Kamel Ibrahim answered the phone to hear that his Abu Dhabi-based bank had discovered foreign transactions on his credit card in the United States and Ireland.
“A large amount of money on two different accounts had been charged,” he said. The first purchase was at an Apple store in the US amounting to US$6,000 while the attempted Irish transaction totalled $4,000. “How they got my personal information, I’m not so sure. I had only used my credit card twice online through a hotel reservation website,” he said.
While Mr Ibrahim’s debit card remained intact, it was his credit card that had been remotely hijacked.
He tried to figure out how his information had been obtained. The bank’s call centre agent had suggested that hackers had software that does nothing but generate numbers in a sequence to guess a valid card identity.
While these generating tools do exist, they are outdated and rarely used, according to Candid Wueest, Symantec’s Security Research expert. “These are not really used anymore as you need a card’s expiry date, CCV number (three digit numbers on the back of a card) and also the verification on the name,” he said.
The US-based software company released an internet security threat report in June that said more than 1.1 billion identities were stolen in data breaches last year, almost double the number taken in 2015. This translates to about 2,100 identities around the world stolen each minute.
By the numbers, the top culprit in personal information theft is large data breaches, such as the 2013 Yahoo incident that affected all of its three billion user accounts. Most recently, the ride-hailing app Uber disclosed that 57 million people around the world had been compromised in a hack that occurred last year.
Yet access to one’s bank account is mostly gained via malware on a personal computer. It can begin, for example, with an email stating that you owe money for a purchase. It asks you to review the attached invoice, which installs malware on your device. The malware remains in the background, unseen by the naked eye, waiting for the user to make an online purchase or other monetary transaction.
Mr Wueest said that credit cards were the most sought after because it is easier to make a profit from them in the underground marketplace. The group’s research shows that a single credit card can be sold for up to US$30, doubling the price if it includes full details (e.g. expiry date and CCV number) and more than tripling with the magnetic stripe data and personal identification number (PIN) code.
The latest unexpected trend to emerge is the rise in Netflix and Uber accounts offered on the underground marketplace. Mr Wueest said that Symantec has noticed an uptick in attackers selling accounts on the gray market. Internet thieves take account information from the application to purchase vouchers, which are resold online at a discounted price, presented as a special promotion.
While these sorts of gains may only result in about $1 per account, this adds up if a person has tapped millions of accounts from incidents such as the Yahoo breach. “Even if they only sell at $0.10, one million accounts would give a profit of $100,000,” he said.
Mr Wueest said that it was imperative that people use strong, unique passwords, with a different one for each account. He added: “Be vigilant, if you receive an invoice and you know you haven’t ordered anything – don’t open.”
Symantec anticipates that the number of cyber threats will increase this year over 2016’s peak.
“Hackers are getting better,” he said. “Many of the attacks we see are very difficult to spot by the naked eye.”