Commentary

Stolen Data: Trouble's Just A Click Away If You Know Where To Look

If news of the recent theft of a Veterans Affairs laptop containing records of 26.5 million vets and their spouses has you feeling insecure, here's something you'll really like: marketplaces where this stolen information can be bought and sold so that criminals can not only steal your identity, but gain access to all that your identity provides. While these marketplaces aren't new, I recently sat down with a couple of RSA Security Inc. anti-fraud researchers to learn how these marketplaces operate.

One active site is TalkCash.net, a network where fraudsters can buy and sell everything from stolen account information to CVV anti-fraud credit card codes to the software needed to exploit this data. "The market has evolved so much that you can buy everything you need online to launch an attack," including hosting services, Amir Orad, VP of marketing for RSA Consumer Solutions, told me.

In a case of honor among thieves, the site even offers a list of "Rippers," those who've used the marketplace but are unreliable. "Verified vendors," on the other hand, are those who've proven that they can deliver on their promised goods.

EBay-like setups such as TalkCash or TheftServices vary in the amount of time they're able to operate. While TalkCash has been around since 2002, others are around for six months or so before they morph into new sites with new addresses, even though the players are often the same, Orad told me. TalkCash qualifies its business model by posting rules that state, "If you suspect that information obtained through this site may be in violation of any laws or statutes of your country or nation: Please Leave This Forum Immediately!"

Payment often takes the form of Western Union wire transfers or payments of E-gold. CVV codes have been sold on TalkCash for $3 each, or more if the CVV code comes with date-of-birth information.

The sites have evolved from information postings to actual marketplaces, Orad said. Law enforcement is likewise improving its ability to track this illegal activity, "but the pace of the bad guys is way faster than that of the good guys," he added.

Online fraudsters are slippery but not impossible to catch. The U.S. Secret Service in 2004 made its biggest online fraud operation bust when it shut down the Shadowcrew.com Web site and arrested six Shadowcrew members. This online marketplace was responsible for trafficking at least 1.5 million stolen credit and bankcard numbers that resulted in losses of more than $4 million. Shadowcrew members pled guilty to a number of charges, including unlawful transfer of identification to facilitate criminal conduct and conspiracy.

Federal authorities said Shadowcrew had about 4,000 members, many of whom specialized in the electronic theft of personal identifying information and credit card and debit card fraud. The Secret Service used wiretaps, an undercover informant, and their own understanding of Web technology to infiltrate the group's private chat rooms and monitor their conversations and transactions. Shadowcrew obfuscated their actions by using a number of proxy servers that kept law enforcement from finding the sources of the different transactions. The Secret Service was able to get a break in the case by setting up its own virtual private network and inviting Shadowcrew members to connect.

These online black markets help us understand what's at stake when data is lost or stolen. While the VA was quick to point out that the unencrypted data on its stolen PC was likely of little use to the thief, it's obvious that someone with even the most basic computer skills can cause big trouble if they know where to look.
