Huge, Sophisticated Black Market for Trade in Online “Fingerprints”

Huge, Sophisticated Black Market for Trade in Online “Fingerprints”

CybersecurityHuge, Sophisticated Black Market for Trade in Online “Fingerprints”


Published 26 October 2020

Security on the internet is a never-ending cat-and-mouse game. Security specialists constantly come up with new ways of protecting our treasured data, only for cyber criminals to devise new and crafty ways of undermining these defenses. A thriving black market for user profiles is used by criminals to circumvent authentication methods that secure our online secrets.



Security on the internet is a never-ending cat-and-mouse game. Security specialists constantly come up with new ways of protecting our treasured data, only for cyber criminals to devise new and crafty ways of undermining these defenses. Researchers at TU/e have now found evidence of a highly sophisticated Russian-based online marketplace that trades hundreds of thousands very detailed user profiles. These personal ‘fingerprints’ allow criminals to circumvent state-of-the-art authentication systems, giving them access to valuable user information, such as credit card details.


Our online economy depends on usernames and passwords to make sure that the person buying stuff or transferring money on the internet, is really the person they are saying. However, this limited way of authentication has proven to be far from secure, as people tend to reuse their passwords across several services and websites. This has led to a massive and highly profitable illegal trade in user credentials: according to a recent estimate (from 2017) some 1.9 billion stolen identities were sold through underground markets in a year’s time.


It will come as no surprise that banks and other digital services have come up with more complex authentication systems, which rely not only on something the users know (their password), but also something they have (e.g. a token). This process, known as multi-factor authentication (MFA), severely limits the potential for cybercrime, but has drawbacks. Because it adds an extra step, many users don’t bother to register for it, which means that only a minority of people use it.


To alleviate this problem, an alternative system of authentication has recently become popular with services such as Amazon, Facebook, Google and PayPal. This system, known as Risk-based Authentication (RBA), looks at ‘user fingerprints’ to check someone’s credentials. These can include basic technical information, such as type of browser or operating system, but also behavioral features, such as mouse movement, location and keystroke speed. If the fingerprint complies with what is expected from a user – based on earlier behavior - they are allowed to login right away, using only their usernames and passwords. If not, additional authentication through a token is required.