Digital thieves’ most crucial adaptation in recent years has little to do with their technical tools and everything to do with their business model.
It’s a good time to be a cybercriminal. There are more victims to target, there is more data to steal, and there is more money to be made from doing so than ever before.
It would seem to follow, then, that there’s been very little progress since 2007, when hackers stole at least 45.6 million credit-card numbers from the servers of TJX, the owner of TJ Maxx and Marshalls, catapulting the now-commonplace narrative of the massive data breach to national prominence.
But the truth is that the forces of cyber law and order have made lots of headway in the past decade. There are still large-scale data breaches, but credit-card companies are getting better at detecting them early and replacing customers’ cards as needed, payment networks are pushing microchip-enabled cards that render transaction data worthless to criminals, and law enforcement has gotten smarter and savvier. Just ask Albert Gonzalez, who masterminded the TJX breachand is currently serving a 20-year prison sentence.
The biggest shift in the past decade is that it has gotten much less profitable to do what Gonzalez did—namely, steal millions of payment-card numbers and sell them to fraudsters. According to the cybersecurity firm Intel Security, the price of a stolen payment-card record has dropped from $25 in 2011 to $6 in 2016. “We’re living through an historic glut of stolen data,” explains Brian Krebs, who writes the blog Krebs on Security. “More supply drives the price way down, and there’s so much data for sale, we’re sort of having a shortage of buyers at this point.”
Cybersecurity is often framed as a matter of keeping up with the rapid evolution of online attacks—patching software vulnerabilities and identifying new malware programs. But cyber-criminals’ most crucial adaptation in recent years has little to do with their technical tools and everything to do with their business model: They have started selling stolen data back to its original owners. To keep cybercrime profitable, criminals needed to find a new cohort of potential buyers, and they did: all of us. At the heart of this new business model for cybercrime is the fact that individuals and businesses, not retailers and banks, are the ones footing the bill for data breaches.
This represents quite a departure from the model for most cybercrimes 10—or even five—years ago. It used to be that someone would steal a huge cache of stored data, usually credit-card numbers and billing information belonging to U.S. customers, and sell this data to other criminals, who would use it to manufacture fraudulent credit cards overseas. Those cards would then have to be brought back to the U.S. to be sold, in order to avoid triggering fraud alerts. Each stage of this process provided law enforcement with an opportunity to track the payments made between buyers and sellers of stolen information and monitor the movement of money between national borders. (Following this money trail ultimately led to the identification and prosecution of several cybercriminals, including Gonzalez.)
Read on here: http://www.theatlantic.com/business/archive/2016/06/ransomware-new-econo...
Value is the only commonality in an increasingly complex, challenging and interdependent world.