© 2024 Connecticut Public


Take A Peek Inside The Market For Stolen Usernames And Passwords

ARI SHAPIRO, HOST:

Most of us have a long list of usernames and passwords to sign into accounts online - eBay, Amazon, Expedia. Those credentials are valuable to hackers, and they're for sale online. Stacey Vanek Smith from our Planet Money team got a look into the marketplace for stolen passwords.

STACEY VANEK SMITH, BYLINE: I have in front of me a list. It is four and a half pages long, and there are a bunch of company names on it all in alphabetical order. It has banks and airlines and clothing stores. And next to each company name is a price. This list comes from a site on the dark web where people buy and sell stolen usernames and passwords. It is a price list. I got a copy of this list from an investigative journalist named Brian Krebs.

BRIAN KREBS: Author of the website krebsonsecurity.com.

VANEK SMITH: And you spend a lot of time on the dark web.

KREBS: Yeah. It's kind of an occupational hazard.

VANEK SMITH: Krebs got this particular list from a site called Seller's Paradise.

KREBS: It looks like a pretty nicely indexed e-commerce site where you might go and buy, you know, blenders or whatever it is you want to buy.

VANEK SMITH: But in this case, instead of blenders, people are buying stolen usernames and passwords. Some account information like bank account passwords are obviously valuable. But for others, it can be kind of hard to know why anyone would be interested. There's Costco for 15, David's Bridal for 10. And what are you doing with these passwords if you buy them? So if you - if I buy someone's David's Bridal password for ten bucks, like, what am I doing with it?

KREBS: (Laughter) One of the longest-running scams is the points. They go to use their points, and they're like, I don't have any points; I don't really know what's going on.

VANEK SMITH: So, like, if you buy someone's, like - I'm looking at Best Buy - costs $13.

KREBS: Right. I could in theory sign into your Best Buy account, change your address, and you would be none the wiser when they send me, you know, a set of $400 Bose headphones (laughter), you know? Cyber thieves think of really ingenious ways to cash these things out, and cash them out they do.

VANEK SMITH: I mean, how scared should I be about this - about my passwords being out there?

KREBS: Well, that depends. Are you the type of person who reuses the same password all over the place? Then you should...

VANEK SMITH: Let's say that I were that kind of person (laughter). How scared should I be?

KREBS: OK, yeah, I think you should be pretty concerned. I mean...

VANEK SMITH: Really?

KREBS: One of the biggest pieces of feedback I get from, you know, mere mortals who - you know, they take pride in the fact that they don't really understand computers or understand why anybody would want to hack their computer. And I just say, look; you have probably 20, 30 sets of credentials stored in your browser or on your computer that have value. You may not think that they do, but they absolutely do. And this service kind of, you know, puts a pretty fine point on that.

VANEK SMITH: What does this mean - the existence of this marketplace - like, for most of us mere mortals?

KREBS: It means that it's 2018, and we're all still stuck with the stupid passwords.

VANEK SMITH: Krebs thinks we will eventually get to a post-password world. In that world, your phone could essentially become your password. After all, it has tons of data on you, your location, maybe even your fingerprints or your face. And that data can be used to verify your identity. So we'd essentially be carrying our passwords around in our pockets.

But for now, we are stuck with these same old passwords and the same old advice we've been hearing for years. If you want to protect yourself from hackers, be sure to turn on two-factor authentication, and do not reuse the same passwords again and again and again like I do. Stacey Vanek Smith, NPR News. Transcript provided by NPR, Copyright NPR.

Stacey Vanek Smith is the co-host of NPR's The Indicator from Planet Money. She's also a correspondent for Planet Money, where she covers business and economics. In this role, Smith has followed economic stories down the muddy back roads of Oklahoma to buy 100 barrels of oil; she's traveled to Pune, India, to track down the man who pitched the country's dramatic currency devaluation to the prime minister; and she's spoken with a North Korean woman who made a small fortune smuggling artificial sweetener in from China.
