ID – 50 cents, credit card – 6 USD, reputation – free? How much personal data costs online and how it enables doxing
December 2020 by Kaspersky
With the offline and digital strands of our lives now completely intertwined, online actions directly influence the physical realm. One of the most affected areas in this regard is communication and the sharing of personal information, as any user’s details may be used against them. Kaspersky researchers dug into two major consequences of willingly and unwillingly sharing personal data in public: doxing, which is the public de-anonymisation of a person online, and the selling of personal data on the dark web. The research reveals how much a person’s security may cost online: accessing sensitive data such as medical records or identification information can cost less than a cup of coffee.
While people’s awareness of privacy issues is rising, most of us still only have a general understanding of why it matters, with 37% of millennials thinking that they are too boring to be the victim of cybercrime. This is simply not the case. For instance, doxing, which, in a way, is a method of cyberbullying, can affect any user who is vocal online or does not conform to the subjective standards of other users.
Doxing occurs when a person shares private information about another person without their consent to embarrass, hurt or otherwise put the target in danger. Users typically do not expect personal information to leak out into the public domain, and even if it does, do not anticipate what harm that might do. But as practice shows, with especially determined abusers or malicious users, doxing may potentially go as far as hacking into the target’s accounts – a service that is offered on the dark markets nowadays.
To get a better understanding of how users’ personal information can be used in the wrong hands, Kaspersky researchers analysed active offers on 10 international darknet forums and marketplaces. The research has shown that access to personal data can start from as low as 50 cents (USD) for an ID, depending on the depth and breadth of the data offered. Some personal information remains as in demand as almost a decade ago – primarily credit card data, banking and e-payment service access – with their respective prices unchanged in recent years.
The price range in USD for different types of data identified as a result of analysis of offers on the dark market forums
However, new types of data have also emerged. This now includes personal medical records and selfies with personal identification documents, which cost up to $40 (USD). The growth in the number of photos with documents in hand and schemes using them also reflects a trend in the ‘cybergoods game’. Abuse of this data potentially results in quite significant consequences, such as taking victims’ names or obtaining services on the basis of their identity.
Consequences of abuse of other types of personal data are also significant. Data sold on the dark market can be used for extortion, execution of scams and phishing schemes, and direct theft of money. Certain types of data, such as access to personal accounts or password databases, can be abused not just for financial gain, but also for reputational harm and other types of social damage, including doxing.
“In the past few years many areas of our lives have become digitised – and some of them, such as our health, for instance, are especially private. As we see by the increasing number of leaks, this leads to more risks for users. However, there are positive developments too – many organisations are taking extra steps to secure their users’ data. Social media platforms have made especially significant progress in this regard as it is much harder now to steal an account of a specific user. That said, I believe our research highlights how important it is to be aware that your data is in fact in demand and can be used for malicious purposes even if you do not especially have lots of money, do not voice controversial opinions and are generally not very active online,” comments Dmitry Galov, security researcher at Kaspersky’s GReAT.
“The internet has given us an opportunity to express our individualities and share our stories and that is fantastic. Yet, one has to understand that being and expressing yourself online is not exactly a private endeavor – it is more like shouting on a crowded street and you never know who might come your way, disagree with you and how they might react. With this come risks,” comments Vladislav Tushkanov, privacy expert at Kaspersky. “This does not mean that we should all delete and close our social media accounts, of course. It is all about understanding potential consequences and risks and being prepared for them. The best course of action when it comes to your data is this: know what they know, remove what you can and take control of what information about you goes online. It is that simple, but does require effort.”
To minimise the risks of having your personal information stolen, Kaspersky recommends:
• Be aware of phishing emails and websites;
• Always check permission settings on the apps you use, to minimise the likelihood of your data being shared or stored by third parties – and beyond – without your knowledge;
• Use two-factor authentication. Remember that using an application that generates one-time codes is more secure than receiving the second factor via SMS. If you need additional security, invest in a hardware 2FA key;
• Use a reliable security solution like Kaspersky Password Manager to generate and secure unique passwords for every account, and resist the temptation to reuse the same one over and over again;
• To find out if any of the passwords you use to access your online accounts have been compromised, use a tool such as Kaspersky Security Cloud. Its Account Check feature allows users to inspect their accounts for potential data leaks. If a leak is detected, Kaspersky Security Cloud provides information about the categories of data that may be publicly accessible so that the individual affected can take appropriate action;
• Always consider how the content you share online might be interpreted and used by others.