Your identity for sale online

Thieves sell credit numbers, more on members-only sites

By John Branton, Columbian Staff Reporter

Published:

 

Did you know ?

• For an extensive look at the underground world of selling stolen credit-card numbers online, visit http://www.justic...>

• When doing business on a web page, perhaps to buy something, watch the page’s URL address. On the page where you would enter your personal information, the URL should change from ‘http’ to ‘https,’ meaning it’s secure, says the U.S. Postal Inspection Service.

• An expert-recommended website service for jobseekers is http://phishbucke..., which helps and protects them.

When it comes to identity theft, experts say many of us have no idea of the Internet Goliath we’re facing.

Sure, we knew there’s an underworld of thieves out there who, hunkered over their computers, hack into ours — or those of major corporate or government data systems — and steal folks’ personal information, sometimes in big chunks.

But thieves also sell those lists of our stolen credit numbers, by the thousands and millions, to other thieves on crooked members-only websites, a panel of experts said earlier this month.

The online black markets, called carding sites, deal in big batches of folks’ Visa-card numbers, PIN numbers and more, Kerry Tomlinson, an investigative reporter with KATU TV News, told an audience on Nov. 4 during Scam Jam 2010, organized by the Better Business Bureau and held at Jantzen Beach Center.

About a dozen experts from agencies and groups including the FBI, U.S. Postal Inspection Service, Federal Trade Commission and Portland Crime Prevention spoke about scams.

You only have to Google “carding” to take a look inside that strange, theft-based etherscape, Tomlinson said.

You won’t like what you see. It’s organized crime on an international scale on websites that also are called carding forums. By the thousands in our area, folks are being victimized, their money stolen, their credit ratings garbled, and they are subjected to big-time hassles to clean up the mess.

Perhaps the most maddening thing is that these carding websites sometimes offer tutorials and kits for those who buy stolen personal information there, to teach them how to make crime pay, and do more of it, at our expense.

One report you’ll find describes http://www.shadowcrew.com, a global website with thousands of members who conducted their business anonymously, using nicknames and passwords, and running their online business through “proxy servers,” separate computers that cover their trails by not revealing the true IP addresses on the crooks’ computers. Shadowcrew operated for two years before being taken down after a yearlong undercover operation by the U.S. Secret Service.

“Shadowcrew members collectively trafficked in at least 1.5 million stolen credit card numbers that resulted in over $4 million in actual losses to credit card companies and financial institutions,” says the report. It was written by Kimberly Kiefer Peretti, a senior counsel with the U.S. Department of Justice’s Computer Crime & Intellectual Property Section.

More such websites sprang up after the bust of Shadowcrew in October 2004, including one calling itself the International Association for the Advancement of Criminal Activity, Kiefer Peretti wrote. Some high-profile carders have been based in Eastern Europe, she wrote.

The problem of ID theft remains big, organized and out of control, experts said.

“You can never fully protect yourself from ID theft,” said Kyle Kavas, the BBB’s Oregon public relations manager.

“You may not have done anything wrong,” Tomlinson said. “It’s probably going to happen to you at some point.”

But there are things we can do to defeat many scammers, the panel said.

Let’s say your credit card is stolen. You’ll need to call the toll-free number on the back pronto to have your account taken down, but now the thieves have the card. To prepare for such a possibility, enter the number in your cellphone contacts, an expert said, and “keep your phone on you.”

When it comes to your credit cards, watch for crooks’ data skimmers placed on gas pumps, which has happened in Vancouver. And don’t let restaurant servers take your card out of your sight where they can skim it. Instead, keep hold of your card and meet servers at the counter.

You can also check your account statements, and those of your kids who have cards and can be victimized. And call the three major credit agencies now and then, to look for unauthorized purchases and, if necessary, flag your account for extra security.

It’s a bad idea to carry your Social Security card in your wallet, which could be lost. You should also check your medical cards to see if they bear your Social Security number.

Basically, experts said, treat every bit of personal information like gold — on the phone, in e-mails and in the postal mail — and keep it out of the hands of crooks who might want to “cobble” together enough to establish a false identity, make illegal purchases and empty your accounts.

These days that’s necessary, particularly for senior citizens who grew up in a world where more people could be trusted, said Walter Yohn with the Postal Inspection Service.

Now we’re being “bombarded” with phony sweepstakes, lottery scams and worthless counterfeit checks.

And with jobs scarce, job scams are all too frequent, experts said.

Experts said people looking for employment need to do research on online job offers, making at least three independent checks on each one.

In what’s called ‘phishing,’ scammers can easily copy a legitimate employer’s logos and typestyles onto an e-mail or bogus website, then pose as the legitimate company.

One way to check is to contact the company yourself, directly, not by clicking on a proffered e-mail link or calling a phone number in an e-mail.

Instead, look the company up yourself and ask for the human-resources department.

Many of these job offers are bogus, the experts said.

And don’t give out your Social Security number or bank account numbers until you’ve made sure it’s for real.

And never click on a link in an unsolicited, unverified e-mail, they said. Doing that could allow unexpected things to root into your computer, such as a “torpig,” Tomlinson said.

According to http://www.ehow.com, “Torpig is a type of malicious software that is installed onto your computer system without your consent when you open up an infected e-mail or attempt to install an infected program. The Torpig software logs each keystroke you make and scans your computer for specific types of text documents to try to steal your passwords and personal information.”

Experts say Internet security protection including updated antivirus software, firewalls and more is costly. But with torpigs, worms, viruses, Trojan horses, botnets, malware, spyware and crimeware on the loose, it’s worth it in these larcenous times.

John Branton: 360-735-4513 or john.branton@columbian.com.