Forget Phishing Just Buy Personal Info

Iago writes "If you need information about a person in Moscow, just go to the market and buy it. The Globe and Mail reports that along with the usual pirated software, cd's etc. you can find out information such as the bank records of your competitors, motor vehicle information and tax returns. The question is, how much of this information is being sold in other countries, perhaps in a more sophisticated manner?"

yeah ... I like fishing

Nothing like fishing eh

Known about this for years

[pcmanjon]

They've been doing this for years in other countries. What most people don't realise is that most of these stories you hear about personal information/security breaches (Lexis Nexis, etc etc etc) usually goes to thugs like this.

These thugs sell this information to people in the black market. This isn't new stuff neither, the news just seems to hover on this and "identity theft" a lot recently. It's been happening since the 80's.

A better question

A better question is, how much of this information is real?

Re:A better question

[temcat]

Most of it is real, believe me. Whay fake something as big as countrywide database when you can easily bribe the right person and get the real thing. Recently there was a scandal when a Central Bank (!) database was stolen. But this is for big boys; as to the general public, stolen mobile operators databases are very popular here, because we don't have official telephone directories with personal phone numbers.

Re:A better question

[ciroknight]

The problem is, if *any* of it is real, then we have a problem.

Especially recently with all of the banks coming out with information of their customers being comprimised.

Re:A better question

[myukew]

I don't think so, I haven't much black market experience, but I think it's much easier to fake databases than stealing them. And judging by the ratio of fake software and audio sold on such markets I would say that the chances are good to be ripped of buying such databases

Re:A better question

[smittyoneeach]

Beyond fake, one would suspect a percentage of the information is of the honeypot variety, and will lead to a knock on the door at an unreasonably early hour by some nondescript fellows with a subpoena.

Disinformation?

A massive flood of fake information would dilute the value of stolen i.d. right?

Re:Disinformation?

[lifeblender]

Not at all. It would increase the value of trusted stolen ID information. In the end, it would just make thieves use more sophisticated social networks, etc. They'd get around it, and would be willing to pay more for real data, since the work that went into collecting it and verifying it was greater.

To sum up, it's still supply and demand, and you're talking about diluting the supply. That means that, for those who can get at the 'good stuff', it's worth more.

On the other hand, if the FBI and the credit card companies were to engage in honey-net operations, then we're talking.

On a related note, I just got a note from my credit card company saying that I could make a temporary credit card number for online purchases. Seems like things are looking up, if only a bit.

You need info

you need your social, call me 555-5555

What, /.? You don't like it?

[chocolatetrumpet]

But, I thought information wants to be free?

Re:What, /.? You don't like it?

[RAMMS+EIN]

Yes. If this information were Free, at least we would be more aware of what was happening. And criminals wouldn't be getting paid for it. This way, the criminals and the people with money benefit.

I personally don't think I care if my and everyone else's "personal" information becomes public. I don't think there is anything extremely interesting about it. People already find out my phone number, email address, street address, bank account number, sometimes even credit card number, user name, real name, etc. etc. etc. as it is.

All that said, I don't think it's necessary to make all everything publicly accessible. It does open the door to more fraud (although it can also help catch fraudsters more easily!), spam, etc. So let's say that public information wants to be free, and private information wants to stay private?

Re:What, /.? You don't like it?

[telecsan]

Then again, importing biz.booksellers.amazon.* might unnecessarily bloat my package

So that's how all the 'enlarge your organ' products I see advertised work....

Isn't it scary?

[Quentusrex]

Doesn't it scare all of you that this has been happening for so long already? I'm not saying there is much we can do about it, but it's still scary.

Now think about the databases the FBI and the airport security are keeping about you. Not only that but also the ones K-Mart, Wal-Mart, Target, Giant(foods), and other stores. It shouldn't be too hard to be you. Just find out your address, and jump on Google maps. Find the nearest stores to you. With your name and address find out your shopping history. And expand from there.

And you thought with all the political speech out there that you might actually be safe in the USA. I'll be happy being Anonymous, until I choose to be known.

Because as a wise person once said...

[truckaxle]

Sell a man a phish he can scam for a day, but teach him how to phish and he can scam for himself for a lifetime.

Buy from gangster, get burnt

[Willeh]

Yeah right, and what's to say this information is actually valuable? TFA says that at least some of it is, but just like bulk email lists there's bound to be a lot of chaff in all of it, due to natural entropy of data, etc etc.

