Service Offers to Retrieve Stolen Data, For a Fee

A former cyber cop in the United Kingdom is heading up a new online portal that claims to offer a searchable database of about 120 million consumer records that have been phished, hacked or otherwise stolen by computer crooks. Visitors who search for their information and find a match can verify which data were stolen -- for a £10 ($16.50) fee.

Colin Holder, a retired detective sergeant with the Metropolitan Police, said the idea for lucidintelligence.com became obvious shortly after he resigned from the U.K. fraud squad in 2004.

"About six months after I retired, I was contacted by an old source who said he was seeing a vast amount of credit card and other personal data being exchanged between criminals, and what could he do with it," Holder recalled.

Many companies scour e-crime chat rooms and message boards for stolen data, and share that data with banks and companies that sell identity protection services. But Lucid Intelligence is thought to be the first such service that offers consumers a direct way to find out if their personal details may be in the hands of criminals.

Holder said he initially began forwarding the stolen data that his sources collected to his contacts at Scotland Yard. But he said he soon quit sharing all but the affected account numbers, after discovering that the police unit he was sending the information to was funded in part by APACS, a coalition of British banks. Holder said the banks were using the data to help determine when customers had fallen for phishing scams. (Section 12.12 of the U.K. banking code allows banks to choose not to compensate customers who suffer financial losses because they disclosed their banking PINs to someone else.)

"The banks were getting all these details and some were turning around and saying 'This person was reckless with their data,'" Holder said.

So, working with a couple of friends and roughly £160,000 of his own money, Holder set about to create an online database that consumers can access directly to find out if their information has been compromised.

"This project is costing me £6,000 a month to operate, and I'm only charging to help recover those costs," Holder said. "In 90 percent of cases, the searcher will never have to pay a penny."

The service works like this: You search by your e-mail or street address, and the site will tell you whether your personal details are among the records on an estimated 40 million unique victims (the difference between 120 million records and 40 million unique victims, Holder said, is that some people have been fleeced and/or had their data stolen/traded more than once).

If the database finds a match, it will report the type of data found, be it credit card, bank account number, Social Security number, date of birth, etc. Visitors who want to verify the data must pay a £10 ($16.50) fee, using a credit card with a name that matches the name on the record. A link to the report will only be sent via e-mail to the address in that victim's file. If the victim no longer has access to that e-mail address or that credit card number, he or she can still access the data, but must go through PayPal's identification process, which takes additional steps to verify a customer's identity.

The database includes records from around the world with the largest share of data from the United States, U.K. and Canada.

I ran a search on one of my more common throwaway Gmail addresses, and it came back with a match saying the e-mail address had been compromised, and that such a result was a low risk. I proceeded through the verification process (free if just your email was found), and it gave me a six-letter code to save for the second stage of the verification process, which was an e-mail to the compromised address that included a second code. When I clicked the provided link and entered both codes, the Web site showed me a report saying my e-mail address had been obtained last October from a Web site called amny.com, a New York news Web site that I am quite certain I have never visited before.

Dan Clements, president of CardCops, a company that trawls Web sites and forums for stolen data and shares the information with commercial identity protection services, said his company explored a partnership with Lucid Intelligence, but opted not to team up. Clements said much of the company's data is solid, but said he believes e-mail addresses shouldn't count as unique records in a database purportedly dedicated to alerting identity theft victims.

"Spamming lists don't really count as unique records when you're talking about ID theft," Clements said. "They also weren't real candid about how they got their data. To me it seemed they were getting it from informants, and I'm not sure how reliable those informants can be to sustain a business model."

Holder countered that e-mail addresses, when combined with stolen passwords, can be very important to ID thieves. For example, many people tie different services to a single inbox, which can be used to reset passwords for those services. What's more, he said, many consumers re-use the same password at multiple Web sites and online services.

Consumers in the United States are rarely -- if ever -- held liable for losses due to stolen credit or debit cards, so paying to recover these credentials may not make much sense. However, I can see the attraction of people wanting to know how or where their data might have been compromised. If my Social Security number and other personal information was located in the database, I would probably be curious enough to spend $16 in the hopes of finding out why.

The emergence of a service like Lucid Intelligence was inevitable. For years, I have heard from many security researchers who were at a loss about what to do after finding massive caches of stolen consumer data. In some cases, domestic law enforcement agencies have reluctantly agreed to forward the information on to banks and credit reporting agencies, but most avoid the sticky question of how to alert affected individuals without unduly alarming them, or worse, creating a new avenue of exploitation by scammers.

