- Hackers tried to use leaked data within nine minutes of it being posted, according to a new Federal Trade Commission study.
- Most attempted charges on compromised credit cards were for less than $10.
By the time you hear about a data breach, it's way too late to put measures in place to lock thieves out from using that data.
"If you post it, they will use it," concluded a Federal Trade Commission presentation on a new agency study. And quickly. When leaked consumer data like credit card numbers or email login details are made public, it's a matter of minutes (and at best, hours) before thieves make an unauthorized access attempt, it found.
"There's a real mystery of what happens to consumer data when it becomes public," said study co-author Dan Salsburg, chief counsel and acting chief of the FTC's Office of Technology Research and Investigation.
To see what happens to leaked data, researchers crafted a batch of 100 consumer profiles, each including a made-up name, an address from a national database, a phone number and email set up for the purpose of the study, and one payment mechanism also set up for the study — either an online payment account, a bitcoin wallet or a credit card. Each customer profile also included a password, although they didn't specify what the password was for.
"Our goal was to make this customer database look as realistic as possible," Salsburg said — as if it could have been stolen from a small business.
Researchers posted the faux database two times on a site they know thieves to frequent. Within 90 minutes of the first posting, thieves had started to try to access the email and payment accounts listed. On the second posting a week later — which a Twitter bot picked up — it took just nine minutes for thieves to start trying to use that data to make purchases and access accounts.
These three study insights on how thieves tried to use the leaked data could help consumers better protect themselves:
Thieves were most interested in the credit card numbers, with FTC researcher spotting frequent charge attempts even weeks after the data had been leaked. That's likely because card numbers were the only data that could immediately be converted into money, Salsburg said.
Setting up alerts for suspicious transactions — big purchases, those made abroad, etc. — can help, but don't stop there. Regularly reviewing your account for new charges might help you catch an early warning sign: small test charges.
The vast majority of the attempted charges in the FTC study were for less than $10, as thieves attempt to verify the account is usable before selling that data or trying for a bigger purchase, Salsburg said. (See chart above.)
(That's likely also why a few thieves tried the cards at charity sites, he said — because nonprofits may allow small-figure donations and offer quick feedback on whether a card was accepted. "Our identity thieves are unlikely to be big philanthropists," he said.)
Thieves in the FTC study were unsuccessful in their attempts to hack customers' emails.
"Every account was protected by a wrong password or two-factor authentication," Salsburg said.
Using two-factor authentication on not just your emails, but other bank accounts, social media accounts and others where available, can be a smart move, said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse.
When that technology is in place, logging in requires not just a password, but a secondary point of ID – usually in the form of a texted code. In other words, unless the hacker also has access to your phone, he or she is out of luck.
The quick turnaround from the time researchers posted the data to the time thieves started to try to use it shows that it's better to be proactive rather than reactive about protecting your accounts and identity.
"The information is already out there by the time you find out about it," Stephens said. "Unless you've been proactive, it may be difficult to remediate the situation."
Smart steps include creating a unique and complex password for each account, he said. That keeps thieves from using one compromised password to crack your email, bank account or other retail logins.
Once you hear about a breach, best steps to limit the damage may include changing passwords, signing up for free credit monitoring or even placing an alert or freeze on your credit file. (See infographic below.)
"The nature of the data that has been leaked is going to determine what you can best do to protect yourself," Stephens said.