There is an established and sophisticated market for stolen data that is just as complex and with as many inter-relational dependencies as any legal business supply chain.
We asked Chris Pogue, CISO at cyber security forensics experts Nuix about what happens to all the stolen data that is doing rounds on the dark web
CBR: What happens to stolen data – can it be tracked?
CP Nuix: When hackers steal payment card data or CHD (short for Cardholder Data), they then sell it to a second group known as carders. These people maintain large databases full of stolen CHD from breaches all over the world. The data can then be sorted and sold according to age, card type, issuing bank, geographic region, or available balance. The price of the card will depend largely on how old the data is, which bank it was issued from, and what the available balance on the card is. Carders normally sell cards in bunches based on these factors as well as guaranteeing a certain success rate. For example, you would pay a higher price for a group of cards that had a 95% success rate than you would for a block of cards with only a 65% success rate.
The stolen data can potentially be tracked by law enforcement that have established a presence in underground carding forums or by the issuing banks or card brands after fraudulent transactions have occurred. However, this has become more complex with the increase in data commingling, where different customer data sits on the same server. For example, if I live in London, and my card is suddenly used in Dallas, Texas, a place that sits outside my normal spending pattern, the likelihood of that transaction being fraudulent is high. However, if I live in London, and my card is suddenly used in Camberley, this is inside what would be considered to be a normal spending pattern and is much less likely to be flagged.
Stolen CHD detection is based on where the data was taken from and the age of the data. Let’s say data was stolen from a grocery store in London two weeks ago, a video game store in Camberley last week, and a restaurant in St. Albans yesterday. All of that stolen data is subsequently lumped together in a carding database, and sold to criminals to start using it fraudulently. The fraudulent transactions are reported by the issuing banks or by the card holders themselves, and the brands try to identify what is commonly referred to as a common point of purchase (CPP), or place where the cards were last used legitimately. Knowing the location of the CPP helps investigators to determine who was breached, how long the cards have been used fraudulently, and where to focus remediation efforts.
But if the stolen card data comes from multiple locations, and different dates, identifying the CPP becomes exponentially more difficult. Even with these clever evasion strategies, card brands are still very good at identifying CPPs. However, the delay caused by the complexity of the data buys the carders enough time to sell their goods and the fraudsters to make purchases with a relatively high rate of success.
Content from our partners
http://www.cbronline.com/news/cybersecurity/breaches/three-mobile-hack-6-vital-questions-major-data-breach/
CBR: What technologies/methods are available to aid corporates to track data once it has been stolen?
CP: The issuing banks and the card brands have proprietary algorithms that they utilise to detect abnormal purchase patterns. Once these are detected, they attempt to ascertain the location(s) where the cards being used fraudulently were last used legitimately. Once identified, that location is called a Common Point of Purchase, or a CPP.
CBR: Has anyone ever successfully recovered stolen data – without paying a ransom?
CP: These are two different issues. Firstly, data is stolen so that it can be monetised on the black market. There is no ransom here. It’s a simple matter of theft and re-sale. Organisations that are victims of ransomware have their data encrypted by malware. The ransom they pay to attackers is to obtain a decryption key to unlock their data.
If an organisation is hit by ransomware, the chances of getting that data back without paying the ransom are slim to none. The only caveat is if that organisation has good backups and can restore the encrypted data using them. Otherwise, their only option is the pay the ransom.
http://www.cbronline.com/news/verticals/ebanking/tesco-bank-hack-6-vital-questions-need-answering/
Next: Will criminals ever be caught? Can stolen data ever be recovered?
