October 10, 2011

Buying a car or making any other expensive purchase can be a hassle. And when it’s necessary to finance a purchase, there’s one more hurdle. If you want merchant financing, you’ll often be required to fill out a credit application or, at the least, to provide information like a credit card or your Social Security number.

Recent hacker break-ins at a half-dozen car dealerships nationwide are a reminder of just how easily one’s personal and financial information can be jeopardized by poor security at any of of tens of thousands of organizations that have access to that data.

Earlier this month, Farmington Hills, Mich. based RouteOne LLC sent a letter to more than 20,000 dealerships around the country, warning of probable malware infections at six dealerships that use its service. Formed in 2002, RouteOne is a joint venture by GMAC (now called Ally Financial), Ford Motor Credit, Toyota Financial Services, and DaimlerChrysler Financial Services. Dealerships use RouteOne’s credit application software and Web portal to run credit checks and process financing for car buyers. The service also allows authorized users to pull credit reports from the three major credit reporting bureaus.

In September 2011, RouteOne issued a “security bulletin,” to its affiliates, stating in part:

A letter from RouteOne to partner dealerships.

“Over the recent past, RouteOne has received information regarding a small number of dealerships (6) that have experienced compromises in their system security environments (including misappropriation and misuse of their RouteOne log on credentials likely as a result of their dealership computers being infected with spyware). RouteOne is in contact and working with affected dealerships in an attempt to help them address their security issues.”

The bulletin states further than RouteOne “takes these matters very seriously and therefore has been in contact with the FBI and the U.S. Secret Service. Ryan Holmes, the Secret Service agent assigned to the investigation of the attacks on RouteOne’s customers, said he could not release any information on an active investigation.

Mass data collection, and the resulting potential for cybertheft, is a relatively recent problem. Ten years ago, data aggregation points like RouteOne didn’t exist. RouteOne was created to speed credit and financing processes at dealerships, which previously had to navigate to and authenticate at multiple finance vendors, lenders and credit bureaus. Today, dealerships can access all this information with a username and password at RouteOne.net, or via a RouteOne iPhone app.

Dan Doman, vice president and general counsel for RouteOne, said the company became aware of the unauthorized activity after it was notified by the affected dealers.

“It’s important to note that RouteOne has not been breached in this instance, or ever in the past,” Doman said. “What we do when we learn of these matters is we try to get it out to our dealers as quickly as possible so they can take appropriate steps to fix it.”

ID theft services for sale.

Technically, RouteOne is correct. It did not have a data breach: Some of the customers who use their service did. But that distinction is irrelevant to thieves who prize such access, and to consumers who find their identities hijacked and themselves saddled with unexpected debts from fraudulent new lines of credit opened in their names. The criminal underground is full of services that allow miscreants to look up Social Security numbers, dates of birth, maiden names, and other sensitive information. It’s not clear where that data comes from, but the most likely sources are compromised accounts at businesses and organizations that have easy and frequent access to consumer data.

This blog post isn’t intended to single out RouteOne; that is just a recent example of a vast problem for individuals who must share personal data. The same kind of data aggregation exists in many other businesses and tens of thousands of organizations that routinely access sensitive consumer data, including medical, dental and real estate services. Thieves can access a gold mine of consumer data just by compromising PCs at any of these places.

Then comes the question of who’s responsible for alerting consumers who had their data breached in an attack like this? RouteOne’s Doman said the company is confident it has no obligation to disclose a breach.

RouteOne's iPhone app.

“We have not had a system breach, and therefore none of the triggers under the law that would require RouteOne to provide notice to individuals has been crossed,” Doman said.

Jeff Neuburger, a leader of the technology, media and communications group of law firm Proskauer Rose, said Doman is probably right, and that any duty to notify affected consumers would rest with the affected dealerships.

“There are 47 different state [data breach notification] laws on the topic, and each one is a little different, but most of the laws say that if you collect information from a consumer and that information gets compromised, you’re obligated to notify the consumer,” Neuburger said.”Unfortunately, this also puts companies in a position where they have to comply with 47 different state laws, no matter what state they’re in.”

Because personal information is required in so many situations, it’s almost impossible to avoid sharing it. As the RouteOne incident reveals, individuals aren’t always notified of data intrusions.

