Does Black Friday and Cyber Monday extend to the black market? According to new research, it does... with your identity and more

Why the value of stolen identities and the underground hacking economy matters with suggestions on making an investment to turn the tide

Ever wonder what it costs to buy a stolen identity on the black market? How about the going rate for credit card information?

You're not alone.

Dell SecureWorks published their findings on the state of the underground hacking economy [link] a few days before Black Friday and Cyber Monday. 

While not the traditional holiday bargains associated with Black Friday and Cyber Monday, the current value of a "fullz" identity is nearly 40% lower than last year - for the bargain price of just $25.

Check out the table [link] in the blog post for current prices on the black market for credit cards, bank accounts, and the going rate for different attacks. 

Why the price and value of identity matters

Value is a tricky concept. The decline in the price for a complete credential package could suggest that stolen identities hold less value because of lower utility for thieves.

What the research suggests, however, is that recent successes in attacks created a flood of supply, driving prices down. When it comes to the going rate for stolen identities and other information, that's not always a good thing.

Normally we seek to purchase goods at a price lower than the value.

Excess supply and low prices relative to value creates the sort of bargain that may entice more criminals into the marketplace to purchase stolen credentials. Once the excess supply is absorbed, those newcomers to the market may stick around, increasing demand and driving prices back up. Higher prices may lure more attackers.

Either way, stealing information is a thriving business and a growing problem.

Our information is at risk. The first step in turning the tide is connecting individuals to impacts by providing the context to make it personal.

Turn the tide: translate the value to individuals

Research about the underground provides evidence and the specifics necessary for credible stories. It's an opportunity to discuss the friction of the attacks -- and how lower friction for attackers leads to more breaches, more information compromised, and, at least for now, lower prices.

Ultimately, increasing the friction for attackers drives up the cost of the attack. In theory, it is possible to make the cost of the attack higher than the value of the stolen information. In practice, we can make a big difference by taking some small steps.

This is where awareness matters (real awareness, not the misconstrued 'security awareness' bantered about). To start to shift behaviors and create conditions for change, people need to realize the impacts of actions, in their own context. 

Questions are a great place to start. Consider this sequence:

  • If I gave you $25 right now, what would you go buy?
  • If someone stole your identity, what do you think they could sell it for?
  • If someone bought your stolen identity (for $25), what could they do with it?
  • Would it cost you more than $25 to deal with a stolen identity?
  • Does it make sense to take action to protect yourself?

The purpose is to engage someone in a personal way. The first two questions probe interest and provide cues to guide the conversation. The next two questions don't necessarily need answers. It's okay - maybe even good - to let the concepts hang a bit. Make a connection and get permission to continue the conversation.

It means translating experience into understanding; finding the common ground and helping to bring a global, faceless, nameless crime to the individual level.

Once the conversation is started (or interest signaled), the real work begins.

Make an investment now for benefit next year

This is the time of year when people rush to hit deadlines before a short break. It signals an opportunity to shift focus from corporate policy and challenges to individuals.

Meet the needs of individuals. Engage in conversations (like outlined above). Offer insights to help people protect their identities (where they have control) this holiday season. Show them how to set up their new purchases with security in mind. Provide a direct benefit while building a foundation for next year.

Learn from each connection and gather insights for future action:

  • Look for patterns in questions and trends to offer useful tips and steps for people
  • Schedule lunch and learn sessions focused on the needs and interests of people (instead of what we think they should know)
  • Plan more time for unstructured conversations

By taking time to understand the underground economy and making time to engage with people, we can bridge the gap. One step, one  person at a time. It makes a difference. Maybe next year Black Friday and Cyber Monday won't be as kind to attackers and thieves. 

Cybersecurity market research: Top 15 statistics for 2017