Why do hackers do what they do, what value do they get? And, how are we affected?
Every day we read about new exploits, another data breach, sensitive information stolen; the hacking never seems to stop. We all seem to believe that the objective of all cyber thefts is money. That’s not entirely true. While the majority of hackers are in it for some easy cash, not all hackers share this objective.
Hackers come in various flavors:
The hobbyist who simply wants bragging rights. “‘Hey, look what I did. ”This person typically does not go the extra step of using any stolen data.
The “hacktivist” who hacks into a company or government site just to prove that their security is poor.There are hacktivist groups that spend considerable resources in these efforts. Again, most hacktivists do not use the data they steal; they just want everyone to know they did. The activities of hacktivists tend to hurt the reputations of the companies they hack, but do little harm to end users.
Information gathering – these hackers, usually associated with a government, steal data for political benefit or to further their technology progress.
The criminal is the hacker who wants to profit from their hacking. This is the type of hacker that we’ll look at a bit more closely.
So, for most hackers, it’s all about the money. But, most hackers are not the same people who end up using the information they steal from you…they sell it to others. There is a large and lucrative black market for all types of information. Symantec (the anti-virus people) has published some prices that hackers get on the black market, here are a few examples:
A block of 1000 email addresses: $0.50 - $10
Credit Card details: $0.50 - $20
A scan of your passport: $1 - $2
Stolen gaming accounts: $10 - $15
You probably didn’t realize that your email address has value. In blocks of 1000, they are sold to spammers that need good addresses to which they send their spam. Credit cards are a popular item on the black market. A hacker can get $10 for card data as long as the number, name, expiration date and security code are all known. If the security code is missing, the card data may only be worth about 10 cents. What may be surprising, is the value of your kid’s (or your) gaming account. Your virtual lives and bonus weapons are worth a lot to other gamers.
Most hackers do not use the data they steal; instead, they sell it off to other criminals. It’s easy to see from the numbers that a hacker requires volume in order to make any serious money. Once a hacker steals the data, they need to find a buyer. Since a number of high level stings have been made in the last couple years, the black market community has gone far underground. Finding a reputable buyer, who will not take advantage of the hacker, has become more difficult (yes, even hackers get scammed by the middle men). A new hacker will get a lot less for the same data as a more established hacker, simply because the buyer can trust them. It’s a convoluted web.
Most stolen credit card data is sold on internet forums. Only trusted buyers and sellers are invited to join the forums. Depending on the type of credit card, its expiration date and the date it was stolen, it may never be bought on the forums, which is why many credit cards were never used by any bad guys as a result of the Target and Home Depot intrusions. But then again, a smart shopper would have cancelled the card as soon as they found out it was hacked.
Before we leave this credit card discussion, let’s talk about how to protect yourself from fraud. Here are a few things to remember…
Limit the use of debit cards to your banks ATM. Don’t use them for purchases.
Use a different credit card for on-line purchases; it’ll be easier to spot fraud.
Review your card statements every month. Look for small dollar charges; these are your first clue that bad guys are testing the account.
If you suspect your credit card data has been stolen, call your issuer and have them cancel your existing card and send a new one.
Some security experts get a new card every year; they tell their card issuer that their card was lost. Since it usually takes some time from when a hacker gets your data till it’s sold and ultimately used, many months can go by. Getting a new card each year provides an extra level of comfort.
If you suspect that hackers got your credit card data and social security number, then it’s time to put a fraud alert in place on your credit report. The potential for identity theft is very high whenever you combine your social security number with other sensitive data.
Remember, not all credit card fraud is a result of cyber theft. Whenever you give your card to a restaurant waiter for instance, who takes your card out of your sight, you are taking a risk. It’s always safer to swipe the card yourself or watch it being swiped.
Lastly…don’t worry.If your credit card is used illegally, report it to the issuer as a soon as possible. They will typically reverse all suspect charges.
A New Twist
In the above discussion, hackers had to rely on a network of criminals in order to monetize their exploits. But that has now changed. The use of Bitcoins, a virtual currency, has allowed hackers to cut out the middle man and deal directly with the victim. The various Crypto viruses are an excellent example. These viruses encrypt the users’ data on their hard drive, rendering the data useless. Unless you have a good backup, the only way to get your data back is to pay a ransom in Bitcoins to the hacker. Once the ransom is paid, the hacker sends you a un-encryption key. It’s a novel approach that really took off in 2014 and shows no signs of stopping. Bitcoins have allowed hackers a whole new avenue for making money, without the risk of dealing with other bad guys.
It’s impossible to cover all the various ways that hackers use to profit from their exploits. New scams are being developed on a regular basis. In future articles we will look at the many ways that hackers try to scam us, and how to avoid them.
Till next time…stay safe.