> The seller told Motherboard that 100 million people had their data compromised in the breach. In the forum post, they were offering data on 30 million people for 6 bitcoin, or around $270,000.
Is it possible that one day the market for SSNs and other private data will become so saturated that exfiltrating such data becomes unprofitable?
On a slightly more serious note, is anyone aware of a compilation of prices paid for such data? I'm imagining something like a Consumer Price Index [1], but for stolen private data. Maybe far in the dystopian future inflation will make life harder for hackers.
That's one way of looking at it, the other is that the financial system itself begins to fail under the volume and price of fraud.
Ransomware ransoms have increased massively. They were often a few thousand dollars only a few years ago, now often hear about $50m+.
On the smaller scale, SMS/email phishing has got absolutely enormous in volume too. Banks and credit card providers are refunding hundreds of millions (if not more) in fraud, in what is actually a very low-margin business (retail banking). It genuinely could threaten the ability of banks to continue operating retail banking services if it continues to grow almost exponentially.
> It genuinely could threaten the ability of banks to continue operating retail banking services if it continues to almost exponentially grow.
Preventing this kind of fraud is a solved problem. The reason it still happens is that banks are forced, through competition, to minimise "identity proving" burden for consumers, in a "get credit now with instant approval!" kind of way.
At the moment we're stuck in a "marketing armageddon" of banks competing with each other by not properly verifying identity before granting credit or transferring away money. This seems to me like a Tragedy of the Commons.
If, across the board, people were required to prove their identity properly before banks rely on them, then the problem would go away overnight. It'd be a bit more tedious for consumers, but I don't see how that would cause banks to fail. The cost would merely move from fraud to identity verification.
Perhaps some people wouldn't be sold credit that they can't afford, but I don't buy that such people are keeping the banks afloat. Before banks stop operating retail banking services, I'm sure they'll just start actually verifying identity properly to keep that market.
As someone in the banking industry, this is the "right" answer. When I got started in banking I was pretty shocked about how easy it was to "authenticate" yourself to open a bank account. For example, this breach has pretty much all the things needed to open an account in someone else's name: Name, SSN, DoB, Address. That's pretty much all the KYC services use for validating an account application.
There are, of course, easily added forms of additional verification - for example, Stripe just added their Identity service which lets you take a picture of your driver's license and then match the image against a selfie. But that puts "friction" in front of the application process, so most banks don't do something like this unless other signals make them think the application has a high fraud risk.
If basically everyone's Name, SSN, DoB and Address is easily viewable public info, this will all change.
On the other side of that, there is such a thing as too much friction.
Shortly before BBVA closed them, I was in a back-and-forth to open an account with Simple.
First, my ID was too shiny, then it wasn't black and white, then it wasn't color, then they wanted a picture of my apartment building, then ...
it was just on and on and on for three weeks. It got to the point where I asked what exactly they wanted and they literally told me that they cannot tell me because it would allow me to commit fraud. I asked if I could talk directly to their fraud team to figure out what exactly: nope. Can't do that, they can't talk to you.
So I was expected to either read their minds or play infinite whack-a-mole with them where they say one thing in one email then say the opposite in the next.
Yes, no problem with that. Eventually a long standing established digital identity is needed. Provided by anyone, state, bank, etc. Opening a new one should be easy though, but risk assessment should be done at every step (as the account gains new trust in whatever system).
Security doesn’t appear on a balance sheet, but security expenditures and related depreciating assets certainly do appear. A classic example of measuring the wrong thing.
If you can explain to me how a monthly service where payment is required in full every month requires a credit agreement, I'll (don't know, do something crazy like eating my hat) - this is the standard service provider contract, for some reason it is considered a credit instrument and can land on your credit report.
That being said, you are right, there are prepaid options and postpaid with a deposit ($50) that can put you outside of this SSN requirement on T-Mobile. I guess you have to know to ask for them. It is for credit, that's the only reason they can ask for your SSN.
Everything is credit based now, and for some people their phone bill might even be their first positive (or negative) mark on a credit score rating.
It's credit because, regardless of whether you pay in full every month, you receive the service before you make the payment. That opens up the service provider to the risk that you'll ring up a huge bill and then skip out on the payment, and all of the rules around credit are designed to mitigate this fact.
The standard service provider contract you mention (in the US) is "postpaid": you pay at the end of the month for the usage you had during that month. This is credit: you use the service, then pay after for what you used. That's opposed to "prepaid" service, where you buy "minutes" or "data" before use, and must manually buy more if you run out.
I have been through many phone sales and the postpaid model does not always have to account for price variability. There are plenty of fixed cost plans with unlimited calling. They will still ask for your social security number and try to make you a new credit account before they tell you there is a deposit option possible.
