Russia's meddling in Ukraine political matters isn't the biggest threat to the world. Providing a home base for hackers stealing credit card data just might be, however.
That's the conclusion of a new report from Thomas Holt, a Michigan State University cyber security expert. Holt's report for the National Institute of Justice found many hackers and data thieves are operating in Russia or on websites where users communicate in Russian.
That presents huge problems for U.S. law enforcement, which is trying to track down and bring to justice those who break into credit card data bases.
The Wall Street Journal recently reported that the Target data breach, which compromised 40 million credit and debit card accounts during the 2013 holiday shopping season, may have originated in Russia.
Research from two security firms also showed that the purloined Target data was transmitted to servers in Russia.
Holt's research, conducted along with Olga Smirnova from Eastern Carolina University, suggests that there may indeed have been a strong Russian connection. The 2 researchers analyzed 13 Internet forums through which stolen credit data was advertised. Specifically, they found:
- Ten of the forums were in Russian and 3 were in English, though the forums were hosted across the world.
- Visa and MasterCard were the most common cards for sale.
- The average advertised price for a stolen credit or bank card number was about $102.
- The average price for access to a hacked eBay or PayPal account was about $27.
Stealing credit card data is big business, but it's sort of like selling seafood – it has to be done quickly. Hackers use Internet forums as a marketplace to hawk their ill-gotten wares.
Someone who buys stolen credit card data has little time to act, since many card holders will simply cancel their cards and get new ones, once the data breach is exposed.
Still, someone with a stolen card can quickly run up thousands of dollars in purchases or take a large cash advance before the card is cancelled.
“This is a truly global problem, one that we cannot solve domestically and that has to involve multiple nations and rigorous investigation through various channels,” said Holt, an associate professor of criminal justice.
However, Holt and Smirnova argue that there are some unilateral steps the U.S. can take. Hiring more Russian-speaking analysts and employing new technology at American law enforcement agencies, they say, will allow them to more effectively fight cybercrime.
Holt also argues for tougher state and federal cybercrime laws to improve security and increase corporate responsibility whenever hackers strike.
Currently 46 states require companies to report any loss of sensitive personal information after a security breach but Holt says the laws generally don’t go far enough to protect consumers.
“Greater transparency is needed on part of both corporations and banks to disclose the true number of customers affected and to what degree as quickly as possible in order to reduce the risk of customer loss and economic harm,” he said.
Consumers need to stay alert
In the meantime, he says consumers have to stay on their toes and be better informed about the cyber threats, which continue to evolve at a dizzying pace.
“There is a big need for public awareness campaigns to promote basic computer security principals and vigilance against identity theft,” Holt said. “Consumers need to understand the potential harm from responding to unsolicited email and clicking on suspicious web links as well as the need to run anti-virus and security tools on their computers.”