Adam Benson remembers the first time his credit card number was stolen. Someone had opened up his parents' mailbox and found his credit card statement. That theft now seems quaint to Benson, deputy executive director of the Digital Citizens Alliance, who researches online black markets and the preferred tools of a hacker.
The mailbox danger still exists but has largely been replaced by the anonymous hacker working in the shadows to take, and then sell, troves of personal information online.
"There's always been a market for data. A Social Security number had value to a criminal in the 1970s just as it does now," said Benson. "What's changed is, technology has made it possible for some skilled people — or even not so skilled, in some cases — to get a hold of this data and utilize it."
Health-care records; credit card numbers; login credentials to Netflix, Uber and Skype accounts; and even people's frequent-flyer airline points are just some of the types of personal information popping up on a booming, and ever growing, black market.
The proliferating black markets for hacked personal data — anonymous internet marketplaces that sit inside the "dark net" — are working like any economy should, creating a range of prices for different types of data, based on the laws of supply and demand.
"This is not just some kid in the basement," said Benson. "This is a business. People can make a living, and a comfortable living, doing this."
Stolen personal data can be used for a variety of reasons. In some cases, stolen login credentials to an Uber account guarantee a person can charge their Uber rides to someone else. In other cases, stolen credit card information or health-care data helps hackers commit identity theft.
Ultimately, the hackers who sell such personal information online are interested in one thing.
"This is all about money — hackers are only selling things that can be monetized relatively quickly," said Kyle Soska, a Ph.D. student in electrical and computer engineering at Carnegie Mellon University whose research has focused on the types of products traded over internet black markets.
Credit cards paired with CVV numbers sell for no more than a few bucks, in large part due to the thousands of credit card numbers that are available at any one time on the black market. But markets for personal data are much like stock and bond markets that value securities, "with prices rising when demand is high and falling when it is low," as a recent report from the RAND Corporation put it.
"Right after Target was breached, some of those credit cards were worth between $100 and $200 each," said Lillian Ablon, lead author of the RAND report, referring to the late 2013 hack of Target customer data. "As time goes on, the markets get flooded with data. They're sophisticated, and they do follow the laws of supply and demand."
Stolen person information such as credit card numbers and Netflix credentials are categorized as "digital goods," and they remain a small but growing percentage of dark web transactions. Soska estimates that $30,000 per day in digital goods is transacted on the data black market, which would make this niche about 5 percent of the $600,000 he estimates is transacted daily by hackers.
This free market dynamic helps to explain the recent increase in other types of personal data finding their way into the black market. Stolen Uber accounts sell for an average of $3.78 per account, according to a recent CNBC report. Stolen Netflix accounts go for about 76 cents. A stolen PayPal account with a guaranteed $500 balance goes for an average of $6.43 per account.
The ease with which the data can be changed is likely to also influence pricing, Ablon said. Someone's credit card number can always be changed easily, whereas someone's phone number or email address are likely to remain the same. There is also a reliability factor: Credit card users know fairly soon afterward if their information has been stolen, while a Netflix viewer might not know if someone is streaming movies on their dime.
"Credit cards tend to be pretty cheap per card number mainly because it's more of a gamble. You don't know which ones have already been flagged for fraud; you don't know which ones have high credit limits," said Ken Deitz, Dell SecureWorks' director of corporate cyberintelligence.
This is not just some kid in the basement. This is a business. People can make a living, and a comfortable living, doing this.Adam Bensondeputy executive director of the Digital Citizens Alliance
For several years Dell SecureWorks has tracked the costs of different types of personal data and has found a variety of prices for different digital goods. Skype accounts sell for as much as $10. A person's frequent flyer account — if it's with a large U.S. airline and has at least 1,500,000 points — costs as much as $450. Health-care data that includes a person's Social Security number might go for anywhere between $30 and $50.
"When you have somebody's full health record, you know that's their real record — there's not a question about how effective or useful the data will be," Deitz said.
What the data can be used for also influences its cost. Health-care data can be used to create fake identities, which in turn can be used to illegally bill companies. With different login credentials, like a person's email username and password, a hacker can send convincingly credible yet malware-infected emails to friends and family, potentially grabbing more personal data in the process.
A spokesperson for Uber referred to a statement provided by the ride-sharing service earlier this year. A spokesperson for Skype said the service includes multiple layers of security features to help protect customer information, including encryption, firewalls and digital authentication. "In addition, we encourage customers to set strong passwords, change passwords regularly, and keep Skype up to date," the Skype spokesperson said. Neither PayPal nor Netflix responded to a request for comment from CNBC.
"Black-market evolution mirrors the normal evolution of a free market, with both innovation and growth," RAND wrote. "Despite increased efforts by law enforcement to disrupt and shut down various parts of the market — from its financing to popular marketplaces — the hacker economy has proved to be quite resilient."
Stopping the flood of stolen personal data remains a challenge. Soska said the FBI does "a good job of finding these marketplaces and taking them down," such as the Silk Road. But new online marketplaces hawking the same hacked data appear relatively quickly afterward. The FBI declined to comment.
— By Andrew Zaleski, special to CNBC.com
