How Crooks Cash in on Stolen Data — Trends Altering the IT Security Landscape

Expanding Complexity

The Internet of Things, or the addition of multiple new smart devices to your network, can result in more opportunities for hackers to hijack your data and use it for ill-gotten gain. We all try to be vigilant to protect personal data belonging to our employees, customers, patients and other constituents, but what happens when the crooks get hold of this type of information — what do they actually do with it and how do they make money? And what kind of data is most valuable to them? The logic and businesslike approach of their techniques might surprise you.

  • Sell the information on the black market:

Cybercriminals today work in large groups, and many of the largest, most complex networks have skills and technology resources that rival those of Fortune 500 companies, according to Greg Wooten, CEO of fraud prevention technology corporation SecureBuy.

"In general, about a half a million data resources are being breached each day," he says. "The hackers extract the data, house it themselves and analyze it using analytics to match up information the best that they can and then monetize for the highest value possible when they go to wholesale it. This is a job for them, and they are very resourceful."

The data is bundled for bulk sale on black market sites, with prices varying depending on multiple factors, including the completeness of the information, the credit limits associated with the account and whether or not the information may already have been reported as stolen. This information can be sold for as little as a few dollars or more than $100 for a complete set of records.

  • Create fake cards:

For a larger return from stolen information, the hacker needs to compile complete data sets. These sets, also called fullz, normally include not just an individual's name and Social Security number, but extend to birthdate, account numbers and other pieces of personal data. Here, all that’s needed is the information contained on the credit card’s magnetic stripe, a form factor still in use in the US, unlike in most European countries. It’s a relatively simple process to read and transfer the information, but security measures are improving. These instances are typically time-sensitive, requiring the thief to incur charges on the card before it is reported lost or stolen.

  • Perform online commerce transactions:
    Another example of card fraud is the use of e-commerce sites such as eBay and Craigslist to make online transactions, using an intermediary to receive and ship the item purchased with the stolen card. Once purchased, the item is relisted for sale at a below-market price, with a direct wire transfer as the only accepted form of payment. With the intermediary receiving a small kickback, the transaction is difficult to trace, the criminal’s identity is protected and the profit is all theirs.
  • Open new accounts:
    The more personal information a fraudster can collect, the more thorough and covert the damage they can do. Using this information, criminals can open accounts of virtually any nature – accounts which may go undetected for extended periods of time.

"It's much more difficult to detect this type of fraud when the fraudsters have all the correct account application answers," Wooten says. "Having access to a full user profile makes it that much easier to pretend you are someone else and take advantage of them."

Again, for IT pros, keeping personal data secure for all of our constituencies should be a priority. There’s a checklist that can help you cover all of your security bases, contained in this white paper: Protecting Your Network and Endpoints with the SANS 20 Critical Security Controls.