To protect yourself, you should check your credit reports frequently. Free credit reports are available once a year (and more frequently if you are a victim of identity theft) from each of the three major credit reporting bureaus at annualcreditreport.com. This central site allows you to request a free credit file disclosure once every 12 months from each of the nationwide consumer credit reporting companies: Equifax, Experian and TransUnion. (This site should not be confused with similar-sounding organizations that charge for essentially the same information).


20 thoughts on “Identity Theft More Profitable Than Car Theft

  1. Richard Steven Hack

    They haven’t had a system breach…yet. Now that news of this outfit’s existence and high value to hackers is out, every hacker in the world with an interest in high-value financial data will be hitting their firewalls by morning.

    And the firewalls of every dealership they can locate via a business directory. Especially the luxury car dealerships since that’s where the rich people with high credit limits shop.

    It’s what I’d do.

    1. Neej

      Whilst what you say may have a grain of reality in it (if I can murder a common saying like that, forgive me) it’s not as though RouteOne wasn’t widely known about or that other businesses carry out credit checks through a similar centralised repository including car dealerships.

      I imagine only those relatively new to this kind of criminal enterprise will find this to be news tbh.

    2. KFritz

      Do you have any financial connection to this or similar firms or to any auto dealerships? If so, readers have a right to know.

    3. Nick P

      Ah, your name pops up here after receiving the banhammer on Schneier’s blog? No surprise. Honestly, I wish I saw the exchange between you and the moderator. I’m sure you made it entertaining. (Something the mod is incapable of…) In any case, hard to say it is, I miss my arch-nemesis’ counterpoints on the blog. Made for some lively & informative discussions for all sides.

      Blog has dulled down again. Like I always said, it’s the community & commentators that surround a blog (esp that one) that can make it truly great. Unfortunately, I think the moderation of that blog has reduced its value in this regard.

  2. JCitizen

    Yes; and I’m sure the type and expense of the vehicle is not lost on the criminal in sizing up their victims.

    Good thing there are credit cards that report all attempts to apply for credit in the holder’s name. Reports should be set to go both snail mail and electronic alert.

    1. Jane

      That would be really great. Could you list a few such cards or tell us how you found them?

      1. KFritz

        Rather than ask this gentleman to shill, I’m going to make sure that my next credit card(s) have this feature by asking until I find it. Also going to ask current provider if it’s available.

      2. JCitizen

        Dear Jane:

        Several of them do it; a Google search for online secure credit card should do it. I was using Discover Card, but they are dropping the secure credit card numbers this month, so I may have to find a competitor – I hope!

        There should be several that are competitive in price to Life Lock – I don’t trust that organization. I thought I saw an add for one from Chase, but don’t quote me on that.

  3. Stephen

    Hello Brian,
    You have really good and informative blog. Thanks for that! I reading it almost from the first post. I also started to write blog about fraud, but more theory and informative in fraud overall. I was working last 10 years in anti-fraud unit and i’m sharing my knowledge with others.
    Check it out: What Is Fraud
    I’m not very good in programming etc.. so technically it is as it is, but the key is – content.

    1. Stephen

      Never mind, don’t check out my blog, it’s just spam.

  4. Nick P

    Brian, identity theft is certainly more profitable and has been for a long time. Many car thieves sell to chop shops that give them a small fraction of the price of the car. The risk is also high because you have to commit the theft in person & regularly interact face-to-face with very shady people, some of whom might be informants. In contrast, identity thieves started out just mailing fake ID’s and applications to banks to get cards. Modern hacking-related thefts require very little in-person or high risk activity, with digital aspects easily anonymized.

    Brought back a memory, though. In the 90’s and early 2000’s, identity theft was much easier & more profitable. In one case (forgot his name), the teenager used identity theft to get a bunch of credit cards & buy over $100,000 worth of stuff, including a house. The few victims who could have pressed charges decided not to go through the hassle because their liability was about $50. So, he never went to jail for it at the time of that book’s writing. Wish I could recall his name to see if he ever ended up being convicted.

    1. JCitizen

      I though I read that costs money – unless you want to file a false theft report?

      1. Moike

        True, depending on the state where you live, it costs money. But even the worst case is $10 X 3 credit bureaus = $30 one-time is a bargain compared to useless credit monitoring at $17 X 12 months = $204 per year. With credit monitoring, the crooks get credit granted, but you are only notified immediately and still have to go in afterwards to clean it up.

