Next time you sign up for a new website and it asks for a password, or your favourite social media site nags you for a phone number, or a site you use every day pesters you to set up two-factor authentication, take a pause.
What’s going through your mind?
Are you getting ready to jump at the chance to tighten up your security? Itching to drum up another impenetrable 14 character password? Reaching for your password manager? Pulling out your phone ready to read the soon-to-arrive verification code?
Hey, you’re a Naked Security reader so perhaps you are.
But what about the next person? Many of them won’t be doing any of those things. They’ll pass up 2FA and stick with their go-to password of 123456 or qwerty, even though they know what a strong password looks like.
They’ll do it and stay safe, in their own mind at least, because Elliot Alderson and his ilk aren’t interested in their Netflix account.
Hackers in popular culture are ideological, FBI-dodging cyber-swordsmen who penetrate the armour of sophisticated adversaries using precise rapier thrusts.
The problem (of course) is that real life is messy, dull and rarely telegenic. In the real world we have to worry about real criminals who aren’t carrying rapiers and aren’t interested in kudos or ideology.
The adversaries we have to worry about when we’re choosing our Twitter or eBay passwords are in it for the money and their approach isn’t so much cyber-fencing as carpet bombing – it’s untargeted and it doesn’t matter who gets hit because it’s “how many?” that matters.
Our accounts aren’t compromised one by one, they’re cracked en masse or exfiltrated in the millions and then bought and sold online.
According to account monitoring company LogDog, who recently took a fresh look at this burgeoning part of the underground economy, it’s such a lucrative trade that there are Dark Web sites selling nothing but logins, not even credit cards.
There are now stores completely dedicated to selling only online accounts, without even offering credit cards for sale. Fraudsters, it appears, have discovered the financial potential in targeting various online services instead of just banks and credit card issuers.
As you’d expect in any marketplace, prices fluctuate based on supply and demand, and the value that criminals can extract from the accounts they buy. But everything has a price:
While Paypal has, and still dominates … it is now possible to find Amazon, Uber, eBay, Netflix, Twitter, Dell and many more … Any account that can generate fraudsters money, or even help them receive a service for free, has a demand in the cyber underground.
…Uber, for example, are sought after by fraudsters simply because they provide “free taxi rides”. Demand for adult entertainment accounts is high due to interest for self consumption.
…eBay and Amazon are sought after … to steal money or credits from these accounts … Compromised dating site accounts are also often exploited for romance scams.
And here, according to LogDog’s research, is what your account is currently worth on the Dark Web:
|Service||Min. Price||Max. Price|