Protecting yourself

Prices falling for cybercriminal supplies

Fred Williams

Wondering what to get the cybercriminal in the family this Black Friday? There are great deals to be had on stolen credit card numbers — and don’t forget the accessories.

A U.S.-based Visa or MasterCard number is going for about $4, research by Dell SecureWorks found. It’s $7 for an American Express number or $8 for Discover — all prices include the CVV security code.

Hackers have become so adept at filching data that prices are even falling for birthdates and Social Security numbers, which can be used with account numbers. There are also bargains on full packages of ID theft information known as “fullz” that will help that larcenous rapscallion on your gift list get past online security protocols.

“As always, there is no shortage of stolen credit cards, personal identities, also known as Fullz, and individual Social Security numbers for sale,” said a Nov. 16 blog post from Dell SecureWorks titled “The Underground Hacking Economy is Alive and Well.” The blog detailed research on the market for stolen personal data, conducted by Joe Stewart of Dell SecureWorks and independent researcher David Shear. They sampled prices on the anonymous online bazaar where hackers supply information to scammers who run up victims’ credit card bills and empty their bank accounts.

The look at the black market has frightening implications for anyone trying to keep their accounts out of the grubby hands of digital crooks. SecureWorks thinks that wider availability of stolen data is helping drive prices down. A set of “fullz” that used to cost $40 to $60 in 2011 now goes for $25 to $40. For $300 you can get credentials for a U.S. online bank account containing $70,000 to $150,000. A couple of years ago, that price would have bought access to an account worth only $7,000.

“Dell SecureWorks believes the drop in prices further substantiates that there is an abundance of stolen bank account credentials and personal identities for sale,” the company said. The list of illicit goods also includes malware-infected computers that do the bidding of email spammers, at $20 for a network of 1,000 bots, plus kits that let the user compromise computers on their own.

But there are some glimmers of good news on the security front, and some new advice designed to block all intrusions into your finances.

Hackers are expanding the array of personal information they sell because having only a card number and security code is no longer sufficient. The thieves who turn the digits into dollars now need backup information such as your birthdate and Social Security number. “Having this additional information would allow a hacker to answer additional security questions or produce a fake identification, to go along with a duplicate credit card,” SecureWorks said.

How to guard against the cyber crook army? In addition to the usual tips about using an updated anti-virus program and being cautious about what you download from the Web, SecureWorks recommends designating one computer to handle online banking and financial chores only. “That computer or virtualized desktop should not be used to send and receive emails or surf the Web, since Web exploits and malicious email are two of the key malware infection vectors,” SecureWorks said.

The quarantined computer approach gets the endorsement of Bhavani Thuraisingham, a cyber-security expert and professor at the University of Texas at Dallas. “I use a separate machine for Web surfing and email,” she said, and one for sensitive tasks including Web banking and health care. Email about these subjects is sometimes encrypted, she said, and is stored on the computer’s hard drive instead of with a Web-based provider such as Yahoo.

Thuraisingham, the executive director of the university’s Cyber Security Research and Education Institute, recommends checking the designated computer with a full virus scan, erasing the cache and browsing history, and disabling tools such as cookies. In addition to increasing security, doing without cookies will make it more difficult to slip and use the machine for routine information gathering. The basic security steps of creating strong passwords — a unique one for each site — and changing them periodically should still be followed.

“You need to take care of your machine in the same way that you maintain your car with tuneups,” Thuraisingham said.

If buying a new computer sounds like overkill, many people have an older laptop or a Windows box gathering dust somewhere. Designating it for secure Web banking and other sensitive tasks could turn out to be a gift to yourself, and coal in the stocking of a cyber-thief.
