Online criminals are more interested in getting their hands on stolen Uber, PayPal and even Facebook accounts, than credit card numbers and other personally identifiable information (PII). The price of these stolen identifiers on the underground marketplace, or “the Dark Web,” shows the value of credit cards has declined in the last year, according to security firm Trend Micro. Last week, stolen Uber account information could be found on underground marketplaces for an average of $3.78 per account, while personally identifiable information, such as Social Security Numbers or dates of birth, ranged from $1 to $3.30 on average – down from $4 per record in 2014, reported CNBC. Furthermore, PayPal accounts – with a guaranteed balance of $500 – were found to have an average selling price of $6.43. Facebook logins sold for an average of $3.02, while Netflix credentials sold for about 76 cents. By contrast, U.S.-issued credit card information, which is sold in bundles, was listed for no more than 22 cents each, said CNBC.
"It's an incredible underground ecosystem. There is a high level of competition for these criminal buyers and there are a lot of different types of forums. It's incredibly diverse, but incredibly mature," said Ed Cabrera, Trend Micro's vice president of cybersecurity strategy.
Cybercriminals will often use stolen Uber credentials to book “ghost rides,” in which they create a fake driver account and charge nonexistent rides to stolen accounts, experts say. Another way fraudsters leverage this information is to simply build a fuller picture of a victim for identify theft. “They are doing their own market research or where they can find the data that’s most valuable in the criminal underground and they develop their attacks accordingly,” said Cabrera. Meanwhile, Forrester research analyst Andras Cser adds these incidents highlight the need of these service providers to be more cognizant of sudden changes in user's account behavior. “If a user suddenly takes a cross country ride versus following their usual movements, that should spark an alert,” Cser said. To address the issue of fraudulent transactions, Uber is reportedly testing its version of two-step authentication, which would require users to enter additional credentials when logging in from an unknown device. Cser says the time has come to move away from passwords. "[Companies] should be looking at behavioral biometrics solutions to authenticate users—how the user actually behaves, how they hold a phone, how big their fingers are and how hard they press the touch screen," said Cser.
