Here’s the story of a database of sensitive consumer information – names, addresses, phone numbers, email, and payment information – posted on a site frequented by (among others) hackers. It took just minutes before identity thieves tried to make unauthorized use of the information. But this tale of stolen credentials is full of surprises, including who posted the data.
If you’re watching the FTC’s Identity Theft: Planning for the Future webcast right now, you know that the “perpetrator” was the staff of the FTC’s Office of Technology Research & Investigation (OTech) and the information belonged to 100 fake people, but was designed to look like a filched database of consumer credentials.
OTech conducted the experiment to answer two questions: 1) When information like that is made public, does anyone use it? and 2) What can law enforcers learn by tracking what ID thieves do with data once they get their hands on it?
After creating the database, OTech posted it twice on what’s called a paste site. (That’s a site where people can paste information in plain text. There are legitimate uses, of course, but hackers have been known to use them to make stolen data available to others of their ilk.) For two weeks OTech monitored all email access attempts, payment account access attempts, attempted credit card charges, and texts and calls received by phone numbers. What did they observe?
Sharing is erring. OTech’s first posting on April 27th got about 100 views. The second posting on May 4th got about 550 views. We think the likely reason for the uptick is that a Twitter bot disseminated the availability of the data to a wider audience.
ID thieves don’t waste time. There’s a unit of measurement faster than the proverbial New York Minute. It’s the time it takes a data thief to exploit stolen information. After OTech’s initial posting, it took 90 minutes for the first unauthorized attempt. But after the second posting, it took just 9 minutes. The total number of attempts: 119 in the first week and 1108 in the second.
The market for stolen data is global. IP addresses from close to 30 different countries were used in access attempts. The majority were from IP addresses in the United States. But don’t take out that “We’re #1” foam finger just yet because most of the ID thieves used technologies that hid their true IP addresses.
Data theft funds shopping sprees. In the two weeks OTech studied, fraudsters tried to rack up $12,825.53 in illegal purchases. Retailers were their top target. Notable purchase attempts: pizza and online dating services.
OTech’s study suggests some tips for security-conscious companies:
- ID thieves will exploit available information. Period. If your business needed any more reasons to Start with Security, OTech’s findings provide plenty.
- Paste sites seem to be favored hangouts for data thieves. Email and payment service providers may want to take a look at what’s going on at those locations.
- Two-factor authentication provides at least some protection against stolen credentials. Have you thought about implementing it at your company?
- OTech spotted a pattern of multiple purchase tries at a single site within a very short period of time. Depending on the circumstances, seriatim purchase attempts could suggest that fraud is afoot.
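A merchant or payment provider could check for that last pattern with a sliding-window count per site and card. The sketch below is an added example, not part of the OTech study or any FTC tooling; the threshold of three attempts in five minutes, the record layout, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not study data): time, site, card token, amount.
ATTEMPTS = [
    ("2024-01-15T10:00:05", "pizza.example", "card-017", 23.50),
    ("2024-01-15T10:00:40", "pizza.example", "card-017", 23.50),
    ("2024-01-15T10:01:10", "pizza.example", "card-017", 41.00),
    ("2024-01-15T10:01:55", "pizza.example", "card-017", 41.00),
    ("2024-01-15T10:30:00", "dating.example", "card-017", 29.99),
    ("2024-01-15T11:00:00", "pizza.example", "card-042", 18.75),
    ("2024-01-15T14:00:00", "pizza.example", "card-042", 18.75),
]

def find_bursts(attempts, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per burst of >= threshold tries by one card at one site."""
    recent = defaultdict(deque)  # (site, card) -> timestamps inside the window
    open_alerts = {}             # (site, card) -> alert for a burst in progress
    alerts = []
    for ts_text, site, card, _amount in sorted(attempts):
        ts = datetime.fromisoformat(ts_text)
        key = (site, card)
        seen = recent[key]
        seen.append(ts)
        while ts - seen[0] > window:      # drop tries older than the window
            seen.popleft()
        if len(seen) < threshold:
            open_alerts.pop(key, None)    # burst ended; a later one alerts anew
            continue
        alert = open_alerts.get(key)
        if alert is None:                 # threshold just crossed: open an alert
            alert = {"site": site, "card": card,
                     "start": seen[0].isoformat(), "attempts": len(seen) - 1}
            open_alerts[key] = alert
            alerts.append(alert)
        alert["attempts"] += 1
        alert["end"] = ts_text
    return alerts

if __name__ == "__main__":
    for a in find_bursts(ATTEMPTS):
        print(f"{a['card']} at {a['site']}: {a['attempts']} tries, "
              f"{a['start']} to {a['end']}")
```

Repeat tries that are hours apart, like the second card in the sample, stay below the threshold and raise no alert.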
Watch the event from the LIVE WEBCAST link.