StarDestroyer.Net BBS

Identity theft on the Internet is no new phenomenon, but new data from Symantec reveals that credit card numbers and full identities can be had for much cheaper than one might expect. In its semiannual Internet Security Threat Report for the time period between July and December of 2006, Symantec tracked a number of threats, including bot-infected computers, DoS attacks, browser exploits, malicious code, and phishing scams. In the most recent report, however, the company tracked for the first time the trade of personal data through the use of underground economy servers.

"Underground economy servers" were defined by Symantec as places were "criminals and criminal organizations sell stolen information, typically for subsequent use in identity theft." This includes everything from credit and debit card numbers, PIN numbers, user accounts and passwords, government-issued ID numbers, and other personal information. 51 percent of those servers were found in the US—significantly more than any other country—with Sweden coming in second at 15 percent, and Canada third at 7 percent. Symantec attributed the US's high number of underground economy servers to the country's "expansive Internet infrastructure and continual broadband growth," which presents lots of opportunity for criminals to carry out their activities.

But the news, at least for our US readers, gets worse. 86 percent of the credit card information sold underground were from US banks, according to the report, with cards from the UK coming in second at 7 percent, and Canada at one percent. Those numbers, however, devalue our credit cards in the eyes of criminals, as Symantec said that CCs coming from the US are advertised for about half as much as they are if they come from the UK—between $1 and $6 for a US card, and between $2 and $12 for a UK card. That's right: a criminal can buy your personal credit or debit card number, complete with PIN, for less than the price of a Happy Meal at McDonald's.

Full identities are also for sale via underground economy servers. Symantec said that this information often includes government-issued ID numbers (including social security numbers), bank information with passwords, personal information such as date of birth, as well as other identity verification methods such as mother's maiden name. Symantec's data only provided advertised prices for full identities from the US, which were advertised for anywhere between $14 and $18 apiece.

Symantec found that a number of other "items" were for sale as well, including Skype accounts, World of Warcraft accounts, online banking accounts with a guaranteed $9,900 balance, and PayPal accounts with balances. A verified PayPal account with a balance could fetch anywhere from $50 to $500, depending on how much money the PayPal user has sitting in the account; an unverified account with a balance goes for as little as $10 to $50.

How are these criminals getting ahold of all of this information? During the second half of last year, Symantec says that 54 percent of all data breaches that could lead to identity theft were directly related to the theft or loss of a computer or data-storage medium (such as an external hard drive or even a USB thumbdrive). This information makes me slightly more nervous about my lost my USB thumbdrive from some months ago.

"Insecure policy" accounted for another 28 percent of breaches, which could have included a "failure to develop, implement, and/or comply with adequate security policy" according to the report. This is a PEBKAC problem, said Symantec, as some examples that the company listed included posting personal information on a public web site or sending it through unencrypted e-mail. The report emphasizes that the majority of these breaches are preventable to some degree or another. Developing a personal and organizational policy of encrypting all sensitive data and practicing a little more common sense could go a long way in ensuring that no one will be buying your information with the change they found under the couch cushion.

I wonder where all these credit card numbers come from. And how do they get them in bulk? Course, I work as a cashier, and it'd be trivial to get a lot of credit card information from my receipts. Still, with prices so low, there's got to be tons of them out there.

Sarevok wrote:I got a question. If you are running SP2 and got the built in firewall on could are you safe from keyloggers transmitting captured data ?