I have no idea why it would be to the advantage of a business like T-mobile to get you on a postpaid plan when there is no possibility of running up your bill. It's still the option they push on hardest when you walk up to the storefront.
The credit model is the default model. That was my point. I don't know that I had a point.
You shouldn't need to maintain a credit account just to keep a phone number, but I guess it's real estate and that's valuable, they will put it back into the pool if you ever stop paying the bill. I haven't had to deal with these kind of problems myself for a long time, but the pain is still fresh.
> The reason it still happens is that banks are forced, through competition, to minimise "identity proving" burden for consumers, in a "get credit now with instant approval!" kind of way.
The best solution would be if the US introduced mandatory passports or other forms of ID cards with smartcard capability, similar to the German Personalausweis. It has a secure cryptoprocessor with key vault, meaning it can be used to sign documents (if the bureaucracy to get a signature CA weren't completely stuck for years now, SIGH), but especially companies willing to use authenticated data can fetch them securely over any NFC-enabled terminal. Quite ingenious.
This would entirely kill ID fraud at the source. The problem only seems to be an aversion in some parts of the US population against ID documents.
I don’t think you’ll see this happen in the US any time soon, literally because of a Bible verse: Revelation 13:16-17 (King James Version):
16 And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:
17 And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.
It’s not talked about a lot here, but this verse is the go-to for many flavors of Christian politics in the context of federal law and national identity.
The pathetic irony is that intelligence services and dozens of corporations have already done this. So we citizens, err consumers, have all of the downsides and none of the benefits of authenticity.
In addition to the sky faerie grifters, the anti-rationality mentats categorically oppose allowing government to govern.
The problem is the US would first need to grow the political will to ban most businesses from demanding and then long term storing that ID. As it stands right now, for needlessly invasive things like supermarket discount cards you can just give them a bunch of fake info, and get a new nym every year or so to make your history less useful. But with an unrestricted smartcard ID, there would be no escape from the commercial surveillance web. Something like the GDPR is a hard requirement before stronger identification is palatable in the US.
> The best solution would be if the US introduced mandatory passports or other forms of ID cards with smartcard capability, similar to the German Personalausweis. [...] This would entirely kill ID fraud at the source.
Sure, fake or stolen passports and (often preliminary) ID cards from public offices exist and are traded on the darkweb, but ID fraud is so rare it's almost unheard of compared to the rampant fraud in the US.
I think part of it is deregulation in the USA too. As has been mentioned it is sooo easy to sign up for credit cards because banks want citizens drowning in debt. When I lived there I got like 4 credit card applications in the mail per day; every store has its own credit/rewards card; every company has the same idea to extract as much wealth from citizens at the expense of their good health.
All of this fraud is an extension of that deregulation, which leaves people exposed. Frankly a slower moving economy is probably BETTER in the long run, but it’s all numbers and figures nowadays. People are reduced to an SSN number.
No. Doing so in a way that is intentionally designed to be more difficult for disadvantaged groups to fulfill so that they do not participate in the democratic process--that is not "considered" racism, it is racism.
But you know that. It must be hard to be so aggrieved.
> intentionally designed to be more difficult for disadvantaged groups
Why is obtaining an ID "intentionally designed" this way. Don't you need to get a driving license to drive? A passport to re-enter the country? Do disadvantaged groups not get driving licenses?
> Why is obtaining an ID "intentionally designed" this way.
Because when you make the places to get them few in number and difficult to get to, then make the lines to get them very long, you create hurdles for people who have jobs that are not overly friendly towards long or variable absences.
This is intentional, much as many places in the United States have reorganized voting locations to themselves be difficult to get to. Disenfranchisement is intentional.
> Don't you need to get a driving license to drive? ... Do disadvantaged groups not get driving licenses?
Many in the United States live in urban areas where they're not required and where they may not be economically feasible. (These folks tend not to vote for the people who are pushing ID requirements.)
> A passport to re-enter the country?
The set of Americans who never have cause to leave the country is very large.
I've never seen the problem explained this way. Thanks for helping me to understand. Seems like we could "fix it" if there was some way to make obtaining the IDs easy and quick. I doubt there's a solution for that, however...
There are ways, but they would require the cooperation of the political actors who don't want people whose votes they do not have--and, more generally, who they appreciate being at the mercy of the police in very actionable ways, which is the other issue with a lack of identification.
I'm still kinda shocked that it took so long to get chipped credit / debit cards in the US, and the fact that credit cards still don't have pins...
Most of the online transactions I do with my credit card in Europe require me to verify them via some approval app (often the bank's own app) before they're submitted.
