Wednesday, January 20, 2016

Hacked Uber accounts worth more than stolen credit cards.


Cybercriminals don't care that much about your credit card number anymore. 

Uber, PayPal and even Netflix accounts have become much more valuable to criminals, as evidenced by the price these stolen identifiers now fetch on the so-called "deep Web," according to security company Trend Micro.

The price of stolen Uber account information on underground marketplaces such as the dark web has risen to an average of $3.78 per account, while personally identifiable information (PII) has come down from $4 to just $1 per record over the past year, according to data compiled by Trend Micro for CNBC last week.
(PII includes any information that can be used to commit identity fraud, like Social Security numbers or dates of birth, and varies in price depending on the specific information for sale.)


So how can a criminal make best use of a stolen Uber account? 
The hacked credentials can either be used to build a fuller picture of a victim for identity theft, or they can be used to charge phantom rides, experts said. A phantom ride is when a criminal sets up a fake driver account, and charges nonexistent rides to stolen accounts. 

Also found for sale are the following accounts, at these average prices per account:
• PayPal, with a guaranteed $500 balance ($6.43)
• Facebook ($3.02)
• Google Voice (97 cents)
• Netflix (76 cents)
By contrast, U.S.-issued credit card credentials, sold in bundles, were listed for no more than 22 cents each.

"It's an incredible underground ecosystem. There is a high level of competition for these criminal buyers and there are a lot of different types of forums. It's incredibly diverse, but incredibly mature," said Ed Cabrera, vice president of cybersecurity strategy.

"They are doing their own market research on where they can find the data that's most valuable in the criminal underground and they develop their attacks accordingly," he said. The company issued a report on the phenomenon last October. 

Hackers are even advertising stolen data for sale on YouTube.

A quick search for tweets with the hashtag #uberaccounthacked reveals a number of complaints related to "ghost rides," in which users claim their Uber accounts have been charged for rides they did not take. These are often in far-flung locations across the globe.

"This also highlights the need of these providers to be more cognizant of sudden changes in the accounts' behavior," said Forrester research analyst Andras Cser. "If a user suddenly takes a cross country ride versus following their usual movements, that should spark an alert." 

"On the other hand, that's incredibly hard — maybe I am traveling, or my wife is using my account," he said. 

Credit cards are worth less to crooks at this point because banks and credit card issuers have developed more sophisticated fraud detection systems, rendering stolen cards worthless very quickly, said Cser.


Tech companies are aware of the threat, and many (including Uber) employ teams to monitor accounts for strange activity, alerting users when accounts may have been compromised. They also encourage users to adopt additional security measures and use different passwords for different accounts. 

In some markets, Uber is testing its version of two-step authentication, so when a user logs on from an unknown device, they are prompted to enter additional credentials. The company plans to roll this out in other markets soon.

Facebook advises users to turn on its version of two-factor authentication, called login approvals, and to run a security checkup, a tool that walks users through security options to add extra account protection.

"We use a variety of methods to detect and prevent compromised accounts, including those that sometimes appear on these types of forums, and we've developed tools to help people secure their accounts in just a few steps," a Facebook spokesperson told CNBC.

Netflix encourages concerned users to contact customer service and has posted user guidelines for keeping accounts secure.

"Netflix employs numerous tactics to prevent and detect fraudulent activity," a Netflix representative told CNBC. "We also encourage people to avoid third parties making claims about lifetime accounts. While this is a limited issue that occasionally generates press, members who want to check the security of their account can contact customer service."

The fact that people often use the same password across multiple accounts makes security particularly challenging. Experts say companies should employ new technology to offer users better protection from hackers.

"The time has come to move away from passwords. They should be looking at behavioral biometrics solutions to authenticate users — how the user actually behaves, how they hold a phone, how big their fingers are and how hard they press the touch screen," said Cser.

Source: CNBC