Think about your most prized possession. Imagine it in your mind’s eye. Maybe it’s a family heirloom, or something a close friend gave you, or something you worked hard to afford. Now imagine it gets stolen.
Now suppose I’m your next-door neighbor, and I want to know if I’m in danger of being robbed, too. Should I go to all the local pawn shops and back alleys, buy up all the stolen property (including your prized possession) and take it home and look at it to see who it belongs to? Should I pay the people who robbed you to find out if they are going to rob me as well?
What if I’m Facebook, and you’re one of the countless consumer web services that have been breached in recent years? This is the news that CNET broke recently — that Facebook is buying up stolen credentials off the dark web to ensure that none of them could be reused to attack them — and it raises an outstanding issue that has circulated in industry and legal circles for a while. Namely, should companies buy stolen data from third parties to combat credential reuse attacks against themselves?
Information security is the land of tortured analogies, and I’m certainly torturing the stolen property analogy. For starters, goods in the physical world are unique — my stolen candlesticks can exist only once, whereas a set of stolen credentials can be copied and resold repeatedly at no cost to the thief. But from a legal and ethical perspective, the analogy provides a good starting point to talk about the rampant, and quiet, practice of legitimate companies buying stolen data off the dark web.
How much of the black market for stolen information is created by legitimate companies buying up data?
But before we dive into the sticky issues with the practice, let’s first talk about the motivation. As Alex Stamos, Facebook’s chief security officer, correctly identifies, credential reuse attacks are among the most pernicious and dangerous threats facing consumers on the internet. Tools to combat it on the consumer side — password managers so you never have to reuse passwords, two-factor authentication to enhance password-based security — all exist, but are not widely adopted among consumers (for a whole host of reasons). But how should companies combat it internally, when so many consumer credentials are floating around, waiting to be used against them?
The question reminds me of another technology and security conundrum from an earlier era, when BlackBerry users were buying third-party batteries that were catching fire. While those batteries and the lax manufacturing standards of those third parties were to blame, it was BlackBerry that was perceived as the culprit, and proceeded to cryptographically tie their batteries to the phones, disabling the use of third-party batteries. Businesses took this lesson to heart — even if they aren’t to blame, incidents involving their products will always end up hurting their brand. Hence the motivation to act to prevent such occurrences.
By buying stolen credentials, one effectively guarantees a market for them.
But what about the ramifications of such actions? For starters, the act of buying stolen data that doesn’t belong to you is, at worst, simply illegal, and, at best, highly dubious. It would be one thing if Facebook were buying their own stolen data back, or if a contractor were doing it on their behalf and with their permission. But buying stolen credentials from other services without their permission? It’s certainly over the line, at least by today’s law.
There are also ethical concerns, namely legitimate dollars going to incentivizing the thieves to steal the credentials in the first place. By buying stolen credentials, one effectively guarantees a market for them, ensuring that there will always be a buyer for whatever it is the thief can get their hands on.
It begs the question: How much of the black market for stolen information is created by legitimate companies like Facebook buying up data? It might be difficult to quantify, as few companies are ever going to discuss the practice in public, but I suspect it’s significant. In fact, I’ve heard anecdotes of companies that haven’t even been breached until one of their own contractors offered payment on the black market for their data! In this instance, and probably in many others, purchasing stolen data caused the very problem it was trying to solve.
This practice needs more public scrutiny, quantification and honest conversation in industry and legal circles. At the same time, we need to focus much more on deploying technologies to prevent or neutralize these attacks — password managers, two-factor authentication, biometrics — and much less on incentivizing the sorts of activities we’re trying to prevent. In fact, I wonder if we, as an industry, just stopped buying stolen data outright, would the market for it dry up? It just might.