Know Your Enemy: The New Economics of Cyber-Crime

According to Paul Kocher, one of the leading U.S. cryptography experts, there has been a 10,000-fold increase in the number of new digital security threats in the last twelve years. ((Perlroth, Nicole. “Hackers vs. Hacked: Game On.” New York Times, December 2, 2014. So if you’ve been thinking there are a lot more data breaches in the news lately, you’re right. Twelve years ago, a significant percentage of data breaches occurred because businesses lost data: someone lost a laptop or disposed of digital media or paper records improperly, and the information fell into the wrong hands. But as businesses improved their security procedures and systems, criminals improved their methods to get their hands on sensitive information. Today, the most common cause of data breaches is cyber-attacks. ((Verizon 2015 Data Breach Investigations Report.

The Chinese general Sun Tzu said in The Art of War to know your enemy (which is ironic in light of the number of cyber-attacks coming from China, but good advice, nonetheless). If you’re concerned with data security or privacy these days, you can’t stay behind the corporate firewall and hope for the best. You need to understand the fast-changing world of cyber-crime, cyber-terrorism, and cyber-espionage. In this first installment of a three-part series, we’ll dig into the motivations and methods of cyber-criminals.

Follow the Money
You probably did a double take when you started reading this article. How could there be a 10,000-fold increase in threats in twelve short years? The answer is simple: money. Criminals have become incredibly adept at monetizing stolen identities on a massive scale. There are also threats from state-sponsored hackers, and we’ll tackle those in the third part of this series.

Two factors have provided the growing conditions for this problem. First, large-scale cyber-crime is a natural consequence of the massive digitization and integration that have been going on since the 1990s. Between mobile computing, ecommerce, the use of cloud services, and myriad outsourced and/or integrated business processes, there are massive amounts of information connected to or traveling across the Internet. The second factor is the “dark web,” the web content that exists on so-called darknets, limited-access sites that overlay the public Internet and are often used for illegal or criminal activity. The Dark Web offers cyber-criminals multiple global marketplaces in which to sell stolen personal information. The abilities to steal and easily sell massive amounts of personal information have transformed the economics of information theft.

Best Practices in a Bad Business
Cyber-theft used to require deep network skills. The brilliant, nerdy hacker has become a standard character in spy and crime movies. But today, anyone with basic skills can get into the business. Not only can you buy attack software and tools on the Dark Web, there are even the equivalent of professional journals where cyber-thieves share news and tips.

One interesting shift over the last decade is that identity fraud is now a multi-tier business. According to Tripwire, many people underestimate the complexity of these transactions. For example, credit card numbers are typically sold in bulk to brokers, who then sell the numbers to individual buyers. Information sellers are well known in the black market communities, and top sellers can even give away personal records as free samples so buyers can see the quality of their wares. This chain of distribution lets cyber-thieves concentrate on stealing information without the effort of exploiting it, and it makes it harder for law enforcement to trace the theft back to the source.

The buyers can exploit stolen information in a variety of ways. Stolen information has a “shelf life,” just like groceries and other perishable goods. At some point, the theft will be discovered, either because the business discovers their systems were compromised or because the victim becomes aware the information is being misused. Unfortunately, it’s usually the latter, and the damage is done long before a breach is discovered. ((Verizon 2015 Data Breach Investigations Report. Either way, the buyers have a limited time to exploit the stolen information, so there are a number of different schemes for monetizing it in a timely way.

Medical identity fraud either takes the form of fraudulent billing by unethical providers or misuse of another person’s medical records to obtain care. This kind of fraud may not be discovered for months or years, making stolen medical identities among the most valuable. Bank fraud is also less time-sensitive. If a buyer can get fairly complete bank information, they can clear out accounts before the account holder realizes it, and bank accounts don’t have as strong protection as credit cards. In contrast, financial companies now have strong algorithms for detecting credit card fraud, so buyers will often use stolen card numbers to quickly buy pre-paid gift cards to purchase goods, such as electronics, that can be sold through legitimate channels such as eBay.

The Black Market, Where Stolen Information is Commoditized
Cyber-criminals sell stolen information on black markets either individually or in lots, and the price varies depending on how much value the buyer can get from the information. For example, easily obtainable information such as birthdates will go for a few dollars, since it can’t be monetized by itself. According to an article in Disabled World, the going rate for a birthdate or Social Security Number is only about $3, a mother’s maiden name may sell for $6, and credit card numbers can sell for as little $1.50, although Tripwire claims that some credit card numbers can sell for as much as $1,000, depending how much additional information is included and the limit on the card. More valuable information such as a medical record can sell for $50. Business Insider reports that ready-to-use counterfeit Social Security cards can sell for $250 to $400, and bank account information sells for $1,000 and up, averaging 6 percent of the money in the account.

So how much can cyber-criminals make? In its 2014 report, the Center for Strategic and International Studies estimated that cyber-crime extracts 15 to 20 percent of the $2 to $3 trillion dollars generated annually by the Internet economy. That’s between $300 and $600 billion a year. Even if you simply take the price of $1.50 for a stolen credit card number and multiply it across the millions of records that have been stolen in the last year, it’s clear that cyber-crime is paying off big-time.

A Strategic Defense
In Nicole Perlroth’s New York Times article, Scott Borg, the head of the non-profit United States Cyber Consequences Unit, sums up the state of cyber-security: “People are still dealing with this problem in a technical way, not a strategic way. People are not thinking about who would attack us, what their motives would be, what they would try to do. The focus on the technology is allowing these people to be blindsided.” The last few years have certainly proven that cyber-criminals can outrun technology, and it’s also not financially feasible to defend your data on all fronts. To mount a strategic defense, you have to understand where the next attacks are likely to be coming from. In our next installment, we’ll dive deeper into the Dark Web where many of today’s cyber-attacks are born.

Originally posted on the ID Experts blog. Reposted with permission