Hackers steal 15 percent of money generated by Internet, study estimates
JPMorgan Chase Hack: Ways to Protect Yourself
A cyberattack at JPMorgan Chase put the accounts of 76 million households at risk. The breach, which was disclosed on Thursday, compromised a wealth of personal information like addresses and phone numbers. While nobody knows exactly what hackers will do with this data, consumers can take steps to lessen the potential damage.
What did hackers steal?
Hackers could potentially have your name, address, phone number and email address. While that may not seem quite as serious as having your financial accounts’ user names and passwords, some experts say it has the potential to be seriously damaging.
According to JPMorgan, there is no evidence that account numbers, passwords, user IDs, dates of birth or Social Security numbers were compromised. Trish Wexler, a spokeswoman for the bank, said it was not suggesting that customers change their passwords. “I think it is always good practice to regularly watch your accounts,” she said. “You won’t be held liable for any unauthorized transactions that you notify us of. That is just good financial hygiene to monitor your accounts.”
Is there anything I need to do right now?
Credit freezes are probably one of the smartest things consumers can do to protect themselves against identity theft. This prevents the big three credit bureaus from releasing your credit reports to any company that doesn’t already have a relationship with you — something that financial providers and other companies typically access before issuing a new account.
You need to individually approach each of the three credit bureaus, Equifax, Experian and TransUnion. You may need to pay a small fee, depending on where you live. .
What could hackers do with my information?
Pamela Dixon, executive director at the World Privacy Forum, a public interest research group, said hackers could sell your data to other unsavory characters who then layer it with other publicly available information, like census data. With that, they can create sophisticated — and very convincing — emails that aim at individual consumers, a practice known as spear phishing. Their goal is to extract even more sensitive information from you.
“I would be very conscious of the email you get in the next year, which could be related to this hack,” she said. “They are really hard to detect. It’s not like, ‘Send me money in the Philippines.’ ”
Selling stolen card info online? That's the least of it
High-profile cyberattacks, like the one JPMorgan Chase revealed that potentially compromised 76 million households, would logically lead one to think that bank and credit card data are a hacker's primary target.
Turns out that's the least of it. The easy availability of stolen data created a thriving underground marketplace for purloined information, and some cybercriminals are even going up the value chain and selling things like they're own hacking services.
Credit card data—so widely and often stolen that there's actually an abundance of it—can sell for as little as pennies. The going rate for a social security number isn't much higher: Only about $1.
Medical records—rarer and much more data-rich—can go for $50 or more. (All of this pricing data comes from security firm RSA.)
The marketplace for all this stolen data exists on the so-called "dark web"— which is buried within the "deep web." The "deep web," also known as the "hidden web," is the part of the World Wide Web that is not indexed by normal search engines like Google and is only accessible via special software.
The software commonly used to access the "deep web" is called Tor, which stands for The Onion Router. This Internet portal basically anonymizes the user's IP address making them almost impossible to trace.
"It is pure capitalism. It is driven by the purest laws of supply and demand. As long as there is a demand someone is going to step in on the supply side. It's the same economics you see in the markets," said Christopher Budd, Trend Micro's threat communications manager. Goods are often exchanged on these forums using virtual currency, and thus the transactions are harder to trace.
Credit card data is so cheap because there's so much of it, a result of the high number of breaches, said Daniel Cohen, the head of business development for RSA's Online Threats Managed Services Group.
Documents that provide more information about a person's identity usually cost more. Thus the reason medical records—which can contain your entire identity including your address, social security number, financial information, the names of family members and perhaps even your insurance policy numbers—have become so valuable, Cohen said.
"They are moving away from credit card theft and to more wholesale identity theft," Budd said. "As more of our lives become more digital it becomes more lucrative to steal someones entire identity."
But cybercriminals aren't just selling credit card data and medical records on the dark web these days. They're also increasingly outsourcing their skills as a service.
"Hackers understand they don't have to work too hard to attack a certain target," Cohen said. "We have seen this rise of what we call 'cybercrime as a service.' Everything from bulk credit card data to DDOS attacks are available to you as a service. It's a very, very mature market."
