Huge identity theft uncovered

R. A. Hettinga rah at shipwright.com
Thu Jul 26 10:59:38 EDT 2001 

http://www.msnbc.com/news/604496.asp

Huge identity theft uncovered

Files with Social Security and driver's license numbers
pasted in chat room; possible link to cell phone applications

By Bob Sullivan
MSNBC

July 25 - Key personal data belonging to hundreds of individuals have been
shared in an Internet chat room, in what one expert says could become one
of the largest identity theft cases ever. The data include Social Security
numbers, driver's license numbers, date of birth and credit card
information - everything a criminal would need to open an online bank
account, apply for a credit card, even create the paperwork necessary to
smuggle illegal immigrants. It is still unclear how the data ended up in
the chat room, but an MSNBC.com investigation has revealed common threads
among the victims - including the purchase of a cell phone online from
VerizonWireless.com or an AT&T Wireless reseller.

		       ACCORDING TO A SOURCE who requested anonymity, the
customer data started flowing July 14 and continued at least through July
22. It's unknown just how many records were published, but at one point new
records were flying by at a rate of two per minute.
       The source provided MSNBC.com with a two-hour slice of log files
from the chat containing information from about 50 people. MSNBC.com
attempted to talk with all of the people named and interviewed 29. Of
those, 17 said they had ordered wireless services online, using the Web
site of Verizon Wireless, a joint venture of Verizon Communications Inc.
and Vodafone Group PLC. In each case, the victims had ordered service
between December and April, and in almost every case, the victims lived in
Illinois or Indiana.
       The form of the data pasted into the chat room connected to those 17
victims exactly matches the form used by potential customers on
VerizonWireless.com when they fill out the credit check application.
Detailed information, such as driver's license and Social Security number,
is necessary so the company can perform a credit check before issuing a phone.

		       Verizon Wireless spokesman Jeff Nelson said the company
was investigating the incident, but declined to offer further details.
       "We take the security of our customers' information extremely
seriously," he said. "Whenever we hear about a remote possibility that
there has been any kind of intrusion into our system, we quickly move to
investigate and work with our customers to rectify any possible damage."
       Nelson declined to say which credit agency Verizon Wireless uses to
verify applications filled out on the company's Web site.
       Eight other chat room victims interviewed by MSNBC.com said they had
ordered AT&T Wireless services in the past year. Several of the database
entries pasted into the chat room included the line "I agree to a one year
{sic} contract with AT&T Wireless Services."
       Four of the eight remember ordering the service through
URDigital.com or its parent, Advanced Digital Solutions, which once
operated mall-based sales booths. AT&T Wireless spokesperson Danielle Perry
confirmed that in at least two of the cases, the customers had signed up
for AT&T Wireless service through Advanced Digital Solutions, which she
described as an "unauthorized subagent's subagent that has gone bankrupt."
She could not offer an explanation for the others.


       The chat room logs also point toward URDigital.com as a potential
culprit. Several times, one poster publishes a directory listing
specifically pointing to a folder named "URDigital."
       URDigital.com is now operated by Simply Wireless Inc. A spokesman
for Simply Wireless said his company had no connection with URDigital.com
or Advanced Digital Solutions 18 months ago when the chat room victims
indicate they signed up for their AT&T Wireless service.
       But not every victim ordered cell phone service online in recent
months, suggesting the data may have originally been taken from some other
agency that logs customer driver license and Social Security data. Five of
the victims interviewed by MSNBC.com said they didn't remember ordering a
cell phone online and don't recall entering their Social Security numbers
or driver's license numbers into any Web site.
       
FRAUDULENT CHARGES SHOW UP

		       Experts say the victims could be dealing with the
potential identity theft for years; unlike credit card numbers, Social
Security numbers and date of birth information cannot be canceled and
reissued. That's what distinguishes this theft from other computer
break-ins like the January 2000 theft from CDUniverse.com, when criminals
stole 300,000 credit card numbers from that e-commerce site.
       Theft of customer databases full of credit card numbers has been
fairly common since the CDUniverse incident, but there have been no
widespread reports of stolen databases that include social security numbers
and drivers' licenses. In the most famous identity theft incident to date,
a New York City restaurant worker managed to impersonate famous
personalities like Steven Spielberg, Warren Buffett, Martha Stewart and
Oprah Winfrey, and in some cases stole money from their brokerage accounts.
But the driver had to steal each identity one at a time, via imposter
telephone calls and other "social engineering" tricks.
       The data which appeared in the chat room, which in some cases even
includes employer and job title, is already in active circulation among the
Internet's underground. About half of the victims contacted by MSNBC.com
had already discovered fraudulent charges on their credit cards within the
past week, soon after the stolen data was posted in the chat room. But
several others indicated their cards had been loaded with bad charges two
months ago, suggesting the data may have originally been stolen in April or
May.
       Computer criminals armed with a full set of personal data, including
Social Security numbers and date of birth, can wreak havoc on a victim's
credit history by signing up for credit cards or opening online bank accounts.

		       "Oh man, this is not good," said Maribell Ruiz of Chicago.
She claims the only place she ever entered her license or Social Security
number online was at VerizonWireless.com. "They are supposed to be a
secured site."
       Local police have already opened investigations into the incident in
Rancho Cucamonga, Calif., and Kiowa County, Okla. Another Chicago-based
victim, who asked to have her name withheld, has already contacted attorney
Jed Weissbluth, an expert in identity theft, to investigate.
       "I never enter my Social Security number online," said Maria Zeller
of Farragut, Ill. In fact, she didn't remember ever doing so until asked if
she had ever purchased a cell phone contract online. "The cell phone is the
only thing I purchased that I would have," Zeller said.
       Adam Feign of Crystal Lake, Ill., ordered his Verizon Wireless phone
in December using the company's Web site; then two months ago there were
$4,000 in false charges on his Visa card.
       "Most of the charges were at Network Solutions," he said.

       Cory Johnston of Indianapolis, Ind., was called by his bank Monday
and told a criminal had charged $1,000 on his card over the weekend at
Network Solutions.
       "I'm going to change my driver's license number right away," he said.
       One expert, who requested anonymity, called the victims who had
their data published in the chat room "the lucky ones," since they can be
warned about what has happened. Criminals often publish only a small slice
of the data that's been stolen. It's possible a much larger database of
personal dossiers has been taken, and since authorities don't yet know
where the data came from, other victims can't be warned.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list