Slashdot Mirror

← Back to Stories (view on slashdot.org)

Glut In Stolen Identities Forces Price Cut

Posted by samzenpus on from the cheaper-by-the-dozen dept.

CowboyRobot writes "The price of a stolen identity has dropped as much as 37 percent in the cybercrime underground: to $25 for a U.S. identity, and $40 for an overseas identity. For $300 or less, you can acquire credentials for a bank account with a balance of $70,000 to $150,000, and $400 is all it takes to get a rival or targeted business knocked offline with a distributed denial-of-service (DDoS)-for-hire attack. Meanwhile, ID theft and bank account credentials are getting cheaper because there is just so much inventory (a.k.a. stolen personal information) out there. Bots are cheap, too: 1,000 bots go for $20, and 15,000, for $250."

38 of 152 comments (clear)

  1. Change your passwords ASAP! by DigiShaman · · Score: 5, Informative

    Seriously! If you even suspect that the machine you're working from has ben compromised by malware, CHANGE YOUR PASSWORD to the accounts you've used via a known clean computer. Then proceed to nuke the drive from orbit and reload the OS and apps. Botnets are known sources of dropping key loggers and harvesting user data to a central database.

    --
    Life is not for the lazy.
    1. Re:Change your passwords ASAP! by sycodon · · Score: 4, Funny

      We need a bounty on cyber criminals. How about $25 per ear?

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    2. Re:Change your passwords ASAP! by Anonymous Coward · · Score: 3, Insightful

      I guess that leaves Linux, Windows, and OS X out.

    3. Re:Change your passwords ASAP! by swillden · · Score: 2

      Your suggestion that we punish a non-violent crime with body mutilation seems contrary to your signature. Not arguing either point, they just seem dissonant to me. Perhaps you can introduce me to new information that will resolve the two.

      There is a simple but deep philosophical perspective shift you need to make to resolve the apparent dichotomy between the statements. Put simply, you need to realize he was joking. I'll leave it as an exercise for you to determine which of the statements was a joke, or if perhaps both were.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:Change your passwords ASAP! by LoRdTAW · · Score: 2

      Not to be a pedant but:
      Sure did. Still have my R4 cd. Starting with R5, the personal edition or PE of BeOS was a free download with only a developer edition available on CD.

    5. Re:Change your passwords ASAP! by ifiwereasculptor · · Score: 4, Informative

      I don't know how it is in the US, but here banks seem to deeply dislike OSs not retardedly easy to compromise. I have accounts in two banks. One of them started working in Linux only about four years ago, the other only did so last year. They both regularly splurt errors because of openJDK incompatibility - they want Sun's Java. And one of them hilariously has its https certification broken for almost a year now. Airlines are even funnier. At least one of them still only works on IE.

    6. Re:Change your passwords ASAP! by dotancohen · · Score: 2

      Then change banks, and tell them why.

      I called Bank Leumi monthly for years about Firefox-on-Linux compatibility and they always told me that "it is in the works". I finally left the bank for another bank (Poalim) after sitting with the new bank's manager in his office with my Fedora laptop (~2009) checking that their site works on my system. When it did, I changed banks and wrote letters about why to both banks' presidents.

      --
      It is dangerous to be right when the government is wrong.
    7. Re:Change your passwords ASAP! by PopeRatzo · · Score: 2

      I still have BeOS floppy disks. I bring them out on occasion to show people who don't believe me.

      --
      You are welcome on my lawn.
    8. Re:Change your passwords ASAP! by ahabswhale · · Score: 2

      Amiga OS ftw!

      --
      Are agnostics skeptical of unicorns too?
  2. those numbers seem unsustainable by ffflala · · Score: 2

    Purchasing $150,000 for $400 (vary currency as necessary) would seem to be a loophole that would quickly undermine the world economy. Perhaps "price" of a stolen identity isn't a proper measure of "value".

    1. Re:those numbers seem unsustainable by ATMAvatar · · Score: 4, Interesting

      Exactly. You aren't going to successfully withdraw all $150k in one go. Withdraw $100 once or twice a week, and there's a decent chance the owner may not notice for some time.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    2. Re:those numbers seem unsustainable by artor3 · · Score: 5, Insightful

      I think it goes without saying that when someone sells a $150k bank account for $400, it's because they know they can't withdraw more than $400 without getting caught.

    3. Re:those numbers seem unsustainable by sjames · · Score: 3, Insightful

      Criminal activity often involves taking a great deal of value from the victim and converting it to a much more modest value for yourself.

      In economic terms, the difference represents the risk taken. The guy who grabs the ID info sees little risk in that, but there is considerably more risk in actually using the info, so it sells at a steep discount.