  5. LonerVamp

    Two observations/questions.

    First, I’m curious if these affected dealerships gave necessary notice? Did they even know they have to, or should, or the extent of the disclosure? This is a huge challenge to small orgs and doesn’t get any easier with “cloud” services they consume from various devices.

    Second, this falls into the same dilemma of banks: depending on the type of compromise, should malware on a client system open the floodgates of using access into the RouteOne portal? For instance, 2-factor auth that changes, limitations on volume, automation-defeating measures, etc. I’m not saying RouteOne needs anything more or that blame should be shifted back and forth between portal and client; just a discussion point, really.

  6. RR

    So if I steal BigDealer’s RouteOne userid and password and then use it from Russia, neither BigDealer nor RouteOne have any obligation to notify impacted users? RouteOne hasn’t been breached, and no user data was accessed from BigDealer’s location (they wouldn’t even know who to notify).

  7. Bruce Andrews

    What is truly amazing is that in this day and age, information like Social Security number and mother’s maiden name is considered “sensitive” information, and people are willing to use it as proof of identity. We need to think up a new foundation for the modern digital age. I understand that a few hundred years ago, you couldn’t open an account at a bank in England unless an existing customer brought you in and vouched for you. Certainly not scalable in today’s world, but we need some modern day equivalent.

  8. AlphaCentauri

    It wasn’t specifically discussed, but I’m guessing that part of the reason so many different car manufacturers are cooperating here (rather than just using the regular credit reporting services) is that they are using the information for more than just providing a loan for someone who has already decided to purchase a car.

    If I am a car dealer and check with RouteOne and find out a customer hasn’t shopped anywhere else, I might negotiate differently than if I learn he/she has several car dealers trying to make a sale. I might also check tire-kicking customers’ credit before they are close to buying, knowing they won’t be creeped out by my inquiry showing up on the credit history; only the RouteOne inquiry will show up whether one or a dozen car dealerships inquire.

    But the result is that no one would question dealerships making lots of credit inquiries on people who aren’t customers.

    Anybody know if dealerships are using it this way?

  9. Tommy Turtle

    @ Alpha Centauri:

    No one has a right to pull your credit report just because you’re test-driving or tire-kicking. Only signing the actual loan application, after you’ve decided to buy the car, allows that. You can sign an authorization for a dealer to pre-qualify you, so that they can quote an interest rate, but shouldn’t unless you’re pretty sure you want to buy there. I’ll explain why in a minute.

    Most of the time, it’s better to get financed by the bank where you already have an account, or especially, a credit union. The rates are probably better, and dealers get kickbacks from the finance companies they use, which adds to what the finance company has to charge you. One single credit history review by your bank or credit union will tell you how much they will lend you, on what terms, etc. Then you can “shop till you drop”, without incurring further damage to your credit score, or giving dealers any of the info you described.

    Every time a request for credit history is made, it takes a couple of points off of your credit score. This is trivial if it’s once or twice a year, but if you shopped ten dealerships and had ten credit “pulls”, your score goes way down. The theory behind the scoring is that people who are making numerous attempts to borrow money are more likely to be in financial trouble, or to get into trouble. E. g., you apply for ten credit cards, with a limit of 10k each, get approved for all ten, take a cash advance of 100k, and file bankruptcy (after hiding the cash, giving to Grandma, converting to gold coins, etc.)

    This is why credit-scoring models take into account how many times your credit history has been requested in the last two years, related to an application for credit (loan). And why your score shouldn’t be pulled until you know which car you want to buy, and where. Or just go to your own bank, as described.

    Routine inquiries from companies with whom you already have accounts, called a “periodic account review”, or just “account review” — to make sure you’re still as good as when they lent you the money — don’t hurt the score at all.

    @ ALL: RE: Credit card safety:

    In my State, and in most others AFAIK, you can request a “credit freeze”. This prohibits any credit reporting agency from releasing any information in your file (other than existing relationships, as above) to *anyone*, without your express written authorization *each time*. This may cause delays in being approved for any kind of loan or credit, though.

    My creds: MBA with double majors in Finance and Economics, and several decades of working in those fields at the practical (as opposed to theoretical) level. Nice to meet you all.

Comments are closed.