Reducing the Value of Cybercrime
Erik Boemanns
Leading you from IT risk to reward. A lawyer/technologist bringing executive expertise to IT GRC, privacy, and security. Together, we can reach your next level of success.
Back around 25 years ago, hackers were able to break into a wide variety of online stores and steal entire databases of credit cards. Back then, the databases weren’t encrypted – so if you stole it, you had access to all the information you needed. And of course, those same websites wanted to make it easy for you to buy from them again, so they did save everything – your name, address, credit card number, and expiration date. It was a virtual treasure trove of information for the cyber criminals who got their hands on it. The problems with credit card data theft got so bad, the major companies (Visa, Mastercard, Discover, JCB, and American Express) formed the Payment Card Industry which published a Data Security Standard, now known as PCI DSS, in 2004.
Those stolen credit card numbers were worth money, and the groups who stole them were able to sell them on the “dark web” for a price per card. The value was based on the likelihood the card hadn’t been reported stolen and the expiration date hadn’t gone by. Assuming the card information was good, others would buy the information to then go on their own virtual shopping sprees. Since it would eventually get blocked by the early fraud systems in place or reported by the customer, the inventory had to stay fresh with new stolen data. Those who harvested it had a steady job selling newly stolen data to those who knew how to leverage the data. Then, as today, cybercrime was a business. The asset of value: stolen information.
Before the PCI DSS even existed, the payment card industry realized it needed to help fight the use of stolen credit cards. In the early days of online payments, a credit card number and an expiration date were the minimum amount of information needed to process a transaction. If you wanted to pay a lower fee, you could add a zip code. Want to lower it even more? Add a street address. The theory was that the more you knew about the card holder, the less risky the transaction would be. It also created a pricing tier on the stolen data: the more data you had in your stolen record, the higher its value, as it would be accepted at more locations. Meanwhile, the payment card industry had been quietly adding a new piece of information to credit cards. It was a three-digit number on the back of some cards or a four-digit number on the front of others. In the industry it was called a Card Verification Value (CVV/CVV2), Card Verification Code (CVC/CVC2), or Card Identification number (CID). We know them now just as a “security code.”
The payment card industry decided to incentivize online merchants to ask for the CVV on transactions. And they added a new rule – you can’t store the CVV in your system. Now, there was a secret which only someone holding a card in their hand would know and the database thieves wouldn’t be able to get. In theory, if every online merchant adopted the CVV code, all of those existing stolen databases would become worthless. And there’d be no point in stealing the databases going forward, because no one would buy the information without the CVV. Of course, we don’t live in a perfect world, so not all merchants added it to their payment requirements. And criminals found other ways to steal the CVV, even if it wasn’t being stored in the database. So, the market for stolen credit cards survived and still is a healthy criminal business today.
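The rule described above (the security code may be used to authorize a transaction but must never be written to storage) is easy to state and easy to get wrong in code. As an added illustration that is not part of the original article, the Python below models a merchant's "save this card for next time" record so that it keeps only the masked card number and expiry, and then audits stored records for the two things the article says a thief should never find: a security-code field of any spelling, or a full card number. The card numbers and field names are constructed test values, not real data.

```python
"""Added example (not from the article): a minimal model of the PCI DSS rule the
article describes, namely that the security code (CVV/CVC/CID) may be used to
authorize a transaction but must never be written to storage.

Assumptions, all constructed for illustration: the card numbers are standard
public test values, the stored field names are made up, and authorization
itself is out of scope.
"""
import re

# Field names that, in this example, denote the card security code in any of
# its brand-specific spellings (the article lists CVV/CVV2, CVC/CVC2 and CID).
SECURITY_CODE_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}


def luhn_valid(number: str) -> bool:
    """Luhn checksum, used to recognise a full card number (PAN) in stored data."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def record_for_storage(card: dict) -> dict:
    """Build the record a merchant may keep for repeat purchases.

    The full PAN is reduced to its last four digits and the security code is
    dropped entirely; only the transient authorization request ever sees it.
    """
    pan = re.sub(r"\D", "", card["pan"])
    return {
        "name": card["name"],
        "pan_last4": pan[-4:],
        "expiry": card["expiry"],
        # deliberately no security-code key of any spelling
    }


def find_violations(records: list[dict]) -> list[str]:
    """Scan stored records for data that must not be there.

    Returns one message per problem: a security-code field being present, or a
    value that looks like a full card number (13 to 19 digits, Luhn-valid).
    """
    problems = []
    for idx, rec in enumerate(records):
        for key, value in rec.items():
            if key.lower() in SECURITY_CODE_FIELDS:
                problems.append(f"record {idx}: stores security code in field {key!r}")
            digits = re.sub(r"\D", "", str(value))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                problems.append(f"record {idx}: field {key!r} holds a full card number")
    return problems


if __name__ == "__main__":
    # Constructed input: a checkout form as the merchant receives it.
    checkout = {"name": "Test Customer", "pan": "4111 1111 1111 1111",
                "expiry": "12/29", "cvv": "123"}
    good = record_for_storage(checkout)
    print("stored:", good, "->", find_violations([good]) or "clean")
    # The same form written to the database unchanged is what the article's
    # early online stores did; the audit flags both problems.
    print("raw form stored:", find_violations([checkout]))
```

The audit only recognises a full PAN by length and Luhn checksum, so it will also flag test values such as 4111111111111111; that is intended, since any Luhn-valid 13 to 19 digit string in a stored record deserves a look.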
Even though using the CVV codes didn’t end credit card theft, it did change the market value of stolen numbers. Databases without it became worth less money than those with it. Even today, credit card databases with a CVV but without all the other cardholder information are relatively low value. While adding CVV to the mix didn’t end credit card cybercrime, it did change the value of the stolen data and, as a result, the profitability of these activities. In a world where defending from cybercrime is a never-ending cycle, a market-based approach is just another way to help in this fight. Devaluing the information impacted by cybercrime helps shift the criminals’ market and changes the way they target victims. It increases cost or decreases revenue – both having an impact on the profit the criminals can make.
With the “breach of the week” headlines we face today, part of the strategy will continue to be how we demonetize the information stolen. More resilient businesses, better able to keep operations going during an attack, are less valuable targets than those that grind to a halt. Personal information, such as social security numbers, has less value when consumers are diligent about monitoring their reports or proactive in freezing or locking their credit reports. The industry could even add something like the CVV to our credit reports – making it impossible to pull a report, even if you know a lot about the person, without this additional “secret” which only the individual should possess. By limiting the uses of stolen information, we in turn devalue the market for it and reduce the incentives to steal it in the first place.
Criminals are creative, so it’s only ever a temporary solution, but it is a part of the puzzle we should be considering in how we approach cybersecurity. Instead of being a two-front engagement where companies put up defenses against the attacks and law enforcement takes the offensive against the criminals, we can add a third front, where industry actively works to reduce the value of the stolen information or of the cyberattacks themselves. Approaching the problem from multiple angles will only increase the wins on the side of consumers and businesses and increase the losses (metaphorically and financially) for those who wish to do harm and make a profit while doing so. And for all of us in the industry, that’s a high value target for us to try to achieve.
Happy Labor Day!
Labor Day: a day to honor those "who from rude nature have delved and carved all the grandeur we behold."
Credited to Peter J. McGuire in 1882, one of the two individuals believed to have first proposed today’s holiday*, which became a federal holiday in 1894. In the years since, it became the celebration of the end of summer, the beginning of many sports, and a day to rest and relax.
Last year, I spent Labor Day weekend in nature, visiting the trailhead of the Appalachian Trail. This year, I spent a day the way much of Atlanta celebrates Labor Day weekend: DragonCon!
I hope your weekend is restful, whether from work or in getting ready to continue your job search!
New Podcast Episode
Episode 8 - Good Cyber Hygiene Makes You An Expensive Cyber Victim
Continuing the theme from today's article, Heather Noggle and I sat down in July, soon after the CrowdStrike incident, to talk about how good cyber hygiene can make you a more expensive target for cybercriminals - and thus - a less desirable one. Give it a listen on my Substack here, or on your favorite podcast app.
Upcoming Event
This coming Friday is my webinar with Avery Rozar of TrollEye Security. We'll be talking about your hierarchy of cybersecurity needs.
Learn more and register here:
Week In Review
This past week had reminders of what outages can look like, even when it's not CrowdStrike on Windows. Speaking of Windows, if you're running an old, unsupported version, you're not actually saving money - time to replace it! And, speaking of unsupported systems, Azure retired a lot of services this past Saturday - if something isn't working today, that just might be why!
Here's what was on the mind:
Celebrating Milestones!
Today is Edition #100 of my E. B. Spoke Newsletter. It's a fun marker to realize I've been putting this together for almost two years and sharing what's been on my mind during that time.
This week I also hit the 7,000 follower marker! It's amazing to see how much that metric has grown over these last two years as well. I appreciate each and every one of you wanting to see more about my topics of interest, and hope you each find some value when you do see my posts!
In Conclusion
Labor Day celebrates workers, and when you're employed, it's a great day off to relax and get ready for September. If you're unemployed or underemployed, it can be a far more stressful day, as it's one more day you know your job applications aren't getting looked at or you're not billing your clients. Whatever your situation, I hope you're able to make today what you need it to be and stay safe!
If you are looking for a job and want to be in a You Just Found ME?? job seeker spotlight, please reach out!
As always, I'm grateful to all of you who spend the time sharing your thoughts, engaging with posts, and being part of the amazing conversations happening here. It's through this we are building an amazing community together!
As I'm growing my business, I'm looking at how to engage with private equity firms, law firms, and start-ups facing their next challenge - so if you're connected to any of these worlds, let's chat soon!
Don't forget! I am offering referral bonuses to any work you bring me through Mirability, LLC - if you're interested. If there's anything I can help you with, I'd love to hear about it.
I hope this coming week is exactly what you need it to be!
Thanks, as always!
Be sure to check out my new online merchandise. Remember, 100% of the profits for any You Just Found ME merchandise goes to support that program for job seekers!
If you want to keep up with everything I’m posting, click here and also the bell (??) to be notified when I post!
Follow You Just Found ME?? to help support job seekers!
Follow Mirability, LLC to learn more about how I'm solving unique technology problems!
Subscribe to my Substack here: https://ebspoke.substack.com/
I'm on Medium as well: https://ebspoke.medium.com/
Check out #EBSpoke for more of my recent posts here...
About Erik
Erik Boemanns is a technology executive and lawyer. His background covers many aspects of technology, from infrastructure to software development. He combines this with a "second career" as a lawyer into a world of cybersecurity, governance, risk, compliance, and privacy (GRC-P). His time in a variety of companies, industries, and careers brings a unique perspective on leadership, helping, technology problem solving and implementing compliance.
He's available to help you with any of this now too!
Leading you from IT risk to reward. A lawyer/technologist bringing executive expertise to IT GRC, privacy, and security. Together, we can reach your next level of success.
6 months ago
Here's a link to the webinar on the hierarchy of cybersecurity needs: https://www.youtube.com/watch?v=UjtkK4RkeU8&t=68s
Multiple time Best Selling Author and Ghostwriter, with more than 100 books published
6 months ago
Back when I was working at Trader Joe's, I was responsible for PCI/DSS compliance. We passed 8 years in a row.
What a great article! I love that you are advocating for the third line of defense from the industry. We need to protect our data and make it harder for hackers. Great stuff!
Technologist | Speaker | Writer | Editor | Strategist | Systems Thinker | Cybersecurity | Controlled Chaos for Better Order | Musician
6 months ago
I was so inspired by our talk that I wrote an article about this, and there's a great embedded Erik Boemanns quote. https://elnion.com/2024/08/05/devaluing-cybercrime/ Much more to be said.