
eBay Breach: Is Your Identity Up For Auction?

In a sick twist of events, the roles may just have been reversed on eBay users. It’s their social media identities and data that now have the greatest value in the cyber underground.

Going once, going twice, SOLD to the gentleman with the black hoodie!

Isn’t it ironic that the latest victims of a privacy breach are the users of the massive eBay online auction service? It is estimated that the platform facilitates online auctions for 145 million users. Time.com and others broke the news early on May 21 that eBay suspected that it had been compromised and was urging its user base to change their passwords.

At this juncture, details of the breach remain scarce, and eBay is indicating that no financial information in the form of credit cards or PayPal accounts is in scope. This has drawn the company a fair amount of criticism. This investigation is just getting started. Those of us who have experienced an information security breach know that the scope can expand as forensics are completed to truly determine how much data has been exfiltrated from the crime scene. In a sick twist of events, the roles may just have been reversed on eBay users. Could their identities be up for auction in the cyber underground?

Trend Micro predicted that in 2014 we would see one or more major security breaches a month. Unfortunately, this current breach adds to an extremely long list of casualties: organizations and, subsequently, individuals who have fallen prey to sophisticated and stealthy cyber campaigns. These targeted attacks are aimed directly at compromising sacred datasets. Our identities continue to suffer serious flesh wounds, and many of us have experienced complete identity theft.

The news of the Experian data leak was probably most frightening -- even more so than the recent Target breach. Reports indicate that approximately 200 million Americans’ information was leaked, Social Security numbers included. When you couple all of these data breaches together, you can clearly see that a blueprint of your identity can and will be constructed to commit identity theft. We continue to see this impact on our friends and family, ultimately causing financial and emotional stress in our personal and professional lives. Time and serious investigative work will tell if the eBay breach becomes Top 10 worthy. The overall fallout could be staggering simply due to the sheer numbers of people who conduct online auctions with eBay.

Prices falling for stolen cards, rising for identity info

There has been plenty said about the price of stolen credit cards and how they are distributed and sold in the cyber underground. In fact, Trend Micro’s Forward-Looking Threat Research group carefully profiled the Russian Underground in 2011 and again in late 2013. What is astonishing is that the price of stolen credit cards is falling. The reason comes down to basic economics. The supply of stolen cards is starting to balloon in the black market, thus prices are dropping. The cyberheists are piling up. However, the focus on quality and overall longevity of acquired datasets is shifting.

The shift seems to be more around identities and personal information housed in social media accounts or credentials used in many places. For example, prices for American credit cards were around $2.50 in 2011 and now are $1.00 and in some cases less. In contrast, accounts like Facebook and Gmail are going for $100 each. The main reason is that there is a tremendous amount of personal data attached to these accounts. Many use Facebook and Gmail accounts to authenticate and access other online services. This makes them extremely attractive for extending the attacker’s reach.


So what does a compromised eBay account go for? Here are the associated values in the cyber underground for compromised eBay accounts:

• 0-5 Feedbacks = $0.2 + mail = $1 

• 6-20 Feedbacks = $1 + mail = $5

• 21-50 Feedbacks = $3 + mail = $15

• 51-70 Feedbacks = $5 + mail = $20 

• 71-100 Feedbacks = $7 + mail = $30

• 101-300 Feedbacks = $10 + mail = $40

• 301-600 Feedbacks = $18 + mail = $55 

• 601-1,000 Feedbacks = $25 + mail = $70 

• 1,001-2,000 Feedbacks = $40 + mail = $100 

• 2,001-4,000 Feedbacks = $60 + mail = $150 

As you can see, these command some pretty steep prices compared to other black market datasets. In short, our identities and personal information should not be up for auction. Organizations like eBay continue to fight the endless battle against targeted attacks daily. Two-factor authentication and encryption will one day be ubiquitous for all services that store our personally identifiable information. Until then, we must take charge of monitoring our own identities, knowing that incidents like this are becoming the new normal.
