Do not use online leak checking services.

    The publication of the post was prompted by information about the next major leaks of personal data on the network, I wanted to leave just a comment, but in the end I came to the conclusion that the problem should be solved a little more extensive.


    All coincidences are random, the text below is simply the fruit of delusional thinking of a horse tired of work in a vacuum and has the goal of increasing information security and hygiene among users on the network.


    It is possible that public online services for verifying data leak confirmation also have the goal of increasing the cost of such data for secondary sales. Especially if the structure of the leaked data is not flat, but passed through aggregation with other target sources, i.e. something more than email => password.


    For example, suppose that there is a result of aggregation of leaked data across various databases:


    {
      "firstServiceName.com" : {
        "type" : "emailService",
        "properties" : {
          "email1@example.com" : "password1",
          "email2@example.com" : "password2"
        }
      },
      "secondServiceName.com" : {
        "type" : "paymentsGate",
        "properties" : {
          "email" : "email2@example.com",
          "type" : "Visa",
          "fullName" : "Ivan Ivanov",
          "cardId" : "XXXX-XXXX-XXXX-XXXX""cvc" :  "12345",
          ...
      },
      ...
    }

    Next, you can make an initial estimate of the potential cost of data for malicious individuals. Obviously, the cost of secondServiceName.com data is potentially higher than for firstServiceName.com. Further, the logic of further monetization of data is formed, usually two ways.


    1) Primitive and secure. Flat data of the type "email1 => password1" is selected from the data with low cost, a kind of bait is formed. Further, these flat data are aggregated into a collection and “leaks” are published on non-public specialized sites. If the potential cost of shadow data (secondServiceName.com, ...) is large and limited in the lifetime (cvc, cvc hashes for specific providers), then the publication is given an additional “publicity”, the maximum possible, including “advertising” Share through social networks and other available tools.


    2) Difficult and dangerous. The same as in 1), only the authors / beneficiaries of data monetization additionally create those same data leakage check services. This is either the way newcomers, or when the sum of money from the potential monetization of data is huge.


    The target audience is rather inert and will not bother searching for the same torrents with the contents of the “leakage” of data, because sooner or later users come to specialized sites to check for data leakage and then a request for verification is made.


    If the user has not found anything, the data about his scan request is collected in a separate database. This user is live. By comparing the start dates of the campaign with the publication and the date of the request, you can estimate the liveliness of the user. Yes, the fact that the result of the check was issued empty does not mean that its data are not among the leaked ones.


    Further, if the type of structured data is quite valuable and contains direct and simple ways to "monetize" (see data from secondServiceName.com), also if the user is active and conducting a search, then the further probability of monetizing the data decreases because passwords can be changed, cards are blocked and so on. The beneficiaries of the leakage of such data are quickly sold as separate bases to the same carders and other intruders at a hypothetical price of X.


    After a certain time has passed since the leakage was organized, a diff is formed on the data that was not requested through the checks and then either saved to the archive for subsequent aggregations with new leaks, or if the data type has a long-term monetization method - such data is also sold in parts, but at a hypothetical price of 3x.


    Therefore, if your security is really important to you, then it makes sense not to use popular services whose companies-owners were previously exposed to the loss of user data. Either completely, or as much as possible limit yourself in the dissemination of personal information. If, after paying for goods on any websites, you receive an electronic check, in the URL of which variables like cvcHash are found, then it makes sense not to buy through such services. Fortunately there are few of them and they are represented only in disadvantaged regions of the planet.


    If global leaks occur, it is not recommended to use online check services and in any way be active through search engines (google). If you are quite a popular and public person, then theoretically it is possible to determine your desire to make such a check using targeted advertising (personalized attack).


    If you suspect data leakage or mass (high-profile media) public leaks that can lead to the loss of your data - you need to change passwords on such target services via https with visual verification of information in the security certificate and without using additional network levels (tor / obfs and others).


    The world of technology is constantly evolving, potential ways to harm someone else in the network are also evolving. Always monitor your security online and do not publish anything valuable that could attract the attention of intruders and harm you in the future. Be sure to teach safe behavior in the network of their children, loved ones and acquaintances.


    Also popular now: