The Market for Stolen Passwords

Feb 8, 2018
Originally published on March 1, 2018 3:54 pm

Brian Krebs, a journalist and cybersecurity expert, recently published this list. It has hundreds of company names, in alphabetical order. And next to each name is a price.

This list comes from a site on the dark web where people buy and sell stolen usernames and passwords. It's a price list.

On today's show, we talk to Krebs about this list, and what it tells us about the market for your stolen passwords.

Music by Drop Electric. Find us: Twitter/ Facebook.

Subscribe to our show on Apple Podcasts, PocketCasts and NPR One.

Copyright 2018 NPR. To see more, visit http://www.npr.org/.

Transcript

STACEY VANEK SMITH (HOST): I have in front of me a list. It is 4 and a half pages long, and there are a bunch of company names on it, all in alphabetical order. It has banks, and airlines and clothing stores, and next to each company name is a price. This list comes from a site on the dark Web where people buy and sell stolen usernames and passwords. It is a price list. You can buy a stolen username and password for Advance Auto Parts for 10 bucks, Bank of America - 25 bucks - Bloomingdale's, British Airways - and these are just a few from the first page. There are hundreds of companies on this list.

I'm Stacey Vanek Smith, and this is THE INDICATOR, Planet Money's quick take on the news. Today's indicator is 15. For about $15, you can go online and buy a stolen username and password for almost any kind of company you can think of. Today on the show - the story behind this list and what it tells us about the market for your passwords.

(SOUNDBITE OF DROP ELECTRIC SONG, "WAKING UP TO THE FIRE")

BRIAN KREBS (KREBS ON SECURITY): Hello, my name is Brian Krebs. I am an independent investigative reporter and author of the website krebsonsecurity.com.

VANEK SMITH: And you spend a lot of time on the dark Web.

KREBS: Yeah. It's kind of an occupational hazard.

VANEK SMITH: Where did this list come from, this list that you compiled of passwords?

KREBS: That came from Seller's Paradise - or Carder's Paradise, excuse me.

VANEK SMITH: Which is a site on the dark Web.

KREBS: Yeah. It's invite-only, so you have to know somebody who knows somebody.

VANEK SMITH: You got invited to Seller's Paradise?

KREBS: Well, let's just say that - yeah, I got access to an account, and then I just basically cut and pasted their price list. It looks like a pretty nicely indexed e-commerce site where you might go and buy, you know, blenders or whatever it is you want to buy.

VANEK SMITH: Oh, yeah, I've got that list here. And so, like, if you want to buy a password, you just pick the company you want to buy a password from. It's, like, Amazon, Apple, Bed Bath & Beyond. There's Costco for 15, David's Bridal for 10. And what, like - what are you doing with these passwords if you buy them? So if you - if I buy someone's David's Bridal password for 10 bucks, like, what am I doing with it?

KREBS: Well, I think - and this isn't maybe the case in every instance, but I think what's going on is these things are priced according to a couple of things - one, how in demand they are, and then also how easy it is to turn a stolen credential pair into cash.

VANEK SMITH: Buying a veil or something? Like, what do you do?

KREBS: Well, no. If you think about it, if you were - one of the longest-running scams is the points. They go to use their points, and they're like, I don't have any points; I don't really know what's going on.

VANEK SMITH: This is, like, frequent-flyer miles with airlines, or what kind of points are we talking about?

KREBS: Oh, yeah, yeah, hotel miles, frequent-flyer miles. Cyberthieves think of really ingenious ways to cash these things out. And cash them out they do.

VANEK SMITH: So, like, if you buy someone's, like - I'm looking at Best Buy costs $13. Best Buy plus email access costs $25.

KREBS: Right. I could, in theory, sign into your Best Buy account, change your address, and you would be none the wiser when they send me, you know, a set of $400 Bose headphones. (Laughter) You know, there are lots of ways of skinning the cat. Like I said, you could buy somebody's eBay credentials, and you list a bunch of items for sale, you get paid for them, and you're off to the races. And meanwhile, the person who owns that account is stuck with the bad reputation. And, you know, the thieves made out because they got - they convince people to send cash or whatever.

VANEK SMITH: I mean with, like, Netflix, is someone just watching my Netflix? It's 15 bucks.

KREBS: (Laughter) You bet. Hey, look, you know, there are entire...

VANEK SMITH: You know, one time, I logged on to my Netflix, and the recommendations were really weird. It was, like, all of these, like...

KREBS: (Laughter).

VANEK SMITH: There was, like - it was, like, the bro movies with, like, machine guns and stuff. And I actually took a screenshot of it because I was like, what is going on with my Netflix? Did someone hack my Netflix account?

KREBS: It could be.

VANEK SMITH: Oh. Well, I'm happy to share my Netflix.

KREBS: Well - you know, the - one of the biggest pieces of feedback I get from, you know, mere mortals who don't really - you know, they take pride in the fact that they don't really understand computers or understand why anybody would want to hack their computer, and I just say, look, you have probably 20, 30 sets of credentials stored in your browser or on your computer that have value. You may not think that they do, but they absolutely do. And this service kind of, you know, puts a pretty fine point on that.

VANEK SMITH: I mean, how scared should I be about this, about my passwords being out there?

KREBS: Well, that depends. Are you the type of person who reuses the same password all over the place? Then you should...

VANEK SMITH: Let's say that I were that kind of person. How scared should I be?

KREBS: OK. Let's pretend that you are.

VANEK SMITH: Yeah.

KREBS: Yeah. I think you should be pretty, pretty concerned. I mean...

VANEK SMITH: Really? Do you reuse any of your passwords?

KREBS: Never.

VANEK SMITH: Never. Do you have, like, a booklet?

KREBS: Ever.

VANEK SMITH: How do you keep track?

KREBS: I don't think it's a good idea for me to talk about that, but...

VANEK SMITH: (Laughter).

KREBS: I will say that I don't use password managers. I have a pretty complex mnemonic for creating and remembering good passwords. I mean, I thought, at this point in time, we would have taken the password out behind the woodshed and, you know, shot it in the head or something. But...

VANEK SMITH: Sure.

KREBS: It hasn't happened yet. So...

VANEK SMITH: What does a post-password world look like?

KREBS: Yeah, well, you know, I think where we're headed with this is a greater emphasis on authentication coming from the mobile device because after all, these phones know everything about you, right?

VANEK SMITH: So essentially, you're saying your new password is going to be your phone.

KREBS: Yeah, or some kind of mobile device that you carry around with you - yeah - that knows you intimately.

VANEK SMITH: It just gets worse. It all just gets worse.

(SOUNDBITE OF DROP ELECTRIC SONG, "WAKING UP TO THE FIRE")

Transcript provided by NPR, Copyright NPR.