In April 2014, this blog featured a story about Lance Ealy, an Ohio man arrested last year for buying Social Security numbers and banking information from an underground identity theft service that relied in part on data obtained through a company owned by big-three credit bureau Experian. Earlier this week, Ealy was convicted of using the data to fraudulently claim tax refunds with the IRS in the names of more than 175 U.S. citizens, but not before he snipped his monitoring anklet and skipped town.
On Nov. 18, a jury in Ohio convicted Ealy, 28, on all 46 charges, including aggravated identity theft, and wire and mail fraud. Government prosecutors presented evidence that Ealy had purchased Social Security numbers and financial data on hundreds of consumers, using an identity theft service called Superget.info (later renamed Findget.me). The jury found that Ealy used that information to fraudulently file at least 179 tax refund requests with the Internal Revenue Service, and to open up bank accounts in other victims’ names — accounts he set up to receive and withdraw tens of thousands of dollars in refund payments from the IRS.
The identity theft service that Ealy used was dismantled in 2013, after investigators with the U.S. Secret Service arrested its proprietor and began tracking and finding many of his customers. Investigators later discovered that the service’s owner had obtained much of the consumer data from data brokers by posing as a private investigator based in the United States.
In reality, the owner of Superget.info was a Vietnamese man paying for his accounts at data brokers using cash wire transfers from a bank in Singapore. Among the companies that Ngo signed up with was Court Ventures, a California company that was bought by credit bureau Experian nine months before the government shut down Superget.info.
Court records show that Ealy went to great lengths to delay his trial, and even reached out to this reporter hoping that I would write about his allegations that everyone from his lawyer to the judge in the case was somehow biased against him or unfit to participate in his trial. Early on, Ealy fired his attorney, and opted to represent himself. When the court appointed him a public defender, Ealy again chose to represent himself.
“Mr. Ealy’s motions were in a lot of respects common delay tactics that defendants use to try to avoid the inevitability of a trial,” said Alex Sistla, an assistant U.S. attorney in Ohio who helped prosecute the case.
Ealy also continued to steal people’s identities while he was on trial (although no longer buying from Superget.info), according to the government. His bail was revoked for several months, but in October the judge in the case ordered him released on a surety bond.
It is said that a man who represents himself in court has a fool for a client, and this seems doubly true when facing criminal charges by the U.S. government. Ealy’s trial lasted 11 days, and involved more than 70 witnesses — many of the ID theft victims. His last appearance in court was on Friday. When investigators checked in on Ealy at his home over the weekend, they found his electronic monitoring bracelet but not Ealy.
Ealy faces up to 10 years in prison on each count of possessing 15 or more unauthorized access devices with intent to defraud and using unauthorized access devices to obtain items of $1,000 or more in value; up to five years in prison on each count of filing false claims for income tax refunds with the IRS; up to 20 years in prison on each count of wire fraud and each count of mail fraud; and mandatory two-year sentences on each count of aggravated identity theft that must run consecutive to whatever sentence may ultimately be handed down. Each count of conviction also carries a fine of up to $250,000.
I hope they find Mr. Ealy soon and lock him up for a very long time. Unfortunately, he is one of countless fraudsters perpetrating this costly and disruptive form of identity theft. In 2014, both my sister and I were the victims of tax ID theft, learning that unknown fraudsters had already filed tax refunds in our names when we each filed our taxes with the IRS.
I would advise all U.S. readers to request a tax filing PIN from the IRS (sadly, it turns out that I applied for mine in February, only days after the thieves filed my tax return). If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such as a driver’s license or passport.
To read more about other ID thieves who were customers of Superget.info that the Secret Service has nabbed and put on trial, check out the stories in this series. Ealy’s account on Twitter is also an eye-opener.
There is little justice in this world. I think that judge should be the one in jail now and maybe Experian too. They seem to freely give out private information for a price to anyone. And Ealy would in reality only spend maybe a couple years behind bars. Sorry had to rant.
Never assume corruption where incompetence will explain.
I’ve been using a tax filing PIN from the IRS since they were available from IRS. Had it issued to me because I used to do my taxes back in the late 80’s early 90’s on my Tandy 286 in DOS. Man, I saw this coming decades ago, ID theft and all. The internet is like a Middle Eastern Bazaar at high noon in the Sahara. Get used to it, it’s only going to get worse, nothing is safe on the net. But, it can’t rain all the time…
How did you get this PIN? The form Brian links states that it is only for people who were the victim or had a ‘incident’ that makes it plausible that they’ll become victims.
The intent is NOT for normal people to just get a PIN. Now of course, that may just be the form, and filing it as a regular person who preemptively wants to protect himself may just work….
So did anybody try?
Guess some commenters are just makin stuff up 😉
Our Bird friend may be partially correct. I don’t know about the 80’s or most of the 90’s, but I know that I got a PIN when filing electronically as late as 2000.
I used to work for an accountant, that is always getting his identity stolen. Since the mid 90s…. accounts opened up in his name in other places. And he would have to contact all three bureaus, the FBI, secret service… a nightmare. Has happened to him many times over the years.
Accountants are in a type of business too where they have to keep data for many years on their main workstations.
What a dope! Priceless. I liked the chronological reporting link especially reading how that experian bozo said there wasn’t any harm done as if bad guys buy SSNs as collectors pieces. Shouldn’t that company, above any others, know what happens when people buy/sell personal information? Seems they are taking the “head in the sand” approach.
Well, what happens – every damn time there’s a breach – is that the companies involved sign people up for “credit protection” services from, you guessed it, Experian. So OF COURSE they’d say there’s no harm done!
Experian, TransUnion, and the other credit bureaus are essentially a legalized protection racket; if there were any justice they would all have been dissolved with extreme prejudice a long time ago. The underlying service they were founded to provide – telling lenders whether potential borrowers are a good risk or not – is still essential, but these companies have proven over and over again that they are both technologically and morally incompetent to provide it.
Now he gets the pleasure of having to run from the U.S. Marshals. Good luck with that. He’ll be in custody within two weeks.
I’m hoping someone gets him. I checked the USMS web site and of the 15 listed as “Most Wanted” 1 is dead and 4 are captured. So, why are they still listed as “Most Wanted”? How about adding the former #16-#20? Ealy isn’t listed there and I don’t see a way to search to see if he is wanted.
“All escapes from custody are automatically elevated to Major Case status.” according to http://www.justice.gov/marshals/investigations/ I don’t know if Ealy was in “custody” and again, no apparent way to search.
Just think about having USSS Agent Clint Eastwood (and the .44 Magnum) and USMS Marshall Tommy Lee Jones (and his Glock) after you. What did that newspaper say? “The Ripe Stuff”? That is the movies, this is real life, but the thought alone is chilling.
Seriously, look at what it took to prosecute this one miscreant. How many more are still listed as “John Doe”?
We need to proactively prevent this growing crime. Catching them is reactive, danged expensive, time consuming and too many are hurt along the way.
Perhaps a guy that seems like a bumbling fool at times just isn’t up there with other dangerous criminals.
I’d rather see him and all those like him, in shallow graves. Or better yet, dismembered and disposed of in the Gulf Stream a’ la’ Dexter…
Good work by the legal team and secret service. They work many cases and glad we get to see how good these agents are!
I remember reading the original story of this individual when it was first posted. The article was interesting in that this individual contacted you claiming his innocence. There seems to be a lot in the press these days on actively tracking down and prosecuting cyber-criminals. Not to mention the stiff penalties these crimes carry. I looked through a news feed on the arrests and indictments of tax fraud filers; to my recollection the numbers involved are extensive. There is so much of this going on it is difficult to comprehend the numbers involved and the various schemes being used.
Another “miscreant.” LOL. Brian, I am getting an IRS PIN! Thanks!
Along with the IRS pin, sign up for a Social Security on-line account. According to SSA, there can only be one account registered to a given SSN. Make sure that account belongs to YOU, not some miscreant
Yes, thanks for the reminder Blasher. I wrote about the SSA thing a bit more here:
@Brian, do you think you could use your pull (or your visit to Politics and Prose) to get the SSA and IRS to fix their HTTPS:// services?
As noted by Jerry Leichter / October 6, 2013 at 8:06 am
> And in the always-on-top-of-things-when-it-comes-to-security department:
> The link bandied about for this service is http://www.ssa.gov.
> Since this is a site at which you’ll be entering important personal information, it’s prudent to connect to it using https. But …
> https://www.ssa.gov produces an “invalid certificate” error,
> because it serves up a certificate for http://www.socialsecurity.gov.
So, for SSA, people get a Domain mismatch — and not a friendly “missing www.”/”omit www.” mismatch (I added code to Firefox for that), but a serious “this domain *really* does NOT match the certificate domain mismatch error”
And the service is vulnerable to POODLE.
The IRS is not really better because you can’t get to a site with https:// with a certificate for the IRS. Anyone can host content in Akamai, so a MITM could send you to bogus content in Akamai, or since https:// doesn’t work and isn’t advertised, they could just tamper with the content you request.
I agree that the IRS site should just be always-SSL as it is a popular target for phishing and possibly MITM attacks.
But in their defense, their main site only serves non-secret stuff. When entering your data you’ll first be redirected to:
So that part is actually secure. But indeed, the main site should be SSL too.
Unfortunately, the SSA offers PDFs over http://,
which has Links [http://ssa.gov/myaccount/], and instructions [How To Create An Online Account]
Those are the kinds of things which really should be secure (and signed), so that users aren’t served manipulated content…
Note that the link for “Create Account” on “my Account” is insecure:
Basically, *.ssa.gov (and *.irs.gov, and *.socialsecurity.gov) should be TLS/HSTS with no content (beyond instructions to upgrade to a secure browser) served over HTTP.
The fact that the authentic server of “http://ssa.gov/createaccount/” would send out a redirect to a client which points to a secure site doesn’t help a user when their connection was being attacked by a MITM, in such a case, the attacker would choose NOT to send along that redirect, and could do anything it wants — http://www.thoughtcrime.org/software/sslstrip is an example.
Thanks for the info. I tried to create one but my account is locked- so I have to go into the SSA and prove I’m me.
Just great. These are the people that are running our healthcare now, too. Can’t wait till I have to prove I am not pregnant (being male).
Why again do we allow companies like experian to profit off of selling our data? If we all Freeze our credit, what would happen to their profits? Let’s start a movement.
Silly guy. They charge you to freeze your credit too. They get you coming and going. Only movement that’s going to happen is the BM they drop on all of us.
Also if let’s say the car dealer cannot get quick credit data, this means you’ll be on the hook to provide income statements, bank records, etc to the bank. This means all that data – including your SSN and bank records – will now be at that car dealership viewed by who knows who.
Else no loan, and hence unless you pay in full, no car.
I’m not saying this to defend these companies, but just to indicate it isn’t as simple as just getting rid of them.
Peter – you unfreeze it before you apply for the loan for a time specific period. Of course they charge you for unfreezing it but because it’s frozen doesn’t mean it’s frozen forever.
The question was “why do we …to profit off of selling our data?”
Freezing/unfreezing doesn’t change that. The US is built on a system of cheap credit checks to provide easy credit. Taking away the commercial credit checks industry, *will* result in you having to provide more data to lenders directly, or simply getting less easy access to credit.
Not defending these companies here BTW, just stating that it isn’t that simple.
Brian thanks for the great book signing last night, wish the weather would have been a little better for you. It was nice meeting you and looking forward to listening to the audio book tonight. Hope you can make it back for ThotCon next year.
The IRS site states that the IP PIN is given to anyone who has had an incident of Identity theft. It says nothing about being able to receive an IP PIN voluntarily. The IP PIN is only good for the filing season in which it is issued and a new one is issued in each filing season.
” . . . the judge in the case ordered him released on a surety bond?”
The judge is worse than a fool. How about the judge’s name?
The hat is fitting….
I downloaded the form 14039 as suggested. In section A it requires that you are either a victim of identity theft, or that you have “experienced an event involving my personal information that may at some future time affect my federal tax records.” It then has blanks for further information.
I wonder how this form should be completed for those of us who have no specific reason to expect identity theft?
I also don’t understand how completing this form results in a PIN being assigned, but I admittedly have not read through all the links on the IRS website.
I wonder if he’ll have any problem getting a fake ID while he’s on the run… :-\
I give him at most a month or two on the run before they catch him. He would have had to surrender his passport when he got out on bail, so getting into another country could be difficult (but I suppose that he could sneak across a border to say Mexico).
Ultimately it comes down to how much cash he has squirreled away and how long will it be until it runs out. Cars are problematic in that he can either steal one (and then risk getting pulled over) or he can use his own (and risk getting pulled over), so getting around could be hard. I suppose the best bet is to “Ride the Dog” (Greyhound) to get around (purchase tickets for cash with no ID check). But he still needs a place to sleep and food to eat.
You would have to assume that credit cards are all no good any more, and even if they were still good, using them would leave a paper trail. And if he logs into any of his online accounts, he leaves a huge breadcrumb for the authorities.
But if he bought ss numbers, couldn’t he conceivably pose as someone else, or a bunch of someone elses?
