, mobile devices and electronics, business services): $0.40 - $4.50
When we look at the breakdown by category, retail accounts are by far the most abundant, representing 51% of all stolen credentials for sale.
The most popular specific type of stolen credentials is e-commerce accounts, which represent 18% of accounts for sale and include most major online retailers selling a variety of goods and services. These are followed closely by fashion and business services accounts, as well as telecommunications and entertainment accounts. Reward points accounts represent 4% on their own; however, airline and hospitality accounts are often tied to reward points, so rewards points accounts more likely represent 13% of stolen credentials for sale.
With holiday shopping season in full swing, there are a few simple tips organizations can employ to prevent financial losses and protect their customers.
Use infinite factors to determine identity
Data breaches have proven time and again how vulnerable static data is as a form of identity proofing. In today’s interconnected world, every trace of metadata we leave behind in our digital footprint can be leveraged as a better means to “know your customer.” Think about what you are doing today to validate your customers’ identities and what other attributes you could leverage to improve identity assurance. It could be the use of SMS text, biometrics or transaction signing, or even the way a customer navigates through your website.
Be prepared for credential testing
Just like other organizations, criminal networks are constantly looking for ways to operate more efficiently. Credential stuffing tools allow fraudsters to check the validity of thousands of stolen username and password pairs in minutes. To help identify credential testing—which often heralds account takeover attacks—organizations should monitor web sessions for robotic behavior, multiple login failures, and login attempts from locations that aren’t usually associated with normal traffic.
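A detector for the three signals just listed (robotic bursts of distinct usernames, repeated login failures, and traffic from an unusual location), written as an added example that is not part of the RSA post. The log format, the thresholds (five failures or three distinct usernames from one source IP within a minute, US as the only expected country) and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, country, user, result
SAMPLE_LOG = """\
2019-12-02T10:00:01 203.0.113.7 RO alice FAIL
2019-12-02T10:00:02 203.0.113.7 RO bob FAIL
2019-12-02T10:00:02 203.0.113.7 RO carol FAIL
2019-12-02T10:00:03 203.0.113.7 RO dave FAIL
2019-12-02T10:00:03 203.0.113.7 RO erin FAIL
2019-12-02T10:00:04 203.0.113.7 RO frank SUCCESS
2019-12-02T10:02:10 198.51.100.4 US alice FAIL
2019-12-02T10:02:40 198.51.100.4 US alice SUCCESS
"""

def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, ip, country, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "country": country, "user": user, "result": result})
    return events

def detect_credential_testing(events, window=timedelta(minutes=1),
                              max_failures=5, max_users=3,
                              expected_countries=("US",)):
    """Return {ip: [reasons]} for source IPs that look like automated credential
    testing; thresholds and expected countries are assumed, tune per site."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = set()
        start = 0  # sliding time window over this IP's events
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            if sum(e["result"] == "FAIL" for e in chunk) >= max_failures:
                reasons.add("failure burst")
            if len({e["user"] for e in chunk}) >= max_users:
                reasons.add("many usernames")  # robotic: one IP, many accounts
        if any(e["country"] not in expected_countries for e in evs):
            reasons.add("unusual location")
        if reasons:
            findings[ip] = sorted(reasons)
    return findings
```

The legitimate user at 198.51.100.4 (one typo, then success, from an expected country) produces no finding, which is the behaviour a production threshold should preserve.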
Monitor for patterns of account takeover
It is not unusual to see an account takeover outbreak after a large breach as fraudsters use verified stolen credentials to take over existing accounts, and even to create unauthorized new ones. RSA research on fraud patterns associated with account takeover and new account fraud shows that new accounts have 15 times greater fraud rates in the first ten days. You can spot suspicious behavior on existing accounts by watching for logins from new devices, password and other account profile changes, and, for banks and payment service providers, the addition of new payees, the point at which 70% of fraudulent payments are made.
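The account-takeover signals above (new device login, password change and a payment to a newly added payee in quick succession, plus the elevated risk of accounts under ten days old) turned into a per-account check, as an added example that is not from the RSA post. The event format, the one-hour window, the account-creation dates and the sample activity are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed account activity (not real data): (timestamp, account, event, detail)
EVENTS = [
    ("2019-12-01T09:00:00", "acct-1", "login", "device-A"),
    ("2019-12-02T09:10:00", "acct-1", "login", "device-A"),
    ("2019-12-03T22:05:00", "acct-1", "login", "device-Z"),  # never-seen device
    ("2019-12-03T22:07:00", "acct-1", "password_change", ""),
    ("2019-12-03T22:09:00", "acct-1", "new_payee", "payee-77"),
    ("2019-12-03T22:10:00", "acct-1", "payment", "payee-77"),
    ("2019-12-03T08:00:00", "acct-2", "login", "device-B"),
    ("2019-12-03T08:05:00", "acct-2", "payment", "payee-12"),
]
# Constructed creation dates: acct-2 is a brand-new account
ACCOUNT_CREATED = {"acct-1": "2019-06-01T00:00:00", "acct-2": "2019-11-30T00:00:00"}

def takeover_indicators(events, created, window=timedelta(hours=1), new_days=10):
    """Return {account: [indicators]}; the window and age threshold are assumed."""
    by_acct = {}
    for ts, acct, kind, detail in sorted(events):
        by_acct.setdefault(acct, []).append((datetime.fromisoformat(ts), kind, detail))
    out = {}
    for acct, evs in by_acct.items():
        seen_devices, flags = set(), set()
        for i, (ts, kind, detail) in enumerate(evs):
            if kind == "login":
                # first login seeds the device baseline; later unknown devices are flagged
                if seen_devices and detail not in seen_devices:
                    flags.add("new device login")
                    # what happened within `window` after the new-device login
                    follow = [(k, d) for t, k, d in evs[i + 1:] if t - ts <= window]
                    kinds = {k for k, _ in follow}
                    new_payees = {d for k, d in follow if k == "new_payee"}
                    if "password_change" in kinds:
                        flags.add("profile change after new device")
                    if any(k == "payment" and d in new_payees for k, d in follow):
                        flags.add("payment to new payee after new device")
                seen_devices.add(detail)
        age = evs[-1][0] - datetime.fromisoformat(created[acct])
        if age < timedelta(days=new_days):
            flags.add("account younger than %d days" % new_days)
        if flags:
            out[acct] = sorted(flags)
    return out
```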
Pay attention to mobile transactions
Today, 19% of retail e-commerce transactions originate from a mobile device and 55% of banking transactions originate from a mobile app or browser. However, fraudulent transactions from the mobile channel account for 73% of total fraud volume. As organizations move more services, and consumers move more business, to the mobile channel, fraud will continue to grow in parallel. When monitoring for fraud patterns, organizations should pay particular attention to the mobile channel.