In any traditional market, the yield or scarcity of a product influences its price. A recent report from Juniper Networks and The RAND Corporation looked at the economic maturity of the cyber black market – and it found product prices in this illicit market are no different.
What is surprising is that information that traditionally fetched a high price on the black market is decreasing in value, making way for new, high-priced items. According to the study, Twitter accounts can cost more to purchase than a stolen credit card because an individual’s account credentials potentially have a greater yield.
Traditionally, credit card information was the currency of the black market. It demanded a high price, ranging from $20-$40 on average. However, high-profile breaches have created a recent influx of available credit card data online. As a result, the scarcity and value of the stolen information are decreasing. During a large credit card breach, the market becomes flooded with data, causing prices to drop from $20 per record to $0.75 per record in a short amount of time.
Social media and other online accounts are now becoming more valuable. Although prices range widely, RAND found hacked accounts can be worth anywhere from $16 to $325+ depending on the account type.
So why is an individual’s Twitter or other online account information potentially more valuable to criminals than their credit card?
It typically comes down to a more sophisticated play, in which the stolen data is leveraged for additional value:
- Depth: Social media and other credentials include usernames and passwords, which can often be used as an entry point to launch attacks on that person’s accounts on a number of other sites. Given the number of people who tend to use the same username and password, hacking one account can often yield other valuable information such as online banking or e-commerce accounts. By stealing Joe Smith’s account information on one site, the criminal might gain access to his information on 10 sites.
- Reach: An individual’s stolen account information can be used to spear-phish the accounts of friends, family and co-workers for additional financial gain.
So what can people do to protect themselves?
The most critical rule of thumb is to use different passwords for each site that contains personal or financial information. For example, one password for your bank, another for your investments. It is also important to be wary of opening emails or clicking on links from people you don’t know. Finally, monitoring personal and financial accounts closely will enable individuals to identify and report fraudulent activity.