      This sort of thing actually is undermining the banking system. How long will it be before a transaction is as likely to be fraudulent as not?

    4. Re:those numbers seem unsustainable by AK+Marc · · Score: 2

      That, and how can we verify this? Where are the links to the online marketplaces?

      --
      Learn to love Alaska
    5. Re:those numbers seem unsustainable by MaskedSlacker · · Score: 3, Insightful

      Moving $60k online doesn't do you any good. You move it from their bank account to...what? Another stolen account that you can't withdraw from? Or one that has your address? Or one with a stolen SS#, but that has you on security cam footage? You move that kind of money out and you are going to be caught.

    6. Re:those numbers seem unsustainable by Sique · · Score: 3, Informative
      That's where the real valuable asset comes in: the money mule.

      Money mules are people tricked into agreeing to whitewash the stolen money by accepting the money withdrawn from the stolen account and then transferring it via wire transfer to the plunderer.

      When the original owner of the account sees the transfer, he will call the bank and reverse it. At this time, the money mule will already have withdrawn the money from their account and transferred it. This leaves the money mule with the debt incurred, because they now lose the money from the stolen account, and are thus effectively paying the plunderer from their own money.

      This puts the value of a stolen account to about the amount of money the money mule will be able to cough up until their own bank takes action.

      --
      .sig: Sique *sigh*
    7. Re:those numbers seem unsustainable by AmiMoJo · · Score: 5, Informative

      Usually the plan is not to withdraw money from the account directly. Too easy to get caught, owner of the account usually notices pretty quickly. Instead the account is used to open other accounts or take out loans which are then defaulted on.

      This is pretty common in the UK. We have these shitty pay-day loan companies that charge 5000% interest and do only the most basic checks before handing over the cash. People give them someone else's name and bank account, so the first thing the victim knows about it is when Wonga starts taking internet payments by Direct Debit.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:those numbers seem unsustainable by hodet · · Score: 2

      Or maybe the $150,000 is not the real prize. If you can access an account with that much money in it you can use it as part of your new "identity" to leverage even further into another account. The person whose identity has been stolen would be none the wiser and the thief could make off with 10 times that amount. If you try and access any of that 150k the bank would shut it down immediately after you pulled out the first $500. If a different bank really thought you were the owner of the account you can take your sweet time, maybe even make a couple of payments back to the bank to drag out the process.

    9. Re:those numbers seem unsustainable by Jason+Levine · · Score: 4, Informative

      Exactly this. When my identity was stolen, the thieves didn't use it to find and break into my bank account. Instead, they opened a credit card in my name (with my address, SSN, and DOB, but NOT with the correct Mother's Maiden name - red flag #1). The only reason they didn't get away with it was that they 1) paid for rush shipment of the credit card and 2) then immediately changed the address (red flag #2). So the card got shipped out quickly to my address and THEN the address was changed. The card arrived at my doorstep instead of theirs. Of course, that didn't stop them as they tried to get a $5,000 cash advance before even activating the card (red flag #3).

      And the credit card company's response to me? "Are you sure your wife didn't open the card in your name without telling you? No? Well, we can't give you any information on the account because if you go and kill them then we're liable." They stonewalled me and when I got the police involved, they directed them to a number that was never answered. To them, they just closed the account and the problem was solved. Actually helping to catch the people who did this would involve effort that they weren't willing to put in. That's why Capital One credit card's are not and will never be "what's in my wallet."

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  3. Get rid of spam? by SB9876 · · Score: 5, Funny

    So, if I'm to follow the reasoning of this article, if we all use weak passwords , the market gets flooded and they all go out of buisness?
    SWEET
    password:password, here I come!

  4. I want to cut out the middle man by the_Bionic_lemming · · Score: 5, Funny

    I'd like to cut out the middle man and sell my Identity.

    40 bucks buys a few cases of beer - just sayin...

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  5. Re:Capital Crime by sjames · · Score: 5, Insightful

    'Identity theft' should be recognized for what it really is, bank fraud.

    First the crooks defraud the banks by performing transactions in someone else's name. This is aided by the banks insistence on not implementing secure authentication.

    Then the banks defraud you by insisting that you are responsible for the transactions in spite of not having a single shred of evidence that you made them.

    The credit agencies compound it by repeating the bank's financial gossip with a wanton disregard for the truth.

    The 'justice system' then aids and abets by not telling the banks to pound sand and by not convicting the credit agencies for libel./p.

  6. Re:Hurry up and sign up for ObamaCare by AK+Marc · · Score: 2

    Too late, I have had private insurance for years.

    --
    Learn to love Alaska
  7. Take Mine For Free by Anonymous Coward · · Score: 5, Funny

    Here, take my identity, please!

    You get to assume a recent bankruptcy, a child support obligation, a spotty employment record, a sub-500 credit score, three maxed-out credit cards, a beater car, and a psychotic ex-wife.

    Clean arrest record and a good tech education, though. Maybe you could apply to a NSA contractor.

    1. Re:Take Mine For Free by Jason+Levine · · Score: 5, Interesting

      Clean arrest record and a good tech education, though

      Sadly, there's more than just financial identity theft. There's criminal identity theft also. Here's how it works:

      1) Criminal arrested for some crime.
      2) Criminal gives your name/SSN/DOB/etc to the police.
      3) Arrest goes onto your criminal record and not the real criminal's record.

      Now you go for a job interview and your potential employer runs a background check. Suddenly, they find out that you've committed felonies across three states and were arrested nine times. You don't get that job offer - or any other one. Plus, if the local police stop you for any reason, they'll find out you're a "felon" and will treat you as such. No matter how many times you try to clear this up, if even one database still links you to the crimes, it will flow back over and start again.

      At one point, I was following the blog of someone who had this happen to him. He couldn't find a job, was being harassed by police, and nobody would help him. All this.despite the fact that the photo of "him" at the arrest was clearly not really him. People just trusted what was "in the system" even if the system seemed wrong. Last I heard, after years of struggling, he had finally gotten some people to listen and begin the process of clearing his record.

      It's insane that one criminal with a stolen identity could ruin someone's life like this but it does happen.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  8. Re:Capital Crime by sjames · · Score: 2

    The 'victim' or 'identity theft' certainly isn't the culprit. The banks COULD take a photo of the person when they sign up and issue them a smart card with a unique key pair. They could check to see if you answer the home phone and give them an agreed upon code word to verify that you really live there. They could insist on mailing the smart card to your current address (but not activate it until you call them with the a code word and read off a unique serial number).

    The point is that it's on them, to verify the identity of people they hand out money to. They are the only ones with any ability to control the process. I cannot even know if a fraudster talks to a bank I have never heard of, much less control the outcome. They have no right to make their problem into my problem. If they don't want to do any of those things, that's fine too as long as they are willing to eat the losses.

    Unless there's a law requiring the banks to accept a gas bill or a poor quality photo ID, it's still on them because it's their policy that is causing them trouble.

  9. Card Theft by nuckfuts · · Score: 3, Funny

    Reminds me of the time my brother had his wallet stolen. When I asked him if he cancelled his credit card, he said "Hell no! The thieves are spending less than my wife usually does".

  10. No NSA joke? by Sockatume · · Score: 3, Insightful

    It's time to get the government out of the identity theft business, as it is clearly wildly distorting the market.

    --
    No kidding!!! What do you say at this point?
  11. Re:Hurry up and sign up for ObamaCare by Anonymous Coward · · Score: 4, Funny

    Don't you know private industry is the epitome of security and efficiency? That's why the private sector is never plagued by budget overruns or mismanagement.

    Why do you hate America, you filthy communist?

  12. Re:Capital Crime by aheath · · Score: 2

    There is no requirement to carry identity cards in the UK or the US. Ration cards were used as a national identity card during the second world war. My grandfather committed an act of civil disobedience when he was stopped for speeding after the war. He refused to show his ration card because the war was over. His act of civil disobedience was debated in parliament and is one of the reasons why there are no national identity cards in the UK. British Identity Cards: Arguments For and Against their Retention and Use 1945-1952 Doesn't mention my grandfather but does provide a good overview of the postwar debate about national identity cards.

  13. Re:Capital Crime by Joining+Yet+Again · · Score: 5, Insightful

    Calling for something to be a capital crime should be a capital crime.

    O shi-

  14. Re:Wait... by benjfowler · · Score: 3, Interesting

    It's interesting for what it implies:

    Stealing personal data is easy and cheap. Cashing out certainly isn't, and is where banks' "defence in depth" security strategy pays off.

  15. Need To Flood Market With Fake Identities by retroworks · · Score: 5, Interesting

    It should be easy enough for someone here to harvest phonebook or other records from 70 years ago, refresh and randomize birth dates, and begin to flood the identity theft market with fake personalities and random government identity records. That would greatly increase the amount of work for identity thieves, who actually benefit from passwords (which provide evidence it's bonafide identity they are stealing). For years I've promoted "camouflage" rather than invisibility. I now think the reason it has not taken off (disappearance of AntiPhorm?) is that it's equally a threat to Google, Bing, and advertising-based search engines. We can be less careful of our "identity needles" if we construct bigger "digital haystacks".

