Using the same password on different occasions can be easily obtained by hackers

Using the same password on different occasions can be easily obtained by hackers

Dark web transactions are fierce: the loss of information is expanding the financial “black hole”

Our reporter/Zheng Yu/Zhang Rongwang/Beijing report

In the Internet age, you may no longer have privacy.

Because your personal information is easily exposed in the process of various data circulation, black transactions such as personal data reselling are not uncommon.

A few days ago, the data of 500 million domestic users’ bound mobile phone numbers were first linked to the dark web (an Internet that uses special encryption technology to deliberately hide relevant information). Subsequently, Marriott International Hotel Group announced that the information of about 5.2 million guests may be leaked, including names, mailing addresses, email addresses, mobile phone numbers, etc.

The dark web, also known as the “hidden web”, requires multiple special means to access the “dark web”, and ordinary users cannot search and access through conventional Internet means.

On the dark web, the ID card usage track is priced at 0.02 bitcoin per copy (the current price is equivalent to about RMB 1,000 per copy), which includes bank, accommodation, railway, civil aviation (transportation) and other ID card usage records. As of April 2, 2020, the social platform robot found by the reporter involved in darknet trading showed that the “ID card usage track information” including bank, accommodation, railway, civil aviation (traffic) and other ID card usage records had been sold recently 18 Pieces, sold 5 pieces in the past week. The ID cards provided by other different sellers also use (track) to record the number of sold products, reaching more than 20 pieces.

In recent years, all kinds of information, including financial information, have flowed to the black industry and have been used in various fields such as financial credit collection and marketing.

“The fastest way to find out the borrower’s latest takeaway order and the call records 5 minutes ago.” A former collection officer of a subsidiary of a large state-owned bank told the “China Business News” reporter that collection companies generally purchase borrower information, including but not It is limited to the mobile phone number, takeaway, express delivery, air ticket, and train ticket information associated with the ID card.

The reporter tried to find a platform for selling information, but it only cost about 8 yuan to buy the address, platform account number, password and other information of himself and other family members, and the purchased information was accurate.

The information bought with money is used pervasively, and some people even use it to commit crimes.

On April 2, China UnionPay released a report saying that 51% of consumers have encountered online fraud.

In recent years, the police in various places (Beijing, Henan, Guangdong, Shanxi and Shaanxi) have issued many reminders to alert citizens to criminals obtaining citizens’ personal information through illegal channels and telecommunication fraud crimes. In the case released by the police, a college student was deceived of 70,000 yuan in just 2 days because the scammer claimed to be an employee of an online loan platform and was able to tell his details.

Origins: Insider Leaks and Hacking

Why are mobile phone numbers, passwords and other data leaked?

A network security person said that in recent years, Internet companies have been attacked by hackers, and cases of user data leakage have occurred frequently.

Recently, the People’s Bank of China (hereinafter referred to as the “Central Bank”) released a case of financial consumption “routines”, which introduced that after a customer handled mortgage, commercial loan and other businesses in a bank and inquired about his personal credit records, he often received information from small loan companies or Bank loan phone, asking about loan needs. After the customer reported the case, it was found that the bank’s internal staff re-sold his personal information to some so-called cooperative institutions. “The bank staff illegally sold customer account information, credit records, etc., and was suspected of breaking the law.”

An engineer from a financial company also analyzed to reporters that there are two sources of data leakage: one is technically derived from the back-end database, and the other is derived from the front-end by business personnel. The leakage of database data at the technical level may be caused by the illegal copying of data in the database by the company’s technical personnel. If a company has technical personnel leaking data, it indicates that the technical security management is not in place; at the same time, it may also be caused by hacker attacks. Generally speaking, the company’s system will have corresponding information security measures, so the situation caused by hacker attack is not common, but the result and impact of the entire database data leakage caused by hacker attack are usually serious. “The most common in the market is the leakage of customer information by business personnel, exporting the customer’s personal information and reselling it.” The engineer said.

So how do hackers steal user privacy?

One of its most common practices is credential stuffing. Credential stuffing is when hackers leak user data through a certain website they have mastered and try to log in to other websites.

Liu Xingliang, president of the DCCI Internet Research Institute and member of the Information and Communication Economics Expert Committee of the Ministry of Industry and Information Technology, told reporters: “Many ‘Xiaobai’ (novice) users use the same account password on different websites. , the obtained username and password are often used to try to log in to other websites in batches, which is the behavior of hacker stuffing.” That is to say, if you use the same password on different occasions, it is very likely that hackers can easily obtain it through credential stuffing.