If he squirreled away enough, he could buy a false identity, buy a new car, etc. and just live somewhere else for a while.
He probably didn’t save much though. Most criminals spend their money as fast as they make it – it’s why they resort to crime in the first place. There’s no way they can maintain their lifestyle without actually putting in the time to work their way up the income ladder.
Need a valid ID to get on a bus (that crosses state lines) where I live. No idea about the rest of the country.
I think experian should be fined a fuck ton of money, or we should just go fight club on them.
EFF & Mozilla are reducing the bite of going https
hopefully the KOS provider will provide some accommodation. On the other hand we know that https isn’t bullet proof.
It’s truly a shame – and a sad commentary on the mostly dysfunctional IRS – that PINs cannot be obtained for the asking. A very small investment in time and resources would pay huge dividends.
The IRS may be moving, albeit at a snail’s pace, in that direction. They have a pilot program to obtain an Identity Protection PIN, in three states: Florida, Georgia & WDC (I know, it’s not a state). Here’s the URL for more info: http://www.irs.gov/uac/Newsroom/2014-Identity-Protection-PIN-%28IP-PIN%29-Pilot
On a related note, the Identity Theft Affidavit that Brian links to appears to offer a pretty liberal way of getting PIN, under reason #2. It would appear to be worth a try.
keep calling till you get one is my philosophy. use a family members name that has been a victim.
Yes, a PIN should be a very easy add-on to their system. And if one of the 100 million taxpayers should forget their PIN, the IRS system should be able to make them answer a secret question. Like, what is the last 4 digits of your SS #. Or, what is your mothers maiden name. I particularly like the ‘what high school did you attend’ when I have to pick a secret question.
You should be the only person who knows the answer to your secret question. The answers to the examples given are pretty easy to locate, perhaps via social media or internet searches (for a few dollars to get details). An example of a better question, IMHO, would be your best friend in high school, because you’re the only person who knows the answer. Also, you don’t have to tell the truth, you just have to remember what answer you selected.
Mybill was being facetious/sarcastic/…
there are ~210million Americans likely to have an SSN with content, but who aren’t likely to be able to use their SSN to claim anything today.
there are ~41million Americans likely to be using their SSN today (and forgetting it tomorrow — they’re old, it’s their right+privilege).
8/9ths of the 210million aren’t going to be using their SSN to recover value for >5 years unless an accident happens (accidents are rare).
So, ~185million americans could create “my SSN” accounts today, and not have a use for them for 5+ years. What are the odds that you could create a false value for an account, and remember its value 5+ years from now?
Keep in mind that you should *NOT* share this false value w/ any other site. Because if you do, then when that site is compromised, someone will use it to compromise your “my SSN” account.
Alternatively, you could argue that people should go and log in each year, but, the odds of me remembering something I use only once a year are exactly ZERO. (I can point to an email account to which I have to turn to recover tax documents annually — each year, I’ve reset the password for it.)
The more often people have to log into something, the more likely they are to accidentally log into it via a compromised system/path.
No, we shouldn’t have to create accounts to block people.
Also for those of us who don’t have a “current” US mailing address, a lot of things become even more “exciting”.
Personally, I wouldn’t mind being encouraged to visit a US Embassy/Consulate in order to activate an account. OTOH, I live in a city which has one, I could crawl to it. I’d hate to live in Dawson City, Whitehorse, or Yellowknife and have to go to a Consulate…
The word “dope” pretty much sums up this lowlife
Is there actually anything to be gained from implementing that… what are you trying to hide or verify on a public site like this?
Some level of attestation that the content we’re reading was written by Brian Krebs and that it has not been tampered with.
Articles that Brian writes include links to other sites (e.g. the IRS) – to PDF documents (which could include executable code).
Occasionally he recommends products for us to use to secure our data.
Someone who could perform a MITM attack on my connection to krebsonsecurity.com could change the links to point to a different address which has a trojanned document.
Or, they could change the names of the products, or various other things.
Speaking of which, it’d be nice if the IRS paid Akamai for https:// service too — for the same reason…
You can always use Gibson Research fingerprint tool to verify the site. https://www.grc.com/fingerprints.htm
Isn’t it true that setting your exemptions artificially high so that there’s no refund to get/steal in your name would prevent this kind of fraud more easily than anything else.
I do this for other reasons (I’d rather not give the government an interest-free loan every year, among other things), but unless I’m missing something, that makes me impervious to this kind of fraud. If he had my social, Mr. Dope would file a return and get what I get, which is nothing.
