2017 will be remembered for a series of serious leaks of users' personal data. The two most prominent events of the second half of the year were the reports of the leak of a huge database of stolen passwords and an attack on one of the three main US credit bureaus, Equifax.
For several months the organization did not report the theft of data belonging to more than 140 million people. Equifax's liability for the incident and for its silence is still being debated. For now, US authorities only recommend that companies notify customers about leaks.
But the situation may soon change: in January, a bill was introduced in the United States that sets fines for companies that allow leaks. Had it been in force at the time of the leak, Equifax would have had to pay more than $1.5 billion.
Even if such a law is passed, it will not change the fact that the stolen data has already fallen into the hands of attackers. In this article, we look at how leaked information is used against the will of its owners and what measures are being taken to reduce the damage to users.
What happens to the leaked data
In 2016, the security company Bitglass presented the results of its study “Where is your data?”. To trace how stolen personal information falls into the hands of attackers, the company simulated a data leak by a fictional bank employee. In the scenario, he allowed an internal corporate document containing 1,500 employee credentials to leak. The fake data was released onto the dark web tagged with a Bitglass label, which made it possible to determine the IP address and country of residence of each potential buyer.
The company found that within a few days of the leak, the data had spread to more than 20 countries on different continents. One in ten holders of the “stolen” information tried to log in to the Google services whose credentials had been leaked. Over the course of a day, five attempts were made to log in to the internal portal of the fictitious bank. Bitglass thus confirmed once again that personal and corporate data is a sought-after commodity with an extensive international market.
The Equifax incident has been called the “worst leak of all time.” It affected the main documents people use: social security numbers, credit cards and driver's licenses. In the wake of the incident, it was predicted that the data would go on sale on the open darknet. Information often reaches the market months or even years after a leak, so after admitting the breach, Equifax could only guess when the personal data of tens of millions of people would "surface."
Not long ago, the first reports from "victims" of the leak began to appear. Hundreds of victims are going to sue Equifax. One of them told CBS News how for two months she received notifications about a credit card that she had never even used. Someone was shopping in the victim's name and paid for a stay at a hotel in Las Vegas, and all she could do was deal with the bills.
A similar scenario unfolded after a serious leak from the large retail chain Target in 2013. At that time, the payment card information of 40 million customers and the personal data of another 70 million were leaked. The situation was resolved because payments made without the cardholders' knowledge were reimbursed by banks.
How much personal data is worth
The information leaked from Equifax is called "Fullz" in hacker slang, that is, a complete data set. The approximate value of the database exceeds $32 million. The value of different people's personal information may vary depending on factors such as credit history and bank account balance. The data can reach the market either piecemeal or as a database in a format that is convenient to navigate, as was the case with the largest aggregated database of leaked passwords.
Investigative journalist Brian Krebs has described how stolen information is sold. There are underground forums where attackers trade credentials and their passwords. For relatively little money (in dollars or cryptocurrency), one can purchase someone else's personal information.
One of the participants of a popular exchange discovered by Krebs earned more than $288 thousand in the first seven months of 2017, having sold accounts at an average of $8.19 apiece to 9 thousand customers. The service charged half the price as a commission. Thus, the average price of credentials listed on the exchange is approximately $15. As Krebs found out, the service sorts credentials by credit rating, and the information of people with a good credit history goes “under the hammer” for $150.
According to Quartz data from 2015, a “credentials and password” pair was valued on the black market at $20 on average. Roughly speaking, over two and a half years the value of personal data as a commodity has fallen by 25%. Competition between sellers probably influenced this trend.
What is the result
Soon after the leak, Equifax set up a separate portal where the company's customers could check whether their data had been compromised. To do so, they enter their last name and the last six digits of their social security number.
The company also waived the fee for a credit freeze at the bureau and offered free credit monitoring for one year. This step prevents attackers from using the information for a year, but does not guarantee that one day, after the offer expires, someone will not return to the previously stolen information.
In December 2017, Umpqua Bank, which has about 300 branches in five western states, held a “freeze day”, partly in connection with the Equifax situation. In this way it encourages consumers to freeze their credit. A freeze prevents hackers from opening new accounts in consumers' names. However, it will not help if someone tries to file a tax return on the victim's behalf or uses someone else's health insurance without the owner's knowledge.
It is worth noting that 2017 was a record year for the number of repelled cyber attacks. However, no individual or legal entity is fully insured against leaks. According to the US Department of Justice, identity theft costs the victim an average of $1,343. Obviously, someone has to pay for it.
Currently in the United States, compensation from the bank or company that allowed the leak takes a long time to arrive and comes through the courts. That is why there is more and more talk of tightening liability for leaks.
New measures to protect users from the consequences of leaks may also be adopted in Russia: Vedomosti reports that by July it is planned to introduce mandatory insurance against leaks for all personal data operators.
One way or another, insurance will not stop attackers from trying to use stolen data. With that in mind, we recommend taking care of security yourself: enable two-factor authentication, use password managers and avoid reusing the same passwords on different sites and services. Equifax also has a list of recommended actions. It includes regularly checking bank statements, destroying all unused documents containing personal information, storing current documents safely, and other tips.
By the way, here we have collected several recommendations on how to improve the security of your personal data, along with sources for further reading on the topic.
Three articles on the topic from our corporate blog, 1cloud: