A while back I looked at the maturing market dynamics of cybercrime black markets and found that as professionals have come to dominate the hacking scene, a whole series of black markets have emerged.

Where in the past a single person might execute a cybercrime from beginning to end, nowadays there is a division of labor. Some cybercriminals can focus on building exploit tool kits while someone else becomes a bot-herder, collecting and aggregating botnets (networks of remotely controlled compromised computers). The most disturbing aspect of the emergence of black markets is how they have increased the efficiency and profitability of identity theft.

If we examine various market indicators, we can see how the black markets have increased efficiency. The most obvious indicators to track are the price of the final output and the “liquidity” or the volume of trading that occurs. The price at which a fully qualified identity is sold is a good proxy for the cost of acquisition of that identity and the overall efficiency of the market. Over the past three years various researchers have provided examples of the average price of a stolen identity, ranging from $150 to $14. Most estimates from three years ago are in the $100 to $150 range, while today we see prices around $14 to $18 per identity. While it is difficult to get accurate numbers, there is a clear downward trend that may be as big as one order of magnitude. Decreasing prices are a clear indication of an efficient market, one in which the cost to acquire a primary resource is decreased through innovation.

But what about the overall size of the market? This is harder yet to calculate, but we can use available data for a rough calculation. The California data breach notification act SB1386 compels companies to notify customers in the event of a breach of identity data. In 2006, more than 49 million identity thefts were brought to light under the law. The running total for 2007 exceeds 70 million. Of course, the identities which have been subject to disclosure are but a small percentage of the total, global identity theft problem. We’re only seeing the tip of the iceberg. If only 7 million identities are sold in the black markets, then the total revenue from the first sale only would exceed $100 million. That does not count further exploitation of the identities, such as purchasing goods or withdrawing cash.