Personal data is extremely valuable to the person from whom it originates. We all have it (or at least pretend to…more on that in my next blog), and we all want it protected when we share it. There are legal expectations around the world for protecting personal information, such as those set by:
- The European Union, whose data protection rules remain the global gold standard for privacy. Note that the EU-US Safe Harbor framework, long the reference point for transatlantic data transfers, was invalidated by the Court of Justice of the EU in October 2015 and has been replaced by the EU-US Privacy Shield.
- Singapore, whose Personal Data Protection Act continues to protect an individual's personal data for ten years after death.
- Canada, which has two primary personal data protection laws: the Privacy Act, which governs how federal government departments and agencies handle personal data, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs the private sector.
These laws and standards (and others like them) were enacted to protect an individual's right to stay out of the marketing race to find, analyze, and sell personal preferences, habits, and spending patterns, and to establish a degree of trust between data owners and data users. Yet it is common to hear or read about that trust being broken by data theft. We see it almost every day.
The question for today’s topic is this: how much is that information really worth?
A dive into the world of stolen information reveals a wide range of pricing that depends on details such as the type of data, the volume being purchased, and the target from which the data was collected. While prices vary widely, here are a few rough approximations of the current value of information.
Credit Card Numbers
Valid credit card numbers sell for around $0.50 apiece. If the card comes with the cardholder's name, PIN, and other vital details, the value rises to the $2.00 to $2.50 range per card.
Yahoo! Accounts
This was probably the largest data theft in history, or at least the largest we know of. It did not come to light until well after the fact, but according to various reports roughly one billion records were stolen back in 2013. Three copies of the entire data set sold for about $300,000 per copy. That works out to $0.0003 per record per sale, roughly three hundredths of a cent (and still under a tenth of a cent per record across all three sales combined). Bulk retailers have done well with the business model of volume discounts, and the stolen Yahoo! data apparently validates that strategy: let customers buy more so they save more per unit.
Bank Accounts
These are a little tougher to value, but generally speaking the price of a valid bank account, including login credentials, varies with the balance in the account. I know of only one verifiable instance; there may be more. An individual was incarcerated last summer for selling account credentials for $10. The accounts had balances of $100 to $500, so the payoff (if it could be realized) was high relative to the investment. For accounts with balances up to $20,000, the price jumped to about $70 for complete login credentials. Again, this is based on one person being arrested for selling them. Bank account numbers with associated names are also sold relatively cheaply (under $1.00). In short, typical bank account information sells at a low price.
Medical Records
These are more interesting, as they currently bring in $10 to $20 per record. This pricing is relatively steady and well documented compared to bank account information. It seems that medical records carry an intrinsically higher value than the more common types of financial information.
The question is: why?
Financial Information Issues
When we analyze financial information, a few issues become readily apparent. The primary one is the short useful life of the information, whether credit card numbers and PINs or bank account details. Fraud detection, velocity of detection, and tracing of activity are the three major problems criminals encounter with financial information.
Fraud Detection
Banks live and breathe fraud detection. When it comes to credit cards, we have all been blocked at one time or another from using our card because of the circumstances of a purchase. I was running from airplane to airplane and needed to buy a birthday gift for a loved one. I was in an airport jewelry store a thousand miles from home and tried to make the purchase with a few minutes to spare before my next flight. The transaction was declined and I had to jog off to catch the flight without a gift. It was halted because it tripped a handful of fraud prevention rules: where the purchase was attempted, its amount, and how far it deviated from my usual spending pattern.
Most banks offer fraud alerts on credit cards. Many of us carry separate cards for business and personal use, possibly issued by different banks. Details of every card purchase I make are delivered as a text to my cell phone, typically within seconds of the transaction completing. This is a relatively common customer service capability. The banks, of course, want to cut the cost of fraud within the accounts they manage. Regulators also figure in the fraud prevention picture, adding pressure to deploy technology for fraud detection rule sets and consumer alerts. Consumers, for their part, demand adequate financial protections. To stay competitive, banks have to keep pace with the marketplace, regulators, and consumer expectations. Fraud detection is a competitive edge from both a cost and a customer confidence perspective.
Chip and PIN systems also help thwart the bad guys. Even though card numbers and PINs can be bought, the chip holds data the criminal does not have, most importantly a secret key that never leaves the card and is used to compute a one-time cryptogram for each transaction, which the issuing bank verifies before releasing funds. A stolen number and PIN cannot reproduce that cryptogram, so the pair is of little use at a chip-enabled terminal. There are a variety of such barriers to block unauthorized use of the chip and PIN combination.
Velocity of Detection
We can now rapidly identify suspicious behavior in our financial transactions. As noted above, credit card transactions are reported almost instantaneously. We can set threshold levels for alerts on our bank accounts, and can block transactions based on amount, purchase location, time of purchase, and other parameters, all customizable by the account holder. Accounts can be frozen until the suspicious behavior has been communicated, analyzed, and resolved.
Gone are the days of receiving a mailed account activity summary that, if it included fraudulent activity, meant days of gathering details, submitting the information, and waiting for the account to be restored. Now the account or card is simply suspended until the issue is resolved. If fraud was perpetrated, funds and operational use of the account can be restored within a short period.
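The rule set described in the fraud detection and velocity paragraphs above, as an added example that is not part of the original post and not any bank's real logic: a small rule engine that screens a card's transactions against account-holder thresholds for amount, distance from home, time of day, and velocity (attempts within a short window). The thresholds, coordinates, merchants, and amounts are constructed for the illustration; the location rule uses a plain great-circle distance, which is an assumption about how a bank might approximate "far from home".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple


@dataclass
class Rules:
    """Thresholds set by the account holder or the bank for one card.
    The values used in demo() are illustrative assumptions, not a real policy."""
    home_lat: float
    home_lon: float
    max_amount: float               # single-purchase ceiling in dollars
    max_distance_km: float          # how far from home a purchase may be
    allowed_hours: Tuple[int, int]  # local hours [start, end) when purchases are expected
    max_attempts: int               # velocity: attempts allowed inside `window`
    window: timedelta = timedelta(minutes=10)


@dataclass
class Txn:
    ts: datetime
    amount: float
    lat: float
    lon: float
    merchant: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points, used by the location rule."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def evaluate(txn: Txn, rules: Rules, prior: List[Txn]) -> List[str]:
    """Return the name of every rule the transaction trips (empty list = approve)."""
    tripped = []
    if txn.amount > rules.max_amount:
        tripped.append("amount")
    if haversine_km(rules.home_lat, rules.home_lon, txn.lat, txn.lon) > rules.max_distance_km:
        tripped.append("distance")
    start, end = rules.allowed_hours
    if not start <= txn.ts.hour < end:
        tripped.append("time")
    # Velocity counts every earlier attempt in the window, approved or blocked,
    # so a card being hammered with small charges is caught even if each one fails.
    recent = [p for p in prior if timedelta(0) <= txn.ts - p.ts <= rules.window]
    if len(recent) + 1 > rules.max_attempts:
        tripped.append("velocity")
    return tripped


def screen(txns: List[Txn], rules: Rules) -> List[Tuple[str, str, List[str]]]:
    """Process transactions in time order; return (merchant, decision, tripped rules)."""
    results, seen = [], []
    for txn in sorted(txns, key=lambda t: t.ts):
        tripped = evaluate(txn, rules, seen)
        results.append((txn.merchant, "block" if tripped else "approve", tripped))
        seen.append(txn)
    return results


def demo() -> List[Tuple[str, str, List[str]]]:
    """Constructed sample: a cardholder based in Denver; every value is made up."""
    rules = Rules(home_lat=39.74, home_lon=-104.99, max_amount=500.0,
                  max_distance_km=200.0, allowed_hours=(6, 23), max_attempts=3)
    d = datetime(2017, 2, 14)
    txns = [
        Txn(d.replace(hour=10, minute=0), 42.10, 39.75, -104.99, "local grocery"),
        Txn(d.replace(hour=14, minute=5), 850.00, 42.36, -71.06, "airport jewelry, Boston"),
        Txn(d.replace(day=15, hour=3, minute=10), 30.00, 39.74, -104.98, "gas station, 3 a.m."),
    ]
    # Four small charges two minutes apart: the fourth exceeds the velocity limit.
    for i in range(4):
        txns.append(Txn(d.replace(day=15, hour=12, minute=2 * i), 20.00,
                        39.74, -104.99, f"card test #{i + 1}"))
    return screen(txns, rules)


if __name__ == "__main__":
    for merchant, decision, tripped in demo():
        print(f"{decision:8} {merchant:26} {', '.join(tripped)}")
```

The airport purchase trips both the amount and the distance rule, which is exactly the pattern in the anecdote above; the 3 a.m. charge trips only the time rule; and the fourth rapid-fire charge is blocked on velocity even though each individual amount is tiny. A real issuer layers far more signals on top of this, but the shape is the same: every rule is cheap to evaluate and the decision is made before the funds move.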
Tracing Activity
Financial institutions can trace transactions with a high degree of accuracy as money flows between accounts. In the earlier example of the individual selling account information, it did not take long to identify and incarcerate the perpetrator. The digital paper trail was a glowing set of arrows pointing back at him. Customers whose accounts had been emptied reported it to their banks, who notified the authorities. Investigators worked with the banks to trace the account transfers back and arrest some of the individuals involved in stealing the funds. It took only one of them talking to lead investigators to the kingpin of the operation who was selling the account information. The path back to the criminals involved was relatively clear.
So if we look at bank account and credit card data from those three perspectives, the information has a very limited shelf life and carries a high risk of identifying the individuals stealing the money. It is a high-risk model best left to amateurs or to criminals with little imagination.
Cyber criminals love medical records for several reasons.
Depth of Information
Medical records contain full names, dates of birth, parental information, social security numbers, addresses, phone numbers, next of kin, and a wide variety of other personal information. This is useful for a wide range of cybercrimes. Tax season is upon us in the United States, and tax fraud tied to identity theft has more than doubled in the past two years. To file a fraudulent return, all a criminal needs is a valid name, social security number, and address. Medical records carry great depth of information about an individual, which can be used directly in fraud or in a supporting role for an even wider range of cybercrimes. More on that in a bit.
Longevity
When details of a bank account or credit card are used to commit fraud, recovery is relatively simple: the financial institution stops the card and issues a new one, changes account passwords, or closes the account and opens a new one. When a medical record is stolen, restoring the victim to a clean state is extremely difficult, if not impossible. Your name stays the same, and you will almost certainly keep the same social security number, address, telephone number, blood type, and other details. The only viable recourse is to work with the credit rating agencies so you are notified of suspicious activity such as new loan requests, account openings, or credit card applications. Notifying government agencies and law enforcement can help remediate a situation if your information is used fraudulently, but that is a very reactive posture. The bottom line is that once your medical record is stolen, it has a very long shelf life from the criminal's perspective.
Linkage
Medical records provide names, addresses, telephone numbers, and other important personal information, but they also contain other extremely valuable data. One example is the medical plan identifier. It is typically a numeric or alphanumeric value that maps directly to a single company's medical plan. If a cybercriminal knows the company associated with a plan identifier, it is relatively simple to pull every other record carrying that same identifier, which yields a list of people covered by that company's plan.
That pile of medical records can then be sifted further to establish an even stronger probability of linkage between individuals. The simplest method is to take the country code and the next two or three digits of each phone number and cross-reference them. In the US that is the area code, and other phone systems around the world use a similar prefix to identify the locality or region of the subscriber. It is just as simple to correlate home addresses and find people with an even higher probability of knowing each other. Maybe they carpool together.
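The two sifting steps just described (group by plan identifier, then cross-reference phone prefix and home address), as an added example that is not part of the original post. It is the same analysis a defender can run over an export of their own records to gauge how much linkage a breach would hand an attacker. The records, names, plan identifiers, addresses, and 555 phone numbers are constructed and fictitious; the assumption that phone numbers are North American (three-digit area code after the country code) is stated in the code, and a different numbering plan would need a different prefix length.

```python
import re
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Constructed sample records. Names, plan IDs, 555 numbers and addresses are
# fictitious; they exist only to exercise the grouping logic.
RECORDS = [
    {"id": 1, "name": "A. Ortega",  "plan": "GRP-44871", "phone": "+1 303-555-0142", "address": "12 Elm St, Boulder CO"},
    {"id": 2, "name": "B. Nkemelu", "plan": "GRP-44871", "phone": "(303) 555-0199",  "address": "12 elm st., Boulder, CO"},
    {"id": 3, "name": "C. Haas",    "plan": "GRP-44871", "phone": "303.555.0123",    "address": "88 Pine Ave, Denver CO"},
    {"id": 4, "name": "D. Li",      "plan": "GRP-44871", "phone": "+1 212 555 0177", "address": "5 Water St, New York NY"},
    {"id": 5, "name": "E. Rossi",   "plan": "GRP-90210", "phone": "303-555-0101",    "address": "12 Elm St, Boulder CO"},
]


def normalize_phone(raw: str) -> str:
    """Keep digits only and drop a leading North American country code so that
    every formatting variant of the same number compares equal."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def area_code(raw: str) -> Optional[str]:
    """First three digits of a normalized 10-digit number.
    Assumption: North American numbering plan; other plans need their own prefix length."""
    digits = normalize_phone(raw)
    return digits[:3] if len(digits) == 10 else None


def normalize_address(raw: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so that
    '12 elm st., Boulder, CO' and '12 Elm St, Boulder CO' match."""
    return " ".join(re.sub(r"[^\w\s]", "", raw.lower()).split())


def group_by_plan(records: List[dict]) -> Dict[str, List[dict]]:
    """Step 1: bucket records by plan identifier (one bucket per employer plan)."""
    groups: Dict[str, List[dict]] = defaultdict(list)
    for rec in records:
        groups[rec["plan"]].append(rec)
    return groups


def score_pair(a: dict, b: dict) -> Tuple[int, List[str]]:
    """Step 2: score how likely two people on the same plan are to know each other.
    A shared address is weighted higher than a shared area code."""
    score, reasons = 0, []
    ac_a, ac_b = area_code(a["phone"]), area_code(b["phone"])
    if ac_a is not None and ac_a == ac_b:
        score += 1
        reasons.append("area_code")
    if normalize_address(a["address"]) == normalize_address(b["address"]):
        score += 2
        reasons.append("address")
    return score, reasons


def rank_links(records: List[dict], min_score: int = 1) -> List[Tuple[int, int, int, List[str]]]:
    """Return (id_a, id_b, score, reasons) for every pair within one plan that
    scores at least min_score, strongest links first. Pairs that span different
    plans are never compared, mirroring the attacker's plan-first filter."""
    links = []
    for members in group_by_plan(records).values():
        for a, b in combinations(members, 2):
            score, reasons = score_pair(a, b)
            if score >= min_score:
                links.append((a["id"], b["id"], score, reasons))
    links.sort(key=lambda link: (-link[2], link[0], link[1]))
    return links


if __name__ == "__main__":
    for id_a, id_b, score, reasons in rank_links(RECORDS):
        print(f"{id_a} <-> {id_b}: score {score} ({', '.join(reasons)})")
```

On the constructed data the strongest link is records 1 and 2, who share a plan, an area code, and a street address; records 1 and 3 and 2 and 3 are weaker links on area code alone; record 4 is on the same plan but in another region and stays unlinked; and record 5 shares an address with 1 and 2 but is on a different plan, so the plan-first filter never compares it. Swapping in a real export and counting how many records end up with a score of 3 gives a quick measure of how much targeting value the data set would carry if it leaked.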
Once these steps are completed it is relatively simple to socially engineer a situation that results in malware landing inside a corporate IT environment. Cybercriminals can craft emails that appear to come from one colleague to another, carrying commonly used document formats that harbor malicious code. They can even determine the department, such as finance, HR, or receiving, and use that to tailor a malware delivery package with a very high potential of success.
Millions of medical records have already been stolen. Because the information in them is static, cybercriminals have years to analyze and mine the data, then correlate it to create highly customized malware packages. Employee awareness training, data backups, and the daily loading of malware signatures into firewalls may not be enough. Reactive measures fail.
Investigate technologies that employ automation to analyze suspicious attachments, Web sites, and other avenues of attack. Fortinet delivers proactive malware identification and an unparalleled depth of analysis capabilities. This includes machine learning analysis capabilities backed up by a dedicated team of human analysts. Ask how FortiGuard Cyber Threat Intelligence services can be leveraged with the Fortinet Security Fabric to provide the strongest malware protection available in the industry.