And buying an attack against a website can be pretty cheap, too. For example, buying a denial-of-service attack can cost as little as $7.00 per hour, according to RSA.
$50 for half a million spam emails. Man.
I thought that those guys are getting at least a bit more. They way they are sending them is amazing knowing that they are getting 1/100 of a cent per email
Hackers who hit JPMorgan attacked some nine other firms: report
About nine other banks and brokerageswere infiltrated by the same group of hackers who recently attacked computer systems at JPMorgan Chase & Co, the New York Times reported late on Friday, citing unnamed people briefed on the matter.
The report, which could not be independently verified and did not identify any of the victims beyond JPMorgan, said it was not clear how serious the attacks had been.
JPMorgan said on Thursday that names and contact information for some 83 million household and small business customers were stolen, making it one of the biggest data breaches in history.
The New York Times said the breadth of the attacks and uncertainty about the motives of the hackers are troubling U.S. policymakers and intelligence officials.
Representatives with the U.S. Secret Service could not be reached for comment on Saturday morning. The Secret Service is investigating the attack on JPMorgan.
Hackers’ Attack Cracked 10 Financial Firms in Major Assault
The huge cyberattack on JPMorgan Chase that touched more than 83 million households and businesses was one of the most serious computer intrusions into an American corporation. But it could have been much worse.
Questions over who the hackers are and the approach of their attack concern government and industry officials. Also troubling is that about nine other financial institutions — a number that has not been previously reported — were also infiltrated by the same group of overseas hackers, according to people briefed on the matter. The hackers are thought to be operating from Russia and appear to have at least loose connections with officials of the Russian government, the people briefed on the matter said.
It is unclear whether the other intrusions, at banks and brokerage firms, were as deep as the one that JPMorgan disclosed on Thursday. The identities of the other institutions could not be immediately learned.
The breadth of the attacks — and the lack of clarity about whether it was an effort to steal from accounts or to demonstrate that the hackers could penetrate even the best-protected American financial institutions — has left Washington intelligence officials and policy makers far more concerned than they have let on publicly. Some American officials speculate that the breach was intended to send a message to Wall Street and the United States about the vulnerability of the digital network of one of the world’s most important banking institutions.
“It could be in retaliation for the sanctions” placed on Russia, one senior official briefed on the intelligence said. “But it could be mixed motives — to steal if they can, or to sell whatever information they could glean.”
The JPMorgan hackers burrowed into the digital network of the bank and went down a path that gave them access to information about the names, addresses, phone numbers and email addresses of account holders. They never made it into where the more critical financial information and personal information are stored.
The bank’s security team, which first discovered the attack in late July, managed to block the hackers before they could compromise the most sensitive information about tens of millions of JPMorgan customers, said several security experts and others briefed on the matter. The attack was not completely halted until the middle of August and it was only in recent days that the bank began to tally its full extent.
American officials say they have been working with JPMorgan since the intrusion was detected, chiefly through the Treasury, the Secret Service and intelligence agencies that seek to find the source of the attacks. But that is slow work and one official cautioned against leaping to conclusions about the identities or the motives of the attackers.
“We’ve been wrong before,” he said.
J.P. Morgan found hackers through breach of corporate event website
J.P. Morgan Chase & Co learned about hackers who stole the bank's contact information for 76 million households and 7 million small businesses through a corporate event that it sponsors, the New York Times and Wall Street Journal reported, citing people familiar with the matter.
According to the reports, the bank discovered that the intruders had used some of the same offshore servers to hack both the bank and the website of the JPMorgan Corporate Challenge.
The New York Times said the breach was part of a repository of a billion stolen passwords and usernames from some 420,000 websites that a Milwaukee-based security consulting firm, Hold Security, had traced to a gang of Russian hackers.
Further investigation by Hold and JPMorgan security specialists revealed that in April the hackers had obtained the website certificate for the Corporate Challenge site's vendor, Simmco Data Systems, allowing hackers access to any communications between visitors and the website, including passwords and email addresses, the Times reported.
