The price of anything is always determined by the forces of supply and demand but when it comes to credentials that are for sale on the Dark Web some are worth substantially more than others.
A report from the research firm Comparitech that examines the sales prices for a full set of credentials that were stolen from Americans on average go for $8 each, which compares to a similar set of full credentials stolen from someone in Japan or the United Arab Emirates that on average can be attained for $25 each. The research included data from 40 different Dark Web sites.
The report identities a full set of credentials as being social security numbers and other national ID numbers, a person’s name, date of birth, address, phone number, account numbers, and other personal information that cybercriminals could leverage to engage in identity fraud.
The report finds that prices for stolen credit cards range widely from $0.11 to $986, while a hacked PayPal account ranges from $5 to $1,767. The median credit limit on a stolen credit card is 24 times the price of the card, while the median account balance of a hacked PayPal account is 32 times the price on the dark web. Of course, volume discounts apply. Stolen credit card data purchased in bulk as part of what is known as a “dump” can be had for as little as half of the cost of a single number.
Credentials have for years been stolen individually and en masse as part of ‘credential spills' involving large numbers of pairs of usernames and passwords stolen from providers of applications and online services. Over time, cybercriminals have become more adept at pulling together disparate pieces of data to create a full set of credentials that are employed to perpetrate a wide range of fraudulent activity. The price of those credentials reflects how easy it is to get this data. $8 for a full set of credentials for an American suggests the number of these credentials that exist on the Dark Web is likely substantial.
More troubling still, cybercriminals are getting better at extrapolating what a password for an account might be based on the passwords they’ve been able to associate with a specific username. It won’t be long before they are employing machine learning algorithms to detect password patterns they can then employ against any Web site that recognizes a specific username. Just like any other use case involving machine learning algorithms the more credential data that gets collected the smarter the algorithms will become.
It’s become increasingly clear, of course, that usernames and passwords as a tool for ensuring security and privacy is not working. Organizations may not be able to completely eliminate the current dependency they have on usernames and passwords any time soon, but most organizations should be moving down that path.
In the meantime, cybersecurity professionals should keep an eye on the going rate for various types of credentials on the Dark Web. After all, there no better barometer for determining what to protect most than the price someone is willing to pay to gain access to data after it’s been purloined.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.