Inside the Internet’s Financial Black Markets – How Identity Thieves Buy and Sell Your Personal Information Online

Posted by Caitlin on September 16th, 2008

Not so many years ago, “identity theft” occurred when someone stole your purse or wallet and made purchases with your credit cards or checkbook, or impersonated you by using your driver’s license or passport. A more sophisticated identity thief might obtain your Social Security number or other personal information, perhaps by peering over your shoulder as you filled out a form or riffling through your trash, and open new accounts in your name. During this more innocent time, you could avoid becoming a victim of identity theft by taking relatively simple precautions, such as canceling a credit card as soon as it was lost and tearing up potentially sensitive documents before discarding them.

Identity theft is quite a bit different now. It has evolved into a sophisticated and profitable underground economy, characterized by specialization of the production of goods and services, outsourcing of production, multivariate pricing and adaptable business models. On hidden online message boards, anonymous users advertise and trade stolen information and illegal services.

Many of these black market forums are run from computer servers in Russia, China, Romania or other regions in which Internet security practices or legislation are not yet well developed. These data trafficking websites last for around six months before being rerouted through a new server in order to evade law enforcement. The most popular sites are in Russian, although there are also Vietnamese, Spanish, Chinese, Arabic and English websites. The variety of languages and geographical limitations also make it virtually impossible for authorities to prevent this online trafficking.

Registered board members buy and sell stolen credit card information, including card numbers, CCV numbers, expiration dates and cardholder names. Stolen credit cards have a relatively brief shelf life before the theft is discovered and the account is closed, so this type of data is usually bought in bulk and must be replenished constantly. According to Symantec’s most recent Internet Security Threat Report, 50 credit card numbers sell for around $40.00 and 500 credit card numbers cost $200.00, making each card worth $0.40 to $0.80 when bought in bulk. An individual card number may cost as much as $20.00. The price of credit card numbers has been steadily decreasing over the past few years, which indicates that availability is increasing. Cards from the European Union cost more than those from the United States, presumably because there are approximately eight times as many credit cards circulating in the United States as in the European Union. Rarer cards, such as those from smaller countries or smaller credit card companies, are typically twice as expensive as their more popular counterparts.

Bank accounts are the most commonly advertised item for sale, according to Symantec. In some cases, there are online forms that allow criminals to indicate the various types of data they have to sell or would like to purchase: address, date of birth, Social Security number, driver’s license number, mother’s maiden name, PIN numbers, passwords, etc. Account information that includes additional personal details and accounts with higher balances are advertised for considerably higher prices.

Thriftier shoppers can purchase raw data by the megabyte, then sort through the data themselves and sell it for more money. High-rollers can buy complete identities, which include all the information one would need to open new accounts in someone else’s name. In bulk, 50 identities cost roughly $100.00. Full identities are very popular on the black market, probably due to their versatility and ease of use.

Hackers, phishers, spammers and other cybercriminals also advertise their services on these message boards. Programmers sell malicious code that gathers confidential information in various ways. Phishers create fake websites that imitate real websites or emails that appear to come from a bank or other trustworthy entity in the hopes that victims will be fooled into revealing passwords and other sensitive information. Spammers help the phishers reach their intended victims by gathering email addresses and sending phishing emails. Some criminals sell encoding devices and others sell blank credit cards and algorithms that can be used to encode the magnetic stripe with a stolen account number, producing a usable card. Cashiers take the encoded plastic to ATMs and make daily withdrawals until the account is depleted. Droppers receive merchandise purchased with stolen credit cards at secure drop points.

Sometimes, sellers must pay a fee in order to advertise on black market forums. Site administrators or reviewers verify the integrity of the goods or services offered before they can be posted for sale. Registered users build a reputation rating based on peer reviews, similar to eBay. This prevents users from attempting to cheat one another by refusing to pay for goods or services rendered, or failing to provide promised goods or services once payment is received. The untrustworthy criminals who engage in this sort of scam are called rippers, and black market forums work hard to expose them as such.

The actual trading occurs off the message board, either via private messages sent through the forum or over anonymous online chat programs like ICQ. Payments are made using online payment systems like PayPal or money wiring services. Transactions may also be made in WMZs, which are electronic monetary units equivalent to American dollars, issued by a Moscow company called WebMoney Transfer. Large transactions are sometimes split up, and sometimes cybercriminals are paid in merchandise or large numbers of compromised accounts.

