CNBC Disruptor 50

Stolen Uber accounts worth more than stolen credit cards

Stolen Uber accounts worth more than stolen credit cards
Stolen Uber accounts worth more than stolen credit cards

Cybercriminals don't care that much about your credit card number anymore.

Uber, PayPal and even Netflix accounts have become much more valuable to criminals, as evidenced by the price these stolen identifiers now fetch on the so-called "deep Web," according to security company Trend Micro.

Stolen Uber account information on underground marketplaces sells for an average of $3.78 per account, while personally identifiable information (PII) was listed for $1 to $3.30 on average, oddly down from $4 per record in 2014, according to data compiled by Trend Micro for CNBC last week. (PII includes any information that can be used to commit identity fraud, like Social Security numbers or date of birth and varies in price depending on the specific information for sale.)

Federal Reserve vulnerable to hackers: Inspector general

So how could a criminal use a stolen Uber account? Those credentials can either be used to build a fuller picture of a victim for identity theft, or they can be used to charge phantom rides, experts said. A phantom ride is when a criminal sets up a fake driver account, and charges nonexistent rides to stolen accounts.

They also found the following accounts for sale at these average prices per account; PayPal — with a guaranteed $500 balance — ($6.43), Facebook ($3.02), Google Voice (97 cents) and Netflix (76 cents). By contrast, U.S. issued credit card credentials, sold in bundles, were listed for no more than 22 cents each.

"It's an incredible underground ecosystem. There is a high level of competition for these criminal buyers and there are a lot of different types of forums. It's incredibly diverse, but incredibly mature," said Ed Cabrera, the company's vice president of cybersecurity strategy.

"They are doing their own market research on where they can find the data that's most valuable in the criminal underground and they develop their attacks accordingly," he said. The company issued a report on the phenomenon last October.

Hackers advertising stolen data on YouTube to buy

A quick search for tweets with the hashtag #uberaccounthacked reveals a number of complaints related to "ghost rides," in which users claim their Uber accounts have been charged for rides they did not take. These are often in far flung locations across the globe.

"This also highlights the need of these providers to be more cognizant of sudden changes in the accounts' behavior," said Forrester research analyst Andras Cser. "If a user suddenly takes a cross country ride versus following their usual movements, that should spark an alert."

"On the other hand, that's incredibly hard — maybe I am traveling, or my wife is using my account," he said.

The reason why credit cards are worth less to crooks at this point is because banks and credit card issuers have developed more sophisticated fraud detection systems, rending stolen cards worthless very quickly, said Cser.

Un-hack me: Tips for staying cyber-safe at Thanksgiving

Tech companies are aware of the threat, and many (including Uber) employ teams to monitor accounts for strange activity, alerting users when accounts may have been compromised. They also encourage users to adopt additional security measures and use different passwords for different accounts.

In some markets, Uber is testing its version of two-step authentication, so when a user logs on from an unknown device, they are prompted to enter additional credentials. The company plans to roll this out in other markets soon.

"Our security teams are laser focused on protecting the integrity of our community's Uber accounts," an Uber spokesperson said. "We use technical measures to detect any issues and are always enhancing the measures we deploy to protect our users' accounts."

Aetb | iStock | Getty Images

Facebook advises users to turn on its version of two-factor authentication called login approvals and to run a security checkup, a tool that walks users through security options to add extra account protection.

"We use a variety of methods to detect and prevent compromised accounts, including those that sometimes appear on these types of forums, and we've developed tools to help people secure their accounts in just a few steps," a Facebook spokesperson told CNBC.

Netflix encourages concerned users to contact customer service and has posted user guidelines for keeping accounts secure.

"Netflix employs numerous tactics to prevent and detect fraudulent activity," a Netflix representattive told CNBC. "We also encourage people to avoid third parties making claims about lifetime accounts. While this is a limited issue that occasionally generates press, members who want to check the security of their account can contact customer service."

Neither PayPal nor Google responded to a request for comment.

A man checks his heart rate on a FitBit Charge HR wearable activity tracker and monitor.
There's a hack for that: Fitbit user accounts attacked

The fact that people often use the same password across multiple accounts makes security particularly challenging. Experts say companies should employ to new technology to offer users better protection from hackers.

"The time has come to move away from passwords. They should be looking at behavioral biometrics solutions to authenticate users — how the user actually behaves, how they hold a phone, how big their fingers are and how hard they press the touch screen," said Cser.