These days we are bombarded with news of data breaches, from Facebook to Marriott to Yahoo.
A seemingly endless string of breaches have hit big companies and their users in recent years, The Wall Street Journal reported: 500 million potential victims at Marriott‘s Starwood properties; 117 million users in the 2012 hack of LinkedIn; three billion at Yahoo in 2013. Often, these attacks fuel a black market where stolen data is bought, sold and repackaged for criminal uses.
More than 24 billion credentials have been stolen or exposed, according to security firm Risk Based Security Inc. This leaves victims at risk of having their data used for a variety of reasons, including identity theft.
“Every American person should assume all of their data is out there,” said Elvis Chan, a supervisory special agent with the Federal Bureau of Investigation.
Once data is hacked it is passed on through the Dark Web, and sold for as little as $3. It’s cheap to buy things like credit-card numbers, webmail passwords, or Social Security numbers. “If someone wants to find my Social Security number, it will take them exactly $3 and five minutes,” said Andrei Barysevich, who works for the online investigation firm Recorded Future Inc.
Data breaches cost the average victim $776, according to Javelin Strategy & Research. In all, identity theft cost victims $16.8 billion in 2017.
It typically takes victims about 20 hours to fix any problems a hack has caused them, but identity theft can cause major complications. Hackers often produce fake passport and ID cards using stolen data.
Fake passports are only one of many products made from stolen consumer info. Criminals also assemble comprehensive victim files called “fullz” — internet slang for a full listing of someone’s data — that sell for about $100 each, Barysevich said. Fullz can include a victim’s date of birth, Social Security number, telephone number, driver’s license number, banking information and more.
There is more than one way to gain data. There is a new form of fraud known as SIM hijacking. Criminals convince mobile-phone companies they are legitimate customers who need a new SIM card.
“When the new SIM card is activated, criminals gain control of the victim’s phone number and quickly use it to reset online passwords and empty bank accounts,” the WSJ reported.
Hackers can use free downloadable tools such as Sentry MBA or Hitman to do their dirty work. “The software takes a bulk list of email addresses and passwords stolen from a site and tries, through a network of computers, to use them one by one to log into different websites. Stolen email addresses and passwords from LinkedIn, for example, could be tried against Amazon. Up to 2% of passwords found on any one site work elsewhere, according to the security company SpyCloud Inc. That can turn a single $100 record into a valuable skeleton key for a buyer,” the WSJ reported.
To make matters worse, there’s a guide for thieves on how to steal data. The “Bank Account Takeover Guide” costs $300 and is a step-by-step instruction guide.
So how can you tell if you’ve been hacked? There are several signs, such as your gadget starts to suddenly slow down, freezes, or crashes.
Another sign is that your data usage has spiked drastically.
“Every Internet provider has tools that can keep track of your monthly bandwidth consumption. Look at Data Usage Meter or Data Monitor, depending on your provider. Compare the amount of data used from the prior months, and if you notice sudden spikes in your data activity even though you haven’t changed your patterns, then chances are you are infected,” USA Today reported.
Are you seeing pop-up ads when you didn’t use to? Criminals can also use DNS hijacking to modify the ads that you see while browsing. Instead of the regular ads that you should be getting, they can be replaced with inappropriate or malicious ones, USA Today reported.