But I guess it's more profitable to just let US folks spend spend spend and rack up huge debt burdens. The interest is probably higher than whatever anti-fraud efforts cost them at the moment.
I think you would be surprised how much fraud still happens with strong identity protections.
Here in the UK strong customer authentication and strong proof of identity is a requirement in law, breaching it lands you in significant amounts of hot water. So at the bank I used to work at, identity theft was pretty rare and only made up a tiny fraction of the fraud we saw.
A much bigger share of the pie, and the area that we really struggled with, is customer authorised payments. The customer gets socially engineered into parting with their cash, and as a bank we're expected to reimburse them if we can't prove that we didn't take steps to detect the scam in progress and prevent the customer making the transaction.
Doing that has “economic costs” too. I have seen both the models. In the US, you can walk in to a dealer and walk out with a car. Elsewhere, you usually get your preapproval before you start car shopping. Then usually you have to go to the bank to close the paperwork and get the car in a few days to a week. It’s for the best in general. But it’ll make people make more informed decisions and that’ll reduce the spending.
And proper identity verification - like looking at the document in person - also has downsides. It still can be forged. Just a little harder than what we have. (Other countries with mandatory physical KYC and a wet signature still have fraud issues.)
Overall I think it’s a lot of added cost and inconvenience for a slightly better benefit.
As a counterpoint, I recently tried to sign up for a store card to take advantage of promotions on a large purchase. I was not approved- apparently because “my phone number could not be validated”. This even though I had my drivers license, ssn, and spoke personally with a bank representative. Weird.
Can't comment on why the other things weren't enough, but do you have a "real" phone number or is it VoIP? I was unable to verify my Twitter account until I contacted support, nor could I get the IRS website to take my number when doing taxes, and I think the reason is that my (small) carrier uses VoIP: https://help.republicwireless.com/hc/en-us/articles/36002509...
The US system of credit reporting and associated ease of establishing credit is like super convenient. But it's largely based on trust. There isn't a whole lot of identity verification, and there are a lot of parties in the system that take identifying information at face value and run with it.
This is nice when it's actually you, but it's a giant PITA to unravel when it's not. My spouse's name and SSN was used to rent an apartment in Oakland, as well as attempts to open credit cards at the apartment address (thankfully they tried to open an account at Amex but she already had one there and they called to confirm; at least one issuer said they were likely to approve). We were able to get all the credit applications denied/cancelled, but the rental lease is harder; the leasing office says they can't do anything without a criminal complaint and Oakland PD won't talk to us.
I don't want to contradict your experience, I'm sure it's real as you describe it.
Are you aware that California Penal Code sections 530.5-530.8 require the law enforcement agency in the area of an identity theft victim to take a police report?
If you call them, they ask you to fill out a report online. If you fill out a report online, they don't appear to do anything with it.
Also, we're not in California. We reported to our local PD, who did call us to get additional information, but obviously isn't going to spend a lot of time on something they can't do anything about. Oakland PD could presumably visit the apartment and see who's there or something.
Most of the things you're supposed to do revolve around documenting things (which allowing a police report does), so that when these accounts get reported on credit reports later, you can contest them and they'll be dropped. But in the mean time, there's nothing to be done about a fraudulent lease.
Good! Maybe then the government will actually start to care once the lobbyists start to ask for help.
The downside is that the "help" will probably just consist of funneling more taxpayer money to large shareholders and execs, while banks figure out ways to dodge liability without actually solving the problem.
Different parts of government. Legislators, especially, need to care about digital identity. They don’t care enough yet (see the copy pasta below; the rest of the FCW piece talks about how identity legislation has been punted to fall Congressional sessions).
Maybe banks have to bleed more (Reg E mostly protects consumers from this fraud exposure) before they’ll come willing to regulators asking for it. If that’s the path to success, it’s a shame but not surprising.
“A draft version of the Senate infrastructure bill, which was obtained by FCW, included $500 million for the Department of Labor to institute a grant fund to supply states with digital identity proofing tools that are compliant with National Institute of Standards and Technology to combat fraud in unemployment insurance benefits.
In addition to the program administered by the Labor Department, the draft legislative language called for the Office of Management and Budget to develop a plan for federal digital identity verification, including an inventory of current efforts and a study of the feasibility of establishing a governmentwide system that provides equitable access to users of government services and protects privacy. There was talk in the administration and in the Senate of adding $3 billion in funding for governmentwide identity solutions as part of the infrastructure bill.
Instead, the entire section on program integrity covering the digital identity grants program and the OMB policy push was removed from the bill before it came up for a vote and was not offered in any of the amendments that came up as the bill was debated on the Senate floor.