And it's not like these lists ever get refreshed much, so what you end up with is increasingly less useful data in these lists, and the vendors don't even care about it. It's just the nature of the beast (and the overall state of former Russia, where anything goes).

Re:Buy from gangster, get burnt

[Peeteriz]

The things you can buy in Moscow market are the real thing - Russian IRS database, with the income information as accurate as the authorites have it, the living addresses are the ones that the police use, etc.

If it says 'Tax returns 2003', then it really is the tax returns, as they were for 2003, complete with the ability to easily search for, say, addresses and family relationships of persons in your neighbourhood with more than 100,000$ income last year.

Re:Buy from gangster, get burnt

[RAMMS+EIN]

...and the overall state of former Russia...

Dude! When did the revolution happen? I'd better go and update my little database here.

Are you sure about your sig? ;-)

Another example of security through obscurity.

[Behrooz]

The question is, how much of this information is being sold in other countries, perhaps in a more sophisticated manner?

All of it, of course. Sooner or later we're going to have to get used to the idea that the concept of preserving privacy as a society disproportionately benefits individuals and groups with the resources to acquire and disseminate information regardless of the obstacles in their way.

It's too late to save privacy as most people currently envision it. What we need to be doing as a society is focus on transparency and equality-- ensuring that all parties in the social contract stand on an equal footing with regard to what information is publicly available. Secrecy is most dangerous when the powers that be insist that it be one-sided...

It's just going to get worse

[The+Slaughter]

I think this has always been around, but with the proliferation of the digital era, it becomes easier to make a thousand copies of something.
Look at medical records, it used to take a few minutes while they looked for your chart. At the medical clinic I currently go to they can locate you instantly. When you go into the doctor's office, he has your information on-screen. If something like a patient's chart goes missing, there's physical evidence that it's gone. But if a computer is poorly secured, you may not ever realized it was compromised.
What really bothers me is who is purchasing this information. My medical records would be pretty harmless to most people, but what if a coworker with a grudge were to find out about a deadly allergy I have? There's always that scary potential you don't necessarily think about. What if a terrorist uses your identity to get into the country and commit nefarious deeds? Could you be imprisoned while they go free?

Re:It's just going to get worse

[RAMMS+EIN]

``What if a terrorist uses your identity to get into the country and commit nefarious deeds? Could you be imprisoned while they go free?''

With the current paranoia, definitely. It's better to be safe than sorry, so let's send back that plane that has someone on board who might be a terrorist (and, after all, anybody could be a terrorist), and let's keep these people safely locked up without a trial, until maybe someday we have some evidence against them, or perhaps for them.

Seriously. The principle that you're innocent until proven guilty is a healthy one. There's also a reason this has to be proven in front of a judge. These people are trained to be impartial, and to spot weaknesses in the argumentation and evidence on both sides. People in general are easily swayed, especially with media influence.

Now, to return to your issue about computers, that's a very good point, and highlights an important problem. People think computers don't make mistakes, and information that is stored there and backed up is safe. Both of these are pretty much correct. However, that does not mean that what comes out of a computer is correct in any sense. People still make mistakes when entering information, and I think we here all know how sad a state computer security is in.

Especially falsification of information from inside is a very real threat. In most applications I have seen, this leaves no traces unless you want it to. Very different from handwritten information, where it's easy to see that something was written by a different person, and investigation may even reveal who that person is. If not by the handwriting, then by the fingerprints.

Many of these fallbacks are simply not available in computer systems, and with computers being the backbone of virtually everything organized, I think we ought to be really concerned. And, I might add, the fact that most of these are running known faulty software and operated by non-computer-savvy people does not make it any better. Nor does the fact that the workings of said faulty software are hidden.

not only in Russia

[Mrs.+Grundy]

What is going on in Russia IS a little scary, but is it really any different that buying the same information from one the businesses operating in the US like choicepoint? The government and industry buys information from HUGE databases legally here in the united states, but for some reason people make it seem scarier when it is a Russian kiosk instead of an american corporation even though both exercise about the same amount of restraint and ethics concerning to whom they will sell information.

Re:not only in Russia

[Blastrogath]

the american companies usually don't sell your information to burly men named boris and ivan who are planning to kick in your door and put guns to your house as they rob you. I find publishers clearing house sweepstakes and other junk mail to be a much smaller annoyance.

"burly men named boris and ivan" can buy your information in the US, all they have to do is hire a lawyer to buy it for them via a corporation the lawer made. Americans are safe from widespread home invasion robberies because they have an efective police force and a country with a history of relitive domestic peace and tranquility.

