(Technology) Cyber criminals create virtual identities to achieve their goals   Science and Technology/Technology   2015. 8. 14. 21:47
Source: http://www.bbc.com/news/technology-33639440
4 August 2015
Is the digital double posing as you stealing your cash?
You surrender more than you realise when you use a pet's name as part of your login
When we go online to tweet, post, like, email or chat we surrender small pieces of our identity as we do so - a surname here, a nickname there, the name of our favourite pet.
These tidbits of data seem harmless by themselves because they are spread thinly across many different places. It would be impossible to tie them together and turn them against you, wouldn't it?
No. Not at all.
Cyber-thieves are getting very good at compiling all these pieces of you and adding them to other stolen data to create a shadowy whole, a digital double or doppelganger; a phantom copy of you living in cyberspace.
They can then use these phantom identities to steal your cash, buy things, and apply for loans, mortgages and state benefits.
The fullz monty
These thieves and fraudsters have a growing appetite for what are known as "fullz", says Ryan Wilk, a director at security firm NuData Security, which has studied how those pieces of personal data are bought and sold.
As the name implies, fullz are complete data profiles of potential victims.
"They take chunks of data about a person and see how it can better be substantiated so they can add more value to it," he says.
A fullz profile might include your:
- social security number
- name and address
- date of birth
- phone number
- credit card number
- local bank branch name and sort code
- bank account number
- social media likes and dislikes
Thieves are targeting health insurers because the data they hold is so complete
The more complete the profile the higher the price it can fetch on the black market. A stolen credit card number, for example, will sell for a dollar or so, but a fullz will go for $27-$100 (£17-£64).
"Credit cards are very valuable on day zero, but as the days go by the value goes down quickly," says Mr Wilk.
By contrast, fullz have a longer shelf life and give fraudsters more places where the information can be used and abused.
Data glut
NuData estimates that more than 675 million data records have gone astray in the US in the last 10 years, either because hackers have managed to bypass companies' security systems and raid their databases, or simply because a company has mislaid them.
"Breaches are just one part of the whole supply chain," says Mr Wilk.
They give the bad guys a massive pool of data to trawl through when compiling those fullz. They look for overlaps between data from different breaches to see if someone uses the same login name, password or other identifier on different sites and services.
Dating site Ashley Madison is in a long line of companies to have suffered data breaches
Sometimes, he says, websites and companies inadvertently help this sifting process because of the way their online login systems work.
Many respond to a failed login attempt with an error message that reveals if a valid email address or name was used. Many cyber-thieves use these as a first stop filtering system to weed out the bogus addresses as they compile their fullz.
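The login behaviour described above, as an added illustration that is not part of the BBC article: a leaky handler whose error message differs for unknown and known addresses, beside a uniform handler that returns the same message and does the same hashing work either way. The user store, salt and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample user store: email -> (salt, password hash). Not real data.
_SALT = b"constructed-salt"
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so that an unknown email still takes the full hashing path.
_DUMMY = (_SALT, _hash(secrets.token_hex(16), _SALT))

def login_leaky(email: str, password: str) -> str:
    """Vulnerable: the reply tells the caller whether the email is registered."""
    rec = USERS.get(email)
    if rec is None:
        return "No account with that email address"
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Incorrect password"

def login_uniform(email: str, password: str) -> str:
    """Hardened: one message and the same amount of work whether or not the email exists."""
    salt, stored = USERS.get(email, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and email in USERS:
        return "OK"
    return "Invalid email or password"
```

Exact wording of messages in real systems varies; the point is that the uniform handler gives an unregistered address and a wrong password an identical response.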
Leaky systems
"There's a lot of data that is out there by accident," says Alastair Paterson from security firm Digital Shadows.
"I'm always surprised by how much just leaks out in various ways with people not meaning to expose it or share it."
Some of these leaks come about via home workers accidentally exposing home data stores to the web and businesses using cloud-based document-sharing systems, he says.
US politicians have held inquiries into the scale of recent data breaches
Looking through those can secure all kinds of useful information about a company, its employees and how they structure data - all useful for any cyber-thief drawing up a dossier on a target.
Sometimes, says Mr Paterson, the leak is not the fault of the company that gets hit with a data breach.
One bank that Digital Shadows works with has more than 17,000 suppliers, he says, making data security even harder.
"Even if [the bank is] bullet-proof they are sharing a lot of information with that big supply chain and some of that will just get out," he adds.
Tracking the data
So where does all this stolen and lost data end up?
To find out, security firm BitGlass digitally watermarked a tranche of fake data that outwardly resembled the real deal.
It included a spreadsheet of 1,568 fake employee credentials, including social security numbers, addresses and credit card numbers, and was made to resemble the data stolen from health insurer Anthem.
BitGlass then posted the data on a few of the places cyber-thieves are known to hang out on the "dark web" to see if anyone took the bait.
They did. Within 12 days the data had been shared with people in 22 countries, was viewed more than 1,100 times, and the spreadsheet was downloaded 50 times.
Stolen data is shared around the world in a matter of days
Rich Campagna, a spokesman for BitGlass, says analysis of what was done with the data revealed that separate gangs in Russia and Nigeria were the most active in examining the contents.
"We saw eight to 10 people in each country that were passing around the files," he says. "Primarily they were discussing it and trying to validate it."
Those efforts failed because the data was not real but, says Mr Campagna, it was indicative of the lengths criminals will go to in order to ensure the data they get hold of is useful or saleable.
Dodgy behaviour
Once they've compiled useable fullz profiles, thieves need to test that they work.
"We typically see three or four test logins for every fraudulent purchase made via that account," says NuData's Mr Wilk. "That's where you see the bad guys validating the data."
The first login will probably be automated to ensure the account is live, and the second will be by a human to see what access it grants.
How and where you log in to a service can stop fraudulent attempts to get at your accounts
"But it's the third or fourth login that is the time they go in and place the fraudulent purchase," he says.
The good news is that the pattern of those login attempts can be spotted, so many companies now log behavioural data so they can spot dodgy activity when it happens.
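One way to spot the pattern Mr Wilk describes (a burst of test logins shortly before a fraudulent purchase), as an added example not taken from the article or from NuData: a small Python detector run over constructed event log lines. The log format, account ids, thresholds and window are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log, one event per line: "<ISO time> <account> <event>".
SAMPLE_LOG = """\
2015-08-04T09:00:01 acct-1042 login
2015-08-04T09:00:03 acct-1042 login
2015-08-04T09:01:10 acct-1042 login
2015-08-04T09:02:45 acct-1042 purchase
2015-08-04T10:15:00 acct-2077 login
2015-08-04T10:16:30 acct-2077 browse
2015-08-04T10:40:00 acct-2077 purchase
2015-08-05T08:00:00 acct-3300 login
2015-08-05T08:00:02 acct-3300 login
2015-08-05T08:00:04 acct-3300 login
2015-08-05T08:00:06 acct-3300 login
2015-08-05T08:00:30 acct-3300 purchase
"""

def parse_events(text):
    """Parse log lines into (timestamp, account, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, event = line.split()
        events.append((datetime.fromisoformat(ts), account, event))
    return events

def flag_test_login_pattern(events, min_logins=3, window=timedelta(minutes=10)):
    """Return {account: login_count} for purchases preceded, within `window`,
    by at least `min_logins` consecutive logins and nothing else in between."""
    by_account = defaultdict(list)
    for ts, account, event in sorted(events):
        by_account[account].append((ts, event))
    flagged = {}
    for account, evs in by_account.items():
        for i, (ts, event) in enumerate(evs):
            if event != "purchase":
                continue
            logins = 0
            # Walk backwards from the purchase while we still see recent logins.
            for prev_ts, prev_event in reversed(evs[:i]):
                if ts - prev_ts > window or prev_event != "login":
                    break
                logins += 1
            if logins >= min_logins:
                flagged[account] = logins
    return flagged
```

acct-2077 is not flagged because ordinary browsing sits between its login and purchase, which is the kind of behavioural context the article says companies now record.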
How someone types in a password, clicks a mouse, and navigates through a website adds up to a behavioural signature.
This, at least, will be something fraudsters find almost impossible to copy.