iStockphoto
Were you impacted by Cambridge Analytica’s misuse of Facebook FB, +0.78% data?
An estimated 87 million Facebook users will find out Monday whether the group improperly used their data, the social-media company said. All 2.2 billion Facebook users will get see a message on Facebook called “Protecting Your Information,” that lays out which third-party apps have access to your individual Facebook profile.
Whether or not you were impacted by the Cambridge Analytica incident, there’s a depressing aspect of many recent privacy violations: The most important parts of your identity can be sold online for just a few dollars.
Consumers have to spend hours of their time — and, sometimes, their own money — when they find out their driver’s license, Facebook “likes” or Social Security number have been exposed to hackers. But those who sell them are making only petty cash.
That’s according to a new report from the content marketing agency Fractl, which analyzed all the fraud-related listings on three large “dark web” marketplaces — Dream, Point and Wall Street Market — over several days last month.
The “dark web” is part of the internet that people can only access by using special software. To create this report, Fractl accessed the dark web through the browser Tor. People buy other risky or illegal substances on the dark web, including drugs, pirated content like movies or music and materials that help with scams, including credit-card “skimmers.”
Facebook logins can be sold for $5.20 each because they allow criminals to have access to personal data that could potentially let them hack into more of an individual’s accounts. The credentials to a PayPal PYPL, -0.38% account with a relatively high balance can be sold on the dark web for $247 on average, the report found.
One’s entire online identity, including personal identification numbers and hacked financial accounts, can be sold for only about $1,200 on the dark web, Fractl found.
That’s because so much personal information may already available to hackers, after repeated data breaches across a range of industries. It comes down to supply and demand, said Adam Levin, the founder of the security firm CyberScout and the author of “Swiped.” Hackers want to grab personal information and sell it as fast as they can, so they can move on, he said.
“With 5.3 billion records released due to accidents and 2.6 billion records released due to hacking last year, personal information is becoming cheap,” said Rick McElroy, a security strategist at the security firm Carbon Black.
Wealthier individuals are more valuable to criminals, and those without money are worth less, said Al Pascual, a senior vice president and research director at the security firm Javelin. But the more information hackers have, the more valuable the data.
“A college student with not a lot of money in the bank might be worth $50,” Pascual said. “If you’re near retirement, with a fat retirement account and plenty of money in the bank, you’ll be worth more.”
Voter data are also vulnerable and valuable during election season, Pascual said. There are more attempts to compromise voter records in the run-up to elections, including attacks against registrars’ offices. Electronic voting machines can also be compromised, he said.
| Type of account | Average price log-in goes for on dark web |
| PayPal | $247 |
| Costco | $5 |
| ASOS (clothing) | $2 |
| Airbnb | $8 |
| Uber | $7 |
| T-Mobile | $10.51 |
| DHL | $10.40 |
| $5.20 | |
| Gmail | $1 |
| Grubhub | $9 |
Logins for food delivery websites such as Grubhub can be sold for about $9 because they allow criminals to fraudulently order expensive food and alcohol.
And a login for the lodging site Airbnb can be sold for about $8 because it opens up “a world of scams,” Fractl said. Fraudsters have changed hosts’ payment details to steal their earnings, or have been able to assume the identities of well-reviewed guests in order to book their own stays. Airbnb has updated its security measures in the last year to combat fraud.
Consumers should always use two-factor authentication when possible, such as a password and a security question or a biometric login like a fingerprint, Pascual said. Amazon AMZN, -0.64% often asks consumers to re-enter their payment information when they are asking to ship to an unfamiliar address, he said.
Payment companies are coming up with their own strategies to combat online fraud. Capital One COF, -1.52% recently introduced virtual, temporary credit card numbers that consumers can use at just one retailer and then delete.
Pascual also recommended signing up for security alerts on every account that offers them, so consumers can keep track of transactions as they’re made in real time. “For better or worse, individuals have to be their own advocates for the security of their identity,” he said.