It said Hold Security began informing its clients of the breach around August, and JPMorgan officials then told Simmco Data. The bank also looked at traffic on its own network and discovered the same hackers had breached that system.
The hackers had originally gained access to the bank's network by compromising the computer an employee with special privileges had used both at work and at home and then moved across the bank's network to access contact data, the WSJ reported.
The Corporate Challenge website was later taken offline after the hacking of the site was discovered, the Journal reported, but the site was restored by the bank ahead of upcoming races in Shanghai and Singapore, although payments have been moved to a Chase website. (J.P. Morgan Found Hackers Through Breach of Road-Race Website - WSJ - WSJ)
Officials at J.P. Morgan Chase were not available for comment.
Earlier this month, Reuters had reported that two U.S. states were investigating the theft of customer records in a massive cyberattack uncovered over the summer.
Those are absolutely insane numbers. It makes me wonder if that is the number, 15%, then where is all that money going?
Into two biggest laundry of all : sports clubs acquisitions and back to banks (so that Dimon can brag that he is so smart)
Mother Hackers!
- Free trading apps
- Over 8,000 signals for copying
- Economic news for exploring financial markets
You agree to website policy and terms of use
It's hard to estimate global economic losses to hackers, because many countries don't track cyber-crime and many businesses underreport it. But a new study puts the number at more than $400 billion.
Global cyber-crime likely costs nations more than $400 billion annually, with American losses counting for about one-quarter of the total, according to a new study.
Examples of the problem are easy to come by. Two banks in the Persian Gulf lost $45 million in a few hours. A British company reported losing $1.3 billion from one cyber-attack. India’s computer emergency response team reported 308,371 websites hacked from 2011 to 2013.
But the authors of the report by the Center for Strategic and International Studies acknowledge that the data they gathered was incomplete – simply because many countries don’t track cyber-crime, and companies often don’t report it.
To arrive at their estimate, the authors collected data from 51 nations that monitor the problem, then combined that with CSIS survey information of businesses and other organizations in countries that do not.
The results suggest that cyber-crime is taking a significant bite out of the cyber-economy, and that the impact varies by region.
“Studies estimate that the Internet economy annually generates between $2 trillion and $3 trillion, a share of the global economy that is expected to grow rapidly,” the report states. “If our estimates are right, cybercrime extracts between 15 percent and 20 percent of the value created by the Internet.”
Criminal damage from hackers falls into three main categories: theft of intellectual property, financial crime, and theft of confidential business. Total estimated losses ranged between $375 billion and $575 billion annually.
“Even the smallest of these figures is more than the national income of most countries and governments and companies underestimate how much risk they face from cybercrime and how quickly this risk can grow,” according to the report.
High-income countries lost perhaps as much as 0.9 percent of gross domestic product on average. For developing economies less connected to the Internet, and where intellectual property plays a smaller part in the economy, economic losses were about 0.2 percent of GDP, the study found.
“The disparities we found are explained in part by the fact that the best hackers prefer to target richer countries,” wrote James Lewis and Stewart Baker, the co-authors of the report, which was funded by McAfee, a security company.
While that disparity may just reflect better record keeping, it might also suggest actual global losses are higher than estimated. Companies often underreport damages after they get hacked.
To address the problem, the study recommends better technology and stronger defenses. For example:
Agreeing on and applying standards and best practices.
International agreement on law enforcement and state behavior that includes restraints on cyber-crime, as well as working through organizations like the World Trade Organization.
Governments doing a better job accounting for cyber-crime losses and companies doing a better job assessing their own risk.
“These are well within the realm of the possible if people decide to treat cybercrime seriously and take action against it,” the report states.
Unless such action is taken, the authors warn that cyber-crime can be expected to grow.
“Absent these changes ... we do not see a credible scenario in which cybercrime losses diminish,” the authors write. “The outlook for the world is increased losses and slower growth.”
read more