This blog post is translated from an article in Geektime by Idan Ben-Tovim
In a shopping experience that at times feels like eBay, you can easily purchase biometric information and other Personal Identifiable Information (PII) online. In addition, personal data belonging to Israelis, such as high-balance credit cards, passports, and identity cards is available for purchase.
After hundreds or even thousands of data breaches and leaks, chances are that your user credentials are available on some database of the dark web, far away from Google’s watchful eyes and crawlers. But while your passwords or account settings can be changed quite easily, biometric authentication data, which has become more widespread in recent years, cannot be modified or replaced when it leaks. It turns out that not only has such data leaked, it is now being sold in dark web forums and marketplaces. And there is also more bad news for Israelis.
Biometric data that belongs to millions of people is already out there.
“Initially, the assumption was that unlike passwords, biometric data cannot be stolen. Biometrics are innate, physiological characteristics that were believed to be unstealable. But this is incorrect, and we are seeing more and more sensitive biometric information leak,” explain Daniel Shkedi and Ariel Shoham from Forter, a leading Israeli fraud prevention company. For example, in August 2019, Suprema’s Biostar-2 systems were breached, resulting in a data spill of 27.8 million records. Not only were passwords and personal records exposed, but also over a million fingerprint records, as well as facial recognition information.
This was one of the most significant events in the history of biometric authentication. It exposed millions of users around the world to a new kind of threat, and provided hackers and other malicious actors with high-quality information. In the meantime, this data, which was also available on the internet for a while and later removed, can be found on dark web forums and marketplaces.
Just before Shkedi and Shoham take me on a particularly unpleasant stroll through the dark web to see stolen fingerprints and face IDs for sale, they explain that hackers are typically interested in three types of compromised data:
- Something You Know – passwords, security questions/answers, personal information that only you know
- Something You Have – email or device information
- Something You Are – innate, unique, physical characteristics like fingerprints, palm prints, voice samples, facial recognition information, and iris scans.
What is a digital mask?
Until now, hackers had access to compromised data mostly in the “Something You Know” or “Something You Have” categories. However, recent breaches have given them access to “Something You Are” data as well. Our first stop in the dark web is a closed forum/marketplace by the name of Genesis. Access to Genesis is via invitation code only, so you can’t just stroll through the site and fill your cart like on Amazon. Among other data items, you can find “real fingerprints” that belong to people from all over the world, along with other items like passwords, cookies, logs and information that can help hackers create or synthesize fake digital identities.
Shkedi refers to these fake digital identities as “digital masks:” “Metaphorically, I like to compare the use of these so-called “masks” to what Arya Stark from Game of Thrones did as she sought vengeance – only in the realm of cyberspace.” This digital mask allows you to become a different person, a real person, or a synthetic digital entity created by hackers. With these masks you can open bank accounts or impersonate other people, while the hackers are limited only by their imagination.
The price tag on a digital mask – synthetic or semi-synthetic – is $12 to $42. With that being said, Shkedi clarifies that purchasing a digital mask with complete information on the victim is pretty rare, but technically feasible. Such a mask can be sold for hundreds of dollars.
Buying stolen data is as easy as buying something on Amazon
Some of the dark web marketplaces reminded us of legitimate e-commerce sites like eBay or AliExpress. Each listing provides information on the vendor, how long they have been active in the marketplace, the number of deals, and other rankings regarding anonymity, product quality, and more. In another marketplace, we found a listing with the header “how to fake fingerprints,” offering an online guide/tutorial for only $3. Shkedi examines the product listing, and asserts that it is a high-demand product and can be used for fraud. In another forum, a fraudster tries to sell fingerprints and other biometrics in a message exchange with Shkedi, and later invites him to continue the conversation in Wickr – an encrypted instant messaging app.
There are quite a few cybersecurity startups that identify users by behavioral profiling: mouse movements, keystrokes, and other interaction data. Apparently, this type of information is also in demand, as we found a post in one of the fraud forums about buying behavioral profiles to bypass these types of solutions.
Just like Telegrass’ verification process
Many illegal “services” (including illegal services in Israel, like Telegrass – a drug trafficking channel in Telegram) require a selfie and government-issued ID verification process. If you thought that these photos are stored safely, guess again. Because 10 selfie/ID pictures are sold for $120.
“There is great demand for these products,” Shkedi explains. The relatively high price tag on this type of information indicates that there isn’t much available. Afterwards, he shows me a listing for U.S and Canadian visa stickers with readable biometrics sold for $2,000 per item. The listing states that the stickers are “safe for travel.” Information that has limited availability, jacks up the prices, essentially following the laws of supply and demand.
Israelis are already on the hackers’ radar, and a massive breach is only a question of when, not if
The good news is that up until now, Shkedi has not found stolen biometrics that belong to Israelis in these forums. Probably because the Israeli biometric databases have not been breached yet. However, Shkedi opines that “it is only a question of when, not if,” and paraphrases an old saying from the IDF officers training school: “The final defense line (authentication, in this case) will always be breached.” “Eventually, it will all leak. And after less time than one would expect.” Shkedi also warns of an ominous scenario that can occur if biometric information leaks. Fraudsters can try to crossmatch biometric information with personal records that leaked from previous breaches. For instance, Israel’s census database, Agron or the Elector database (voter registration app) that was breached this year, exposing 6.4 million personal records.
Just add all the smaller breaches from recent years to the more severe breaches mentioned above, and you’ll get a “super database on all Israeli citizens,” what Shkedi dubs as an “an impending catastrophe on an unimaginable scale.”
Maybe at the moment biometric information belonging to Israelis isn’t available – but you will have no trouble finding an abundance of personal and financial information on the dark web. High-balance stolen personal and credit card information (high-balance cards, $3,000-$6,000) are sold for 59 Euros. The seller in this case has had several deals and has a five-star ranking, which makes him a credible vendor. Another fraudster offers fake Israeli passport templates for $30; and yet another hacker claims that he can forge biometric passports from a long list of countries – including Israel. Finally, Israeli ID card templates are sold for 8.45 Euros per item.
“Once it finds its way out, all fraudsters need to do is systematically crossmatch the data. Financial data, biometric data, personal records”, says Shkedi. If we all thought we were safe because the Israeli biometric database hasn’t been breached yet, the threat actually has become even worse since more and more services and institutions are migrating to biometric authentication. Don’t be surprised if one day you find your fingerprints floating on the web.
