The New Economics of Cybercrime - Ikan Asin

Bitcoin Ikan Asin

Wednesday, 20 September 2017

Digital thieves’ most crucial adaptation in recent years has little to do with their technical tools and everything to do with their business model.

It’s a good time to be a cybercriminal. There are more victims to target, there is more data to steal, and there is more money to be made from doing so than ever before.

It would seem to follow, then, that there’s been very little progress since 2007, when hackers stole at least 45.6 million credit-card numbers from the servers of TJX, the owner of TJ Maxx and Marshalls, catapulting the now-commonplace narrative of the massive data breach to national prominence.

But the truth is that the forces of cyber law and order have made lots of headway in the past decade. There are still large-scale data breaches, but credit-card companies are getting better at detecting them early and replacing customers’ cards as needed, payment networks are pushing microchip-enabled cards that render transaction data worthless to criminals, and law enforcement has gotten smarter and savvier. Just ask Albert Gonzalez, who masterminded the TJX breach and is currently serving a 20-year prison sentence.

The biggest shift in the past decade is that it has gotten much less profitable to do what Gonzalez did—namely, steal millions of payment-card numbers and sell them to fraudsters. According to the cybersecurity firm Intel Security, the price of a stolen payment-card record has dropped from $25 in 2011 to $6 in 2016. “We’re living through an historic glut of stolen data,” explains Brian Krebs, who writes the blog Krebs on Security. “More supply drives the price way down, and there’s so much data for sale, we’re sort of having a shortage of buyers at this point.”

Cybersecurity is often framed as a matter of keeping up with the rapid evolution of online attacks—patching software vulnerabilities and identifying new malware programs. But cybercriminals’ most crucial adaptation in recent years has little to do with their technical tools and everything to do with their business model: They have started selling stolen data back to its original owners. To keep cybercrime profitable, criminals needed to find a new cohort of potential buyers, and they did: all of us. At the heart of this new business model for cybercrime is the fact that individuals and businesses, not retailers and banks, are the ones footing the bill for data breaches.

This represents quite a departure from the model for most cybercrimes 10—or even five—years ago. It used to be that someone would steal a huge cache of stored data, usually credit-card numbers and billing information belonging to U.S. customers, and sell this data to other criminals, who would use it to manufacture fraudulent credit cards overseas. Those cards would then have to be brought back to the U.S. to be sold, in order to avoid triggering fraud alerts. Each stage of this process provided law enforcement with an opportunity to track the payments made between buyers and sellers of stolen information and monitor the movement of money between national borders. (Following this money trail ultimately led to the identification and prosecution of several cybercriminals, including Gonzalez.)


So, historically, the riskiest stages of cybercrimes have been the ones that come after the perpetrator has already successfully stolen data from a protected computer. Finding a way into a computer system to steal data is relatively easy, but finding a way to monetize that data—making sure that credit-card companies don’t cancel stolen card numbers before they’re sold, identifying buyers willing to pay a good price, and hiding those profits from the police—can be much harder.

But the calculus changes if victims can be persuaded to buy back their own data, in some cases because of a ransomware attack, which encrypts their computers until they pay a ransom. In other cases, some individuals and companies monitor the black market to see if their own stolen data is up for sale, and purchase it to prevent it from falling into the wrong hands. Whether victims are coerced into paying a ransom or voluntarily make a bid, the sale of stolen data back to its original owner solves a pressing problem for cybercriminals: It transforms data that was nearly worthless into a very valuable asset. The contents of any given person’s hard drive, for instance, would be unlikely to fetch a large sum on the black market. But to that person, that data is probably worth at least a few hundred (or even a few thousand) dollars. Conveniently for criminals, this also often means dealing not with a small group of fellow criminals, but instead with a much larger population of lay users who are unlikely to disappear behind bars.