The White House and various Senate press offices by and large did not respond to emailed questions from FCW about what happened with the digital identity section of the bill.”
Is the government required here [0]? Could commercial operators not improve their own security through their own investment and taking it seriously? If ransomware hits them in the chequebook where stolen customer data didn't, then they might find that quite motivating?
The government is the final arbiter in a bunch of cases you care about. Whether you are (for example) a US citizen is not a decision for T-Mobile, or Amazon, or Walmart, or Delta, that's up to the US government†
The government (and not private corporations) tracks births, deaths, immigration, emigration, and of course it chooses to issue identity paperwork.
In general the closest commercial entities like banks can do is identity matching. So e.g. maybe Bank A asks you "Hey, do you have, like, a mortgage? Who with?" and you pick Bank X from the list of six options and OK, either that's a lucky guess or you know that "you" have a mortgage with Bank X.
This is pretty poor, it's something, but it's not very much, it's up there with Facebook's "Here are some pictures of people, which of them is your friend?" which of course falls down when either: You "friend" people you don't actually know and wouldn't recognise; or your "friends" don't like Facebook having accurate photo data and intentionally mislabel random other people or things with their name...
And as with the Facebook thing it breaks in surprising and hard to reproduce/ demonstrate ways. Maybe you think of this as your Big Bank mortgage, but if you check the small print it's actually a Different Bank mortgage, that Big Bank are re-branding, and so you just picked wrong.
So yes, in practice government is where this would get solved, if you've any appetite for solving it.
Is it possible that one day the market for SSNs and other private data will become so saturated that exfiltrating such data becomes unprofitable?
The revenue isn't 6 BTC. It's 6 BTC * however many people are willing to buy at that price. More suppliers would surely drive the price down, but at this point there are probably tens of thousands of people who'd buy if the data was cheaper, so it'll remain profitable for a long time.
> FULLZ: Slang for a full package of personal information connected to an individual, fullz provide enough information for a criminal to steal and profit from a victim’s identity. Fullz generally include the victim’s name, Social Security number, date of birth, account numbers, and more.
> REPRESENTATIVE SAMPLE OF 2019 FULLZ PRICING IN USD
> 2018 credit card and fullz from service industry $10
> Cashing out bank accounts and fullz empty it $4
> EU/Asia/UK credit cards / fullz $860
> $20,000 bank loan cashout using fullz $30
> Fullz SSN - DoB $5
> REPRESENTATIVE SAMPLE OF 2019 IDENTIFICATION DOCUMENTS AND PRICES IN USD
Yeah, a less liability-inducing and common thing to do is to use these to make accounts at exchanges and private equity that exclude people from your country.
Usually US and China and the OFAC list are excluded due to differing regulations.
Nobody knows or cares: the financial institution, the capital raiser, the person with their ID used.
You’re just trying to get into some presales or trade derivatives, and that doesn't have criminal liability.
Tell that to Carvana. This is their method of identification when they deliver a car. I told them I would just show the driver my license when he got here. Nope, they wouldn't do that.
Terrible company IMO. I ended up not doing a transaction with them and they wouldn't delete my data from their systems. Companies are just asking to be hacked when they store all this unnecessary data for people who are not even their customers.
Not to mention that it's somewhat pointless as a method of verification in the first place since you can't exactly check the validity of an ID in a grainy selfie.
> Is it possible that one day the market for SSNs and other private data will become so saturated that exfiltrating such data becomes unprofitable?
Not before the bevy of PII data points can be integrated into larger and larger datasets describing _individuals_.
Right now if you breach one database, you have one ‘snapshot’ of the elephant. Add more and more data, and soon you can make connections between private and public information.
What then? You could model a lot of information.
What street were you born on? First school? Early childhood friend?
No, because people who get compromised will eventually put in place anti-fraud measures, effectively giving stale data a half-life and at the same time creating new targets.
Not really. The prices of leaked data are already at rock bottom.
People can do very lucrative things with your identity that don't cause any liability to you. This may be more common than the horror stories, and there is no way to collect the data.
Think about it, someone shut out of the credit system uses your identity and gets a credit card and helps improve your credit score. Many people might see the unfamiliar line and just not bother, many people would never notice.
Think about things which wouldn't get reported: you would never know if someone had opened another checking account in your name, right now.
What about doing ID verification at an exchange merely to pass know-your-customer and anti-money laundering requirements to get greater withdrawals? Innocuous, as all account holders have to do that.
Yeah some people are probably getting framed.
It's more likely that this gets investigated properly and shocks everyone into repealing some money-stigmatizing laws, since the wrong people are getting indicted.
[1] https://www.bls.gov/cpi/