Researchers at the Eindhoven University of Technology (TU/e) in the Netherlands have discovered a Russian online marketplace where criminals trade in hundreds of thousands of highly detailed user profiles. What are referred to as ‘fingerprints’ enable criminals to bypass state-of-the-art authentication systems. This gains them access to valuable information, such as credit card details.
According to a recent estimate (from 2017), some 1.9 billion stolen identities are sold via underground websites each year. Banks and other digital services have therefore come up with complex authentication systems. One of these systems is commonly known as two-step verification.
‘Fingerprint’ of an online user
Lots of people find that extra step too much trouble and do not register it. That is why internet giants such as Amazon, Facebook, Google, and PayPal have opted for a different system. This system, known as Risk-based Authentication (RBA), looks at what is termed as fingerprints to check someone’s identity. Fingerprints include basic technical information. It involves, for example, the type of browser or operating system. But also behavioral characteristics, such as mouse movements, location, and the speed at which keystrokes are made.
If the fingerprint corresponds to how the user behaves during a new log-in attempt, a username and a password are all that are required. If this is not the case, an additional confirmation from the user will be needed.
Profiles that retain their value
So far, this has worked well. However, researchers at TU/e have now found evidence of a large-scale and highly sophisticated online market that can crack this type of security. The Russian website offers more than 260,000 highly detailed fingerprints, along with other user preferences, such as email addresses and passwords.
“What is unique about this underground website is not only its scale, but also the fact that all the profiles are continually updated, which means they retain their value,” says Luca Allodi, a researcher in the Security group at the Mathematics and Computer Science faculty at TU/e. He was in charge of the research together with Ph.D. candidate Michele Campobasso.
“In addition, customers can search the database, so that they select precisely the internet user they want to target, enabling highly dangerous spearphishing attacks. They can also download software that automatically loads the purchased user profiles in the targeted websites.”
Fear of reprisals
Research into the marketplace did not go without a hitch. In order to gain access to the lists of available user profiles, researchers had to obtain special invitation codes, which are issued by the existing users. Collecting the data from the database was also difficult because operators actively monitor ‘malicious’ accounts. The researchers also decided to keep the real name of the website secret, out of fear of potential reprisals.
The price of a ‘virtual identity’ on the website varies from US$1 to around US$100. Access to cryptocurrency profiles and web money platforms appears to be valued the most. User profiles that provide access to more than one service and profiles with ‘real’ fingerprints are also expensive, as opposed to the fingerprints ‘synthesized’ by the platform.
Security conference
In their paper, the researchers also describe a few examples of how criminals monetize these profiles. They found these examples on a secret Telegram channel used by platform clients. In one of the reported attacks, an attacker describes how he establishes special filters in a victim’s email account so that any Amazon reports of purchases made by the attacker using the victim’s Amazon account are concealed.
Allodi and Campobasso will present their research at the virtual ACM CCS security conference. This is to take place from November 9 to 13. The paper can already be read on the Arxiv site.