    See article on digital haystacks and cookie camouflage http://retroworks.blogspot.com/2010/09/simpler-ideas-cookie-camouflage-digital.html

    Oh, by the way, I'm not really Retroworks. I find I get higher mods if I steal a /. identity rather than to submit AC

    --
    Gently reply
    1. Re:Need To Flood Market With Fake Identities by AthanasiusKircher · · Score: 2

      It should be easy enough for someone here to harvest phonebook or other records from 70 years ago, refresh and randomize birth dates, and begin to flood the identity theft market with fake personalities and random government identity records.

      I get what you're saying here, and perhaps it could have some benefits.

      For years I've promoted "camouflage" rather than invisibility. I now think the reason it has not taken off (disappearance of AntiPhorm?) is that it's equally a threat to Google, Bing, and advertising-based search engines. We can be less careful of our "identity needles" if we construct bigger "digital haystacks".

      See article on digital haystacks and cookie camouflage http://retroworks.blogspot.com/2010/09/simpler-ideas-cookie-camouflage-digital.html

      I'm less clear about how your proposed ideas work in practice when I read your link.

      I understand how it might serve to hide and distort data about your searching and browsing habits if your computer randomly searched and browsed for other things in the background. But it has some pitfalls.

      For one, I would never consider using such a system unless it had definitely solved the "child porn problem." What happens if your computer goes surfing on some "bad" sites in the background, and naughty stuff ends up on your computer? I'd really love to hear try to defend yourself when law enforcement comes knocking -- "But it wasn't me! My computer was surfing for kiddie porn!"

      And while that may be the worst problem, there are other places on the internet that could potentially get you in trouble if you frequent them too much. That's always the problem with the "if everyone has drunken photos on Facebook, nobody will care" arguments. Yes, maybe that will eventually be true in few decades, but for now, people who want to use such things against you won't care about what other people do. Someone who wants to "get you" or maybe just find a way to throw you out of the resume pile for job applications will only care about the bad stuff that they can find. Whether it's representative of you or not, it won't matter. It's just like cops and the thousands of random laws on the books -- chances are that you're committing some breach of the law right now in some obscure statute. Having too many laws doesn't obscure those: it makes them all the more problematic because any one of them might be held against you at some point. Similarly, if your data is "camoflaged" well enough on your hard drive, law enforcement will probably claim that any of that mess might belong to you... including any weird, naughty, or potentially illegal places your "computer" may have decided to visit randomly.

      Now, I suppose you might say that you have some sort of "key file" somewhere that shows your legitimate personal search history. First, I think that you'd be hard-pressed to explain that to law enforcement, but even if you could, it introduces a significant vulnerability in your system. Anyone with access to that file knows your real search history, making your system useless. You might as well just use an encrypted drive or directory for your searches, with that sort of failure point.

      Finally, your solution sounds possible if you just want to keep companies from tracking random browsing habits, but I'm not really sure what that has to do with avoiding identity theft. It's not like your computer will randomly log into fake bank accounts in the background or something. If someone's going to steal personal data that's critical to identity theft, they're going to be looking for your access to particular sorts of sites (banks, retailers, etc.), and you won't have "fake access" to those sites to disguise your real transactions.

      So how exactly do you "camouflage" any of your legitimate significant financial transactions: the ones that any ID theft person might actually b

  16. Re:Wait... by ifiwereasculptor · · Score: 2

    "The price of a stolen identity has dropped [...] to $25 for a U.S identity [...]"

    Seems pretty clear.

  17. Re:Wait... by TheCarp · · Score: 2

    Ahhh but then, how many botnets could you get for 70k-150k?

    --
    "I opened my eyes, and everything went dark again"
  18. Re:Capital Crime by sjames · · Score: 3

    Why would I, I never had any dealings with John Doe at all. I am not the one demanding money, why should the burden of proof fall to me?

    It's the bank that had unfortunate dealings with Mr. Doe and rather carelessly handed him a wad of cash without knowing who he was.

    If they want any money from me, it's up to them to prove I owe it to them. And I don't mean a piece of paper with an illegible scrawl anyone could have made, I mean actual proof. A picture of me (that actually looks like me) holding the paper and smiling might help, but given the reputation of banks (they have, after all, a history of foreclosing on homes they don't hold a loan on and many other acts of fraud) and the existence of photoshop, it wouldn't constitute absolute proof.

    At one time, banks were quite careful to avoid even the tiniest hint of impropriety and deserved a reputation for honesty so strong that often enough their word was nearly proof in itself. That day is long gone and they have well and thoroughly squandered their reputation (along with a great deal of other people's money).

  19. Re:Capital Crime by sjames · · Score: 2

    It's not a matter of race, it's a matter of demographic. That is, adding just a bit more hassle for some demographic or another that tends to vote against your party. For example, if the elderly tend to vote against you, you insist that a presented ID be current. Easy enough (practically automatic) until you reach an age where you don't drive anymore.