December 09, 2008

identity theft numbers (odd source, unusual targets)

Symantec posts an odd report on Phishing. The numbers are very useful:

Turner described visiting online private chat rooms, where underground buyers and sellers did business from June 1, 2007, to July 1, 2008. Credit cards, thousands at a time, would sell or be traded in a matter of seconds. They went from 10 cents to $25 per card, depending on credit limit, expiry date, and the security number on the back of the card.

Symantec estimates the sale value of credit cards in the underground economy was over $276 million US. But the potential spending spree on these credit cards would be $5.3 billion.
New attack-tool kits sell for as much as $4,000, he said. "We observed a little more than 69,000 distinct advertisers posting more than 44 million ads selling stolen information," said Turner.

"Distinct advertisers" number 69,000? That doesn't make sense, but let's work the numbers. This small country is earning something like $276m over the space of a year, so that makes it $4000 per advertiser, or $333 per month. Hmm, that's possible, but it still seems low for an average monthly salary for a phisher. Can one say "nymous advertisers" ?

But that wasn't the weird bit. This was:

"It's become a self-sustaining business worldwide," said the report's author, Calgary-based Dean Turner, director of Symantec Security Global Intelligence Network, Technology and Response. "What jumped out for us was how much money is being made in this underground economy."

Who are these guys? Where have they been? Well, they may have company sleeping over in Germany, where banks have had the smile wiped off their faces:

Identity thieves who claim they stole details of 21 million German bank accounts are offering to sell the data on the black market for €12 million (US$15.3 million), a German magazine reported over the weekend.

Ouch. That's possibly half the country's households (El Reg suggests 3 out of 4!). Which adds to:

It's Germany's second mega heist of personal information in as many months. In October, T-Mobile admitted losing records belonging to 17 million customers that included their names, addresses, dates of birth, phone numbers, and email addresses.

I wonder if this is a wakeup call for the data protection specialists? Which then leads us to recent USA figures posted on Digital Identity:

The headline results of this study are as follows:
  • The study discovered 5% of the children had one or more credit reports using their social security number
  • 3% were found to be actual victims of child identity theft, while 2% were victims of file/credit contamination.
  • Among the 5%, the children had on average $12,779 in fraudulent or wrongly assigned debt.
  • While the study found that children were more likely to find problems in their credit histories as they aged, an astonishing 12% of those with problems were age 5 and under.
  • A handful of cases stand out as especially severe: one child had seven identities listed under his SSN, with several thousand dollars in medical bills, apartment rentals, and credit accounts in collections; another child’s SSN was associated with over $325,000 in debt.
  • One in four victims in the study had bills or lines of credit in collections or foreclosure, while almost twothirds of these children had fake or wrong names listed under their SSN.
  • 42% of those children with erroneous credit reports only had credit files at one credit bureau, meaning their fraud could have gone unnoticed without checking all three bureaus.

Now, one could optimistically say that the kids won't have to pay out the money, but if the trial & suffering that is common with other identity fraud cases is any guide, I wouldn't be so sanguine. OTOH, it should be a lot easier to get a conviction if the perp can be collared.

Posted by iang at December 9, 2008 07:38 PM | TrackBack

It's disappointing how easily banks will let people take out loans or do transfers. It's not like automated phone verification etc don't exist *sigh*

Posted by: Thomas Barker at December 10, 2008 06:49 PM

There's an interesting story on ZDnet about a Microsoft study that suggests that phishing numbers are a lot lower than usual estimates. They put total US losses at $60million.,1000000189,39589445,00.htm

Posted by: Bob Lewis at January 14, 2009 10:49 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.