How much is your personal data actually worth on the Internet?
HOW much is your personal data worth to you? A lot. (Thanks, Equifax.) And how much is it worth to an identity thief?
You may be surprised, or insulted, or enraged, to find out.
Verified high-limit credit cards from countries including the United States, Japan, and South Korea are selling on the dark web for the bitcoin equivalent of about US$10 to US$20 (RM41.92 to RM83.85), according to an annual report on cybercrime by Secureworks, a unit of Dell Inc.
The dark web is “the collection of Internet forums, digital shop fronts and chat rooms that cybercriminals use to form alliances, trade tools and techniques, and sell compromised data that can include banking details, personally identifiable information and other content”, as Secureworks defines it.
Verified means the seller has tested out transactions on the card and found it hasn’t been canceled yet. For scammers on a budget, there’s unverified stolen credit card data, which comes out to pennies when bought in bulk.
Credit cards generally were not selling any cheaper on the dark web these days, said Alex Tilley, a senior security researcher on Secureworks’ counter threat unit research team. But buyers are more likely to get higher-quality cards today, ones with sizable limits suitable for fraud.
It isn’t as hit-or-miss as it used to be — a welcome change for criminals, chilling news for us.
Business credit cards are in favour, since they sometimes have no limit on spending, Tilley said. Those and high-end cards — say, a Platinum American Express that has been verified and has an 85 per cent rating ( judged by the seller to have an 85 per cent chance of being successfully used in a fraud) — will go for US$15 to US$20. A regular Mastercard that doesn’t have a big limit might go for US$9.
But wait, there’s more. Underground markets also sell full identities of individuals just like you for as little as US$10 apiece.
They’re called fullz, “dossiers that provide enough financial, geographic and biographical information on a victim to facilitate identity theft or other impersonation fraud,” said the report.
Fullz can help a criminal get past those irritating “secret questions” that sites ask to verify your identity.
Recently, Secureworks’ researchers have seen more offers of bulk pre-verified card details, along with more identifying information about the owners. In some cases, offers even include the cardholder’s mother’s maiden name. Still, they cost just US$10 to US$12.
In fact, the prices Secureworks cites for these examples of personal data are lower than what fraudsters have been willing to pay for documents like W-2s, which can be used to file false tax returns.
Tax-filing data, which don’t expire, can go for about US$40 to US$50, according to a report from IBM’s security research group published earlier this year.
The researchers found one vendor selling W-2 and 1040 returns as a package for US$30; if a buyer wanted information on that person’s adjusted gross income it would be another US$20.
No piece of personal information is innocuous, said Tilley.
Criminals will amass bits of data on people, waiting until they have enough that their fraud attempt is likely to succeed.
“Everything is valuable,” he said. One bit of information “could be the last piece of a puzzle someone needed to take out a loan in your name. You don’t know how far along criminals are until it’s too late.”
Credit monitoring and freezes could be the only hope of protecting yourself, said Tilley. Bloomberg