
The Market for Stolen Account Credentials - C14L
https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/
======
ourmandave
_Plenty of people began freaking out earlier this year after a breach at big-
three credit bureau Equifax jeopardized the Social Security Numbers, dates of
birth and other sensitive data on more than 145 million Americans. But as I
have been trying to tell readers for many years, this data is broadly
available for sale in the cybercrime underground on a significant portion of
the American populace._

So I can rest easy now, knowing I've been fucked since forever.

~~~
Matt3o12_
I know this is sarcastic but the answer is that this system is completely broken
and should be replaced by something that is made for authentication. Maybe
something that is somewhat secure and allows you to change your “secret
number” once it has been compromised.

~~~
decebalus1
Others already did it

[https://en.wikipedia.org/wiki/Estonian_ID_card#Cryptographic...](https://en.wikipedia.org/wiki/Estonian_ID_card#Cryptographic_use)

Granted it's not foolproof but it's definitely a step forward compared to the
SSN bullshit.

~~~
scient
In the end it's not the crypto that makes it more secure. Estonia still has a
national identifier number, just like the US has the SSN. The difference is that
while I can know your name, DOB and the identifier (which actually contains
your DOB in it), I can't easily pretend to be you. And this is because the
process itself is different - when I go to open a bank account, I present my
ID card, the bank can plug it in and pull up my profile from the central
authority (run by the government), and I need to pass the checks of being
there in person, with a matching ID, which also checks out from the central
system (including picture).

Combine this with for example strong proof via blockchain about who used to
check your info and from where, and you are at a pretty good spot. Note that
Estonia does not do that last part just yet.

As for the US, the chances of having a national ID card along with similar
infrastructure are slim to none. So don't hold your breath about major changes
any time soon. The best bet would be to get closer to something like the
above solution via private companies or maybe the credit bureaus themselves
(once they are forced to change their business model from aggregating and
selling data without your consent).
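
An added illustration (not part of this thread, and not Estonia's actual card protocol) of the difference scient draws between a knowledge-based identifier like the SSN and a possession-based card checked against a central registry; it also covers Matt3o12_'s point about a credential you can replace once it has been compromised. It models the card's signature with Ed25519 from Go's standard library and the central authority as an in-memory map; the personal code, the SSN and every type and function name are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authority stands in for the government-run central registry: for each
// national identifier it holds the public key of the card currently in force.
// The identifier itself is not secret (it even embeds the date of birth).
type Authority struct{ cards map[string]ed25519.PublicKey }

// Card stands in for the holder's chip card; the private key never leaves it.
type Card struct{ priv ed25519.PrivateKey }

func NewAuthority() *Authority { return &Authority{cards: map[string]ed25519.PublicKey{}} }

// Issue generates a fresh key pair, records the public half under id and hands
// back the private half as a card. Issuing again for the same id replaces the
// card on file, which is how a lost or compromised card is invalidated.
func (a *Authority) Issue(id string) *Card {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is fatal, as is usual with crypto/rand
	}
	a.cards[id] = pub
	return &Card{priv: priv}
}

// Revoke drops the card on file so nothing authenticates for id until re-issue.
func (a *Authority) Revoke(id string) { delete(a.cards, id) }

// Sign is the card's answer to a verifier's challenge.
func (c *Card) Sign(challenge []byte) []byte { return ed25519.Sign(c.priv, challenge) }

// NewChallenge is minted by the relying party (the bank) once per session, so
// a response captured today cannot be replayed tomorrow.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// CheckCard is the bank-side step: fetch the key registered for the claimed id
// and verify the signed challenge against it.
func (a *Authority) CheckCard(id string, challenge, sig []byte) error {
	pub, ok := a.cards[id]
	if !ok {
		return errors.New("no valid card on file for this identifier")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("response was not signed by the registered card")
	}
	return nil
}

// CheckKnowledge models SSN-style verification: reciting the number is enough.
func CheckKnowledge(numberOnFile, numberPresented string) bool { return numberOnFile == numberPresented }

// Outcome records one walk through both models.
type Outcome struct {
	LeakedNumberPasses  bool // anyone who bought the SSN passes the knowledge check
	CardHolderPasses    bool // the genuine card holder passes the card check
	CardImpostorPasses  bool // someone who knows the id but holds no card
	OldCardAfterReissue bool // the lost card, tried after a replacement was issued
	NewCardAfterReissue bool // the replacement card
}

// Run plays the scenario through; all identifiers are constructed samples.
func Run() Outcome {
	var out Outcome
	const ssn = "123-45-6789" // constructed: a number that is already for sale
	out.LeakedNumberPasses = CheckKnowledge(ssn, ssn)

	const id = "38001010000" // constructed personal code, not a real person's
	ca := NewAuthority()
	card := ca.Issue(id)
	ch := NewChallenge()
	out.CardHolderPasses = ca.CheckCard(id, ch, card.Sign(ch)) == nil

	// The impostor knows name, DOB and id but has no card, so signs with a key
	// of his own (RNG error ignored here only for brevity).
	_, rogueKey, _ := ed25519.GenerateKey(rand.Reader)
	out.CardImpostorPasses = ca.CheckCard(id, ch, ed25519.Sign(rogueKey, ch)) == nil

	// The holder reports the card lost: revoke it and issue a replacement.
	ca.Revoke(id)
	newCard := ca.Issue(id)
	ch2 := NewChallenge()
	out.OldCardAfterReissue = ca.CheckCard(id, ch2, card.Sign(ch2)) == nil
	out.NewCardAfterReissue = ca.CheckCard(id, ch2, newCard.Sign(ch2)) == nil
	return out
}

func main() { fmt.Printf("%+v\n", Run()) }
```

The point the two checks make side by side: the knowledge check passes for whoever holds the leaked number and there is nothing to rotate, while the card check fails for anyone without the registered private key, rejects a response replayed against a fresh challenge, and can be fixed after a loss by revoking and re-issuing without changing the person's identifier.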

~~~
supreme_sublime
One crazy thing was when I got my mortgage and was transferring my down
payment to the mortgage company, my bank didn't require me to even show my ID.
There is probably a reason for it, as the documents all matched up on the name
and I had to submit a lot of information to the mortgage company. I still
found it very strange making that kind of transfer of tens of thousands of
dollars that I didn't have to show any kind of proof of ID.

------
hectorr1
I want a word for the type of anti-scale problem you see in identity. Most
people who don't work for Equifax can agree that ideally everybody should own
their own identity, control it, and be able to monetize it if and when they
chose to. The problem is the crypto doesn't scale up from a UX perspective,
and the economics don't scale down. So it makes sense to build Orwellian
centralized services from an economic perspective.

One of my hopes for the Bitcoin bubble is that someone figures out how to get
a 100x improvement on private key management, including the messy forgotten
password / lost 2FA device problems where crypto meets meatspace.

------
wand3r
> The most expensive credentials for sale via this service are those for the
> electronics store frys.com ($190). I’m not sure why these credentials are so
> much.

Anyone have any information on why these would be so expensive?

~~~
joshjkim
one way scammers make $$ is by using stolen accounts to purchase goods and
then re-sell them, but in general they have pretty much one shot before they
are found out and the credentials go stale (for their purposes). electronics
can be small in size, have high re-sale value and there's already a solid gray
market for them, so it's a particularly valuable credential.

i'd also venture a guess that fry's has less effective anti-fraud
software/defenses vs. amazon or ebay or other platforms where you can buy
electronics - would not be surprised if amazon was good at catching a
fraudulent iphone purchase on the first try, whereas fry's might let a lot
more slip through.

source: I've been involved with reducing fraud at various marketplace
companies.

------
caseysoftware
In the credit report screenshot, all the addresses are Georgia or Minnesota. I
wonder if that's just dumb luck or some specific system has been compromised?

