Cybercrime Data - Who to allow access

[Pinas]

Hi all,

so I'd like to hear you opinionon this.

I am currently building a system that provides the possibility to search and analyze undeground markets (boards selling credit cards, stolen identities, ...) - you probably know such boards yourself.

The service is far from finished but I plan to bring it online in the next months.

Now my problem: The nature of this service is that data from underground boards is made accesible for  users. The data will very likely contain information that can be misused e.g., Credit Card Data. How can I make sure that this service is not used as something like "all you can grab" buffet for cyber criminals ?

I thought about restricting access to people who "identify" themselves e.g., via their LinkedIn profile but
I want the system to be usable by many people.

I could implement some methods that try to hide/remove sensible information but I am quite sure that these methods will miss something.

Another possibility would be to restrict the number queries allowed for non registered users - as done by Shodan. This still has the risk that sensible information is exposed within these few queries.

 Any ideas/tips/...

Thank you !

[gjiqlVHs]

Hi there Pinas,

For starters, I think of Rescator. Rescator allows you to search for credit cards via the last 4 digits of the card, perhaps combining that with a bank would allow for extremely accurate identification of possible matches.

For example: You could request the last 4 digits and institution of the card someone wants to protect or scan for. If the last 4 digits are '1111' and their institution is AMEX, and you find a '1111' and AMEX match on rescator, then you could view the full card details on rescator and request that the individual provide the CVV and expiry date - you use this to cross-match.

If they match again, you've got a 99.99% certainty of having found a compromised card of theirs, with the only risk of misuse falling solely onto you.

I'd be very interested to learn more about your platform, and when it's expected to be live/what it's capabilities are expected to be. Could you shoot me a private message some time perhaps going into a little more detail of what sites in particular you are searching through? I've got quite a large repository of underground blackmarket/stolen data trading sites that I'd be happy to share with you.

Let me know if you're interested, and good luck for the development of the system.
I hope this post has been useful.

[proxx]

Hi all,

so I'd like to hear you opinionon this.

I am currently building a system that provides the possibility to search and analyze undeground markets (boards selling credit cards, stolen identities, ...) - you probably know such boards yourself.

The service is far from finished but I plan to bring it online in the next months.

Now my problem: The nature of this service is that data from underground boards is made accesible for  users. The data will very likely contain information that can be misused e.g., Credit Card Data. How can I make sure that this service is not used as something like "all you can grab" buffet for cyber criminals ?

I thought about restricting access to people who "identify" themselves e.g., via their LinkedIn profile but
I want the system to be usable by many people.

I could implement some methods that try to hide/remove sensible information but I am quite sure that these methods will miss something.

Another possibility would be to restrict the number queries allowed for non registered users - as done by Shodan. This still has the risk that sensible information is exposed within these few queries.

 Any ideas/tips/...

Thank you !

At least make sure it isn't easy to scrape , use js to present data this will keep most punks out, just face it , whatever you put out there will be abused by someone.
Exactly what I was thinking , ratelimiting the amount of queries would work but it would also make it lame
At least forcing a login and whatnot would make it harder for them kids to massively suck on that db.