The new economics of cybercrime

“We’re living through an historic glut of stolen data,” explains Brian Krebs, who writes the blog Krebs on Security. “More supply drives the price way down, and there’s so much data for sale, we’re sort of having a shortage of buyers at this point.”

…But cybercriminals’ most crucial adaptation in recent years has little to do with their technical tools and everything to do with their business model: They have started selling stolen data back to its original owners. To keep cybercrime profitable, criminals needed to find a new cohort of potential buyers, and they did: all of us. At the heart of this new business model for cybercrime is the fact that individuals and businesses, not retailers and banks, are the ones footing the bill for data breaches.

Here is the full Josephine Wolff piece.


Paying cybercriminals for stolen data is equivalent to paying the Mafia for "protection", although the latter is more efficient. Why not just pay the cybercriminals for "protection"? Everything old is new again.

Cybercriminals can't credibly commit to protecting you from their competition.

Can the Mafia (i.e., a particular "family") credibly protect you against their competition? Or is the Mafia more respectful of "business ethics" (territory) than cybercriminals? Of course, to the extent the Mafia is respectful of "business ethics" it's to preserve the "peace"; "war" between the families being very bad for business.

Hard to justify paying for a copy of your data back, unless they actually stole, not copied it, from your data storehouse.


However, ransomware as referenced in the article, often involves the user accidentally downloading a malicious Trojan virus that quietly encrypts the local hard drive. Then after it's finished, it launches a popup with a timer and a phone number. If the user doesn't pay up, they don't get the encryption key to unlock their data. The data never goes anywhere, but if it's encrypted and you don't have the key then you've lost it.

If a user commonly or automatically backs up their data to another source, then this may not be an issue. But most people don't.


Just happened at the University of Calgary...

I think there are two things. 1) They may be blocking your access, and attempts to access will result in deletion. 2) Even if they only have a copy, you probably would like to keep it out of your competitors' (or family & friends') hands.

Article notes the ransom business model grew and was enabled by anonymous money. The hospital had to pay ransom in bitcoin to regain their system and patient data.

On several tech conference calls I've been reading, the companies indicate security is the top demand driver currently.

Are there any truly anonymous moneys any more -- other than printed currency? I thought all the digital currencies were either shut down or agreed to meet the requirements for AML.

I would pay a cybercriminal to steal from another cybercriminal--money or lists--and bankrupt the rival. Part of the payment would be for success, and another part would be the complete copy of the stolen data.

Or, you could pay one criminal to infect the other's hard drives so they locked up.

Serious question: given that so many people have had their data stolen, why not put the burden of proof for any debt on the creditor and not the debtor? Wouldn't they have to innovate and come up with a system that required more than a 9-digit number to allow someone to borrow or spend money if they knew the loss would fall on them?

There was a time when you could reasonably blame the ordinary joe if his identity was stolen. People I knew 10 years ago that had it happen really were the victims of people they knew that got ahold of their social security cards or credit cards.

Now, all you have to do to lose your identity is sign up for insurance through your employer or swipe a credit card at a national chain.
Why is the onus on a disputed debt still on the consumer?