“Similar to the credential stuffing principle, there are many social mobile phone application software (APP), all of which have the function of automatically matching the contacts in the mobile phone address book and becoming friends in the social software. When the user agrees to the permission of these apps to read the address book, at the same time , the APP began to automatically match the address book friends, and match the social platform account with the mobile phone number.” The above-mentioned big data industry practitioner said: “The data leakage incident that has attracted much attention is very likely that the hacker forged a local address book database. , a large number of mobile phone numbers are listed in the database in advance, and then a large number of mobile phone numbers and APP matching functions in the library are used to match the mobile phone numbers with the corresponding accounts one by one. Hackers often use Python web crawlers to capture a large number of social platform account related data on web pages Finally, the successfully matched data (such as mobile phone numbers, social platform accounts, account-related information) will be captured and saved together by crawler, resulting in personal data leakage.”

The above-mentioned person stated that the excessive collection of data has always existed. On the one hand, web crawlers crawl the website information excessively, causing the website to crash and website user information to be stolen. On the other hand, APP excessively collects user information, including covert collection, misleading consent, compulsory authorization, excessive claims, out-of-scope mobile phone personal information, and difficulty in account cancellation.

In recent years, relevant departments have attached great importance to the protection of personal information. The Central Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation have guided and established a special governance working group for the illegal collection and use of personal information by APPs to carry out APP rectification-related work.

Shocked: “The real-time financial information query service is not as simple as credential stuffing”

Some financial technology practitioners said that due to the existence of online black production and the chaotic state of information security before 2017, in his opinion, information reselling in batches is nothing new, but now the dark web can be so easily designated to query personal financial information, or is it still It was a shock to him, who had been in the industry for 8 years.

“Real-time designated query of a person’s bank flow and balance is definitely not something that can be done by credential stuffing. It is most likely done by internal personnel who master the database of financial institutions.” The above-mentioned financial technology practitioners believe.

After paying 100 yuan, the seller showed the reporter the function of inquiring the reserved mobile phone number and the bound ID number of the bank card through the name and the bank card number of a large state-owned bank. At the same time, the reporter saw that some dark net sellers will also have a service to check the balance of the bank card in the four elements of the bank card (name, card number, ID number, reserved mobile phone).

According to the dark web, paying 1,000 yuan can also query the bank card flow of a designated individual, including detailed bills of multiple banks for one month, three months, half a year, and one year. The price starts at 2,000 yuan.

In the view of the above-mentioned persons, in the process of data circulation, data ownership and authorization are unclear, which is an important reason for the proliferation of black transactions such as personal data reselling and social harm.

A person from a big data financial company said that taking the above-mentioned four elements of a bank as an example, the institutions that master these data include all service institutions that may obtain the data, not only banks, but also fund companies, brokerages, payment institutions, and even And e-commerce. That is to say, there are multiple channels for personal information to be leaked, which is likely to be overwhelming.

The channels are diverse, and the links are even more worrying.

“There are countless links where data leakage may occur. In many aspects of life, users need to submit personal financial information. For example, real estate brokerage agencies can also obtain users’ bank card information when assisting with housing loans and other businesses.” Liu Xingliang explained.

“The current leaked data is more of a historical issue for banks.” A banker said: “In recent years, banks did not pay special attention to the protection of customer information in the management of subordinate operating outlets in the early years. The four elements of customers and other account opening information in grassroots outlets have accumulated over time, and have gradually become the target of financial information black production. In order to profit from it, internal employees of grassroots outlets even have illegal behaviors such as reselling, which also breeds black transactions.”

The above-mentioned people also admitted that in recent years, the possibility of banks and internal employees actively leaking user data is relatively low. Because the various links and positions within the bank currently restrict each other, for example, the personnel with management authority cannot master the database, and the employees who master the database cannot query customer information at will. Every data call requires approval from various departments and levels, and it is less likely for employees to sell data to the outside world. “In addition, it is foreseeable that with the continuous strengthening of regulatory crackdowns, bank information security management will continue to increase, and the willingness to interact with data may be further reduced. Data-driven fintech companies may be greatly affected.”

In addition to traditional financial institutions, unlicensed fintech platforms and online lending platforms are also hardest hit.

“I have been paying back the money, but my family is overwhelmed, and the collector can still find my account on other social platforms. When there was still more than 200 yuan (arrears), the collector threatened to come to the door and charge a thousand yuan for the door-to-door fee.” One Online loan borrowers said.

The reporter once obtained a piece of online loan user data peddled on the dark web, including contact person, monthly income, salary payment form, mobile phone, working hours, contact address, loan amount and other information, and gave some detailed information. The reporter called many parties in the above data, and they said that the personal information was true. Among them, some users said that the information described by the reporter had been provided to online lending institutions and banks.

