While many of us have heard of, or even fallen victim to, cybercrimes such as data and identity theft, it seems that relatively few know the value of the information stolen from us. A new study from Kaspersky Lab has revealed that while our digital identity may not be worth a lot in terms of dollars, it is a significant asset to criminals in other ways.
The research uncovered an appetite among cybercriminals for data stolen from popular services – including via social media accounts and remote access to gaming websites. User confusion about what their data is worth could result in a haphazard approach to security, making it all too easy for thieves to steal data and commit crime.
Incidents of data breaches are also on the rise – in 2013 and 2014, three billion Yahoo! accounts were hacked in what was the highest-profile digital identity breach at the time. In South Africa, more than 30 million identity numbers and other associated financial information were leaked online only last year.
Even worse was the incident in which Facebook was caught sharing the data of up to 87 million members with a third party in the service of the last US presidential election.
Stolen Digital Identities Can Cause Many Problems
Data stolen due to people’s lax security may have limited resale value, but can be put to many uses. This can cause huge problems for an individual victim, who may lose money and their reputation, find themselves being chased for debt that somebody else has incurred in their name, or even suspected of a crime that somebody else has committed using their identity as a cover.
Kaspersky Lab investigated Dark Web markets to find out how much personal data is worth, and how it is used by criminals. The company’s researchers found that criminals can sell someone’s complete digital life for less than $50, including data from stolen social media accounts, banking details, remote access to servers or desktops, and even data from popular services like Uber, Netflix, and Spotify, as well as gaming websites, dating apps, and porn websites which might store credit card information. Meanwhile, researchers found that the price paid for a single hacked account is lower, with most selling for about $1 per account, and with criminals offering discounts for bulk-buying.
The most common way criminals steal this sort of data in the first place is via spear phishing campaigns or by exploiting a web-related security vulnerability in an application’s software. After a successful attack, the criminal gets password dumps which contain a combination of emails and passwords for the hacked services. And, with many people using the same password for several accounts, attackers might be able to use this information to access accounts on other platforms too.
Digital Identities May Even Be Sold With Lifetime Warranties
Interestingly, some criminals selling data even provide their buyers with a lifetime warranty, so if one account stops working, the buyer will receive a new account for free.
As David Jacoby, Senior Security Researcher at Kaspersky Lab, puts it, ‘It is clear that data hacking is a major threat to us all, and this applies at both an individual and societal level, because stolen data funds many social evils. Fortunately, there are steps we can take to prevent it, including by using cybersecurity software, and being aware of how much data we are giving away for free – particularly on publicly available social media profiles, or to organizations.’
People can avoid such risks by taking several easy security steps, which should become an integral part of any Internet user’s digital life:
- To stay safe from phishing, always check that the link address and the sender’s email are genuine before clicking anything. A robust security solution will also warn you if you attempt to visit a phishing web page.
- To avoid one data leak harming all your digital identities, never use the same password for several websites or services. To create strong, hack-proof passwords and remove the struggle of remembering them, use a dedicated password manager application, such as Kaspersky Password Manager.
- To find out who has your personal data, use services such as me that automatically search for a user’s data across a large number of sources (the beta version is available in the UK, with a wider rollout planned for 2019).