Stolen ID Search - Or Give Us Your ID To Steal
I know I’m a tad bit of a cynic but when id sent me the link to the Stolen Id Search page, my red flags popped up. Of course, this site is probably totally legitimate and takes all sorts of precautions and has security in mind at all costs - but let’s just pretend for a moment that I manufactured a fake site to have the exact same user interface. Except my interface is a lot more likely to steal your credentials than report them back to you.
Simple scenario: Enter your credential - oops, your account looks like it’s been stolen. Please enter your name, address, credit card number and pin as verification so that we can be sure it’s you. Thank you, we have contacted your bank on your behalf, rest assured, your account is now disabled.
I just don’t trust applications like this. Who knows if the site suffers from other sorts of data leakage as well - SQL injection or system vulnerabilities in general. There’s no way for me to verify that that site is safe, and if my identity is stolen, there’s no way for me to verify that they are keeping my information safe from the rest of the people who are interested in stealing it. Maybe they use encrypted databases. Maybe the site is hardened. Maybe they only store a hash of the credentials that are stolen. Of course the site does have this page saying they use SSL, encrypt the data to the “highest” standards and don’t store anything you type (my site would say the same thing, incidentally). But it strikes me as odd that the TrustE logo and the TrustedID logo are both for other websites. That also sounds an awful lot like something I’d do for my proposed fake website, doesn’t it?
January 25th, 2007 at 3:37 pm
Do you want to log in to msn, yahoo and aol all at once via a handy web interface? Sure, just enter your details here.
January 25th, 2007 at 3:59 pm
I find it funny they have “more than 2,347,169 compromised numbers”, if you have such a precise number you have more than, why not just tell us how freakin many you have?
oh, and 2.3M cards? hahaha…I’ve found more than 11M on a single compromised host.
Anyway I hope whoever set it up did so as a way to revoke credit to people who are too dumb to protect it.
January 25th, 2007 at 8:05 pm
Wow, let’s teach everyone to enter your SSN into whatever website asks for it. Crazy marketing scheme.
January 25th, 2007 at 8:18 pm
This site embeds two scripts from external sources, both meant for user tracking and gathering data. How much does this tell about its security?
January 25th, 2007 at 9:56 pm
I understand the point that it would be easy to pop up a site like this, submit a few inexpensive press releases, and kick back and collect credit card and social security numbers.
But it’s even easier to simply send out a few million spam emails with XSS links for some charity’s site. Just ask for $5 and collect credit card numbers that way.
StolenIDSearch is owned by TrustedID so the first two logos are easy to explain. (TrustedID is also the Organization [O] on the www.stolenidsearch.com SSL certificate). The third logo for Verisign Secured is the important one. I would like to see Verisign’s page include some information on how the user can verify the SSL certificate. The link to the “Verisign Secured” page is meaningless if someone was able to spoof the address that the user sees (eg; XSS, DNS poisoning). Ok www.stolenidsearch.com is secured by Verisign, but is this actually www.stolenidsearch.com ?
It’s just way too easy to trick most people. With something like this the site could stay up for months as long as the bad guy didn’t get greedy and start using the information. Just let it ride and keep collecting numbers. In fact dig up some old stolen credit card lists and load up your fake stolen card search engine with them. This might make the investigators think you’re legit. If they plug in some canceled card numbers and get positive hits back they’ll probably then test it with their own personal card number next.
I came across mention of this site yesterday and I don’t think it’s a good idea either. If this company has a list of compromised credit cards surely the credit card companies have them too. Those cards have already been canceled. If they have lists of Social Security numbers hopefully those numbers have been reported to authorities. But I’m not sure that ‘possession of stolen social security numbers’ is even legal.
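The comment above asks how a user would actually verify that the certificate behind the “Verisign Secured” badge belongs to the site they think they are on. The following is an added example (not code from the blog, the commenters, or TrustedID) showing the defender-side check: read the peer certificate that Python’s `ssl` module returns after a successful TLS handshake and confirm both that the hostname is covered by the certificate and that the Organization field matches the owner you expect (the comment states that TrustedID is the O on the www.stolenidsearch.com certificate). The `SAMPLE_CERT` and `SPOOFED_CERT` dictionaries are constructed here so the check runs offline; `fetch_peer_cert` is the hypothetical live-lookup helper for when you want to apply the same check to a real connection.

```python
import socket
import ssl


def cert_summary(cert):
    """Flatten the dict that SSLSocket.getpeercert() returns.

    'subject' arrives as a tuple of RDNs, each a tuple of (name, value)
    pairs; 'subjectAltName' as a tuple of (type, value) pairs.
    Returns (subject_fields, dns_names).
    """
    subject = {name: value for rdn in cert.get("subject", ()) for name, value in rdn}
    dns_names = [value for typ, value in cert.get("subjectAltName", ()) if typ == "DNS"]
    return subject, dns_names


def check_peer_identity(cert, expected_host, expected_org):
    """Return a dict saying whether the cert matches the host AND the owner.

    A valid, trusted certificate for the wrong organisation (or a lookalike
    hostname) still fails here, which is the point the comment makes:
    a padlock alone says nothing about who is on the other end.
    """
    subject, dns_names = cert_summary(cert)
    host_ok = expected_host in dns_names or subject.get("commonName") == expected_host
    org_ok = subject.get("organizationName") == expected_org
    return {"host_ok": host_ok, "org_ok": org_ok, "ok": host_ok and org_ok}


def fetch_peer_cert(host, port=443):
    """Hypothetical live helper: do a real TLS handshake (with chain and
    hostname validation) and return the peer certificate dict.
    Not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the same shape as getpeercert(); the O value is the
# one the comment reports for www.stolenidsearch.com.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "TrustedID"),),
        (("commonName", "www.stolenidsearch.com"),),
    ),
    "subjectAltName": (("DNS", "www.stolenidsearch.com"), ("DNS", "stolenidsearch.com")),
}

# Constructed sample of a lookalike: a perfectly valid certificate for a
# similar hostname, issued to some other organisation.
SPOOFED_CERT = {
    "subject": (
        (("organizationName", "Example Lookalike Ltd"),),
        (("commonName", "www.stolenidsearch-check.example"),),
    ),
    "subjectAltName": (("DNS", "www.stolenidsearch-check.example"),),
}


if __name__ == "__main__":
    print(check_peer_identity(SAMPLE_CERT, "www.stolenidsearch.com", "TrustedID"))
    print(check_peer_identity(SPOOFED_CERT, "www.stolenidsearch.com", "TrustedID"))
```

`ssl.create_default_context()` already rejects untrusted chains and hostname mismatches during the handshake; `check_peer_identity` adds the second question the comment raises, namely whether the validated certificate was issued to the organisation you were expecting, which no badge on the page can answer for you.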
January 26th, 2007 at 2:40 am
reminds me of this image:
http://preview.tinyurl.com/2u7ne4
and Sid, yes, that is another good point, however services such as meebo do tend to be all completely legit and above board, and know that if that data gets leaked then they are deep in it (I can’t see how the operation would be so financially viable to organised crime or whoever who could get the resources to keep the site completely separated from any real entities, and meebo publicise the location of their offices and have parties for users).
Also, I don’t know about most people, but I sure don’t keep financial data in my msn account (and any emails that you get from your bank or online shopping wouldn’t contain it either, so at very worst sites that offer this service will get access to your mailing lists, emails to friends and myspace adds…oh no). Meebo and similar services are essential for getting on msn at school, anyway.
January 28th, 2007 at 1:37 pm
Can’t this service be exploited? Let’s assume you have a credit card generator which generates credit card numbers only that they are not all valid (they have to be registered in some DB by the issuing authority). So you don’t really know if you have hit the jackpot or not.
So you take the generated numbers and feed them to this service. If you hit a valid, compromised credit card you’ll know it. How about that?
Thanks a lot
January 29th, 2007 at 9:13 pm
Hello Everyone,
In the past few days, we’ve seen thousands of people make comments about our StolenID Search service. We appreciate everyone who sees value in the service as well as those who have questions.
We feel that it makes good sense to help address all those questions in one common forum. Please visit our TrustedID blog (link below), as a venue to find answers to your questions/concerns related to our new service.
http://blog.trustedid.com/?p=311
Thanks!
Scott Mitic
CEO, TrustedID