I'm not surprised

[Underholdning]

The rule of thumb is: Do not worry about the means of transport, but the destination.
In other words - don't worry if the encryption used to send the data is 128 bit or 1024. No one will bother try to sniff'n'hack it anyways. Worry about whom you're giving your info to. Sure - they may have cheap DVD's, but in order to sell you cheap goods, they must save money in other areas. Security is (sadly) one of the first things to go.

not just Moscow

[Ingvar77]

In every major Russian city you can obtain almost for free a database with phone numbers(including cell), addresses, car registry and pasports for all citizens of this city.
Even more, it's hard to find a PC in my own city that doesn't have a "Megapolice" database, which contains all above information accessible throught a single easy-to-use interface.

Everything has its price.

[Shag]

The question is, how much of this information is being sold in other countries, perhaps in a more sophisticated manner?

The answer to that question is available... for a price. ;)

In soviet Russia...

[bloblu]

...at least corruption was organized. I'm afraid nowadays Russia is just a big mess. You can't expect anything else.

Anyway, I guess that these days you better have nothing to hide.

Re:That old saying...

[jrockway]

Sorry to hear about your shift key.

Also, I like how you can't put a period after "St." but can end every sentence with ... three periods. You only need one! ;)

Grammar?

[noidentity]

Forget grammar just stick words together see like this isn't that easy

India

[romit_icarus]

It's being sold in India. I've met "vendors" who do the round of direct marketing agencies peddling CDs for information. The last I checked, about a year ago, a data CD came for 10c/record...

With all this Phishing in the news...

[Tink2000]

I've given a lot of thought to the subject lately, and really, I've decided I don't care much. In fact, I honestly believe that anyone who stole my identity would after a quick perusal of what they've stolen feel guilty and probably credit me a couple of hundred bucks or so.

Hey, you can't steal what isn't there, and my credit is already wrecked beyond belief. You'd have to be a pretty desperate scammer to steal my identity.

Re:In Soviet Russia...

[smokeslikeapoet]

NO, NO, NO, it's

In Soviet Russia you buy your own information.

Equifax
Transunion
Experian

Unless you consider once a year access acceptable. Your credit report free. But that's only once a year.

Who's information is it anyway?

Miene Final Solution

[HyoImowano]

Live in the woods in a shack, no computer, no TV, no stereo, just you, the chickens, the cows, your banjo, and Deliverance. Que creepy hillbilly guitar riff.

Re:Miene Final Solution

[Frodo+Crockett]

You forgot the sheep. It gets lonely out in the woods.

"Private Eye" CD

A few years ago in Israel a CDROM started circulating with information about more-or-less the entire population. The database was probably leaked from the Ministry of Interior. It was originally used by a private investigations firm but a copy leaked and started circulating freely.

IMHO, once it's out there it's everyone's civil duty to get a copy, just to level the playing field.

People can be bought, too

[The+Slaughter]

You're right. There's definately cause for concern - there are now so many weak spots in the system. A lot of people with access to these important databases are making less than $10/hr. If you find the right person, $15,000 would get you whatever information or passwords you need - or worse, making changes in records or deleting information.
It happens too with corporate espionage. Somebody at the help desk might be convinced to hand over the CEO's email account password to a competitor. If I've got $15,000 and find the right person, can I get your name on a terrorist watch list?

Buying Personal Info, U.S. Style

[divide+overflow]

The easiest way to buy personal information here in the U.S. is to set up a fake company, then request the desired information from one of the major credit bureaus: Experian, Equifax, TransUnion, or ChoicePoint. Back in February ChoicePoint admitted to releasing the information on at least 145,000 consumers to fake companies.

What is unusual about this?

[dan+dan+the+dna+man]

In the UK I've had the ... pleasure (?) ... of knowing some exceedingly dodgy people with very good technical skills. This information has been available to criminals with the requistite amount of cash as long as hackers (sorry crackers) decided they could make a fast buck doing companies rather than pootling around insecure university networks.

Nothing new here and it certianly isn't limited to dodgy stalls in Moscow markets or corrupt outsourced callcentre employees.

Re:In soviet Russia...

[jacen_sunstrider]

I completely thought the title of the parent was leading up into a "In Soviet Russia, information phishes you!

I hate to disappoint you

[plaxion]

...but there aren't enough moderation points available in the /. system to stave off the flow of bad "In Soviet Russia..." _AND_ "PROFIT!" jokes that are going to flood in from this one.

