By Alain Penel, Regional Vice President – Middle East, at Fortinet
Personal data is extremely valuable to the person from whom it originates. We all have it and we all want it protected when we share it. There are global legal expectations for personal information protections, and these laws and standards have been enacted to protect an individual’s right to be left out of the marketing race to find, analyze, and sell personal preferences, habits, and spending patterns. They were created to establish a degree of trust between data owners and data users. However, it is relatively common to hear or read about broken trust relationships as a result of data theft. We see it almost every day.
The question is: how much is that information really worth?
If we were to take a dive into the world of stolen information, we would find a wide range of pricing depending on details such as the type of data, the volume being purchased, and the target from which the data was collected. While prices vary widely, here are a few rough approximations for the current value of information.
Valid Credit Card Numbers can be purchased for around $.50. If the credit card comes with names, PINs and other vital information, the value increases to the $2.00 to $2.50 range per card number.
Yahoo! Accounts: This is probably the largest data theft in history, or at least the largest that we know of. We didn’t find out about this one until well after the fact, but according to various reports there were roughly one billion records stolen back in 2013. Three copies of the entire data set sold for about $300,000 per copy. That makes each record worth a whopping 1/3 of $.01 on a per-sale basis. Bulk sale stores have done well with the business model of offering volume discounts, and apparently stolen Yahoo! data validates that strategy. The basic premise is to provide customers with the ability to buy more so they will save more on a per-unit basis.
Bank Accounts are a little tough to value, but generally speaking the price of a valid bank account, including login credentials, varies according to the amount associated with the account. There is only one verifiable instance I know of; maybe there are more out there. An individual was incarcerated last summer for selling account credentials for $10. The accounts had balances of $100 to $500, so the payoff (if it could be realized) compared to the investment was relatively high. For accounts with balances ranging up to $20,000, the price jumped to the $70 mark for complete login credentials. Again, this is based on one person being arrested for selling them. There are bank accounts and associated names being sold relatively cheaply (under the $1.00 range). Typical bank account information is sold at a pretty low price.
Medical Records are a little more interesting, as they currently bring in from $10 to $20 per record. This is relatively steady and accurate compared to bank account information. It seems that medical records have an intrinsically higher value placed on them than the more common types of financial information.
The question is… why?
Financial Information Issues: When we analyze financial information, there are a few issues that become readily apparent. The primary one relates to the longevity of the information’s usefulness. This includes credit card numbers/PINs and banking account information. Fraud detection, velocity of discovery, and tracing activity are the three major problems criminals encounter with financial information.
Banks live and breathe fraud detection. Most banks offer fraud alerts on credit cards. Many of us have separate cards for business and personal use, possibly issued by different banks. The banks, of course, are interested in cutting the cost of fraud within their managed accounts. Regulators also play in the fraud prevention picture, adding pressure to apply technologies for creating fraud detection rule sets and alerts to the consumer. Consumers exert a high demand for implementing adequate financial protections. In order to stay competitive, banks have to keep pace with the marketplace, regulators, and consumer trends. Fraud detection is a competitive edge from a cost and customer confidence perspective.
Chip and PIN systems also assist in thwarting the bad guys. Even though cards and PINs can be bought, the chip also contains a variety of details the criminal may not know that are checked at the time of transaction. Some chip implementations validate the chip serial number and credit card pair back to the bank prior to releasing funds. There are a variety of potential barriers to block unauthorized use of the chip and PIN combination.
Velocity of Detection: We now have the ability to rapidly identify suspicious behavior as it pertains to our financial transactions. We can set clip levels of transaction alerts for our bank accounts. These include the ability to block transactions based on transaction amount, location of purchase, time of purchase, and other parameters – all customizable by the account holder. Accounts can be frozen until the suspicious behavior is properly communicated, analyzed, or managed.
Traceability: Financial institutions have the ability to trace transactions with a high degree of accuracy as money flows between accounts. In the earlier example of the individual selling account information, it didn’t take very long to identify and incarcerate the perpetrator. The digital paper trail was a glowing set of arrows pointing back to the individual. Customers who had their accounts emptied reported it to the bank, which notified the authorities. The authorities worked with the banks to trace the account transfers back and arrest some of the individuals involved in stealing funds. All it took was for one of them to talk, and that led to the kingpin of the operation that was selling account information. The path back to the involved criminals was relatively clear.
So if we look at bank account and credit card data from those three perspectives, the information has a very limited shelf life and poses a higher potential for identification of the individuals stealing money. It is simply a high-risk model best left to amateurs or those criminals with little imagination.
Cyber criminals love medical records for several reasons.
Depth of Information: Medical records contain full names, dates of birth, parental information, social security numbers, addresses, phone numbers, next of kin information, and a wide variety of other types of personal information. This information is useful for a wide range of cybercrimes.
Longevity: Medical records provide a much longer shelf life for the cybercriminal. It can take months for medical record theft to be discovered, and an even longer period of time to notify the individual that their data was stolen. This allows a deeper analysis of the information at an almost leisurely pace.
Limited Recovery: When a medical record is stolen, recovery to an operationally restored state is extremely difficult if not impossible. Once your medical record information is stolen, it has a very long shelf life from a criminal’s perspective.
Work Correlation: Medical records provide extremely valuable data. One example is the medical plan identifier. This is typically a numeric or alphanumeric string, and it relates directly to a single company’s medical plan. If a cybercriminal knows the company associated with a medical plan, it is relatively simple to discover other records using that same plan identifier.
Once that is completed, the resulting pile of medical records can be further sifted to provide an even stronger probability of linkage between individuals. The simplest method is to take the country code and next two or three digits of a phone number and cross-reference them. It is also relatively simple to correlate home addresses and find people who have an even higher probability of knowing each other.
Once these steps are completed it is relatively simple to socially engineer a situation that results in malware being inserted into a corporate IT environment. Cybercriminals can create emails from one friend in a company to another with commonly used document formats harboring malicious code. They can even determine the department, such as finance, HR, receiving, etc., and leverage that to customize a malware delivery package that will have a very high potential of success.
Millions of medical records have already been stolen. With the static nature of the information contained in them, cybercriminals have years to analyze and mine data, then correlate that information to create highly customized malware packages. Employee awareness training, data backups, or the daily integration of malware signatures into firewalls may not be enough. Reactive measures fail.