Earlier this year I wrote about a monster stash of identity data stolen by criminals wielding computer keystroke logging malware. The researchers I interviewed in that story took the purloined data they had stolen from the criminals and forwarded it on to the Australian Computer Emergency Response Team, which maintains a system called "Lumberjack," designed to notify financial institutions of compromised accounts.

In a 2007 series I wrote called Tracking the Password Thieves, I approached the FBI with a truly massive trove of stolen data a source of mine had found. From the main story that accompanied that blog post:

Federal law enforcement officials said they routinely provide data they uncover on compromised credit and debit accounts to MasterCard, Visa and other credit-card issuers. The FBI also said it recently began sharing caches of stolen consumer data with the fraud departments of the three major credit-reporting bureaus.

But because credit-card companies often do not get any more information about the extent of the breaches, victims of viruses or scams may think that their problems have been resolved after being issued new credit or debit cards. And such agencies as the FBI handle too many incidents to notify online crime victims individually.

"We're just getting overwhelmed with this [compromised] consumer data, but it's not exactly law enforcement's job to call each victim and explain the situation," said Dan Larkin, an FBI agent who heads the National Cyber-Forensics & Training Alliance in Pittsburgh.

Credit bureaus are not required to notify consumers.

"The credit bureaus work on behalf of banks and companies that grant credit," said Ari Schwartz of the Center for Democracy and Technology, a consumer advocacy group in Washington. "They're not set up to be consumer-oriented businesses."

By Brian Krebs  |  July 23, 2009; 3:24 PM ET
Categories:  Fraud , Safety Tips , Web Fraud 2.0  | Tags: colin holder, lucid intelligence, phishing  

Comments

I agree that this type of service was inevitable, so much so that one wonders why this is the first. I wish D.S. Holder all the best.

Posted by: lostinthemiddle | July 23, 2009 4:17 PM

let's pretend for a second that this isn't blackmail.

the fact that stolen information is put in an online searchable database is a huge security risk. what makes this wanker's website more secure than the ones compromised.

i'm also not too fond of the owner verification process since criminals could potentially use their partially stolen information to buy even more information with this system.

i'd be more outraged if i wasn't certain this business model will fail within 3 months and that we will never hear from this fellow again.

Posted by: ptksec | July 23, 2009 5:08 PM

Brian, you say that the search you ran showed that one of your Gmail addresses was compromised and it was lifted from amny.com, which you never visited.
Isn't it possible that someone quoted from you on that site and included your address?

Posted by: observer31 | July 23, 2009 7:55 PM

to view a partial list of crimes committed by FBI agents over 1500 pages long see
http://www.forums.signonsandiego.com/showthread.php?t=59139

to view a partial list of FBI agents arrested for pedophilia see
http://www.dallasnews.com/forums/viewtopic.php?t=3574

Posted by: mabumford | July 23, 2009 11:44 PM

I don't think this is a good thing. The "no fly" list, for example, is rife with misidentification. This sounds like the credit report/financial version. Your comment about the British Banking code sent chills up my spine.

Posted by: gannon_dick | July 24, 2009 8:14 AM

On the one hand, I can appreciate this gentleman's desire (and right) to make money. And the article does note that he ponied up some money to start his company. Still, to echo the fellow who called it blackmail, it IS somewhat akin to calling someone and saying, "I found your wallet. Give me $20 and I'll return it."

- Michael Seese, author of "Scrappy Information Security"

Posted by: MichaelSeese | July 24, 2009 10:13 AM

@MichaelSeese

At least blackmailers have to call, that costs money.

Scratch a "Targeted Ad" find "Spam".

Posted by: gannon_dick | July 24, 2009 5:45 PM

If you want to remove your name from the barrel of ID Theft you also need to Opt Out of online data bases. Check out www.OptOutDetectives.com and look what they have found on Todd Davis that could have been removed. http://www.blogtalkradio.com/OptOutDetectives/blog/2009/07/24/Todd-Davis-from-Lifelock-Not-So-Protected-To-much-info-on-public-data-bases-Opting-out-would-ha

Posted by: kent6 | August 2, 2009 2:52 PM

The comments to this entry are closed.