40 Million Identities Up For Sale On the Web
An anonymous reader writes "Highly sensitive financial information, including credit card details, bank account numbers, telephone numbers, and even PINs are available to the highest bidder. The information being traded on the Web has been intercepted by a British company and collated into a single database for the first time. The Lucid Intelligence database contains the records of 40 million people worldwide, mostly Americans; four million are Britons. Security experts described the database as the largest of its kind in the world. The database is in the hands of Colin Holder, a retired senior Metropolitan police officer who served on the fraud squad. He has collected the information over the past four years. His sources include law enforcement from around the world, such as British police and the FBI, anti-phishing and hacking campaigners, and members of the public. Mr. Holder said he has invested £160,000 in the venture so far. He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."
He saved up?
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
I'll take one. I've been meaning to get a life.
http://alternatives.rzero.com/
Hello. My name is Mr. Burns. I believe you have some info for me.
Ok Mr. Burns, what's your first name?
I... don't know....
I am the richest astronaut ever to win the superbowl.
"He plans to offset the cost by charging members of the public for access to his database to check whether their data security has been breached."
How, exactly, does this differ from extortion?
http://alternatives.rzero.com/
So in order to find out if your personal information has been breached, you have to disclose said information AND pay a fee. Seems a little fishy to me. Isn't that how a lot of identity-theft scams operate in the first place? "Hey, your identity is at risk. Send us money and details and we'll check to see if you're a victim or not.........and.....YES...you are now a victim! Thank you for using Thieves-R-Us!"
"So after all this, you make my case for me. To end this stalemate, you must die..."
for a hacker to have that information on their computer. So how is it legal for a company to keep all of that information? Not to mention that making the company publicly known will make it a huge target for hackers, as now every single person knows that if they get in there are 40 million identities they can have.
Seems to me that legally it should be shut down and every single person in the database be informed that their identity has been stolen. . . twice, it would seem.
I for one welcome our new retired senior Metropolitan police officer overlord.
"Here's my credit card number. So is my info in the database?"
"My database shows that your name and credit card have been compromised by scammers. I'm so sorry. For a small fee, we can secure your information for you..."
Chemists do it with moles.
... can I then sue him for illegally possessing my sensitive data?
sig has been sent away for a few small repairs...
The scary part I think is that he amassed this data for roughly 1/10 of a cent per person in there. Good thing the bad guys aren't doing this. Oh wait....
I have put together a database of upskirt photos collected from the internet. For a small fee you can peruse my collection and find out if you were a victim.
He almost certainly obtained his information legally, but some or most of it came with strings attached, including prohibitions on any non-official or personal use.
I predict any attempt to monetize this by a private individual will be shot down fast.
It's one thing for a government to provide this service on a cost-recovery basis, under heavy regulation.
It's quite another for someone to collect this data under "official" or "can I have it as a favor" pretenses or even buy it on the "open market" but use the fact that you are in government to make people think you won't abuse it then turn around and sell the same information. Even if he's doing it on a cost-recovery basis, I don't see any regulation and it just looks bad.
What he should do:
Sort the data by country of residence or nationality, then give the data to those countries' governments or simply destroy it. If he asks nicely for donations and is clearly being good about the way he handles this, he might get enough to cover his costs.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
My name? It's Bill Gates. Oh, no, it's Warren Buffett .... Barack Obama.......
The real "Libtards" are the Libertarians!
This is also good for those of us who have forgotten our pin number and social security numbers and are too lazy to sort it all out at the bank. Not that we have any money left in said bank accounts...
I have put together a database of upskirt photos collected from the internet. For a small fee and a reference upskirt picture you can peruse my collection and find out if you were a victim.
fixed that for you
Please, tell us how you really feel.
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
It's far more brilliant.
You must give him some information about yourself to determine if you're in the database, non? Information that includes your credit card numbers, perhaps. Where do you think that data goes, I wonder.
Can you be Even More Awesome?!
His sources include law enforcement from around the world, such as British police and the FBI, anti-phishing and hacking campaigners and members of the public.
Why are the British police and the FBI providing information to someone not directly involved in one of their cases? If this guy/company is involved in the case as a contractor, why is he being allowed to double dip with sensitive case information? This definitely seems like an ethics or control-of-evidence violation has been perpetrated.
open source sub sim. I might start coding again for this. http://dangerdeep.sourceforge.net/contribute/
Well then, I'd like it *back* please. I wasn't done using it yet. You can have it after I'm finished.
Please do not read this sig. Thank you.
1. Use law enforcement means to collect (steal) personal data without a warrant.
2. Store in a central location known only to a single group.
3. Charge to verify stolen data has not been stolen by another person.
4. What a scam. O wait, I never gave my OK to sell my! data, without my! permission to collect my data..
... he'd notify the relative banks and get them to issue new cards to the card holders and then cancel the old account numbers.
Or isn't that something a police officer would not do?
Aren't the police supposed to help protect the public?
Well I'll be, it's Scotland Yard and a squad of SAS coming for tea and biscuits! What? They say they're not visiting for tea and biscuits?
If so, get this list to American companies QUICK! They claim to have to import H1-B workers just to fill jobs.
Let's be fair, he's in possession of stolen property, and although he has turned himself in to the authorities, the law applies to all criminals, no matter how they draw a pension. Perhaps the blokes that raid private events based on Facebook tags should try the SWAT team or bomb squad and put a stop to extortion and misuse of public authority. It's looking like a gang-related organized crime syndicate, or perhaps it's all a coincidence or just an invitation for the blue hats to hack his target-rich database. Good thing he's armed with a mace and a night stick. That way he can defend the 40 million people who he feels each owe him .000567 in order to recoup expenses for obtaining stolen IDs.
Hugh Hefner?
Tar and feather him, in public.
Beat him senseless, in public.
Then slit his throat, in public.
If someone else decides to do it afterwards, do the same thing to the next guy. It won't take too many public torturings followed by public executions to make the point.
Is this over the top? Maybe. We've definitely gone too soft on people for pulling this sort of shit.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
My name? It's ... Barack Obama.......
And what is your date and place of birth?
= = = =
(Moderators: Google "Barack Obama citizenship conspiracy theories".)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Go to Google (or Yahoo or Bing) and type in your full social security number. Hit ENTER. If you find your number online, you're a victim of identity theft! If you don't find your number online...just wait a few days as you just sent it clear-text for the whole world to see. Yeeeeehah!
mu
I'm interested in hearing people's thoughts on the morality of this sale. Sales like these are completely non-unique, with one prominent example being the credit score business in the United States. As far as I know, Americans are only entitled to know their credit score for free twice a year, and no more. Additionally, lenders don't provide any fair warning that a person's credit score is at risk; in fact, younger credit card owners are encouraged to use their credit cards as primary spending sources with sign-up incentives and looser overall operating conditions.
Personally, I think that it's completely immoral to charge people for knowing whether their most treasured assets are at risk. Just don't let CNN know about it; I really don't want to deal with a full work day of them discussing privacy breaches, credit card fraud and how this all impacts Obama and Michael Jackson. (He's still dead.)
... have a database which, for a small fee, I will be happy to verify that your records are not contained therein.
I think we've just discovered the "4) ?????" step.
Have gnu, will travel.
Either way, this guy is a candidate for a walk to the creek with Pat Buchanan.
If you mod me down, I shall become more powerful than you could possibly imagine.
Just check if you are on the list and then either way dispute the charge with your credit card company. Let them deal with him, should be interesting.
My name is Inigo Montoya.
You have my data.
Prepare to die!
Charge with possession with the intent to distribute. I see no difference if he were in possession of 100 kilos of cocaine. What's to stop him from selling people's information on this list to the highest bidder? Who's going to police the policeman? HIS morals are already in question based on his actions here.
And if he used his own money to invest in this bullshit scheme, tough shit. He should have known better.
Trouble is, unless it's a crime in the UK to possess that information (it's not one in the United States and at least most countries), charging him with possession with intent to distribute wouldn't stick; distribution of that information is likewise not a crime in the United States or most countries, so that wouldn't stick either. As for intent, well, it has to be proven, is difficult to prove, and the burden of that proof is on the prosecution.
There are a great many companies that have a great deal of PII on a lot of people, and they sell and trade it all the time? Legal? Yes. Should it be? Well, that's another question entirely.
Unless he uses that information to commit a crime, he's not doing anything illegal by having it, nor is he doing anything illegal by charging you a fee for telling you if he has info on you or not, and if so, what he has.
Simply ridiculous. I wonder what his fee will be, what, $400? I swear if it's above maybe $100, he's a total asshole. People won't even find this story and he'll get maybe 100 checking, only paying to find out they haven't been breached. Plus, to those who get their identities stolen they need to get better home computer security. Seriously how the hell are you getting this information stolen? Get a good virus/security program and learn common internet sense. Ugh, what the hell. I've had a computer since I was 12, when I started buying stuff online and using my real information I had great security and knew what to do and what not to do. This just pisses me off. In almost 4 years entering personal information/credit cards/bank involvement I haven't had any issues. Makes you wonder.
I realize this is going by the wayside and all that, but doesn't anyone in the UK police service get ethics training anymore? Let alone have some type of psych eval when they join like they do in Canada? Some serious ethical questions that should be raised not only by his service, but also by the crown.
Regardless of whether or not he retired from being a police officer or not, there's some things that don't go away when you retire. He's crossed a line, whether he realizes it yet or not. Then again, this being the UK, maybe I shouldn't be surprised, if this is commonplace for retired officers to pull stuff like this, it could be an example of how deep the rot actually goes in their entire system.
Om, nomnomnom...
I know there are no privacy laws in Britain
Erm... Yes, there are.
If this is what it appears to be, it's a fairly obvious breach of the Data Protection Acts. Indeed, from the TFA:
The Information Commissioner, the data protection watchdog, is monitoring the development of the database. [...] The legality of the database could be put to the test in the coming week. The Information Commissioner's Office said it could not endorse a commercial service or make a ruling on its validity unless someone made a complaint. But the privacy watchdog said it had "provided advice to help the company comply with the principles of the Data Protection Act".
I rather suspect that this advice may have been "Stop. Now." :-)
The database might also fall foul of European human rights legislation that explicitly covers privacy.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Mr. Holder (interesting name) better get himself a lawyer, because if he has my info, I am going to hire one to get it purged from his db. It does not matter if he thinks there is some "greater good" to having it. It's my info; he shouldn't have it. What if someone steals his precious DB? He's basically hung a shingle that says "hack me" at this point.
Computer Science is all about trying to find the right wrench to bang in the right screw. -T.Cumbo?
till someone else steals your information, submits that information for a search on the DB, then you watch the repo men come take all your stuff?
What a terrible, illegal, stupid idea this is. Cheers, Britain, for leading the way in eroding freedom and privacy in the new age!
Trouble is, unless it's a crime in the UK to possess that information (it's not one in the United States and at least most countries), charging him with possession with intent to distribute wouldn't stick; distribution of that information is likewise not a crime in the United States or most countries, so that wouldn't stick either. As for intent, well, it has to be proven, is difficult to prove, and the burden of that proof is on the prosecution.
There are a great many companies that have a great deal of PII on a lot of people, and they sell and trade it all the time? Legal? Yes. Should it be? Well, that's another question entirely.
Unless he uses that information to commit a crime, he's not doing anything illegal by having it, nor is he doing anything illegal by charging you a fee for telling you if he has info on you or not, and if so, what he has.
This database also happens to include information on doctors, lawyers, and policeman, which (much like the US) is probably not supposed to be in the public domain for Security reasons. I'd say that a possession charge should legally still stick.
Just because he obtained a copy of data obtained illegally (phishing) from the Internet doesn't make it any more legal than me downloading a copy of a recording artist's MP3 song. Gathering stolen data "free" from the Internet is akin to calling laundered drug money "clean".
On top of all that, how long before you think HIS database gets hacked? Talk about painting a hacker target on your head by letting the world know what your database contains.
So humor me, if my name is on that list, and I didn't authorize the dissemination of said information (adding further that it was most likely obtained in a manner which violates a law or two, i.e. stolen). Wouldn't that put Mr. Holder in possession of stolen property?
Thanks for me! I'm all for sale babyyy!
Information wants to be free, right? And these are simply facts. You can't own a fact. There's no way you can exist in this world without someone knowing something about you.
GET OVER IT.
I don't understand how this isn't very, very illegal. The former officer is in possession of stolen property, he knows that it's stolen property, and he's trying to get people to pay for access to it. That seems like a crime to me.
"I say we take off and nuke the entire site from orbit. It's the only way to be sure."
upskirt of a slashdotter...?
God's gift to chicks
That everyone here thought this wasn't happening at all, or that this is 40,000,000 names, etc in one place?
Surely the bot-lists maintained by Wikipedia weren't my imagination...
--- For a good time mail uce@ftc.gov
Wish I would have A) drunk less so I could post more intellegiently (see spelling mistake and parenthesis within parenthesis) and B) gotten here sooner to let y'all know what's up. I would estimate, by no known statistics and only by experienced guesses, that most transactions of this sort happen in IRC, private IRC channels to be precise. In the underground world it's relatively easy to get credentials, but hard to "cash out" as they would say. So what really happens is that you sell stuff for pennies on the dollar (I've seen Visa black cards advertised for $150!) to someone who has the means to actually turn that into cash (read: mob/gangsters/stupid kids) who use all kinds of methods, but the amateur focuses on things like e-gold etc. Forums are notorious in the underground for being easy to penetrate by law enforcement and easily recorded, whereas IRC can be encrypted and you can generally vet who you are talking to with many others. Plus they can only find your channels and stuff if they know them; if they don't know the channel they can't find it. Anyway, just a small, slightly inaccurate, summarized glimpse into the world of identity theft.
"It's ok, I'm completely secure as long as my iron is off"
Time to change your PIN. What a moron?? He thinks people will actually pay him?
Someone sue the bastard.
I don't think even a police officer can get away with that for very long.
It's not too clear, but I would imagine that he would only check the database to see whether you've been compromised, not to get info from the database. I can imagine that you might, for example, fill in as much or as little of an info form as you want, and check if there's a match. E.g. "Q: is there a James Smith, born March 1979 (no month specified), with social insurance number ending in 378?" "A: Yes, there is a match. We have First Middle Last, birth year/month/day, full social insurance number, and two credit cards ending in 34 and 78." Then you know what you have to cancel.
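The lookup described in the comment above, as an added example that is not part of the original post and not Lucid Intelligence's code: an enquirer supplies partial identifiers (name, birth year, optional birth month, last digits of a social insurance number), the service matches only on the fields supplied, and the answer lists which fields are held plus the last two digits of any cards, never the stored values themselves. The record layout, the matching rules, the minimum-fields check and all sample records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class BreachRecord:
    """One row of a constructed stolen-data set (an assumed layout, not the
    real database). Fields missing from the dump are None."""
    first: str
    middle: Optional[str]
    last: str
    dob: Optional[str]        # "YYYY-MM-DD"
    sin: Optional[str]        # social insurance number, digits only
    cards: tuple = ()         # card numbers, digits only

# Constructed sample records; every value below is made up.
SAMPLE_DB = (
    BreachRecord("James", "Robert", "Smith", "1979-03-14", "123456378",
                 ("4111111111111134", "5500000000000078")),
    BreachRecord("James", None, "Smith", "1984-11-02", "999999378", ()),
    BreachRecord("Jane", None, "Doe", None, "555555555", ("4000000000000002",)),
)

def _year_month(dob):
    """Split "YYYY-MM-DD" into (year, month); (None, None) when unknown."""
    if dob is None:
        return None, None
    year, month, _ = dob.split("-")
    return int(year), int(month)

def matches(record, query):
    """True when every field the enquirer supplied agrees with the record.
    Omitted query keys are not checked, so a vaguer query matches more rows."""
    if record.first.lower() != query["first"].lower():
        return False
    if record.last.lower() != query["last"].lower():
        return False
    year, month = _year_month(record.dob)
    if "birth_year" in query and year != query["birth_year"]:
        return False
    if "birth_month" in query and month != query["birth_month"]:
        return False
    if "sin_suffix" in query:
        if record.sin is None or not record.sin.endswith(query["sin_suffix"]):
            return False
    return True

def report(record):
    """Say what is held about a matched person without echoing the values.
    Card endings are the only digits returned, so the enquirer can tell
    which cards to cancel."""
    held = ["first name", "last name"]
    if record.middle:
        held.append("middle name")
    if record.dob:
        held.append("date of birth")
    if record.sin:
        held.append("social insurance number")
    return {"fields_held": held, "card_endings": [c[-2:] for c in record.cards]}

def lookup(db, query):
    """Answer a partial-information query with one masked report per match.
    A name alone is refused (assumed policy): it would let anyone enumerate
    what the service holds on a person using only public information."""
    if "first" not in query or "last" not in query:
        raise ValueError("first and last name are required")
    if not ({"birth_year", "sin_suffix"} & query.keys()):
        raise ValueError("supply a birth year or a SIN suffix as well")
    return [report(r) for r in db if matches(r, query)]

if __name__ == "__main__":
    q = {"first": "James", "last": "Smith", "birth_year": 1979,
         "birth_month": 3, "sin_suffix": "378"}
    for r in lookup(SAMPLE_DB, q):
        print(r)
```

Because the service checks each supplied field against the record and answers only with field names and card endings, a matched enquirer learns what to cancel, while an enquirer who guesses wrong learns nothing beyond "no match"; the minimum-fields rule is there because a name-only query would otherwise turn the checker into a free people-search.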
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
I really hope this bloke does not have this database on a system connected to the Internet -- Especially a Windows machine !
Mr. Holder is a retired member of the police force. He is not a crook. He spent his own time and money gathering this information and building the database for his website. The sole purpose of his work is to help protect innocent people from falling victim to internet scams and identity theft. The majority of people that visit his site will learn if their identity has been compromised for FREE. Sure he has some active law enforcement contacts that have assisted him along the way, but the majority of people that have assisted him are volunteers with the same goal in mind. Don't be so quick to flame someone you know nothing about. How many of you here would invest your own money and time into any project, never mind something as important as this?
Biscuits? No no no: tea and cucumber sandwiches.
It sets a nasty precedent too if he is allowed to get away with it.
For all we know the £160k costs he has incurred could've gone straight to the fraudsters to buy the data in the first place, with the goal of reaping back the cash and more by his aforementioned business model of charging for it.
Depending on how much he charges it's a stupid business model anyway; you could just do a Data Protection Act request if you really wanted to, and the amount he can charge for that is capped quite low.
Under data protection act he has to provide the information for a maximum of £10 and refund anything above costs.
Isn't this stolen property he is exploiting ?
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Why is this interesting? The guy isn't selling the data itself. You pay your fee, and he tells you "yes, your SSN and CC # are out on the internets." If you were targeting a particular person, this might be a useful first step in determining whether to try buying some bulk lists, but it (the service, not the list) probably has little black hat application beyond that.
How does it differ from credit reference agencies like Experian telling me about my credit rating ? (and usually screwing up badly and then charging me to have to sort it out....)
Peddling stolen goods back to the public, so is this what retired cops do when they can no longer serve and protect the public? I thought possessing stolen goods and profiting from it is illegal, so how the hell does this former cop think it is OK for him?
Since there is not much info in TFA or the summary, here's some more.
Colin Holder was a Detective Sergeant with the Metropolitan Police for 33 years or so, and left in 2004. He now works in "security and investigations".
At some time he amassed "approximately 120 million personal records that have been phished/hacked and sold between criminals on the internet". Now he's offering a free summary of the information he has, and a £10 full listing, available once you verify your identity. £10 is also what you'd pay if you made a request under the Data Protection Act for the data he holds. Also, he's not storing the information you provide to do a lookup (which is name and either postal or email address) -- unless you buy the full version of a report, clearly. He also provides information on what he's doing, guidance on security, and an explanation of why, for instance, it's not necessarily helpful to victims for him to report the data loss to credit card companies.
More data on his site.
I think he's trying to offer a useful service, and does not intend this as a scam. It's even probably socially useful to be able to know if your data is "out there". But it's hard to see if it's legal under the Data Protection Act in the UK or equivalent legislation in any EU state - assuming the collection and processing of the data happened or happens in an EU jurisdiction.
The DPA requires data to be "fairly obtained" - there is lots of guidance on exactly what this means. He may try to argue that gathering such "freely (or criminally or commercially) available" data from the net, for the limited purpose of alerting the victims, is "fair". Good luck with that - I don't think there is any precedent for that, and the legal costs could exceed the £160K he's spent so far.
The DPA also limits how long the data can be held, and the uses to which it can be put -- it has to match the purposes for which it was gathered. It's an interesting question when this legal "collection" happened - whether it was the original collection from the victims (in some cases legally), any intermediate hacking (unlikely), or Mr Holder's scraping-up exercise (in which case, how could there be consent to his "purposes"?).
One issue this highlights is that, if you ever allow an EU company to share your data, or ever give data to a non-EU company, there are no limits on what they can do with it. Your data is now an asset of the company, and they can change their T&C retroactively to allow whatever use they like. So can anyone who purchases the information, or who obtains it when the "owners" go bust.
You can see why it might be useful to know if your data is "out there", and even whether it is limited to commercial organisations, or crime / hacker networks.
Maybe a change in the law to allow that might be good -- on a carefully regulated basis, so the data is not just another tradeable asset!
IANAL, WMMV, yadda, yadda...
Paul "Say no to feeping creaturism"
This guy knows how to find compromised credit cards. He should be going to credit companies and working with them to install technology to disable these cards and inform their users. It would be more useful in the end. Unfortunately, I think this guy wants to make money and did some simple math. He has 40 million names. Say only 5% of the people on the list buy into the search and double this for people that buy and are not on the list (huge assumptions). Even if he charged them a dollar he would make 4 million dollars. This guy has knowledge and is going for a cash grab. He is definitely scum.
Have you seen the economy lately. What good is identity theft. If I can't get credit with my own identity, how is some Chinese Hacker gonna use it to get credit.
It seems to me that this service will be a very pretty target for hats of various sorts:
A requirement for the person to be contacted before personal information changes hands.
This is one of those statements that everyone would agree on in principle, then in practice becomes a nightmarish mess. Let's go through some of scenarios in which information "changes hands."
A doctor generates some personal information about you. He then dictates this info into a microphone. Does the information "change hands" when it is transcribed by automated software into electronic form? What if the machine on which it is done is owned not by the doctor, but by a vendor? And if a subcontractor getting it is indeed "changing hands," then what if half of the IT department are actually subcontractors and not employees? If one of them works on a queue on a server where your info might live, has it "changed hands?" And what if the subcontractor who runs the box has a subcontractor with the maintenance contract who might come across your info as he tries to fix something? How many times has the info "changed hands?"
I can easily see a situation where the doctor gets some info, then within 24 hours, 50 forms have to be filled out to get the info through the 50 entities who have some control over some part of the normal process to deliver care.
Wherever you draw the line, the policy will be too lax to prevent fraud and too cumbersome to actually work in the real world.
But it sounds good. And I guess that's all a politician has to worry about.
Let's say you take a photograph of a class of graduating seniors. Being in possession of this photo is technically against the law in New York. That's because having images of more than 250 people's irises is illegal! And even if there's only 249 people in the picture, if you own any other photo of a person's face, then off to jail!
I can see it now: "Okay everyone, say cheese and CLOSE YOUR EYES!"
and my database also holds information about whether you will die tomorrow, whether or not your children will be good-looking and if you should buy a house now or wait.
Please, send me money and I'll tell you if you're in the database.
Step One: Collect Underpants
Step Two: Sell knowledge of underpants to owner for nominal fee
Step Three: Profit
There is a link to the story - read it! This guy spent a lot of his own money to help make this available and you only are asked for 10 pounds IF you are in the database for additional info to help them cover their costs.