There are forums on the internet called Carder sites where people post ‘I have 3,000 clean American cards for sale’ and such information is bought and sold. Such sites come and go, within the last few weeks a big one was taken down. They also move drugs and identity theft information. Some of the information is gained through card skimmers installed on point of sale terminals, such as what happened to Barnes & Noble and to Nordstroms, but also at gas pumps and ATMs. Some is obtained through server compromises, such as happened to TJ Maxx a few years ago where criminals roamed their network with impunity and undetected for months, sniffing credit card information by the bucketful.
Then there’s the criminals that get it directly from Experian and Lexis/Nexis.
There are three major credit bureaus in the U.S., Experian is one of them. Through a third-party vendor connected to their data, criminals paid for an account with Experian, posing as U.S. private investigators, while they were based in Vietnam and they paid for the account with wire transfers from Singapore. No red flags there, no siree!
The criminals had an Experian account for a year. So clearly Experian was doing zero due diligence to make sure their systems were only being accessed by the people who should be accessing them. As long as the checks came in, they didn’t care. The criminals had everything on people that would allow them to do a full impersonation: name, address, social security number, mother’s maiden name, job info, bank account info including routing numbers, etc. The indictment of the head of the operation alleges that they bought and sold information on half a million people. Secret Service lured him out of Vietnam to Guam where he was arrested and moved to New Hampshire where he’s facing 15 criminal counts that could amount to basically a life sentence if he’s convicted on all counts.
The greatest irony is the fact that Experian claims they are data breach experts and sell credit monitoring services to observe to see whether your info is compromised.
Last month Krebs broke a story of how LexisNexis, Dunn & Bradstreet, and a service called Kroll were compromised by identity theft criminals. LexisNexis is an invaluable tool for attorneys, but also for crooks. It’s also a pay-for service, but apparently free accounts are given to law students all over the country, and one such inactive account was compromised to gain access to the service for criminals. Again, all the information that you’d need to impersonate someone or get credit issued in their name was available through their service.
The way this compromise was discovered is kind of interesting. The information was found on a criminal web site called SSNDOB which sold the info, their site got hacked and plundered by other hackers, and their database was posted publicly, the records had a field that showed where it came from, with codes such as DNB, LX, etc. Quickly a botnet was discovered and everything was unraveled.