Industrialized identity theft

Industrialized identity theft

The scale of identity theft has reached an industrial scale that deserves attention as its own economic sector within the larger cybercriminal economy that thrives off the sale of such information. Recently, my continuous surveillance of a major criminal marketplace of a potential emerging threat to consumer identity theft- often called SSN, or simply “base” - this refers to the sale of a Social Security Number, Date of Birth, and associated address history (all of which are more than sufficient to be used to open up phony bank accounts in the holders name, open up new lines of credit, etc..). The sale and use of such information poses a very real threat to average consumer’s whose private information is, for those over the age of the 35 (why this is the case, deserves its own post) widely available on a multitude of marketplaces for instant purchase.

Arguably the most thriving and active marketplace where cardholder information (both the physical data/magnetic information from the card used to make fraudulent in-person transactions, and “cvv” - consisting of all information visible on the card + the billing information of the cardholder) recently responded to market demand by implementing a convenient and scary effective lookup service.

To quote the market admins:

By popular demand we have partnered with best SSN providers on the market to bring you the most accurate SSN search & data.

True to their word, I was able to locate my social security number, date of birth, and address history and immediately purchase it - on an interface that boasts the convenience and responsive UI of an enterprise level e-commerce application. The service even offers a convenient bulk lookup service, allowing criminals to upload enormous files of potential victims for immediate processing and purchase.

Using the MINDWISE monitoring framework, I was able to gather 2 million unique compromised cardholders in the USA alone. Applying such an approach to identity-related information like SSN/DOB (which is arguably more damaging) would disrupt the cybercriminal ecosystem and expose a massive underground economy that causes billions of dollars in damage (growing) every year.