Network News

X My Profile
View More Activity

Web Fraud 2.0: Data Search Tools for ID Thieves

Data such as your Social Security number, mother's maiden name and credit card balance are not as difficult for ID thieves to find as most people think. I've recently learned that cyber crooks are providing cheap, instant access to detailed consumer databases, offering identity thieves the ability to find missing data as they compile dossiers on targeted individuals.

Security Fix spent the past week testing services offered by two Web sites that sell access to a wealth of information on consumers. Each site offers free registration, but requires users to fund their accounts via Webmoney, a PayPal-like virtual currency that is popular in Russia and Eastern Europe.

sspic.jpg

I enlisted the help of a half-dozen volunteers who agreed to let me try to find their personal and financial data on these sites. For a payment of $3 each, I was able to find full Social Security numbers on four of the volunteers, as well as their most recent street addresses and birthdays.

Another set of three $3 payments allowed me to gather the mother's maiden name (MMN) on half of the volunteers. For both the SSN and MMN lookups, all that is required is the target's name, street number, and ZIP code (see snapshot above). Users are not charged for queries that fail to return results.

Using the service pictured above, customers can check the available balance on a credit card for a $1 payment, by including just the credit card number, the name of the cardholder, and his or her address. According to one source who is investigating the back-end technology behind this credit card balance-checking service, the site's operators are dialing in to the automated voice response units at various card issuers, using Skype, an Internet-based telephone service that can mask the caller's phone number and location.

Other data points that users can query the target's date of birth (50 cents per lookup); mother's date of birth ($6); drivers license number ($8); background report ($15); and credit report ($24). The site also offers a service that automates the changing the billing address on a target's credit or debit card ($35).

It's unclear how these sites are obtaining this kind of information. It may be that they're relying on insiders at companies with access to this data. Alternatively, perhaps the services are making use of using stolen credentials needed to access sensitive online databases. More likely, it is a mixture of both.

Picture 31.jpg

The legality of these services depends largely upon how the information was gathered. Obviously, selling data obtained via stolen credentials that allow access to a protected database would be illegal. And of course, no business can legally resell the ability to change someone else's credit card billing address without the owner's permission.

But there are several commercial services that sell massive amounts of consumer data that is collected from public sources, such as mortgage and court records. In fact, federal law does not prohibit the resale of Social Security numbers and other consumer data that was collected from public sources, said Ari Schwartz, vice president and chief operating officer for the Center for Democracy & Technology.

For example, services like Intelius.com, sell loads of consumer data, such as the ability to find someone's identity by looking up a cell phone number.

"They might be aggregating this data in ways that could be legal for them to resell," Schwartz said. "Once that data is gathered from public sources, there aren't really rules about what you can do with it."

For the past several years, lawmakers in Congress have tried but failed to gain support for legislation to block the resale of Social Security numbers and other sensitive consumer data without an individual's consent.

By Brian Krebs  |  March 23, 2009; 11:30 AM ET
Categories:  From the Bunker , Latest Warnings , Web Fraud 2.0  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Rogue Antivirus Distribution Network Dismantled
Next: Mac OS X Top Target in Browser Beatdown

Comments

>>>lawmakers in Congress have tried but failed to gain support for legislation to block the resale of Social Security numbers and other sensitive consumer data without an individual's consent.<<<<


Who exactly is against it and why?

Posted by: JkR- | March 23, 2009 1:51 PM | Report abuse

The lobbyists for the information resellers and marketing, credit reporting agencies, healthcare providers, and most federal government offices that still require SSN's for benefits matching. Add to the that the Freedom of Information Act, and a trove of other information dissemination laws. There are a number of laws that are supposed to protect SSN's but have done a terrible job. It takes only one rogue employee or one mistake to endanger thousands of individuals. See:
http://www.loc.gov/law/find/hearings/pdf/00144521080.pdf
I feel it's too late to try to enforce all these SSN protection schemes. Millions of SSN's are already in the hands of criminals. What is needed a new method of identifying an individual rather than a faceless number that can be used by anyone.

Posted by: nonag | March 24, 2009 8:05 AM | Report abuse

"The legality of these services depends largely upon how the information was gathered."

There really is no distinction for the consumer though.

The legality should be judged by whether consent was given for each transaction by the person whose records are being retrieved, and not by whether the entity doing this has bribed enough legislators to make their data thievery legal or not.

I've argued for a LONG time that by allowing corporations to sell and buy our information nilly willy with no concern for consumer rights, sooner or later that information is bound to get into the hands of someone who's going to abuse the data. This criminal search tool is one of many data points that proves my argument.

Posted by: gorbachev | March 24, 2009 9:47 AM | Report abuse

>

Talk about the "toxicity-favored-word" beating its way around the Congress' doings, reference high finance on/in the market.

Everyone is aware (?), that these lobbyists are in all the pockets of most all Washington pols, elected (by "joe the plumber" constituents . "Toxicity"....is where it is. And there 'may be a lobbyist in your closet'.

Not amused,
mustyceltic

Posted by: mustyceltic | March 24, 2009 9:51 AM | Report abuse

What is confusing to me is with all of the high technology being developed with these super brains, and the even faster way it is being advanced almost every six months, how is it that there is no accurate method developed to track these crooks who steal identities for a living? Call me out of touch but to me the "Freedom of Information Act" does not endorse stealing someone's identity and using it to commit a crime.

