*OT* But might be important to some........
Huge identity theft uncovered
Files with Social Security and driver's license numbers
pasted in chat room; possible link to cell phone applications
By Bob Sullivan
MSNBC
July 25 - Key personal data belonging to hundreds of individuals have been
shared in an Internet chat room, in what one expert says could become one of
the largest identity theft cases ever. The data include Social Security
numbers, driver's license numbers, date of birth and credit card information
- everything a criminal would need to open an online bank account, apply for
a credit card, even create the paperwork necessary to smuggle illegal
immigrants. It is still unclear how the data ended up in the chat room, but
an MSNBC.com investigation has revealed common threads among the victims -
including the purchase of a cell phone online from VerizonWireless.com or an
AT&T Wireless reseller.
ACCORDING TO A SOURCE who requested anonymity, the customer data
started flowing July 14 and continued at least through July 22. It's unknown
just how many records were published, but at one point new records were
flying by at a rate of two per minute.
The source provided MSNBC.com with a two-hour slice of log files from
the chat containing information from about 50 people. MSNBC.com attempted to
talk with all of the people named and interviewed 29. Of those, 17 said they
had ordered wireless services online, using the Web site of Verizon
Wireless, a joint venture of Verizon Communications Inc. and Vodafone Group
PLC. In each case, the victims had ordered service between December and
April, and in almost every case, the victims lived in Illinois or Indiana.
The form of the data pasted into the chat room connected to those 17
victims exactly matches the form used by potential customers on
VerizonWireless.com when they fill out the credit check application.
Detailed information, such as driver's license and Social Security number,
is necessary so the company can perform a credit check before issuing a
phone.
Verizon Wireless spokesman Jeff Nelson said the company was
investigating the incident, but declined to offer further details.
"We take the security of our customers' information extremely
seriously," he said. "Whenever we hear about a remote possibility that there
has been any kind of intrusion into our system, we quickly move to
investigate and work with our customers to rectify any possible damage."
Nelson declined to say which credit agency Verizon Wireless uses to
verify applications filled out on the company's Web site.
Eight other chat room victims interviewed by MSNBC.com said they had
ordered AT&T Wireless services in the past year. Several of the database
entries pasted into the chat room included the line "I agree to a one year
{sic} contract with AT&T Wireless Services."
Four of the eight remember ordering the service through URDigital.com
or its parent, Advanced Digital Solutions, which once operated mall-based
sales booths. AT&T Wireless spokesperson Danielle Perry confirmed that in at
least two of the cases, the customers had signed up for AT&T Wireless
service through Advanced Digital Solutions, which she described as an
"unauthorized subagent's subagent that has gone bankrupt." She could not
offer an explanation for the others.
The chat room logs also point toward URDigital.com as a potential
culprit. Several times, one poster publishes a directory listing
specifically pointing to a folder named "URDigital."
URDigital.com is now operated by Simply Wireless Inc. A spokesman for
Simply Wireless said his company had no connection with URDigital.com or
Advanced Digital Solutions 18 months ago when the chat room victims indicate
they signed up for their AT&T Wireless service.
But not every victim ordered cell phone service online in recent
months, suggesting the data may have originally been taken from some other
agency that logs customer driver license and Social Security data. Five of
the victims interviewed by MSNBC.com said they didn't remember ordering a
cell phone online and don't recall entering their Social Security numbers or
driver's license numbers into any Web site.
FRAUDULENT CHARGES SHOW UP
Experts say the victims could be dealing with the potential identity
theft for years; unlike credit card numbers, Social Security numbers and
date of birth information cannot be canceled and reissued. That's what
distinguishes this theft from other computer break-ins like the January 2000
theft from CDUniverse.com, when criminals stole 300,000 credit card numbers
from that e-commerce site.
Theft of customer databases full of credit card numbers has been
fairly common since the CDUniverse incident, but there have been no
widespread reports of stolen databases that include social security numbers
and drivers' licenses. In the most famous identity theft incident to date, a
New York City restaurant worker managed to impersonate famous personalities
like Steven Spielberg, Warren Buffett, Martha Stewart and Oprah Winfrey, and
in some cases stole money from their brokerage accounts. But the driver had
to steal each identity one at a time, via imposter telephone calls and other
"social engineering" tricks.
The data which appeared in the chat room, which in some cases even
includes employer and job title, is already in active circulation among the
Internet's underground. About half of the victims contacted by MSNBC.com had
already discovered fraudulent charges on their credit cards within the past
week, soon after the stolen data was posted in the chat room. But several
others indicated their cards had been loaded with bad charges two months
ago, suggesting the data may have originally been stolen in April or May.
Computer criminals armed with a full set of personal data, including
Social Security numbers and date of birth, can wreak havoc on a victim's
credit history by signing up for credit cards or opening online bank
accounts.
"Oh man, this is not good," said Maribell Ruiz of Chicago. She
claims the only place she ever entered her license or Social Security number
online was at VerizonWireless.com. "They are supposed to be a secured site."
Local police have already opened investigations into the incident in
Rancho Cucamonga, Calif., and Kiowa County, Okla. Another Chicago-based
victim, who asked to have her name withheld, has already contacted attorney
Jed Weissbluth, an expert in identity theft, to investigate.
"I never enter my Social Security number online," said Maria Zeller
of Farragut, Ill. In fact, she didn't remember ever doing so until asked if
she had ever purchased a cell phone contract online. "The cell phone is the
only thing I purchased that I would have," Zeller said.
Adam Feign of Crystal Lake, Ill., ordered his Verizon Wireless phone
in December using the company's Web site; then two months ago there were
$4,000 in false charges on his Visa card.
"Most of the charges were at Network Solutions," he said.
Cory Johnston of Indianapolis, Ind., was called by his bank Monday
and told a criminal had charged $1,000 on his card over the weekend at
Network Solutions.
"I'm going to change my driver's license number right away," he said.
One expert, who requested anonymity, called the victims who had their
data published in the chat room "the lucky ones," since they can be warned
about what has happened. Criminals often publish only a small slice of the
data that's been stolen. It's possible a much larger database of personal
dossiers has been taken, and since authorities don't yet know where the data
came from, other victims can't be warned
msnbc.com |