E-gold, another electronic currency that claims to be backed by gold bullion, has been one of the most popular payment systems among cybercriminals. In July, E-gold Ltd. and its corporate affiliate, Gold & Silver Reserve Inc., pled guilty to conspiracy to engage in money laundering and conspiracy to operate an unlicensed money transmitting business. How this will impact financial transactions within this underground economy remains to be seen.

In addition to facilitating illegal transactions, these black market forums also provide a venue for aspiring identity thieves to learn tricks of the trade. Veteran criminals offer their shared wisdom, advising newcomers on how to make payments and the best time of the month to make purchases with a stolen account.

In 2004, the United States Secret Service arrested 28 key members and ringleaders of a group called Shadowcrew for their involvement in facilitating the cybercriminal black market. “Operation Firewall,” as it was called, revealed some of the first details of this underground economy. Since then, the cybercrime economy has expanded and matured, becoming more profitable and more difficult for the authorities to infiltrate. The Symantec Internet Security Threat Report states that “organizations and individuals currently operating within this underground economy appear willing and able to change their business models or adopt new ones in response to changes in the threat landscape.”

The extent of this black market economy for personal information is certainly shocking. Luckily, there are many steps that consumers can take to help limit the risk that they will be victimized by identity thieves.

Guarding your own personal information is the first and foremost way to avoid becoming an identity theft victim. There are many precautions you can take to protect yourself.

Although cybercriminals now rely on an arsenal of increasingly sophisticated technology to steal data, some identity thieves are still doing things the old-fashioned way. Dumpster diving is still a very real threat, so you should continue shredding sensitive documents and consider opting out of preapproved credit card offers.

Many attempts to gain access to your personal data through the Internet can be thwarted by security software. Firewalls and updated virus and spyware protection will prevent malicious software from forcibly installing itself on your computer. All of the Internet security software providers included in our reviews and comparison chart also offer anti-phishing protection that will alert you when you are visiting a suspected phishing site. Regardless of what type of Internet security software you have, you should always be vigilant and skeptical when downloading files and clicking on unknown links. Phishing sites imitate well-known financial or social networking sites and attempt to lure potential victims into downloading malicious software or revealing their log-in information.

You should also avoid revealing sensitive personal information online, particularly on social networking sites like Facebook and MySpace. According to Symantec’s Internet Security Threat Report, two unnamed social networking sites, believed by industry executives to be the two biggest, MySpace and Facebook, were together the target of 91% of U.S.-based phishing attacks. For more about how to safeguard your identity while using social networking sites, see our Facebook and MySpace Identity Theft Protection Guides. A lost or stolen laptop or iPhone can also put you at risk for identity theft. Symantec reports that theft or loss of a computer or other data-storage medium is the cause of the most data breaches that could lead to identity theft, accounting for 57% of the total during the second half of 2007. For more information, see our guides on how to safeguard your personal information in the event of a missing laptop or iPhone.

Unfortunately, common sense safety measures like creating strong passwords and canceling a lost credit card can only protect you to a certain extent. Symantec’s report shows that educational institutions account for the most data breaches that could lead to identity theft and that government is the top sector for total identities exposed. If your credit card or bank account information or your Social Security number is included in a government database, a business’s database or the records of an educational institution, you are at risk of having your personal information compromised by a data breach. You cannot prevent this from occurring, but there are services that can help keep you as secure as possible.

TrustedID, Identity Guard, LifeLock and Identity Truth are all identity theft protection services that specifically address the risks of the Internet’s black market for stolen personal data. Each of these services utilizes advanced technologies to scour thousands of websites where criminals buy and sell stolen credit card numbers, Social Security numbers and other information. Additionally, each of these services offers proactive protection against various forms of financial identity theft and varying levels of recovery assistance in the case that a subscriber is victimized by identity thieves. While it would be great if these services could prevent all identity theft, the truth is that none of them is totally foolproof. That being said, we believe that these services represent some of the best identity theft protection available. You can learn more by visiting the NextAdvisor.com identity theft protection service reviews and comparison.
