A Web site that sells Social Security numbers, bank account information and other sensitive data on millions of Americans appears to be obtaining at least some of its records from a network of hacked or complicit payday loan sites.
Usearching.info boasts the “most updated database about USA,” and offers the ability to purchase personal information on countless Americans, including SSN, mother’s maiden name, date of birth, email address, and physical address, as well as and driver license data for approximately 75 million citizens in Florida, Idaho, Iowa, Minnesota, Mississippi, Ohio, Texas and Wisconsin.
Users can search for an individual’s information by name, city and state (for .3 credits per search), and from there it costs 2.7 credits per SSN or DOB record (between $1.61 to $2.24 per record, depending on the volume of credits purchased). This portion of the service is remarkably similar to an underground site I profiled last year which sold the same type of information, even offering a reseller plan.
What sets this service apart is the addition of more than 330,000 records (plus more being added each day) that appear to be connected to a satellite of Web sites that negotiate with a variety of lenders to offer payday loans.
I first began to suspect the information was coming from loan sites when I had a look at the data fields available in each record. A trusted source opened and funded an account at Usearching.info, and purchased 80 of these records, at a total cost of about $20. Each includes the following data: A record number, date of record acquisition, status of application (rejected/appproved/pending), applicant’s name, email address, physical address, phone number, Social Security number, date of birth, bank name, account and routing number, employer name, and the length of time at the current job. These records are sold in bulk, with per-record prices ranging from 16 to 25 cents depending on volume.
But it wasn’t until I started calling the people listed in the records that a clearer picture began to emerge. I spoke with more than a dozen individuals whose data was being sold, and found that all had applied for payday loans on or around the date in their respective records. The trouble was, the records my source obtained were all dated October 2011, and almost nobody I spoke with could recall the name of the site they’d used to apply for the loan. All said, however, that they’d initially provided their information to one site, and then were redirected to a number of different payday loan options.
Then I heard from Samantha, a Virginia resident who requested that I not use her full name in this piece. Samantha acknowledged “foolishly entering her information at one of these payday loan sites about a year ago” because she’d had major surgery at the time and needed some extra funds.
“Not long after that I started getting calls from a so-called collection agency for payday loans that I never took,” Samantha explained in an email. “The people calling had heavy Indian accents and were posing as processor servers for the state of Virginia, police officers, or just straight out threatening me. Luckily, I never verified my information with these people and filed complaints with the Federal Trade Commission and the state of Virginia. The FTC has since busted some of these ‘companies’ for these fake collection calls.”
Samantha said she provided her data at a site called 1min-payday-loan.com, which directed her to a number of lenders. I reached out to that Web site early last week but have not yet received a reply.
She never did get approved for a payday loan. It’s probably just as well: such loans are illegal in Virginia and several other states. Many online payday loan companies don’t seem to care which state you live in or whether it’s illegal there. The site Samantha said she sent her personal information to offers payday loans to residents of all 50 states.
“If they operate illegally, then they probably don’t care how they treat you as a customer,” Samantha said.
I asked a number of legal experts about the legality of selling someone else’s Social Security number. There are a number of state and federal laws that apply here, but the consensus seems to be that the determining factor is intent. Two federal law enforcement officials who asked not to be quoted said roughly the same thing: That the possession and trafficking of SSNs should fall under 18 USC 1029(a)(2) and (a)(3), with SSNs defined (albeit not obviously) as “unauthorized access devices”. In addition, contempt and conspiracy language in that statute should allow the charge to extend to parties knowingly hosting and profiting from the activity.
This service deftly illustrates the ease with which miscreants can obtain your most personal data. The next time you call your bank or interact with a company that asks you to authenticate yourself by reciting some or all of your Social Security number, birth date, mother’s maiden name — or any other personal information that you may assume is private — remember that services like this exist. Whenever possible, I think it’s an excellent idea to insist that these entities authenticate you using alternative questions and answers that are truly private to you and to you alone.