Dark Reading is part of the Informa Tech Division of Informa PLC


9/10/2019
02:00 PM

Data Is the New Copper

Data breaches fuel a complex cybercriminal ecosystem, similar to copper thefts after the financial crisis.

If you feel as if there's a new data breach in the news every day, it's not just you. Breaches announced recently at Capital One, MoviePass, StockX, and others have exposed a variety of personal data across more than 100 million consumers. This has spurred lawsuits and generated thousands of headlines.

Other companies compromised this year include Citrix (which lost 6TB of sensitive data), First American Financial (885 million records exposed), and Facebook (540 million records exposed). The attack vector or leaked data might vary, but these breaches all have one thing in common: the information exposed provides raw materials that fuel a complex cybercriminal ecosystem, and these headlines are just the tip of the iceberg.

Most victims don't know how cybercriminals use their stolen data. One way to understand this is to consider the epidemic of copper theft that hit the country following the mortgage crisis. As buildings were left abandoned, thieves stole copper wiring and piping. The copper could then be sold for $3 a pound to buyers willing to not ask questions about where it came from. It's a similar story with data, where the breach itself is rarely the end goal of cybercriminals but simply provides a means to obtain money through a multistage scheme. And unlike copper, the same data can be stolen, sold, and used many times.

Copper thieves use crowbars and wrenches. Cybercriminals use programs that exploit software vulnerabilities and automatically test millions of passwords to opportunistically take over online accounts. Copper thieves find industrial middlemen to sell their wares, while cybercriminals find underground marketplaces to connect to other criminals who specialize in using stolen data in different ways. Addresses and birth dates are used in identity fraud, such as applying for loans. Stolen credit cards can be used to make fraudulent purchases, and stolen passwords are keys providing entry to other accounts that, when compromised, enable criminals to empty bank accounts or turn gift cards into cash.

Cutting Off the Supply
Curbing the trade of stolen copper is easier than cutting off the supply of stolen data. With copper, law enforcement goes after the resellers, fining them when stolen materials are found in their possession. For data, the mitigation options vary considerably depending on the type of information that is exposed.

With stolen credit cards, the damage can actually be somewhat contained. Increased EMV (chip-based) adoption and improved fraud detection help limit the impact of any given breach of credit card data.

Personal data being in the wrong hands is harder to mitigate. You can't change your birth date. Your physical address is often publicly available information, accessible to cybercriminals with no data breach required. The fact that these data types, as well as "security questions" like mother's maiden name, are still commonly relied on for authentication purposes reveals a systemic problem that must be addressed.

Credential theft (e.g., stolen email addresses and passwords) is the most pernicious and least understood type of breach. Most people have lost track of all of the different places where they have reused passwords. You can't blame them: The average user has more than 100 accounts with various websites, apps, and services that they have created over time. This means that cybercriminals using automated fraud tools in credential stuffing attacks have a reliable rate of success when they try passwords from one site against another, often around 2%. With only 1 million stolen passwords from any one website, a criminal can quickly take over tens of thousands of accounts on a completely unrelated website and repeat this on other sites to ultimately breach more accounts than the original breach.
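On the defender's side, the pattern described above (one source trying many different accounts and succeeding on only a small fraction) is visible in authentication logs. The following is an added example, not part of the original article: the log format, the thresholds, and the sample events (built inline, using documentation IP ranges) are all assumptions made for illustration.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def build_sample_log():
    """Constructed sample: one 10-minute window of login events (made-up format)."""
    lines = []
    # One source cycling through 100 different accounts; 2 logins succeed (2%).
    for i in range(100):
        result = "OK" if i in (17, 63) else "FAIL"
        lines.append(f"2019-09-10T14:{i // 10:02d}:{i % 10 * 6:02d}Z "
                     f"src=203.0.113.7 user=user{i:03d}@example.com result={result}")
    # A legitimate user mistyping their own password twice.
    for n, result in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"2019-09-10T14:05:{n:02d}Z src=198.51.100.20 "
                     f"user=alice@example.com result={result}")
    # Several staff behind one office NAT address, all logging in normally.
    for i in range(5):
        lines.append(f"2019-09-10T14:07:{i:02d}Z src=192.0.2.10 "
                     f"user=staff{i}@example.com result=OK")
    lines.append("truncated line that does not parse")
    return lines

def detect_stuffing(lines, min_users=20, max_success_rate=0.10):
    """Flag sources that try many distinct accounts and succeed on only a few."""
    stats = defaultdict(lambda: {"users": set(), "hits": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _, src, user, result = m.groups()
        stats[src]["users"].add(user)
        if result == "OK":
            stats[src]["hits"].add(user)
    findings = {}
    for src, s in stats.items():
        rate = len(s["hits"]) / len(s["users"])
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            findings[src] = {
                "distinct_users": len(s["users"]),
                "success_rate": rate,
                # These logins worked: treat the accounts as taken over.
                "accounts_to_reset": sorted(s["hits"]),
            }
    return findings

if __name__ == "__main__":
    for src, f in detect_stuffing(build_sample_log()).items():
        print(src, f)
```

The `accounts_to_reset` list is the part that matters operationally: blocking the source stops further attempts, but the few logins that already succeeded are the accounts whose reused passwords now need a forced reset.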

Protecting the Data
Governments are trying to address these problems. The EU's General Data Protection Regulation prohibits some insecure data storage practices. The California Consumer Privacy Act grants consumers more control and insight into how their personal information is used online. The Digital Identity Guidelines from the US National Institute of Standards and Technology recommend that companies check passwords against lists of known stolen passwords. The US Federal Trade Commission settled its complaint against a company last year for having inadequate protection against credential stuffing, which led to compromised customer accounts. These efforts will all help over time.

The complexity of our online lives poses many challenges, and the global situation may get worse before it gets better. As long as there's a market for copper or data, there will be criminals trying to steal them. But by improving corporate security standards, defending against the use of exposed information, and adopting better security practices, we can make it much harder for cybercriminals to turn stolen data into gold.


Shuman Ghosemajumder is CTO at Shape Security, which operates a global defense platform to protect web and mobile applications against sophisticated cybercriminal attacks. Shape is the primary application defense for the world's largest banks, airlines, retailers, and ...