A person related to the online lending platform said that it does not rule out that some people use public information on the Internet and user data leaked by other platforms to sell under the name of the company. “The same borrower generally registers on multiple platforms. If these data are matched with other online loan platforms, there is a certain hit rate. It is more common that some failed online loan platforms are often neglected in data management and aftermath, resulting in such a situation.”

Consequences: Big data killing, information cocoon room, telecom fraud

In fact, not only financial information is exposed by various channels, but various personal information, including privacy, may be leaked.

“Currently, some mobile phone software has the permission to read the user’s album. If it automatically recognizes that the hair in the photo is sparse, it is possible to receive an advertisement for hair transplant.” A practitioner in the big data industry introduced reluctantly.

So what are the possible consequences of personal information leakage?

“The first is the abuse of data, for example, in the marketing process, big data kills (Internet companies provide the same goods or services, but the price seen by old customers is much more expensive than that of new customers. Merchants analyze personal data and conduct Pricing discrimination.” Experts say there is also abuse of data abroad to interfere in government elections.

In March 2018, Cambridge Analytica, a British political consulting firm, collected and used the personal data of 87 million Facebook users without authorization for the election of US President Trump.

Likewise, the information cocoon room deserves attention.

Zhang Taofu, the executive dean and professor of the School of Journalism of Fudan University, once wrote that the advent and popularization of algorithm recommendation is a manifestation of the progress of media technology, which allows information to be accurately connected with users, and personalized matching of information and users. “The catering recommendation of the algorithm will cause the flood of vulgar, vulgar, and kitsch information, which will lead to the solidification and generalization of some users’ low-level interests. Second, it will form the information ‘cocoon room’ problem. Personalized recommendation is bound to narrow the user’s choice of information, as if a wall has been built around the user, forming an information ‘cocoon room’.”

Many industry figures told reporters that personal data abuse and reselling often exist in marketing, credit risk control and even fraud.

On April 1, 2020, the Haidian Public Security Bureau in Beijing, the Criminal Investigation in Zhuhai City, Guangdong Province and other places issued a risk reminder of the scam of canceling online loan accounts, indicating that online loan fraud methods are on the rise again recently.

According to the Public Security Bureau of Pinglu County, Yuncheng City, Shanxi Province, a college freshman was defrauded of 70,000 yuan within 2 days. The reason was that a person who claimed to be an employee of an online loan company told him that because he registered for an online loan If you have a company account, you need to cancel the student account, otherwise you will not be able to borrow money in the future. During this period, the liar not only sent him ID card, business license and other information to prove his identity, but also the liar can accurately name the fresh student’s name and ID number. The victim student is now on the verge of autism, neither dare to I told my family that I was afraid I couldn’t bear it anymore, and the case is currently being further processed.

According to the police, the scammers obtained detailed personal information of users during the fraud process.

So how is a data breach legally held accountable?

Zhou Chenxi, a lawyer from Beijing Jincheng Tongda (Shanghai) Law Firm, told reporters that the first is the criminal aspect. Generally speaking, individuals involved in such acts are suspected of infringing on citizens’ personal information. This crime requires the perpetrator to have intention or consensus on the crime. Therefore, if the institution involved does not have the subjective intention of the leak, it is difficult to pursue the institution’s criminal responsibility. The second is the administrative aspect. At present, the administrative supervision of personal information protection in my country is gradually strengthening. If the institution has various problems such as negligence in management, failure to repair the discovered loopholes in time, and failure to manage the third party that cooperates well, it will lead to the occurrence of In the event of a data breach, or failure to take timely measures after a data breach occurs, resulting in further losses, the institution is likely to be punished by the administrative department. In addition, because the current laws and regulations have relatively high requirements on data security, once a data leakage incident occurs, various problems of the enterprise can often be found in turn, so the risk in this area is relatively large. The third is the civil aspect. There are not many existing cases in this area, and there are not many actual judgment institutions that bear civil liability. However, considering that the outcome of a civil case largely depends on the evidence, consumers or users often Failure to prove data leaked by the agency and failure to prove specific losses resulted in losing the case. The current issue of how much evidence consumers or users need to provide may also change. At the same time, considering the continuous emphasis on personal information at the regulatory level, such cases may continue to increase in the future.

“We should think about how to balance privacy protection and reasonable use,” the above-mentioned experts suggested. “At present, in terms of data security, I personally think that the most critical issue is the standardized use of data. Start with clarifying the retention period of personal information, clarifying data ownership and used, shared boundaries.”

The Links:   LQ190E1LW02 6MBI20F-060 THE IC INFO