You assume that Mr. Dope would file the exact same info as you, when in reality, he would just make up stuff to maximize the refund.
Not really. It may decrease their payoff slightly, but these guys are committing fraud. They have no problem claiming that you have adopted 5 kids in the past year, are the head of household, have been making payments on a large mortgage, etc. – basically as many deductions as they can make without tripping fraud alarms.
The majority of the amount should – if they did it right – come from the false deductions, not your withholding.
I suppose you could file your return very early, as soon as the IRS is accepting them, around mid January. It wouldn’t be accurate, since much information, such as
that needed for Sched D, would be lacking, but then you could file an amended return, which is a lot of bother. All this would only be worth it if you had some reason to think that your refund was at risk of being snagged by the bad guys.
The IRS PIN site is unavailable until filings are allowed again, presumably in mid-January:
Guess you need to get in there fast to prevent the scammers beating you to the punch.
Wait, what’s stopping THEM from filing for a pin then and locking the legit user out? Especially if the user’s machine is botnetted as lots of people keep copies of id and such somewhere?
If the IRS only took 10% max from every person, and there were NO deductions and NO refunds we could all file on a postcard or less and there’d be no money to try to scam out of the government.
Sliding scale taxes has to be one of the stupidest and costliest government ideas.
Income taxes are a fraction of the total taxes collected by various USSA [sic] governments and agencies. If personal income taxes were eliminated (which would not solve the identity problem), there’s thousands of other resources for Federal coffers.
Only a simpleton might believe paying more is a solution to anything, except bankruptcy. Have you heard of education? Or, did you sleep through that class? Get some. Pick up a pound of intelligence on the way.
FYI: a rise in taxes to 5% helped spawn the American Revolution. If it was reason enough for them … And, as the forefathers opined, a little revolution now and then is a good thing (for freedom and liberty).
Based on performance and outcome, the fed.gov deserves significantly less, not a penny more. Perhaps not even a penny.
©2014 DoktorThomas™. All rights reserved. This material may not be used, published, broadcast, rewritten, paraphrased, forwarded, nor redistributed without written permission. All statutory use exemptions/exceptions specifically revoked by author. Protected by Amendment, Federal law and international treaty. For educational use only–not intended as legal, medical, accounting, tax, financial or other advice; for readers to use as such violates TOS and may entail imposition of financial penalty and other sanctions. Limited license granted for exclusive use on krensonsecurity.com.
[“Because Internet usage, and news consumption in general, typically drop over the weekend, when someone puts out news that they hope few people will notice, they usually announce it Friday late afternoon or evening.”]
If it is the fed.gov, the system is broken, fraudulent, late, out dated, a boondoggle, pork, graft, a massive cost overrun and endlessly in process. The operators and designers are crooks, unrealistic, under performing, over paid, lacking commonsense and otherwise entirely not competent.
Root cause: politicians. Who’d vote for a politician (except for a room at Leavenworth)?
The fed.gov remains unshaken; it’s not like it’s their money …
As a holder of plastic, I see the problem, the cost, the fix, my time, my suffering and the reparations to my reputation as someone else’s fault, responsibility and problem. Only fools would operate a financial system like the USSA [sic] has.
Hint: if every bank were a unique operation unto itself–not part of the Federal Reserve’s (illegal) Banking Cartel–this kind of fraud would be impossible. Certainly greatly muted in each instant. Aside: There’s no excuse for the IRS and its blunders; shutter it. ©2014 DoktorThomas™. All rights reserved. This material may not be used, published, broadcast, rewritten, paraphrased, forwarded, nor redistributed without written permission. All statutory use exemptions/exceptions specifically revoked by author. Protected by Amendment, Federal law and international treaty. For educational use only–not intended as legal, medical, accounting, tax, financial or other advice; for readers to use as such violates TOS and may entail imposition of financial penalty and other sanctions. Limited license granted for one exclusive use on krebsonsecurity.com.
Great article. Thanks for the info, it’s easy to understand. BTW, if anyone needs to fill out an “IRS 14039 form”, I found a blank form here: http://goo.gl/Kma9do
How long between when he took that selfie & his absconding? (His Twitter feed now has nothing after 2013.) A selfie with a pic of the Road Runner shoulda set off red flags with the judge, marshals, IRS, FBI & other Federal agencies who now look like Wile E. Coyote after he fell off the cliff…