Hackers access databases searching for personal information that can be extracted and misused or traded to fraudsters for purposes of identity theft. We look at how your identity and ultimately your clean credit file can be put at risk. By GRAHAM DOESSEL.
It’s Saturday night in Las Vegas. Thousands of pairs of shoes sit neatly in boxes on warehouse shelves in the dark. The store’s customers and staff are at home enjoying their evening. In the credit information office, the lights are off, the filing has been done. But in the dark, thousands of the store’s computers are being remotely accessed by hackers.
The personal information of the shoe store’s customers is likely being transferred. It is likely this information will now be sold on the black market to fraudsters. This information could now be used to further attack those unsuspecting customers. Those customers could now be a target for identity theft and receive phishing emails in order to get further information from victims, including the credit card number.
This may have been how the saga transpired for shoe company, Zappo.com on the weekend. In a story from the Sydney Morning Herald this morning it was reported that on Sunday Amazon.com owned shoe retailer Zappos.com announced it was hacked. Hackers broke into the credit card database. Up to 24 million of its customers’ personal information may have been accessed. The company said customers’ credit card information was not stolen, but names, phone numbers, email addresses, billing and shipping addresses, along with the last four digits from credit cards and more may have been accessed in the attack.
Here is an excerpt from that story, titled ‘Zappo’s customers details walk out the door’:
It is not yet known how hackers gained access to the database or if a zero day exploit was used, but a security expert said it is likely customer data will now be sold in the cyber underground.
Robert Siciliano, a McAfee consultant and identity theft expert, told Mashable he expects whoever hacked Zappos’s site to now sell the data to people who run phishing scams.
“They’ll sell it 10,000 accounts at a time, short money, like $100,” he said adding there is enough information for a hacker to approach affected users as either Zappos or the credit card company and then ask them for more data — the classic phishing scam — which might be supplemented with a voicemail “vishing” attack as well, Mashable reported.
Zappos said it was contacting customers by email and urging them to change their passwords.
Las Vegas-based Zappos said the hackers gained access to its internal network and systems through one of the company’s servers in Kentucky.
And in the news last week, we get an insight in to the type of crime ring that hackers may sell this information to. AFP report titled ’50 held in Puerto-Rico based identity ring’.
The U.S. Justice Department announced late last week it has charged 50 people with conspiracy in a scheme to acquire personal identification information on US citizens in Puerto Rico and then sell it through fraudulent documents.
Typically, the documents consisted of forged Social Security cards and birth certificates. They were sold for prices ranging between $700 and $2,500.
The documents were sold from April 2009 until December 2011 to buyers throughout the United States.
“The alleged conspiracy stretched across the United States and Puerto Rico, using suppliers, identity brokers and mail and money runners to fill and deliver orders for the personal identifying information and government-issued identity documents of Puerto Rican US citizens,” said Assistant Attorney General Lanny Breuer in a statement.
The indictment alleges that identity brokers ordered the forged documents for their customers from Puerto Rican suppliers by making coded telephone calls.
They would refer to “shirts,” “uniforms” or “clothes” as codes for various kinds of identity documents.
“Skirts” meant female customers and “pants” meant male customers who needed documents in various “sizes,” which referred to the ages of the identities sought by the customers.
Payment was made through money transfers while the documents were sent by mail.
Some of the persons receiving the forged documents used them to obtain drivers licenses, US passports and visas, the Justice Department reported. Others are accused of using the documents to commit financial fraud.
Sure this crime went on in the U.S. but it couldn’t happen here – could it?
Well, to begin with – how many Australians have credit card details registered with Amazon, for example? We might live on an island, but U.S. crime can always reach our shores via the internet. Just look at the Sony PlayStation saga as a specific incident of how our details are not immune to theft on overseas shores.
With identity theft being the fastest growing crime in Australia – it seems criminals here will be hot on the heels of the U.S. with newer, better, more sophisticated ways to get something for nothing.
Interestingly, many hacks are actually not instigated to commit identity theft, but are statements to different industry bodies. For example the recent Robin Hood-style hacking of Texas security analysis company, Stratfor on Christmas Eve. Hackers obtained thousands of credit card numbers and other personal information from the firm’s clients and started making payments to several charities.
“The assault was believed to have been orchestrated by a branch of the loosely affiliated hacker group called Anti-Sec and appeared to be inspired by anger at the imprisonment of Bradley Manning, the US army private accused of leaking US government files to WikiLeaks. An online statement from the group said the attack would stop if Manning was given ”a holiday feast … at a fancy restaurant of his choosing”,” the Brisbane Times reports.
MP Malcolm Turnball and billionare businessman David Smorgon were amongst the victims who had relatively small amounts extracted from their credit card and donated to charities such as Save the Children, Red Cross and CARE.
But for those hackers whose main aim is to extract details from databases and onsell them to fraudsters – we should all be very wary. And unfortunately, there is always that element of doubt about the security of our personal information in company databases.
A leading fraud expert made this suggestion for online credit card use:
In a story the Courier Mail featured in October last year, titled ‘Queensland Police Fraud chief Brian Hay calls for banks to bring in credit cards that can only be used in Australia to stop cyber-crime’, Det. Supt. Hay made some valid suggestions about how Australians can protect themselves from this type of fraud. One included for shoppers to have a credit card specifically for online purchases with a small credit limit. This is good advice to follow to prevent having large amounts extracted from credit cards if the companies with those details are ever hacked.
Unfortuanately, it doesn’t stop identity thieves ‘phishing’ for further information on their victim for purposes of full-blown identity theft.
If credit is taken out by fraudsters in the victim’s name, they can end up with defaults on their credit file – and this is not easy to recover from. First the victim has to prove they didn’t initiate the credit themselves. This would require documentary evidence and Police reports. But the identity theft victim would be virtually banned from obtaining credit until they are able to wade through the mess that has been created for them on their credit report, and clear their good name.
For help with credit repair following identity theft, contact MyCRA Credit Repairs on 1300 667 218 or visit our main website www.mycra.com.au.