If you think you have a good one, please save someone a mod point by keeping it to yourself, because if it isn't already redundant, it soon will be.

This message brought to you by the Moderator Points Association of America (MPAA) *ducks*

--
I'm commenting on this story to prevent myself from burning moderator points on useless comments like this one ;)

Re:That old saying...

[Deliveranc3]

Don't put, commas in your sentences.

That, you could say, brings on the grammar Nazis :P

Ransom Want Ads

[Valacosa]

Though this is only alluded to in the article, one of the greatest dangers is using information like this as an ransom hit-list. If you could abduct the kids of the ten richest people in Moscow, odds are at least one of them would pay up...

Things like that are depressingly common in some parts of the world.

Well, I hope

[SimianOverlord]

that they haven't scammed detail from places like say, the NYTimes subsriber database. "Mr A Butthole, Kansas" and "Phil McCrackin, Washington" might find unwanted junk mail winging their way towards them.

Re:Obligatory "In Soviet Russia..." joke

[xerxesdaphat]

Information just wants to be free!!!

Don't forget offshored databases

[btarval]

Probably a good deal of it. While the article focused on Russia, another recent article showed how easy it was to get the personal information of people from databases which had been offshored.

$100 (even Canadian) per CD is a worthy amount of money in Russia or other second/third world countries where back-office operations have been off-shored to. This problem is only going to keep growing at these price levels.

The point here is that there is very strong incentive to provide accurate data at these price levels, competition being what it will be.

all day every day

[spoonyfork]

The question is, how much of this information is being sold in other countries, perhaps in a more sophisticated manner?

USian? Go get your free credit report. Look closely at who has recently requested it. They're getting all kinds of information about you. Your bank, credit card company, mobile phone provider, broadband provider, power company, pretty much anyone with your name addy and social security number can sell your info to be requested by someone else at any time. This is a perfectly legal and legit practice. Regarding other countries, these businesses who outsource IT to India/China/Russia will locally all have this information to trade on the white and black market where there are even less data privacy laws.

I used to worry about identity theft and related crimes. I used to think I was the one in control and had the responsibility of securing my personal information. No, the companies that trade on personal info and credit have the control and the toothpaste is out of the tube. I can never secure the last 30 years of my information again, so why bother trying? All I can do is be vigilant in trying to detect fraud and deal with it on a case by case basis.

There is too much commerce at stake for governments to pass laws to ensure data privacy or make issuing credit more secure. Stop whining and start making arguments to your local politicians for doing what you want to be done.

Old trick with new methods

[Peyote+Pekka]

The difference is that since the 80's it is much easier. Personal data on Windows servers has made getting personal data that much easier. Doing that and connecting it to the Internet is just asking for a gross- or willful-negligence lawsuit. Take the case of the recent Mastercard incident: (sorry, link in Finnish)

People burned by that one could go for a class action lawsuit against either Mastercard their service supplier or the software vendor or a combination. There's no excuse for using tools known to be defective in a networked context.

Increasingly that said same vendor has been associated with breaches of security and failures. A year ago it was voting machines now this...

Not suprising

[varmittang]

Hell, you can buy your wife while in Russia. I would expect to be able to buy just the info on other people's wifes.

(-1, Troll)

[orasio]

GNU is not about information, it's about code, it's the Free _Software_ Foundation that's behind it, not the Free _Info_ foundation or whatever.

Free Software is not about all kinds of freedom. It's just about software. It's like that, because in the context of software, freedom is much more obviously necessary than in other contexts, where its benefits can be more subtle.

What you are talking about is those guys that say the "information wants to be free" stuff. I like that, but GNU/FSF has nothing to do with them.

Yea, but the implications are still frightning

[XSforMe]

Not long ago here in Mexico, a punk servicing a PC in the Federal Electoral Institute downloaded and sold the ENTIRE National Voter Registry to a two bit data aggregator, which in turn sold the database to Choicepoint in the U.S.

Now the National Voter Registry contains the name, address, telephone and date of birth of all the people over 18 in the entire country. It is the basis for the most trusted identification used over the country and of our voting system.

The costs of managing and updating the registry is just a bit over a thousand million dollars per year. The punk sold the database for measly 2000 dollars.

After the excrement hited the cooling device, there was a big showdown between the aggregator, Choicepoint and the local authorities. The punk got busted and the buyers claim they destroyed the databases (yea, like hell they did).

I for one am not ever updating my entry in the Registry.