The “dark web” black market behind the suspected theft of millions of bank customer records, exposed
Recently, news that millions of customer records from many domestic banks were being peddled on the dark web has circulated widely.
After comparing and verifying the data, the banks involved all denied the authenticity of the data package being peddled. However, the huge volume of financial data involved across a wide range of areas, and especially the security of banks' sensitive user information, continues to attract attention and discussion in the industry.
In particular, as banks move offline business online and the boundary with traffic-side (customer-acquisition) platforms keeps widening, leaks at the front end and in outsourcing management bring new challenges to bank data security management. As of the end of 2019, China had 11.352 billion bank accounts, or 8.09 bank accounts per capita nationwide. Who will protect these accounts?
With the news of the suspected theft and sale of millions of customer records, the mysterious trading venue, the “dark web”, surfaced once again, drawing more attention to this hidden area that can only be reached by special technical means.
What fewer people know is that “what you see is just the tip of the iceberg. There is a great deal of information traded on the darknet, and financial-related information can account for more than 70%.” Through a series of interviews, Brokerage China reporters tried to reconstruct the chain: how financial data is stolen, how it flows into the dark web, who sells and who buys, and where it flows out of the dark web.
Millions of user records illegally sold at “cabbage prices”?
Banks: does not match real data
Millions of customer records related to many domestic banks being peddled on the dark web has aroused widespread concern in the industry for days. On April 15, a financial security technologist confirmed to a Brokerage China reporter that he had seen the sale listing on the dark web.
According to the screenshots previously released by data security personnel, the sale listing contains large-scale customer data from financial institutions: 803,000.55 records from Bank of Shanghai, 100,000 from Shanghai Pudong Development Bank, 63,000 from China Merchants Bank's Shanghai branch, 900,000 from Agricultural Bank of China (ABC) and 460,000 customer profiles from Industrial Bank, covering savings accounts, credit card accounts and private banking accounts and including customer name, customer type, gender and age, mobile phone number, account-opening account number, address and postcode, deposit data and other information.
In addition, it includes about 200,000 preliminarily classified records of enterprise representatives, including company name, registered capital and business scope. Note that most of this information is publicly available.
“The price of 460,000 bank credit card customer records is less than US$100, and the price of 900,000 records is only US$3,999 (about RMB 28,000), which is simply a cabbage price; if it were real data, the price of such a huge amount of data would be at least 10 times higher.” A risk-control director in the big data industry commented to the Brokerage China reporter that although the sample data shown in the screenshots is very detailed, the price for such a large amount of data is ridiculously low, so its credibility deserves a question mark.
To verify the above, the reporter also contacted the banks in question at the first opportunity. The banks' responses were relatively consistent: after verification and comparison, the data does not match their real customer information, and it cannot be ruled out that it was forged to obtain illegal benefits.
The relevant person in charge at Industrial Bank replied, “The so-called ‘Industrial Bank credit card customer information’ does not match the actual customer information elements of our bank, and it cannot be ruled out that criminals have forged and sold so-called bank customer information to obtain improper benefits.”
China Merchants Bank told reporters, “After comparing the relevant data, it does not match the actual customer information of our bank, and the information circulating online is not true. Our bank condemns any criminal act of forging and selling citizens' information, and reserves the right to pursue legal liability for damage to our bank's reputation.”
Shanghai Pudong Development Bank responded, “After investigation and comparison, the relevant data does not contain our bank's account information and is inconsistent with our bank's customer information elements.”
A person from Bank of Shanghai responded to the reporter, “After a detailed comparison, it was found that our bank's account information was not included in its so-called customer information, and it did not match the key elements of our bank's actual customer information. Rather than a data leak, it cannot be ruled out that fraudsters forged, cobbled together and sold so-called bank customer information for improper gain.”
National bank accounts reached 11.35 billion
Who is guarding security?
Although the authenticity of the millions of peddled records has been refuted, how can the security of huge volumes of financial data, especially banks' sensitive user information, be guaranteed? The question has been enough to draw the attention of the industry and regulators to the security of financial data.
Central bank statistics show that the number of bank accounts has grown steadily. As of the end of 2019, a total of 11.352 billion bank accounts were open nationwide, an increase of 12.07% year-on-year, and the number of bank accounts per capita reached 8.09.
It is recognized in the industry that the financial industry, and the banking industry in particular, has the best-developed risk control, and that its level of risk control construction and implementation in information technology is far higher than in other industries. Under the Banking and Insurance Regulatory Commission's “Guidelines for Information Technology Risk Management of Commercial Banks”, the banking industry has a strict risk control system and supervision system, and a rigorous mechanism for identifying, evaluating, handling and tracking risk control points.
“The banking industry's information technology risk control requirements are high; it needs to meet domestic and foreign risk management requirements, including the commercial bank information technology risk management guidelines, the Basel Accords, the Sarbanes-Oxley Act, etc.,” Peng Sixiang, head of the Tencent Security data security team, told reporters.
The general manager of the financial business department of a large technology company in Hangzhou was formerly responsible for a bank's Internet of Things solution, which involved data collection services. He gave reporters an example: “The information collected by devices is generally stored at the local banking institution. As for the security of information storage and transmission, on the one hand, the bank itself has a dedicated network, the internal and external networks are separated, and there are firewalls in the hardware to protect it; on the other hand, each bank has strict review and management of security certification at every level.”
“The bank's IT system has no possibility of large-scale data leakage,” the director of the risk management department of a joint-stock bank told the Brokerage China reporter. “According to the relevant regulations of the China Banking and Insurance Regulatory Commission, a bank's IT system is basically divided into a production domain, a test domain, an Internet domain and so on. Data transmission between the three domains is strictly restricted. Only in the production domain can the full picture of the data be seen; the test domain only has data for testing, with requirements on the amount of data and on desensitization; and there is basically no customer information in the Internet domain. Technically and systematically, large-scale data leakage does not make sense.”
Zhou Junzhen, black-industry research expert and senior technical manager at DataVisor, holds a similar view. Financial institutions, especially banks, have the most stringent security levels: on the one hand, regulatory requirements are high and management is strict; on the other hand, their business attributes demand it. For banks, customer account information is one of the core elements of business value, so banks invest heavy manpower and material resources to protect it. Large and medium-sized banks also have strong technical teams and capabilities.
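The domain separation described above rests on one technical control: customer data must be desensitized before it leaves the production domain for the test domain (and the article later names "data not desensitized after separation" as a leak scenario). The following is an added example, written for this page and not code from the article or from any bank, of what such a masking step looks like. The field names, the sample record and the pseudonym key are all constructed; a real deployment would keep the key inside the production domain.

```python
"""Masking a bank customer record before it leaves the production domain.

Added example, not code from the article or from any bank. The field
names, the sample record and the key are all constructed for illustration."""
import hashlib
import hmac
import re

# Constructed key. In practice it lives only in the production domain and
# never travels with the masked data set, so test-domain users cannot
# reverse the pseudonyms.
PSEUDONYM_KEY = b"constructed-key-for-demo-only"


def pseudonym(value: str, length: int = 16) -> str:
    """Keyed one-way pseudonym for join keys such as account numbers.
    Same input -> same output, so test data stays relationally consistent,
    but the real value cannot be recovered without the key."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:length]


def mask_phone(phone: str) -> str:
    """Keep the first 3 and last 2 digits of a phone number, hide the rest;
    very short values are fully masked."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 7:
        return "*" * len(digits)
    return digits[:3] + "*" * (len(digits) - 5) + digits[-2:]


def mask_name(name: str) -> str:
    """Keep only the first character of a name."""
    return name[:1] + "*" * (len(name) - 1) if name else ""


def bucket_age(age: int) -> str:
    """Generalize an exact age to a 10-year bucket."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def round_balance(amount: float, step: float = 1000.0) -> float:
    """Round deposit figures to a coarse step so individual balances are not recoverable."""
    return round(amount / step) * step


MASKERS = {
    "name": mask_name,
    "phone": mask_phone,
    "age": bucket_age,
    "balance": round_balance,
    "account_no": pseudonym,
    # keep only the city, i.e. the first comma-separated component
    "address": lambda a: a.split(",")[0].strip() if a else "",
}

# Fields allowed into the test domain at all; everything else is dropped.
ALLOWED_FIELDS = set(MASKERS) | {"gender", "customer_type"}


def desensitize(record: dict) -> dict:
    """Return a copy of a customer record that is safe for the test domain.
    Unknown fields (e.g. a national ID number) are dropped rather than copied
    through: deny by default, so a new production column cannot leak by accident."""
    out = {}
    for key, value in record.items():
        if key not in ALLOWED_FIELDS:
            continue
        masker = MASKERS.get(key)
        out[key] = masker(value) if masker else value
    return out


SAMPLE_RECORD = {  # constructed sample, not real customer data
    "name": "Zhang Wei",
    "customer_type": "retail",
    "gender": "M",
    "age": 37,
    "phone": "13812345678",
    "account_no": "6222000011112222",
    "address": "Shanghai, Pudong New Area, 1 Example Road",
    "balance": 123456.78,
    "id_number": "310101199001011234",  # must never leave production
}

if __name__ == "__main__":
    print(desensitize(SAMPLE_RECORD))
```

The deny-by-default allow list is the part worth copying: a masking job that copies every column and masks only the ones it knows about will silently leak the first column that is added to production without a corresponding rule.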
New security challenge from the traffic-economy boom: leaks at the front end
Judging from the recently released annual reports of the six state-owned banks, four of them invested more than 10 billion yuan in technology in 2019, with China Construction Bank the highest at 17.633 billion yuan. As of the end of 2019, ICBC had 34,800 financial technology staff, 7.82% of its full-time employees, followed by the fintech staff of China Construction Bank, Bank of Communications, Bank of China and Agricultural Bank of China, at 2.75%, 4.05%, 2.58% and 1.58% respectively.
Banks have increased technology investment and expanded technology staff at an unprecedented pace. However, every aspect of bank data is interlinked, and even under the highest level of risk protection it is hard to claim that nothing can go wrong.
The first issue is the difference in security capabilities between financial institutions and within them. “Large and medium-sized financial institutions have high risk-control levels, but some branches have weaker capabilities and may not have strict password protection for accounts. Some underground gray and black industries will systematically and purposefully attack existing loopholes to seize some system platforms,” Zhou Junzhen explained.
“Banks' risk control is not all at one level,” the director of the intelligent risk control center of the above joint-stock bank said bluntly. “Some banks have a high level of risk control and some a low level. Strong banks have all their models built by industry professionals; but some banks in remote areas lack high-end data professionals and can only build models through outsourcing. Some banks without technical capabilities directly use traffic data from third-party companies; this data includes the three elements of identity authentication and some behavioural characteristics, but often such data may already have been leaked before use.”
“Leaks are at the front end.” In the view of senior financial industry risk control practitioners, this is a new change that has accompanied the move of banking business online in recent years, and one that should draw more industry attention in risk prevention and control.
In Peng Sixiang's view, the possible scenarios for bank data breaches include, besides improper access control strategies in IT operations, the three links of development, testing and maintenance not being separated (or data not being desensitized after separation), and system vulnerabilities in information security, one further important area, “outsourcing management”: “especially improper management of outsourced R&D and testing. Exposure of the production environment and over-authorization of the database can cause data leakage.”
“Because the business attributes of the industries differ, there is often a generational gap between banks' IT systems and those of Internet companies,” the director of the intelligent risk control center of the joint-stock bank said by way of example. “For example, faced with an Internet traffic platform that uses a traffic distribution model, 1 million customers are distributed to dozens of different banks, and correspondingly the bank connects through a traffic admission model; naturally the two models are adversarial. The admission model hopes to admit more, while the distribution model hopes to filter out more; in reality, compared with Internet companies, the flexibility of bank IT systems, the tools available, the amount of behavioural data covered and so on are all at a relative disadvantage.”
“In the future, bank data risk management will be stricter”
“In order to promote the healthy development and risk control of the financial industry, the regulators have increased the banking industry's emphasis on data governance by issuing regulatory guidelines and linking data governance to regulatory ratings. Regardless of whether this incident occurred, banks' data risk control and management will definitely become stricter in the future.” Several insiders in the banking industry believe that despite the doubts about the authenticity of this pirated data, it will still have an impact at the business level in the future.
In May 2018, the China Banking and Insurance Regulatory Commission issued the “Guidelines for Data Governance of Banking Financial Institutions”, aimed at guiding banking financial institutions to strengthen data governance. In December last year, the first batch of pilot filings of mobile financial apps in the financial industry started. Of the first batch of 23 pilot filings, 16 are banks, including 5 large state-owned banks, 5 joint-stock banks, 3 city commercial banks, 2 rural commercial banks and 1 rural credit union. The filings cover five aspects (improving security protection, strengthening personal financial information protection, improving risk monitoring capabilities, improving complaint handling mechanisms and strengthening industry self-discipline) and draw four red lines for the collection, use and retention of personal financial information.
In fact, behind the tightening of bank data management is a systematic rectification of personal information management at the national level. In the second half of last year, the Ministry of Industry and Information Technology and other agencies publicly criticized more than 100 apps and their operators for violations such as collecting personal information beyond scope and using it unnecessarily without user consent.
The Brokerage China reporter noted that from May to August last year, regulators intensively issued a number of drafts for public comment, including on data security management measures and on methods for identifying apps' illegal collection and use of personal information. This matches the judgement of the digital banking professionals above: the central bank's current guidelines on bank data governance are already very detailed, and future changes are more likely to come at the legislative level.
“In data rights confirmation and data management, China has an absolute advantage; it will be a major country in data assets worldwide.” Zhang Xu, general manager of the Data Assets Department of JD Digits' Digital Technology Center, believes that data assets are banks' core assets and the most trustworthy data besides government security data, but that the development of data will inevitably face the confirmation of rights, and the question of how to do deep mining, development and application with new technologies such as artificial intelligence once massive data is in hand.
“From the perspective of the overall environment, it is generally accepted in the industry that regulators still encourage financial institutions to promote high-quality data development under the premise of compliance, such as interconnection with various types of government data and the establishment of cross-regional data fusion applications,” Xue Hongyan, assistant dean of the Suning Financial Research Institute, said in an interview with a Brokerage China reporter.
A huge black market for data: financial-related data accounts for more than 70%
“Selling data on the darknet is a well-organized industry chain. Stealing and selling data is the most deeply hidden, the oldest and the most mature way of monetization in the black industry,” said Peng Sixiang, head of the Tencent Security data security team, bluntly.
2018 is considered by the industry the first year of data protection, but also a grey year of data leakage. In March of that year, Facebook was exposed for a breach of more than 87 million users' data, its largest ever data breach crisis. In China, at the beginning of 2018, a domestic hotel chain was reported to have had 500 million pieces of customer privacy data sold on the dark web; in March this year, a domestic app leaked information, and the mobile-number binding data of 538 million users, of which 172 million records included basic account information, was put “for sale” on the dark web.
In recent years, frequent major leaks of corporate information or user data have gradually made the dark web's “underground black market” known to society.
“The dark web can be simply understood as an address on the Internet that can be accessed by certain technical means. Its biggest feature is anonymity: it is hard to trace, with anonymous transmission and anonymous currency transactions,” Zhou Junzhen told reporters. “The market size is hard to count. What you see is just the tip of the iceberg, and there is a great deal of information traded on the darknet.”
An obvious change he has noticed is that since 2018, with the acceleration of traditional finance's digital transformation, data from banking, securities, insurance and especially Internet finance has increased significantly, and a lot of it is resold on the dark web: “Financial-related data accounts for more than 70%, especially personal privacy information with financial attributes, such as financial account-opening information, credit cards, etc. The same is true at home and abroad.”
Tencent Security's report looked at darknet data traffic (sample data) in 2018: account/mailbox data, personal information, online shopping/logistics data, bank data and online loan data ranked as the top five, at 19.78%, 12.19%, 9.69%, 9.02% and 8.3% respectively, followed by other information such as gaming data, stock market data, and business and industry data.
Figure: Distribution of darknet transaction data in 2018 (Source: Tencent Security)
Peng Sixiang explained that hackers' specific methods of stealing data include technical intrusion, social engineering and APT attacks, and that a three-step cycle of database dumping, database washing and database collision (credential stuffing) has formed. “Dumping refers to intruding into a valuable company and stealing its entire database; washing refers to an initial cleaning of the data to extract the most valuable data to monetize; collision refers to continuing to use the cleaned data to try to penetrate other applications and enterprises, forming a cycle. In this operating mode, all the data of an enterprise or an industry can be obtained.”
For example, the banking industry stores a large amount of sensitive user information that is complete and accurate, and banks have developed a large number of business applications that are updated quickly, which brings a large attack surface and many windows; yet it is difficult for a bank to achieve watertight protection, “so it will become a target of black-industry attacks.”
Who sells, who buys
Many people have had a similar experience: they have just applied for a mortgage at a bank, and then continuously receive credit and consumer-marketing calls and text messages from various third-party platforms.
“This is a typical case of personal information leakage. For example, a mortgage application requires a lot of personal information to be filled in by hand. It cannot be ruled out that institutional staff or people with access to the information keep it for resale, and this is a common operating method of some information intermediaries, financial agents and third-party marketing and promotion platforms,” Zhou Junzhen explained. “However, compared with this kind of information leakage, theft and sale on the dark web is more organized and targeted.”
“In the early days it was usually done by one team or a single person, but now it has been completely industrialized and professionalized. A fixed team dumps the database and sells it to the washing team, which then sells it to the collision team. Delivery and tracing are extremely difficult,” Peng Sixiang told reporters. “Most stolen data will not be disclosed but will enter a secret transaction chain that serves specific scenarios, such as strategic analysis of competitors, competition for users in the same industry, and upstream and downstream business inference. Such secret transactions can also be called customized data transactions, characterized by the fact that the data is sold only once or banned from resale within a certain time window, whereas data disclosed on the dark web is sold many times.”
On the buyer's side, “rather than being sold on personal forums, it is often sold to professional information providers or data providers. The latter have better data integrity and sub-packaging, and their data processing, matching and splicing yield higher value,” Zhou Junzhen said; through improved data processing, the accuracy of the information is significantly improved, and domestic telecom fraud and overseas credit card fraud are often the result.
Another feature is its globalization. Illicit data trading exists all over the world and has become the main channel for illegal cross-border data flows. “For example, personal information from African countries is used by illegal agents to register Amazon users for fraud and cheating,” Peng Sixiang said. Hackers organize data and exchange it with each other to form black-market big data service providers, concretely the “social engineering library”; driven by profit, these have developed on a large scale with high-tech elements such as big data services and infrastructure construction, which has also increased the difficulty of data security governance.
Three major ways to monetize: precision fraud, database collision attacks and wide-net fraud
As of the end of 2019, the number of Internet users in China reached 827 million, and the number of mobile Internet users reached 817 million, 98.6% of all Internet users. The digital economy has penetrated every aspect of social life, and personal data trails are everywhere.
Black market transactions flowing beneath the surface erode user privacy. Beyond directly monetizing stolen privacy data, black-industry practitioners often use purchased data for precision fraud and other crimes, further harming personal rights and interests.
According to Tencent's security report, information leakage has spawned three major monetization channels: precision fraud, database collision attacks and wide-net fraud.
One case described in Tencent's security report: after an online shopper buys something, they receive a call from an enthusiastic “customer service” agent who, citing quality or logistics problems, sends a refund web link or QR code. Following the prompts, the user receives a refund or deposit refund higher than the purchase amount. The “customer service” agent then guides the user to return the extra money to the online store.
What many people do not know is that this is targeted telecom fraud carried out by fraudsters who obtained detailed information on online shoppers through the dark web. The money the user receives is actually a quick loan from a regular loan platform: the fraudsters use quick credit loan services on online banking or third-party payment platforms to mislead the user into borrowing from the loan platform and then returning the “excess” money to the fraudster's account.
Figure: schematic of the “shopping refund” scam process, from the Tencent Security report
Tencent's security report pointed out that precision frauds such as “shopping refund”, impersonating “public security, procuratorate and court”, “grant disbursement”, “flight cancellation”, “second-child refund”, “traffic violation reminder” and “points exchange for cash” are all targeted fraud scripts carefully designed by scammers based on the characteristics of personal information.
In addition, over the past four years, database collision has catalyzed the fission of information leakage around the world. This kind of malicious login is mostly database collision and sweeping attacks. “From a personal perspective, it is necessary to raise protection awareness and consider whether information is authorized out of business necessity; when individuals use financial accounts, it is recommended to use different passwords for different accounts, to avoid the risk of data leakage brought by some technology companies being hit with database collision,” Zhou Junzhen said.
Peng Sixiang also suggested that personal passwords be changed regularly, with a maximum lifetime of no more than 6 months; that people encrypt their own terminal devices, including computers, mobile phones and hard drives; and that they carefully review service providers' privacy agreements and challenge unreasonable terms.
“At present, some high-end data theft gangs no longer accept general data customization needs, but focus on financial fraud with stronger liquidity,” Peng Sixiang told Brokerage China reporters. With more and more terminal payments and rich online e-commerce activity, the financial data security situation is not optimistic, so this has become a focus of attention and control in many countries.
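The "database collision" step of the dump/wash/collide cycle described earlier, and the password-reuse advice just given, both come down to the same thing on the defender's side: leaked credentials from one site are replayed against many accounts on another. The following is an added example, not code from the article, from Tencent or from DataVisor, of how a service operator can spot such a run in its own login logs and identify the accounts that need a forced password reset. The log format, the IP addresses (from the documentation ranges), the usernames and the thresholds are all constructed for illustration.

```python
"""Flagging credential-stuffing ("database collision") runs in login logs.

Added example, not code from the article or from the companies it quotes.
The log format, sample lines and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> ip=<src> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def find_stuffing_sources(lines, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, attempts, failures)} for source IPs that,
    within any sliding `window`, tried at least `min_users` different usernames
    with a failure ratio >= `min_fail_ratio`.

    The distinct-user count is what separates stuffing from an ordinary user
    mistyping one password: a stuffing run touches many accounts, usually with
    a single leaked password each, so most attempts fail and few accounts repeat."""
    events = [e for e in map(parse_line, lines) if e]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until all events fit inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # keep the latest qualifying window so the counts reflect the whole run
                flagged[ip] = (len(users), len(win), fails)
    return flagged


def accounts_to_reset(lines, flagged):
    """Accounts that logged in successfully from a flagged source.
    A success inside a stuffing run means that user's password is reused and
    already in the attacker's hands, so it should be reset and the session revoked."""
    return sorted({e["user"] for e in map(parse_line, lines)
                   if e and e["ok"] and e["ip"] in flagged})


SAMPLE_LOG = [  # constructed sample, not real log data
    "2020-04-15T10:00:01Z ip=198.51.100.2 user=bob result=FAIL",   # one user, a few typos
    "2020-04-15T10:00:05Z ip=198.51.100.2 user=bob result=FAIL",
    "2020-04-15T10:00:09Z ip=198.51.100.2 user=bob result=OK",
    "2020-04-15T10:01:00Z ip=203.0.113.7 user=alice result=FAIL",  # many users, one source
    "2020-04-15T10:01:01Z ip=203.0.113.7 user=bob result=FAIL",
    "2020-04-15T10:01:02Z ip=203.0.113.7 user=carol result=FAIL",
    "2020-04-15T10:01:03Z ip=203.0.113.7 user=dave result=OK",     # a reused password hit
    "2020-04-15T10:01:04Z ip=203.0.113.7 user=erin result=FAIL",
    "2020-04-15T10:01:05Z ip=203.0.113.7 user=frank result=FAIL",
    "2020-04-15T10:01:06Z ip=203.0.113.7 user=grace result=FAIL",
    "2020-04-15T10:02:30Z ip=198.51.100.9 user=carol result=OK",
    "not a log line",                                               # ignored by the parser
]

if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_LOG)
    print("flagged sources:", hits)
    print("accounts to reset:", accounts_to_reset(SAMPLE_LOG, hits))
```

The thresholds are deliberately crude; in production they would be tuned per service and combined with rate limiting and, for the hit accounts, a forced reset plus step-up authentication rather than just a log entry. Note that the user `bob` with three failures from his own address is not flagged, because the distinct-user count stays at one.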
From: On DarkNet – Dark Web News and Analysis
Copyright of the article belongs to the author, please do not reproduce without permission.