Crime pays

It's worth considering what makes cybercrime so compelling from the criminal's perspective.

In this short article we'll share some information about what your data is worth to bad actors, and what you can expect if you're successfully targeted.

The Basics: Market Values for Data Items

Let's start with an example you probably recognize from the news, a data breach leads to the theft of data such as a social security number or a credit card number. These single items of data each have their market value on the dark web, with some examples including:

• Average estimated price for stolen credit and debit cards: $5 to $30 in the US; $20 to $35 in the UK; $20 to $40 in Canada; $21 to $40 in Australia; and $25 to $45 in the European Union
• Bank login credentials for a $2,200 balance bank account: $190
• Bank login credentials plus stealth funds transfers to US banks: from $500 for a $6,000 account balance, to $1,200 for a $20,000 account balance
• Bank login credentials and stealth funds transfers to UK banks: from $700 for a $10,000 account balance, to $900 for a $16,000 account balance
• Login credentials for online payment services such as PayPal: between $20 and $50 for account balances from $400 to $1,000; between $200 and $300 for balances from $5,000 to $8,000
• Login credentials to hotel loyalty programs and online auction accounts: $20 to $1,400
• Login credentials for online premium content services such as Netflix: as little as $0.55

The Multiplier Effect: Driving Up the Price

Maybe your own company offers sell-up and value-added products and services. Well, the criminals do that as well, and the value add is based on how easy it makes for another criminal to benefit from the data. So for something like a credit card, the bad guys value also having things that provide identity and the increase in value can be as much as threefold depending on the country. In the US, a credit card number worth $8 can be sold for $15 with an associated bank ID number, and as much as $30 with "Fullz info". Fullz info is a slang term used by the criminals to describe a complete package of an individual's identifying information, including at a minimum the victim's full name and billing address, credit card number, expiration data and card security code. Just type the word "Fullz" into Google and you'll get nearly 300,000 hits back, the majority providing information on how to get this stolen data and how to use it to commit more crimes - and that's not even on the dark web!

Doing the Math: What's the Total Value to a Criminal?

Now we've figured out the unit costs, let's see how this ratchets up in terms of how valuable a given target company might look to a criminal gang. Consider the following:

• US company with 1,000 consumer customers.
• 60% pay by credit card, 20% by PayPal, 20% mail in checks.

From the criminal's perspective, this has a potential value of 1,000 x 0.6 x $10 = $6,000 for the basic credit card data. rising to $18,000 with additional information. Plus, they will likely get at least some email addresses for the remaining 40% of users, which they can try to hack in some typical online accounts like Amazon, PayPal, eBay and more (many users being fairly remiss at having complex, frequently changed passwords and a tendency to use the same password for multiple accounts). Worth hacking? Certainly, when you consider that the criminals are also going to attack thousands of other companies - if they are successful in only 100 companies like the one we describe they stand to gain $600,000.