What happens to a credit card number once it leaks onto the web? It's an important question, as data breaches dump more and more personal data onto the web each month, but there's still little understanding of how the information travels once it's outside a company's grasp. As security firms struggle to detect breaches earlier and faster, a new study is shedding light on how far and fast that data might travel in the wake of an intrusion.
"Is there really a liquid market for breach data?"
Earlier this year, security firm BitGlass decided to test the underground marketplace with a little experiment. The company created an Excel file with 1,568 fake profiles, complete with names, phone numbers, addresses, social security numbers, and credit card numbers. Along with the phony data, the file had a hidden watermark that would report back to BitGlass every time the file was opened, operating like a homing beacon. Then the company dropped the file onto a public Dropbox account and posted it to a few cybercrime forums and waited for the beacon to phone home.
"We were trying to figure out, is there really a liquid market for breach data?" Bitglass CEO Nat Kausik told The Verge. "If you go out there with a million social security numbers, what do you do with it?" Since Bitglass was already using the watermarking technology in its day-to-day breach prevention business, it was a cheap experiment to undertake — and, as it turned out, an enlightening one.
1,081 views in 22 countries
The results were surprising because of both the broad reach of the data and how slowly it traveled. Within the first eight days, the file seems to have stayed confined to the forums where it was posted, chalking up only 200 views in the first eight days after release. Then, suddenly, the file blew up, clearing another 800 views in the next four days. After 12 days, Bitglass's Excel file had been opened at least 1,081 times in 22 different countries.
In some cases, the patterns even indicated specific groups on the other end. Bitglass picked out two specific groups of related hackers — one in Russia and one in Nigeria — which appear as clusters in the data. In each case, the groups appear as disparate IP addresses within the same general region, and all the data points open the file within a few minutes of each other. To Bitglass, it's the footprint of a private chat room and possible evidence of a coordinated criminal enterprise.
Bitglass's data isn't perfect. The information in the excel file could have been pulled into a different file, bypassing the company's homing beacon. IP addresses could have been concealed through VPNs or the Tor network — and knowing the habits of the online criminals, it's likely many of them were. Still, even if the homing beacon data isn't complete, it's a valuable window into the relatively sluggish state of the dark web. If companies were able to detect and respond to the breach within the first week, when only 200 people had seen the data, they could have begun anti-fraud measures before most criminals even knew the data was in the wild.
Unfortunately, most companies' breach response is still measured in months rather than days. News of the Target breach surfaced 24 days after the first credit cards were stolen, while the Home Depot breach went undetected for almost four months. A similar breach at PF Chang's went undiscovered for 10 months, affecting credit cards used at 33 locations.