From marketers to black marketers, your personal information is a valuable commodity
29 December, 2014
category: Corporate, Digital ID, Financial, Government, Health
Most-wanted information
The most sought-after pieces of identity information on the black market are anything that can help a criminal perform a financial transaction on someone else’s behalf. For hackers, that would be name, date of birth and Social Security number.
In 2013, those ranked as the top three types of information breached, according to the Symantec report. “That information is all you need for identity theft. It’s used to set up credit cards, get into bank accounts and do many other things,” Haley says.
A thief can get a lot of value from stealing credit card information, but it’s a one-time thing and then it goes away, Haley says. “A credit card is very easy to change. It’s very hard to change your date of birth or Social Security number,” he says.
Other valuable pieces of information might include a mother’s maiden name, where you went for your honeymoon or a favorite movie. All of those details could contain answers to a security question, says Kayvan Alikhani, director of technology at Bedford, Mass.-based RSA, the security division of data storage firm EMC Corp. “That right now is being sold on an a la carte basis for $4 or $5 for each piece of info,” he says.
Alikhani points out that credit card information isn’t worth as much any more because they have been so heavily compromised and hacked. Today card numbers are worth about $5 apiece, and the final price is influenced by the cardholder’s credit limit and balance, he explains.
Value to theft victims
Banks and credit card companies can cover much of the loss a person suffers from an identity theft, but they can’t make up for the time and energy it takes to discover and correct those problems. “The anxiety that causes is tremendous. Those are things that can really shake people’s lives,” Haley says.
To the user, the value of their identity could be in the magnitude of about $5,000 because of the amount of time it takes to fix an ID theft issue, says RSA’s Alikhani.
On the corporate side, the combination of different pieces of identity information is of much higher value than an individual’s identity because it includes not just single users, but also the authorizations each person uses. “It can wreak havoc on a company on a much larger scale. It becomes much more important to protect pieces of information,” Alikhani says.
If a company loses that information to hackers, the business could be on the hook for any fraudulent transactions. There is also is the reputation risk and damage to the brand, like what Target experienced last year. “Fewer people have shopped at Target as a result of the hit they took to their reputation and their brand,” Ramirez says.
Multi-factor identity defenses
Security and data experts often cite consumer awareness as the best tactic for protecting identity. But Caserta contends that consumer data itself is playing a role, too. He believes Big Data analytics is helping prevent identity theft.
Caserta cites what happened to him recently when he made a credit card transaction in a different state at odd hours. While he was standing at the counter checking out, he received a call from his credit card’s fraud protection division.
“That’s 100% the result of Big Data analytics. They understand all of my buying habits, what hours I shop, and as soon as something outside of my normal behavior happens, they notify me,” he says.
Caserta says he would like to see more innovations to prevent fraud, adding that up to 90% of all logins consist of a user ID and password. “That’s not enough,” he says. “If we really want to prove it’s Joe Caserta at the keyboard, there are much more advanced ways of doing it,” he says.
Alikhani says multi-factor authentication forms set the bar higher so that hackers with information about you cannot impersonate your identity.
With the scope of information now available to criminals, protecting identity in the modern age is more about defense, he says. “You should assume that your identity is already compromised and out there,” he says.
