The Hacker Wish List

Nov 19, 2018 | by Heidi Bleau

All over the world the annual list-making has begun, by both the ‘nice’ and the ‘naughty’. Not surprisingly, the lists aren’t all that dissimilar between the two. While everyday folks build lists of goods and services, so do the cybercriminals and malicious actors hoping to capitalize on the poor cyber hygiene of consumers.

In 2018, analysts expect U.S. consumers will spend slightly more during the holiday shopping season, but where many expect double-digit growth is in ecommerce, specifically mcommerce (mobile commerce). In fact, mobile shopping is expected to jump 32% and will represent nearly half of all ecommerce sales. A shift to mobile-based shopping is music to a cybercriminal’s ears as 73% of fraud activity in Q3 was in a mobile channel.

Based on the RSA® Anti-Fraud Command Center’s research into cybercrime behavior, across the Dark Web and in public domains, we’ve isolated the five most popular cybercriminal wishes this coming year:

1. Passwords.

  • Did you know? Just 28% of consumers update their password after a confirmed data breach. This makes it quite easy for a fraudster to conduct account takeover.
  • Why is it on the list? The Achilles’ heel of security and privacy is weak, easy-to-guess passwords, and the re-use of those same credentials across your digital universe – from merchants to email clients and social media accounts. After a major breach, it is not unusual to find cybercriminals posting credential dumps in a pastebin, a Dark Web forum, or even on social media where other cybercriminals can buy or access the information.
  • What you should do instead: Biometrics are becoming widely adopted and should be used if available. If a password is the only option, avoid using the same username/password combinations – no matter how inconvenient – to ensure you don’t become an easy victim of cybercrime. Need help remembering your passwords? Try using a password manager. For sites where your data is more valuable (think: bank or healthcare records), use stronger, more complex and unique passwords to ensure they can’t be cracked by a malicious actor.

2. Personally Identifiable Information (PII).

  • Did you know? 21 people are defrauded every minute because of oversharing on social media.
  • Why is it on the list? Sure, sharing your biographical information seems like a good idea as a way to help family, friends, or colleagues find and connect with you. However, being overly generous with your personal information (e.g. birth date, hometown, alma mater, employer) is fodder for cybercriminals to commit identity fraud. Specifically, new account fraud, or opening new accounts in your name, is prevalent. Also, since many organizations still rely on common biographical information to verify a person’s identity, cybercriminals can leverage this information to change a password on your account, for example.
  • What you should do instead: At the minimum, make your social media profiles private to just known friends and family. Exercise caution before over-sharing or disseminating information that can be used to easily identify you.

3. Account takeover.

  • Did you know? Phishing made up 50% of all fraud attacks in Q3 2018, and overall phishing volume increased 70%. It remains the leading attack vector in digital channels as fraudsters seek to harvest fresh credentials to commit fraud during Cyber Monday and holiday shopping season.
  • Why is it on the list? Bad cyber hygiene impacts millions. Although it may not hit your wallet, a click on an unverified source (e.g. email attachment, display ad, etc.) could unleash malware onto your device and subsequently your network. From there, a cybercriminal can gain greater insight into your life and conduct account takeover or identity theft based on the information they’ve acquired about you – without you even knowing!
  • What you should do instead: Mind your click! Only open attachments from trusted sources and people you know. When online, avoid falling victim to flashy display ads or highly enticing offers. Instead, visit the source directly through its webpage. When in doubt: Don’t open or click!

4. Rogue mobile apps.

  • Did you know? RSA detected over 17,000 rogue mobile apps through the first half of 2018, which accounted for 28% of all fraud attacks. The growth of this attack vector indicates that cybercriminals are increasingly deploying this tactic as a way to install malware on mobile devices.
  • Why is it on the list? Only 35% of consumers admit to always reading the permissions requested by an app before downloading it. Rogue apps are often designed as counterfeits of legitimate apps, so skipping that check could be putting spyware, viruses or Trojans on your device as a way to steal your payment information or usernames/passwords.
  • What you should do instead: Aside from having antivirus software on your devices, read the permissions within the app profile. Be sure that the content it wants access to makes sense and is reasonable for that service.

5. Payment cards.

  • Did you know? Cybercriminals like to spend money – your money. In the U.S., the average value of a fraudulent e-commerce transaction ($403) is nearly double that of a legitimate one ($221). According to the Federal Reserve Board, fraudulent card-not-present (CNP) transactions grew 31% from 2015 to 2016, and fraud losses also increased from $3.4 billion in 2015 to nearly $4.6 billion in 2016. While implementation of the EMV standard for card-present transactions has reduced fraud at the point of sale (POS), it has instead pushed fraud into online channels. Adoption of the 3D-Secure 2.0 protocol by issuers, payment processors and merchants is critical to manage fraud risk for e-commerce transactions.
  • Why is it on the list? It may seem incredibly convenient, but by storing your payment information on e-commerce sites – even those that seem credible and safe – you’re putting yourself at risk. Should the retailer fall victim to a data breach, your payment information will likely be compromised and end up for sale in criminal marketplaces. Even more, due to consumers’ tendency to reuse passwords across multiple sites (see #1), cybercriminals often test stolen credentials at multiple online retailers in the hope of gaining access to other accounts.
  • What you should do instead: Put convenience aside and prioritize safety. Check out as a “guest” next time you’re making an online purchase, or at least don’t select the option to store your payment card information in your account for future purchases. Using a guest checkout keeps the majority of your personal data off the merchant’s servers.


Cybercrime lurks in all corners of the world, especially on digital platforms. Learn more about the nefarious habits of malicious actors and other cybersecurity trends in RSA’s report, “2018 Current State of Cybercrime.”
