Information Security News mailing list archives

Huge identity theft uncovered


From: InfoSec News <isn () c4i org>
Date: Sun, 29 Jul 2001 04:53:12 -0500 (CDT)

Forwarded by: "Jay D. Dyson" <jdyson () treachery net>


-----BEGIN PGP SIGNED MESSAGE-----

Courtesy of Cryptography List.

Two words: Oh ****.

- ---------- Forwarded message ----------
Date: Thu, 26 Jul 2001 10:59:38 -0400
From: "R. A. Hettinga" <rah () shipwright com>
To: cryptography () wasabisystems com
Subject: Huge identity theft uncovered

http://www.msnbc.com/news/604496.asp

Huge identity theft uncovered

Files with Social Security and driver's license numbers
pasted in chat room; possible link to cell phone applications

By Bob Sullivan
MSNBC

July 25 - Key personal data belonging to hundreds of individuals have been
shared in an Internet chat room, in what one expert says could become one
of the largest identity theft cases ever. The data include Social Security
numbers, driver's license numbers, date of birth and credit card
information - everything a criminal would need to open an online bank
account, apply for a credit card, even create the paperwork necessary to
smuggle illegal immigrants. It is still unclear how the data ended up in
the chat room, but an MSNBC.com investigation has revealed common threads
among the victims - including the purchase of a cell phone online from
VerizonWireless.com or an AT&T Wireless reseller. 

According to a source who requested anonymity, the customer data started
flowing July 14 and continued at least through July 22. It's unknown just
how many records were published, but at one point new records were flying
by at a rate of two per minute. 

The source provided MSNBC.com with a two-hour slice of log files from the
chat containing information from about 50 people. MSNBC.com attempted to
talk with all of the people named and interviewed 29. Of those, 17 said
they had ordered wireless services online, using the Web site of Verizon
Wireless, a joint venture of Verizon Communications Inc. and Vodafone
Group PLC. In each case, the victims had ordered service between December
and April, and in almost every case, the victims lived in Illinois or
Indiana. 

The form of the data pasted into the chat room connected to those 17
victims exactly matches the form used by potential customers on
VerizonWireless.com when they fill out the credit check application. 
Detailed information, such as driver's license and Social Security number,
is necessary so the company can perform a credit check before issuing a
phone. 

Verizon Wireless spokesman Jeff Nelson said the company was investigating
the incident, but declined to offer further details. 

"We take the security of our customers' information extremely seriously,"
he said. "Whenever we hear about a remote possibility that there has been
any kind of intrusion into our system, we quickly move to investigate and
work with our customers to rectify any possible damage." 

Nelson declined to say which credit agency Verizon Wireless uses to verify
applications filled out on the company's Web site. 

Eight other chat room victims interviewed by MSNBC.com said they had
ordered AT&T Wireless services in the past year. Several of the database
entries pasted into the chat room included the line "I agree to a one year
{sic} contract with AT&T Wireless Services." 

Four of the eight remember ordering the service through URDigital.com or
its parent, Advanced Digital Solutions, which once operated mall-based
sales booths. AT&T Wireless spokesperson Danielle Perry confirmed that in
at least two of the cases, the customers had signed up for AT&T Wireless
service through Advanced Digital Solutions, which she described as an
"unauthorized subagent's subagent that has gone bankrupt."  She could not
offer an explanation for the others. 

The chat room logs also point toward URDigital.com as a potential culprit.
Several times, one poster publishes a directory listing specifically
pointing to a folder named "URDigital." 

URDigital.com is now operated by Simply Wireless Inc. A spokesman for
Simply Wireless said his company had no connection with URDigital.com or
Advanced Digital Solutions 18 months ago when the chat room victims
indicate they signed up for their AT&T Wireless service. 

But not every victim ordered cell phone service online in recent months,
suggesting the data may have originally been taken from some other agency
that logs customer driver license and Social Security data. Five of the
victims interviewed by MSNBC.com said they didn't remember ordering a cell
phone online and don't recall entering their Social Security numbers or
driver's license numbers into any Web site. 
       
FRAUDULENT CHARGES SHOW UP

Experts say the victims could be dealing with the potential identity theft
for years; unlike credit card numbers, Social Security numbers and date of
birth information cannot be canceled and reissued. That's what
distinguishes this theft from other computer break-ins like the January
2000 theft from CDUniverse.com, when criminals stole 300,000 credit card
numbers from that e-commerce site. 

Theft of customer databases full of credit card numbers has been fairly
common since the CDUniverse incident, but there have been no widespread
reports of stolen databases that include social security numbers and
drivers' licenses. In the most famous identity theft incident to date, a
New York City restaurant worker managed to impersonate famous
personalities like Steven Spielberg, Warren Buffett, Martha Stewart and
Oprah Winfrey, and in some cases stole money from their brokerage
accounts.  But the driver had to steal each identity one at a time, via
imposter telephone calls and other "social engineering" tricks. 

The data which appeared in the chat room, which in some cases even
includes employer and job title, is already in active circulation among
the Internet's underground. About half of the victims contacted by
MSNBC.com had already discovered fraudulent charges on their credit cards
within the past week, soon after the stolen data was posted in the chat
room. But several others indicated their cards had been loaded with bad
charges two months ago, suggesting the data may have originally been
stolen in April or May. 

Computer criminals armed with a full set of personal data, including
Social Security numbers and date of birth, can wreak havoc on a victim's
credit history by signing up for credit cards or opening online bank
accounts. 

"Oh man, this is not good," said Maribell Ruiz of Chicago.  She claims the
only place she ever entered her license or Social Security number online
was at VerizonWireless.com. "They are supposed to be a secured site." 

Local police have already opened investigations into the incident in
Rancho Cucamonga, Calif., and Kiowa County, Okla. Another Chicago-based
victim, who asked to have her name withheld, has already contacted
attorney Jed Weissbluth, an expert in identity theft, to investigate. 

"I never enter my Social Security number online," said Maria Zeller of
Farragut, Ill. In fact, she didn't remember ever doing so until asked if
she had ever purchased a cell phone contract online. "The cell phone is
the only thing I purchased that I would have," Zeller said. 

Adam Feign of Crystal Lake, Ill., ordered his Verizon Wireless phone in
December using the company's Web site; then two months ago there were
$4,000 in false charges on his Visa card. 

"Most of the charges were at Network Solutions," he said. 

Cory Johnston of Indianapolis, Ind., was called by his bank Monday and
told a criminal had charged $1,000 on his card over the weekend at Network
Solutions.

"I'm going to change my driver's license number right away," he said. 

One expert, who requested anonymity, called the victims who had their data
published in the chat room "the lucky ones," since they can be warned
about what has happened. Criminals often publish only a small slice of the
data that's been stolen. It's possible a much larger database of personal
dossiers has been taken, and since authorities don't yet know where the
data came from, other victims can't be warned. 

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

-----END PGP SIGNATURE-----


-
ISN is currently hosted by Attrition.org