Friday, March 27, 2009

Web Fraud 2.0: Data Search Tools for ID Thieves

Via Washington Post (Security Fix) -

Data such as your Social Security number, mother's maiden name and credit card balance are not as difficult for ID thieves to find as most people think. I've recently learned that cyber crooks are providing cheap, instant access to detailed consumer databases, offering identity thieves the ability to find missing data as they compile dossiers on targeted individuals. Security Fix spent the past week testing services offered by two Web sites that sell access to a wealth of information on consumers. Each site offers free registration, but requires users to fund their accounts via Webmoney, a PayPal-like virtual currency that is popular in Russia and Eastern Europe.

I enlisted the help of a half-dozen volunteers who agreed to let me try to find their personal and financial data on these sites. For a payment of $3 each, I was able to find full Social Security numbers on four of the volunteers, as well as their most recent street addresses and birthdays.

Another set of three $3 payments allowed me to gather the mother's maiden name (MMN) on half of the volunteers. For both the SSN and MMN lookups, all that is required is the target's name, street number, and ZIP code (see snapshot above). Users are not charged for queries that fail to return results.

Using the service pictured above, customers can check the available balance on a credit card for a $1 payment, by including just the credit card number, the name of the cardholder, and his or her address. According to one source who is investigating the back-end technology behind this credit card balance-checking service, the site's operators are dialing in to the automated voice response units at various card issuers, using Skype, an Internet-based telephone service that can mask the caller's phone number and location.

Other data points that users can query include the target's date of birth (50 cents per lookup); mother's date of birth ($6); driver's license number ($8); background report ($15); and credit report ($24). The site also offers a service that automates changing the billing address on a target's credit or debit card ($35).

It's unclear how these sites are obtaining this kind of information. It may be that they're relying on insiders at companies with access to this data. Alternatively, perhaps the services are making use of stolen credentials needed to access sensitive online databases. More likely, it is a mixture of both.

The legality of these services depends largely upon how the information was gathered. Obviously, selling data obtained via stolen credentials that allow access to a protected database would be illegal. And of course, no business can legally resell the ability to change someone else's credit card billing address without the owner's permission.

But there are several commercial services that sell massive amounts of consumer data that is collected from public sources, such as mortgage and court records. In fact, federal law does not prohibit the resale of Social Security numbers and other consumer data that was collected from public sources, said Ari Schwartz, vice president and chief operating officer for the Center for Democracy & Technology.

For example, services like Intelius.com sell loads of consumer data, such as the ability to find someone's identity by looking up a cell phone number.

"They might be aggregating this data in ways that could be legal for them to resell," Schwartz said. "Once that data is gathered from public sources, there aren't really rules about what you can do with it."

For the past several years, lawmakers in Congress have tried but failed to gain support for legislation to block the resale of Social Security numbers and other sensitive consumer data without an individual's consent.
