As if it wasn’t disturbing enough that identity thieves are working around the clock to get their grubby paws on your credit card numbers, a recent investigation found that some brazen hackers are now angling to make off with consumers’ entire credit files. The methods they use show how poorly protected our data is — even by the companies we trust to safeguard it.
Overseas websites, many located in the former Soviet Union, host online bazaars where hackers buy and sell stolen data. They also swap tips for cracking into supposedly secure systems like CreditReport.com, a site owned by credit bureau Experian, and AnnualCreditReport.com, which is overseen by the Federal Trade Commission.
Even if they possess stolen personal information, identity thieves are supposedly thwarted by a series of multiple-choice questions intended to prove that you are who you say you are. The site may ask, for instance, what bank holds your mortgage or what street you lived on previously.
The trouble is that most sites use the same set of questions, so hackers can pretty much guess the answers by process of elimination. MSNBC.com’s Red Tape Chronicles blog, which raised the alarm about credit report theft, even shows a screen shot (truncated in order to be legible) that offers step-by-step instructions for how to do this. Armed with a stolen credit report, criminals have enough background information to open all sorts of new accounts in your name, which can be such a headache to resolve that some victims pay out of their own pockets for credit freezes.
It’s no wonder consumers are frustrated, says Geoff Webb, director of product marketing at Credant Technologies. “We have no direct control over the security of these online services, nor is it easy to know who has information about you,” he points out.
What’s scariest about this is that crooks aren’t hacking company networks, like the data breach with Visa and MasterCard third-party processor Global Payments last week. They’re exploiting the security loopholes of legitimate websites — one of which is overseen by a government regulatory agency — that are operated by the bureaus which have built an enormous business out of cataloging and quantifying every detail of our financial histories.
What should bureaus and the FTC be doing in response? “The long term solution is to have a far more robust, and globally accepted, way of proving identity online,” Webb says. Unfortunately, the infrastructure and technology to create and manage something like this don’t exist yet. “Until then, we’re stuck with approaches developed decades ago – approaches that clearly have their limitations,” he says.
What exactly these organizations are doing is far from clear. Credit bureau Experian, which owns one of the sites specifically mentioned as a hacker target in the Red Tape Chronicles, was vague about its efforts to thwart report thieves. “We have taken measures within our systems to help mitigate the issue,” spokeswoman Susan Henson said in an emailed statement, adding that the company will “not comment publicly on the specifics of our fraud prevention methods.”
The FTC was even more tight-lipped. “I can neither confirm nor deny that we are investigating this matter,” spokeswoman Claudia Bourne Farrell said via email.
Neil Roiter, director of research at Corero Network Security, says there’s no excuse for security holes big enough to drive a truck through. “Credit report providers must implement deep, layered security controls to protect the information with which they are entrusted,” he says. Roiter doesn’t let the FTC off the hook, either. “Oversight agencies should push for rigorous security efforts,” he adds.
Adam Levin, co-founder and chairman of Identity Theft 911, also warns that many of us unwittingly give hackers personal information. “Public records, online profiles and blogs, as well as social networking accounts provide criminals with a nice supply of information in order to get through the authentication process,” he says. Take a look at your Facebook page. Could someone figure out, say, your mother’s maiden name or where you went to high school? If the answer is yes, you could be putting yourself at risk.