
Russian Gang Said to Amass More Than a Billion Stolen Internet Credentials - GabrielF00
http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html
======
steven2012
How much rampant identity theft has to occur before our government admits that
it's broken? Leaving things like credit ratings in the hands of 3 incompetent
companies like Experian, Equifax and Transunion that control our livelihood is
an affront to common decency.

As a victim of identity theft, and as someone who took extreme measures to
protect himself from identity theft before it occurred, I can tell everyone
without a doubt that the only reason why you're not a victim of identity theft
is because of random chance. There is no mechanism to protect yourself, and
your information is readily available. The only reason why you haven't gotten
your identity stolen is because the thieves simply haven't gotten to you yet.

It's infuriating that these companies can get away with what is essentially
libel and not have anything done to them. I shredded all my mail, I haven't
given any real information about me on any web site since 1997, never gave out
any information about me willy-nilly including applying for too many credit
cards, and I never fall for phishing attacks. And yet somehow I found myself
victim of identity theft, and it took 2+ years to clean up, and it's still not
over. Since so many web sites use Experian data to verify my identity, I've
lost a lot of opportunity to get credit, loans, etc, because Experian has
mixed my information with the fraudulent information, so I get answers to
those automated questions wrong.

It's truly infuriating, and the system is completely broken, yet no one in
government cares.

~~~
sachinag
Lawyer up and sue. I'm assuming you're American because you referenced
Experian. FCRA gives you two years.

~~~
justin66
Or just camp out outside Experian's hq and try to destroy their headquarters
using psionic powers. Concentrate really hard!

Equal chances of success as suing them but considerably less expensive.

~~~
enraged_camel
>>Equal chances of success as suing them but considerably less expensive.

Also considerably more likely to get you arrested, possibly with overwhelming
force.

~~~
TeMPOraL
> _Also considerably more likely to get you arrested, possibly with
> overwhelming force._

Which could possibly cause media attention and Internet outrage, so it still
feels like a better option than suing.

------
smackfu
Wow, that is some photo the NY Times put on that article.

~~~
jcrei
Seriously, what is up with that picture? What is the message or point that
they are trying to get across with such a picture in that article? Is it
supposed to add any credibility to the guy or his firm?

~~~
lifeformed
What picture? I'm not seeing it.

~~~
nostromo
They changed it.

Original (odd) photo:
[http://static01.nyt.com/images/2014/08/06/business/06bighack-web1/06bighack-web1-superJumbo.jpg](http://static01.nyt.com/images/2014/08/06/business/06bighack-web1/06bighack-web1-superJumbo.jpg)

Current photo:
[http://static01.nyt.com/images/2014/08/06/business/06bighack-web1/06bighack-web1-superJumbo-v2.jpg](http://static01.nyt.com/images/2014/08/06/business/06bighack-web1/06bighack-web1-superJumbo-v2.jpg)

~~~
jonnathanson
That is the best photo I've ever seen in an NYT piece. The sheer absurdity of
it. The bleak banality. The couches. The wires!

It's like the opening shot of a Sofia Coppola film. In my mind, that guy is
played by a young Bill Murray.

------
r0h1n
Interestingly, Hold Security, the firm that apparently discovered this massive
trove of stolen records, has promptly offered a $120 service for those who
want to see if they're affected:
[http://www.forbes.com/sites/kashmirhill/2014/08/05/huge-password-breach-shady-antics/](http://www.forbes.com/sites/kashmirhill/2014/08/05/huge-password-breach-shady-antics/)

------
learc83
Imagine if they wanted to use this for a terrorist attack, or sold the data to
someone who did.

If they set up a botnet to log into as many bank accounts as possible and
transfer money around (even if it were just between a user's own accounts or
accounts already set up for transfer), banks would basically be forced to
shut down internet banking until they could come up with a solution. The
economic losses would be tremendous--it would take forever to sort out the
mess.

~~~
smt88
You've seen GoldenEye too many times. Evil is selfish, not indiscriminate.
Terrorists generally want control over some general area (or their own lives).
They don't want to destroy human society. Society is what gives them food,
shelter, and all the other things people like to have.

What you're describing would take not just one person who wanted to destroy
all of human society, but quite a few of them.

~~~
learc83
>What you're describing would take not just one person who wanted to destroy
all of human society, but quite a few of them.

Woah...I'm not talking about something destroying all of human society, I'm
talking about a group of people who would like to harm specific countries
economically--of which there are more than a few.

Moving money around like what I'm talking about would result in billions of
dollars lost. Worst case scenario a stock market crash followed by a
recession, not the end of civilization.

------
RevRal
What do you mean that the computer accumulated the personal information of
every person on earth?

That’s it. It knows everything about us, and we think it did this consciously.
Yes sir, by manipulating people into doing specific things.

What can it do with this information?

Well sir, it is going to do what it can to establish the ability to keep this
information as up-to-date as possible. Nobody is able to escape.

The criminal gangs, Russia and Asia. They were the ones behind this?

Yes and no. They each collected enough information and stole it from each
other.

We have to warn the world!

We can’t. It controls everything.

What caused this?

A Meta-pattern within the human psyche reached into the computer and in turn
used the computer to amplify its own motives.

~~~
smt88
I'm resisting the urge to offer you a tinfoil hat or ask if you're joking.
Instead, I'm going to reason through this.

The scenario you describe is unlikely. Before such a global catastrophe
happens, it's likely that a smaller catastrophe will happen. Like the Titanic,
the world will be shocked into preventative action. Governments will make
laws.

After that, the difficulty in collecting such massive amounts of information
will be greater than the value in that information. Even now, requiring proper
software security practices would prevent information-theft from being a
viable business. You might get the occasional massive haul, but it wouldn't be
an epidemic.

------
trhway
> though the Russian government has not historically pursued accused hackers.

Between a blogger criticizing Putin's regime and a hacker who stole a bunch of
millions from an American bank - who do you think the Russian government would
go after? :)

~~~
tmp1234519029
It would make sense to go after the blogger if you care more about your
ideology than some bank's money. I would go after neither of them though.

~~~
trhway
A government always goes after the ones who present the most danger to it.

------
joshwa
FTA:

"[T]he Russian hackers have been able to capture credentials on a mass scale
using botnets — networks of zombie computers that have been infected with a
computer virus — to do their bidding. Any time an infected user visits a
website, criminals command the botnet to test that website to see if it is
vulnerable to a well-known hacking technique known as a SQL injection, in
which a hacker enters commands that cause a database to produce its contents.
If the website proves vulnerable, criminals flag the site and return later to
extract the full contents of the database.

“They audited the Internet,” Mr. Holden said."
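
As an added illustration of the technique the quoted passage describes (example code written for this thread, not from the article or from Hold Security): a constructed SQLite table is queried two ways, once by splicing the input into the SQL text and once by binding it as a parameter, alongside a small heuristic of the kind a request-log review might use to flag such probes. Table, rows and the heuristic's keyword list are all assumptions.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny "users" table
# standing in for the site databases the botnet was said to dump.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    # The defect the article alludes to: user input is spliced into the SQL
    # text, so the input can change what the statement means.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Hardened form: a bound parameter is always treated as data, never SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def breaks_on_apostrophe(conn):
    # Side effect of the vulnerable form: ordinary input containing a quote
    # is a syntax error, which is itself a signal worth logging.
    try:
        lookup_vulnerable(conn, "O'Brien")
        return False
    except sqlite3.OperationalError:
        return True


def looks_like_injection(value):
    # Minimal heuristic for a request-log review: a quote plus an SQL
    # keyword. Illustrative only; parameterised queries are the real fix.
    lowered = value.lower()
    return "'" in value and any(k in lowered for k in (" or ", "--", ";", "union"))
```

Run `lookup_vulnerable` and `lookup_safe` with the same tautology-style input and the first returns every row while the second returns nothing.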

~~~
devindotcom
I called it the digital equivalent of training wild monkeys to steal wallets.

------
MangezBien
Is there any report on what services were compromised?

~~~
ChuckMcM
Is there a service with a billion users? :-)

~~~
kqr2
Supposedly facebook:

[http://www.dailymail.co.uk/sciencetech/article-2703440/Theres-no-escape-Facebook-set-record-stock-high-results-beats-expectations-1-32-BILLION-users-30-mobile.html](http://www.dailymail.co.uk/sciencetech/article-2703440/Theres-no-escape-Facebook-set-record-stock-high-results-beats-expectations-1-32-BILLION-users-30-mobile.html)

~~~
anigbrowl
Daily Mail has great photojournalism. I wouldn't trust anything textual from
there, their reportage sucks.

------
smt88
I recommend BillGuard or something similar for anyone who is worried about
losing payment information. Also, use/promote
[http://twofactorauth.org](http://twofactorauth.org)

------
scoofy
Before my wall of text, i first understand the difficulties of network
effects, getting credit cards accepted worldwide, much less statewide, but i
think with the advent of square, stripe, paypal, etc. the barriers to launch
are much lower than they were even 5 years ago. I'm sick of banks trying to
squeeze every last drop out of the customers, and i'd gladly pay for a banking
service rather than be the product it's selling.

Credit cards are surviving in the stone age; firms would rather make it easy
for you to get yourself in debt than to provide a service that prevents fraud
and abuse. So, VC people out there. If you want to make a billion dollars, you
should start a bank. People who work for the credit card community, there are
simple upgrades that would make life a lot safer.

Simple upgrades to make security safer:

Chip and pin is low-hanging fruit in the US. The fact that most Americans have
no idea what those three words mean is an international embarrassment.

READ ONLY passwords for bank account information, in addition to different
read-write options that have an extra level of security. I'd gladly use
services like Mint, except i'd rather not give write power to anyone except me
and a browser i use only for banking, only at home.

Tie credit cards to cell phones. Get a text after EVERY purchase (this would
honestly not amount to more than 10 or so texts per day). Have this as
opt-out, not opt-in. Yes, i would use this; yes, it would effectively stunt any
fraud. You would not have to respond to the text at all; however, if you
suspect fraud, you can immediately cancel the card.

Voice recognition for phone calls. When you take out a card, you are required
to read a paragraph or two, and upload, or mail in, a recording of your voice.
This could immediately alleviate much of the phone security nonsense that i
deal with when i'm on the phone. It's not a cure all for passwords, but it's
certainly an additional level of security.

IP zones for online credit card purchases. I know about five 100 mile radii
that i will be making an online purchase from. Add an extra level of security
for any time i'm outside of that.

As far as credit agencies are concerned, there is a serious issue with
quasi-oligopoly situations there. Extremely difficult to disrupt, but developing
secure credit vehicles could create incentives for the current oligopoly in
credit cards to improve security for their own cards.

At the end of the day, i'm more than willing to admit that people themselves
are a big part of the problem. Example: a year ago, watching a man freak out
on an apple store employee when he would not give a computer to him, that
apparently belonged to his son, who gave it to the apple store a week earlier.
The son apparently signed off that only he could receive the computer, and
only in person. The enraged father was rambling on about how insane it was
that they would not surrender the computer to him, and how he would never use
apple products again. I wish there were profitable business models for people
who actually like following the rules and read the contracts they sign.

tl;dr: I don't want a credit card that makes it easy for me to spend money. I
have cash for that. Give me a credit card that makes me feel safe entering the
number into any website, and i'll gladly pay a premium for it.

~~~
driverdan
A lot of these items are about protecting your own payment cards which are
kind of pointless. You are not liable for credit card fraud. It can be a bit
of a pain to replace a card but getting rid of fraudulent charges is now as
easy as a phone call. I'd rather have to make a single phone call every few
years to dispute a fraudulent charge than go through all this BS to use my
cards.

That said, chip and PIN is great and is coming to the US in 2015.

~~~
scoofy
I'd rather have peace of mind so that i don't have to check my statements every
week to make sure that i don't have fraud.

------
zw123456
This might be wild speculation but it just makes me wonder what with the
recent sanctions against Russia, you just wonder if their government is
actually behind it.

~~~
chatmasta
Affiliate revenue (of the sort these criminals got from pushing weight loss
products) is pocket change to Russia. I am curious, though, so some quick
napkin math is in order.

1.2 billion accounts

Modestly estimate they sent emails/posts with 200 million

5 emails from each account

Click rate of 0.01%

Landing page -> offer conversion rate of 15%

Credit card details conversion of 5%

$15 commission on each lead

= $112,000

Even if you tweak that to send more emails or use more accounts, the number is
still going to be somewhere around $10-15 million. Not that much.

~~~
blumkvist
Commissions are north of $45.

5 emails from each account? CTR is WAY higher when email comes from someone
you personally know.

------
jchysk
This is why everyone needs to use LaunchKey.

~~~
pavel_lishin
I clicked around launchkey.com, and after five clicks, still haven't found any
useful content - what is it, how does it work, why should I use it.

As far as I can tell, I carry my phone around and it magically does everything
to let me into everyplace I'm supposed to be.

~~~
jchysk
It's a multi-factor authentication platform. The item, application, or website
would have to integrate LaunchKey first. The users would be able to login
without using passwords with far greater security. The implementer gets the
benefit of not having the liability of storing passwords and an enhanced user
experience for their users.

