Black market in stealing your data is thriving


July 20, 2008|By DAN THANH DANG

It wasn't clear what freaked Jerrell Ellerbe out more: when I read him his mother's maiden name, or the part when I told him his date of birth.

I'm guessing, though, that what disturbed him most was when I supplied his e-mail address and then read his complete Social Security number to him.

"Who are you again?" the 25-year-old data entry specialist said, clearly shaken. "Tell me who you are again?"

If I were someone with wicked intentions, I might have shaken him down for money. Or heck, not call him at all and just taken his data on a shopping spree.

But since I'm just your friendly neighborhood consumer columnist, I identified myself to him again and then explained why I was doing this: I wanted Ellerbe to know that his confidential information was floating out there on the World Wide Web on international chat rooms, message boards and Web sites that specialize in buying, selling and trading personal and financial data for criminal activities.

"I think I feel sick," said Ellerbe, who lives near Washington, D.C.

"The thought of it just turns my stomach. I had no idea my information, all that information, was out there. You can't even live a peaceful life anymore. There's always someone out there doing something crazy to you," he said

Little do many people such as Ellerbe know there is a thriving online black market in credit card account and PIN numbers, Social Security numbers and all manner of sensitive data for prices as little as $6 to $14 per victim. Every time a laptop goes missing, a corporation's security network is breached or a consumer gets duped into sharing passwords and financial data online, security and law enforcement experts say it's likely that information ends up in an online auction.

Security firm Symantec Corp. says it has seen a rise in the amount of data theft and data loss to the online black market. Dean Turner, director of Symantec's Global Intelligence Network, says, "If I had to guess, I'd say the losses could reach multimillions, if not billions, of dollars worldwide."

Steve Sakamoto-Wengel, the Maryland attorney general's consumer protection counsel for regulation, legislation and policy, agreed and said, "Remember the TJX Companies data breach last year? That was 47 million credit card numbers, maybe more, obtained by hackers just for those purposes."

"A lot of these chat rooms and Web sites are international, based in other countries," Sakamoto-Wengel said. "It's hard to track who is behind them."

Many consumers might not even realize their data have been compromised.

We received Ellerbe's information from Affinion CardCops, an Internet security company that monitors the Internet for compromised data and reports incidents to merchants, authorities and consumers.

CardCops initially pitched me this story about the underground market for identity thieves. When I asked if any Marylanders were affected, it sent me an e-mail that included the complete dossiers of about half-a-dozen Marylanders whose data were compromised. Some included driver's licenses, passwords and PIN numbers; all had Social Security numbers and addresses attached. Worried about handling such sensitive data, I asked Affinion if that was wise. The company said it wasn't giving me any information that wasn't already out there on the Web.

When I called Charles Lyke to tell him what I possessed, the 55-year-old was not surprised.

"I had my identity stolen a couple years ago," said Lyke, who declined to reveal where he lives now or what he does for a living. "It started with weird charges on my PayPal account. I'm not certain, but I think that's where the breach happened. Once they took out $600 from my bank account, which was linked to my PayPal account. Another time, I tried to buy a car, but couldn't get a good interest rate because my credit report was such a mess. Recently, they tried to take more money out, but PayPal stopped them.

"Every once in a while something pops up," Lyke said. "I have to keep changing my passwords. I keep a close eye on all my accounts. I don't share my information with anyone. I don't trust anyone. It's horrible. It ruins people's lives. There is no peace of mind."

While it's too late to save either Lyke's or Ellerbe's data from being sold online, both men and other consumers can take steps to protect themselves.

"You might want to assume that your stuff is already out there," said Dan Clements, president of CardCops, which sells a product that monitors the underground market online and alerts consumers when their personal data pop up. "People who have had their data compromised are potential victims for the rest of their lives."

Security and law enforcement experts advise consumers to be more cautious of sharing their personal data when shopping.

Tap into your Spidey sense. If you don't know the business or Web site, if you find it peculiar that so much personal data are being requested for a sale, if anything feels slightly off, you should probably end the transaction.

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.