Security Watch

Keeping track of patches and hacks in the IT security world.

Stolen Identities Selling for Cheap

The personal price of having one's identity stolen can be high. But the price for buying that identity isn't.

A look at underground sites revealed stolen American credit cards can go for as little as 80 cents, Hugh Thompson, program committee chair of the RSA Conference, told eWEEK. But just as interesting is the other data that is for sale.

This data, Thompson said, includes not only credit card numbers, but also Social Security numbers, detailed banking information, log-ins, password reset questions and "anything else you'd need to appropriate an identity or clean out a bank account."

"What's becoming more common is this biographical data that you can buy," he said.

Records are typically stratified impersonally; usually the only thing that matters is location, account type/balance and the level of detail for a particular record, he noted. A record is worth more if there are details given beyond a credit card or Social Security number, such as date of birth and address. In addition, a record is valued based on the type of account and country of origin (U.S. credit card numbers are typically least expensive), he said.

The value of a record also varies "based on confirmed balances: In some cases cyber-criminals will actually do some legwork to verify card and account balances and then stratify their stolen data into bundles," he explained.

Typically, text-based ads are used to highlight what is available, as opposed to operating an eBay-style site for cyber-thieves, Thompson added.

"Usually you can't just go in and buy one item either," he said. "They usually are sold in blocks of a hundred, especially when you're dealing with stolen credit card numbers."

Just how much of the responsibility for protecting identities belongs to individual users as opposed to the security industry is an open question. But what is clear is that users need to educate themselves and "really think about the information they're making public," said Brendan Ziolo, vice president of marketing at Kindsight, a security company that works with Internet service providers.

"It's so easy to get answers to a lot of these password reset questions or guess someone's password based on public info on their Facebook profile," Ziolo said. "So users obviously have to take a certain responsibility. But I think the security industry and also service providers can play a very active role in helping to make updating easier, right, if we are talking about security software or the patches you need to install."