Following the online publication of Social Security numbers and other sensitive data on high-profile Americans, the three major credit reporting bureaus say they’ve uncovered cases where hackers gained access to users’ information, Bloomberg reports. The disclosure, while probably discomforting for many, offers but a glimpse of the sensitive data available to denizens of the cybercrime underworld, which hosts several storefronts that sell cheap, illegal access to consumer credit reports.
The acknowledgement by Experian, Equifax and TransUnion comes hours after hackers posted online Social Security numbers and other sensitive data on FBI Director Robert Mueller, First Lady Michelle Obama, Paris Hilton and others.
Sadly, Social Security numbers and even credit reports are not difficult to find using inexpensive services advertised openly in several cybercrime forums. In most cases, these services are open to all comers; the only limitation is knowing the site’s current Web address (such sites tend to move frequently) and being able to fund an account with a virtual currency, such as WebMoney or Liberty Reserve.
Case in point: ssndob.ru, a Web site that sells access to consumer credit reports for $15 per report. The site also sells access to driver's license records ($4) and background reports ($12), as well as straight SSN and date of birth lookups. Random “fulls” records — which include first, middle and last names, plus the target’s address, phone number, SSN and DOB — sell for 50 cents each. Fulls located by DOB cost $1, and $1.50 if searched by ZIP Code.
It’s not clear from where this service gets its credit reports and other data, but it appears that at least some of the lookups are done manually by the proprietors. Pending new records requests are tracked with varying messages, such as “in queue,” and “in progress,” and often take more than 15 minutes to process.
A source who agreed to have his information looked up at this service provided his Social Security number, date of birth and address. Within 15 minutes, the site returned a full credit report produced by TransUnion; the report, saved as an HTML file, was archived in a password-protected zip file and uploaded to sendspace.com, with a link to the file and a password to unlock the archive.
TransUnion officials could not be immediately reached for comment. But the Bloomberg report quotes a TransUnion spokesperson saying that “the hackers had considerable amounts of information about the victims, including social-security numbers and other personally identifying information.”
What’s interesting about ssndob.ru is that a full credit report requires knowing the target’s first and last name, address, ZIP code, city, state and SSN. While that may seem like a tall hurdle, this same site offers the ability to look up SSN and DOB records, presumably from a different database, for $1.50 per record pair.
One possibility is that the proprietors of this service and others like it are taking data gleaned from various sources and using it to pull credit reports from annualcreditreport.com, a government-mandated Web site created by the three major credit bureaus to help consumers obtain annual free copies of their credit reports.
If annualcreditreport.com is indeed the source of this information, it would be highly ironic. The site was the product of the 2003 Fair and Accurate Credit Transaction Act, a law intended to reduce identity theft that required each of the three major credit bureaus to provide consumers free access to their credit reports. The irony is that despite the free availability of these reports to consumers, the credit bureaus have for years touted consumer credit reports as a major benefit of signing up for pricey credit monitoring services, as shown by the success of television ads for services like freecreditreport.com.