When you apply for a loan or try to recover your lost e-mail password, you'll often be asked to give information about a long-ago address, employer, or bank account. You might also be asked for your Social Security number or driver's license. The idea is that only the real you would know such obscure details about your past.
This system, known as knowledge-based authentication, is a convenient way to verify consumers, but it has a fundamental weakness: it treats as secret facts that are routinely collected and resold by data brokers. Anyone with access to a comprehensive database of that information can answer the questions as well as you can, and so can impersonate you.
That is no longer a theoretical risk. On Wednesday, journalist Brian Krebs published an investigative report indicating that hackers compromised the networks of major data aggregators and have been selling the stolen information online.
The site is called ssndob.ms (SSNDOB), and for the past few years it has marketed itself to cybercriminals as a broker of Social Security numbers, birth records, credit reports and background reports on millions of Americans. It is essentially an identity theft service: for a few dollars, paid in anonymous virtual currencies such as Bitcoin, it sells personal information that can be used to commit fraud.
Earlier this year a group of teenage hacktivists demonstrated how deep the service ran by using it to expose the personal information of about a dozen people, from celebrities like Beyonce and Kanye West to public figures like first lady Michelle Obama and CIA Director John Brennan. Those postings resulted in executives at Equifax, Trans Union and Experian acknowledging that their systems had been breached by individuals who used that data to defeat the companies' knowledge-based authentication processes.
Until Krebs' reporting on Wednesday, it was not clear how SSNDOB obtained the information it sold to identity thieves. Krebs obtained a copy of the SSNDOB database and, after analyzing the networks, activities and credentials used by its administrators, determined that they were also running a "small but very potent botnet." That collection of hacked computers included at least five infected systems inside U.S. consumer and business data aggregators.
Based on the information Krebs discovered, it appears that among those affected by the breaches were LexisNexis, which operates the world's largest electronic database of legal and public record information, New Jersey-based data aggregator Dun & Bradstreet, and a background check company that is now part of HireRight. Files related to the infection suggest that in some cases they had access to internal systems for months. So that's one way they may have accessed a lot of information about a lot of people.
The FBI confirmed to Krebs that it is looking into the breaches. A vice president at LexisNexis parent company Reed Elsevier told him the company "identified an intrusion targeting our data but to date has found no evidence that customer or consumer data were reached or retrieved," but could not provide further information because the matter is the subject of an active investigation. The other companies were less willing to discuss the issue, though both told him that data security is a company priority.
While it is good to have data security as a priority, this is not the first time data aggregators have suffered major breaches, and it probably will not be the last. Krebs himself reported on a similar incident involving LexisNexis in 2005 while working for the Post: five individuals ages 19 to 24 were arrested for a database breach at LexisNexis that reportedly led to the theft of records on more than 310,000 people. In 2009 the company also warned 32,000 people that their personal information may have been accessed as part of a credit card fraud scheme.
Obviously, the entire identity theft and fraud industry cannot be blamed on data aggregators. But the breaches identified by Krebs, and those in the past, show the real danger of collecting all of this personal information in one place: a single database that can answer anyone's "secret" questions is a very attractive target for criminals.