It’s never been easier to swipe a credit card number or remotely access a computer, which you’d think was good news for hackers who make a living on pilfered data. But as cybercrime comes into its own as a commodity—technical novices can now outsource anything from a DDoS attack to a doxing—competition has increased, and prices have dropped.
Joe Stewart, Dell SecureWorks’ director of malware research for the counter threat unit, partnered with independent researcher David Shear to analyze trends in the shadowy market for such services and found that they’re getting more affordable. A stolen personal identity costs 37 percent less than it did in 2011, when they last gauged pricing: $25 for a U.S. citizen, $40 for someone from another country. Such “fullz,” dossiers of credentials for an individual that include “[p]ersonal Identifiable Information (PII), which can be used to commit identity theft and fraud,” had once fetched $40 and $60, respectively.
When anyone’s information can be appropriated, as it turns out, you aren’t really worth much. On average, it’s about $4 to get someone’s Visa card details, $11 to snag a date of birth, and $90 to infect 5,000 computers with malware. Even hiring someone to hack a website and siphon out data can be as cheap as $100, though operators with enough of a reputation tend to charge more. All the same, as more people acquire these skill sets, the more we’re likely to see a Walmart effect, with basement bargains an increasingly common sales tactic.
“I expected to see the drop,” Stewart said, given the increasing commonality of major data breaches and digital vandalism. “The best thing we could hope for was for these prices to be very high. It would be a more encouraging trend if the prices increased.” Even worse, the products offered have been enhanced, and now take into account additional security measures designed to disrupt this exact sort of activity:
“[H]ackers have come to realize that merely having a credit card number and corresponding CVV code (Card Verification Value–the 3 or 4 digit number on one’s credit or debit card) is not always enough to meet the security protocols of some retailers. Hackers are also selling cardholders’ Date of Birth and/or Social Security Number. Having this additional information would allow a hacker to answer additional security questions or produce a fake identification, to go along with a duplicate credit card. VBV (Verified by Visa) data is also being sold. VBV is another password or piece of data assigned to Visa card holders to help defend against online fraud.”
Cybercriminals have evolved along with the digital landscape, and perhaps unsurprisingly, created a cutthroat, zero-sum economy in the process. What value will the Internet have when every website can fall under hostile control and anyone can become someone else? One imagines a worldwide game of musical chairs. Whatever the outcome, we’re bound to found out soon enough.
Photo by Giorgia <3/Flickr