Posted by: acarroll1 | March 24, 2009 10:04 AM | Report abuse

Want to get Congress to beef up the identity theft laws? Spend some money and steal the identity of every member of Congress. Redirect their bank accounts mailing addresses to an anonymus post office box. Then we will see very rapid action to address this problem that is already costing everyone billions each year.

Posted by: smf25 | March 24, 2009 10:17 AM | Report abuse

What time is JkR arriving on Sat?

Posted by: rockotodd | March 24, 2009 10:26 AM | Report abuse

This writer is against all these computerized happenings in Most things. This writer is probably very un-informed in computer matters. Writer thought the internet, when they made it work, was for people with computers to use freely and promote computer use.
Writer was very wrong. Everyone must now pay the fiddler the price to use the internet. Going to the public library through internet is out of the question if you don't pay for internet service and probably many, many other subjects.
People are Forced to use the internet by the Government and the Private Industries. The choice for not using the internet would be "too bad for you, ha ha."

Now that people are Forced to use the internet by paying for the service, the internet users appear to have the right to steal any information you have and about you to use against you (of course this includes the ever present eyes of the government and the subversives?).
If you order something on-line and receive the wrong stuff, then more headaches with no real accountablilty by blaming all others.
People will end up spending, spending and spending until you have no money left and become a total recluse and with no connection, then what will become of people.

Writer had hoped that ALL computers were going to be Fried during the Millenium thing in 2000, too bad it didn't happen.

Writer do admit that things such as word or word perfect and such is actually good for people.

Posted by: SOCIETY1 | March 24, 2009 10:42 AM | Report abuse

Unfortunately it DOES SEEM, in most instances, things seem to favor the criminal rights over the victim. Yes, it is true. So much concern on protecting "rights", it is the victim who is forgotten. Sad Sad. I might add, your computer automatically even hooked into mine to get my name and who knows, might even download my PC.

Posted by: darlenehastings | March 24, 2009 11:26 AM | Report abuse

I once subscribed to a service for lawyers (I think it was named witnessinfo.com) which provided some information about individuals, but I do not remember having access to things like SS numbers. A couple of years ago they were forced abruptly to shut down (by whom I don't know), because of security issues. Companies like Lexis-Nexis continue to sell that information, but at a much higher price.

Posted by: jessem | March 24, 2009 12:32 PM | Report abuse

Would it be more secure to choose security questions such as favorite pet's name or first girl/boyfriends name as opposed to mmn or town you were born in. when these security q&a's are changed, are the previous answers wiped from their databases?

Posted by: jamesrohr | March 24, 2009 2:06 PM | Report abuse

I agree with gorbachev's comment.

I used to always check to see what information was online for me and usually I would not see anything but since about mid-2008, I've found that all kinds of personal information is out there for me (and for my siblings). Information such as my name, age (something that until now I'd always considered extremely private), recent address, and names of other cities where I'd lived. For a nominal fee, one of the search services would give my current address to anyone who cared to pay the fee. And, if I wanted this information removed from the search services' websites, I would have to give them current address and other personal information. Why should I have to do that?

It's probably not connected but I have to say that before I first saw all my personal information online, I used to get comparatively few junk emails. Since mid-2008, however, it's been constant, to the point where I now feel I need to change my email address.

And there doesn't appear to be any government department or agency that can intervene to put a stop to such misuse of people's personal information.

Posted by: bba4 | March 24, 2009 3:43 PM | Report abuse

Interesting story, technology is being upgraded daily with thousands of techs introducing new ways to enhance security and idenity thieft, I have no doubt the required technology is available to limit or make identity thieft useless, it is getting the right information together and implementing it -

Posted by: gene14 | March 24, 2009 7:24 PM | Report abuse

-Thanks for the fine article! I have decided to use this info to alert "those with whom I do business" to consider adding other layers of security questions and to change several of my pass information on other sites.

-As always, such information leads to a follow-on question: "what can we do about it?" For example, for a future article, it might be good to use your volunteers to find what information is least vulnerable to surreptitious gathering -- for example, i would think it would be challenging or impossible to find things like the model of your second car, the maid of honor at your wedding, etc. Just how deep can data mining go??? THis kind of information might be useful for us.

Posted by: povdds | March 24, 2009 8:13 PM | Report abuse

This is a huge industry, and they have a lot of lobbying power. Companies make gigantic amounts of money of aggregating and selling personal information about people. It's also a very open market for the information.

Notice how the only time you ever see corporate and government officials not answering hard questions because they're "protecting privacy" when it's obvious all they're really trying to do is dodge responsibility? Companies has worked very hard to get the deck of sleaze tilted in their favor, this is just one aspect of the problem.

This is the same crowd of dirtbags, mixed in with government & corporate interests that brought us the (we) CAN-SPAM act in all it's opt-out glory.

I comment on this site using my real name in part as a protest against the myth and futility of trying to pretend that any of us have much personal privacy anymore.

Posted by: timscanlon | March 25, 2009 1:57 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company