“Why would anyone want to hack us? What have we got that can’t be found elsewhere more easily?” Yes, those questions are asked countless times in boardrooms and bullpens, in companies both large and small. The simple fact of the matter is that for most companies, their secret recipe for SuperFunTimeSoda or the chemical formula for ElastoPop Drywall or even the designs for next season’s must-have polo shirt are of little to no value to anyone but them and their immediate competitors. But what is of value, and is easily marketable, is all the PII, PHI, and credit card data they have on file for their customers. Whether you are a globally dominant Internet retailer or just a one-shop pizza joint, if you have data about your employees or your customers and it’s stored on a computer, then you are definitely a target. “Oh come on,” you say. “What could an evil hacker from Elbonia gain by hacking us?” Funny you should ask that…
Credit/Debit card details
Basic account number and expiration date details can net a thief around $5 per, which is nothing to sniff at when you consider that some of the hacks have obtained hundreds of thousands of these records. More detailed information, like you would expect to be stored in databases for repeat customers, including billing address, CVV2, SSN, etc., can go for $30 per US record, and the equivalent can go up to $45 for European details. Even a sole proprietorship that only does business in a 5-mile radius probably has enough credit card numbers on file to be worth the effort.
PayPal (and similar) accounts
Details on customers’ PayPal (and similar) accounts can go from a low of $50 to as high as $300 per, depending on the balance. Since PayPal usually ties to a checking or savings account, that’s particularly frightening!
Gift cards
Whether directly stolen or fraudulently created, gift cards are going for between 50% and 65% of their nominal value. This is particularly bad for individuals whose gift cards are targeted, as there is usually nothing they can do to get the monetary value back, so they lose out completely.
RFID card data
Think that RFID-shielding case is a silly extravagance? Consider that an attacker can just walk through an airport with a scanner in their bag, long before they would need to clear security, and that they can sell scanned data at up to $2 per record, and you can see that it may make sense to shield all your cards.
Tickets
Whether for a train or a plane, tickets can go for $10 of face value, and can be easily duplicated from online images. Think about that before you Instagram the tickets to your dream vacation, or you could be facing a nightmare!
Hotel loyalty programs
Popular hotel chains’ loyalty programs can go for as little as $5 per to as much as $20 per. Since you can gift points or make reservations for others, and no one ever reads those monthly points statements too closely, someone could easily see the world using someone else’s nights, and the account owner wouldn’t notice until it’s time to book their own vacation.
Email accounts
The bottom has dropped out of the market for compromised email accounts. Back in 2007, a criminal could get up to $30 for a single email account. Today, it’s more like $10 for 1000, on the high end. It seems it’s so easy to get people to click on links that install malware on their systems, which can then be used to spam others, that there’s no more value in getting creds to use the accounts directly.
Gaming accounts
Yes, using a lame password on your WoW account is a bad idea, since a stolen gaming account can go for $10 to $15. Once in, accounts are usually looted and the virtual goods are sold for profit, leaving your level 27 Ogre penniless and out on the virtual street.
Cloud accounts for IaaS
Attackers are leveraging cloud resources to stand up servers, launch attacks, host malware, and get access to more data stored online. An admin account on any IaaS service could go for $7 to $8 per. Always, always, always use multi-factor authentication for admin accounts. Every single service in this space offers MFA as an option!
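Requiring MFA is only half the job; you also want to know when an admin gets in without it. The check below is an added example (not from the original post) that scans AWS CloudTrail-style ConsoleLogin records for successful logins where MFA was not used; it assumes the IaaS provider is AWS, and the log records are constructed sample data, not real events.

```python
# Constructed CloudTrail-style records (sample data, not from any real account).
# Field names follow the CloudTrail ConsoleLogin event format.
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "eventTime": "2016-04-25T09:12:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "admin-alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2016-04-25T23:40:11Z",
     "userIdentity": {"type": "IAMUser", "userName": "admin-bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventTime": "2016-04-26T02:05:43Z",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventTime": "2016-04-26T02:06:10Z",
     "userIdentity": {"type": "IAMUser", "userName": "admin-bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    # A non-login event; must be ignored by the check.
    {"eventName": "DescribeInstances", "eventTime": "2016-04-26T03:00:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "admin-alice"}},
]


def principal(record):
    """Name the identity behind a record: IAM user name, or the identity
    type (e.g. 'Root') when there is no user name."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def logins_without_mfa(records):
    """Return (principal, eventTime) for every *successful* console login
    where MFA was not used. Failed logins and non-login events are skipped."""
    hits = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if r.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        # Anything other than an explicit "Yes" counts as no MFA.
        if r.get("additionalEventData", {}).get("MFAUsed") == "Yes":
            continue
        hits.append((principal(r), r.get("eventTime")))
    return hits


if __name__ == "__main__":
    for who, when in logins_without_mfa(SAMPLE_RECORDS):
        print(f"ALERT: console login without MFA by {who} at {when}")
```

Run against the sample records it flags admin-bob's late-night login and the root login, and ignores the failed attempt and the API call.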
Private cable channel streaming service accounts
Accounts for the popular private cable channel’s streaming service can go for around $10. I bet the price has doubled now that Game of Thrones Season 6 has debuted! GASP (#nospoilers)!!
Sports network streaming service accounts
Depending upon the sport, accounts used to get access to online streaming of sporting events can go for around $15 per. Nobody likes blackouts in their local market, and I guess some are willing to do bad things to watch good games.
Where do the bad guys sell all of this stuff? There are myriad options available to them, from the “Dark Web” to direct handoffs to larger or more organized criminal elements. Russia, China, and Brazil are all countries where it’s relatively easy to do this, but if you are online and using a service like Tor, you can probably find a place pretty easily where you can connect anonymously to sell what you’ve got. Some require a referral from a trusted member, while others just require that a certain number of stolen accounts be “paid” up front as the cost of admission (which also makes it much more likely that you are an actual criminal rather than law enforcement).
Regardless, you can see that your company’s data has definite value on the black market, which means that yes, you are a target, just like everyone else. Remember that when you don’t want to stay up patching, or remind your boss of it when it’s time to approve the budget for the new security software.