Your entire ID is worth £820 to crooks on dark web black market

Fraudsters operating on the dark web could buy a person's entire identity ("fullz" in the cybercrook lingo) for just £820. Bank account details, Airbnb profiles and even Match.com logins are worth money to bidders that reside on the murkier side of the internet, a study by virtual private network comparison site Top10VPN.com …

  1. WibbleMe

    $820 nice, Where can I sell my ID?

    1. }{amis}{
      Trollface

      FB

      Got a Face B@&%$ or other social network account? You already did, for the almighty currency of engagement!

    2. Anonymous Coward

      and to think I didn't even DARE ask the question.. Sigh.

    3. Skwosh

      @WibbleMe: $820 nice, Where can I sell my ID?

      What exactly would I get for my £850 though Mr/Ms WibbleMe?

      While you're making the list, remember to keep repeating to yourself 'if I've got nothing to hide, I've got nothing to worry about'.

  2. Anonymous South African Coward Bronze badge

    meh.

    just meh.

  3. alain williams Silver badge

    New business ...

    generate made up IDs by the dozen and flog them off. Getting a good reputation in the first place on the dark web might be hard.

    Do it too many times and someone might order me some cement overshoes, but I would have thought low risk.

    1. DJO Silver badge

      Re: New business ...

      With enough random permutations you will eventually hit on a real identity, sell that and you will be no better than the scum you are trying to cheat.

    2. kain preacher

      Re: New business ...

      I was thinking you could end up on the naughty list of the Five Eyes. In that case cement shoes might be something you want. A sort of fast death.

  4. Anonymous Coward

    More importantly how much are myspace logins worth?

    1. Hans Neeson-Bumpsadese Silver badge

      More importantly how much are myspace logins worth?

      The fact that someone has an active MySpace login could be of some value to a crim. Knowing how much a mark does or doesn't embrace technology/trends could be a clue to what else you could harvest for them, how likely they are to spot ID theft straight away, etc.

      Compare with the spelling/grammar errors in Nigerian scammer letters. Most people will spot these as evidence that the proposal is fake. Those who are a little more hard of thinking won't...and so may be easier to pull into the scam.

      1. Anonymous Coward

        Hey, I still log into my MySpace account once a year. I use that for when border and customs ask to see my Farcebook page. No one will believe that you don't have one.

        1. Anonymous Coward

          > Hey, I still log into my MySpace account once a year. I use that for when border and customs ask to see my Farcebook page. No one will believe that you don't have one.

          Possibly because those of us who have the self-respect not to have one also have the self-respect to refuse travel to oppressive regimes, so their minions at ports of entry do not often get exposed to our kind.

          1. Anonymous Coward

            I know you are thinking of the US but Canada customs go one step further and actively search computers and cell phones for child porn. If you show up to Canada with an external HDD expect it to be searched.

            1. Anonymous Coward

              > I know you are thinking of the US but Canada customs go one step further

              Cool, that's another country to add to my blacklist.

              > and actively search computers and cell phones for child porn

              No. Child porn is just a convenient excuse because it doesn't sound political.

    2. Anonymous Coward

      Forget MySpace

      > More importantly how much are myspace logins worth?

      On a semi-serious topic, how many here remember theglobe.com?

      That was the first attempt at inventing social media that got widespread public attention, in '99 or so. The guys behind it were on the headlines of every newspaper in the world when the company IPOed. Sadly for them, that was just weeks before the .com bubble burst so now they are complete and utter history.

      At least MySpace lives on in the collective consciousness, if only as the subject of jokes.

  5. This post has been deleted by its author

    1. SkippyBing

      Re: How Are They Obtained....

      I doubt they'd have hacked a government system when they could just slip £100 to someone at an airline who feels they're underpaid.

    2. Anonymous Coward

      Re: How Are They Obtained....

      Employers like to see / photocopy your passport. They have systems. They will have been hacked. When will people learn to stop abusing specific documentation for other purposes?

      1. Anonymous Coward

        Re: How Are They Obtained....

        Employers these days have to see your passport if you have it or some other form of important ID to prove you can legally work in the UK. They keep them so they don't get fined at a later date so don't have a choice.

        1. Anonymous Coward

          Re: How Are They Obtained....

          > They keep them so they don't get fined at a later date so don't have a choice.

          You do have a choice: a tick box in the employment form that says "I have checked this person's ID". Or you could black out most details as mentioned above.

      2. Stork Silver badge

        Re: How Are They Obtained....

        In most countries all non-nationals must be reported to authorities by hotels. In Portugal the info includes date and place of birth and passport or id card number, and has to be entered on a website.

      3. Anonymous Coward

        Re: How Are They Obtained....

        > Employers like to see / photocopy your passport.

        In the UK, you may want to add. Where I mostly live that's not the case (I am an employer).

        In the very infrequent cases when you are requested to provide a copy of a form of ID, all personal details apart from name (but including photograph) are blacked out in your presence. Which I found rather impressive.

        I do not recall even providing a copy of a form of ID to a government agency (as opposed to proving my identity by showing one, that's very common). I doubt that's even possible since the law explicitly bars the possibility of authenticating a copy of an ID, it's either originals or nothing.

    3. Hans Neeson-Bumpsadese Silver badge

      Re: How Are They Obtained....

      It can be easier for the criminal to find someone on the inside of the security barrier who will obtain the information on their behalf in return for a cash reward. Saves the effort of figuring out how to break through the layers of security, and distances them to a degree from the actual theft.

      Given the level of wages in public sector and call centres, I would expect that the financial incentive could be tempting for some.

      1. This post has been deleted by its author

    4. Anonymous Coward

      Re: How Are They Obtained....

      Just about every hotel in Spain and Italy takes a photocopy of your passport when you check in. Also the car hire companies in most European countries (certainly the airport ones) ask for your passport.

      1. This post has been deleted by its author

        1. heyrick Silver badge

          Re: How Are They Obtained....

          "any copies of passports are stored in online systems ?"

          My passport is my ID in France. Numerous times the numbers are typed into a computer system (social security, bank, telephone contract) in addition to taking an electronic photocopy (it's a photocopy machine but no paper comes out so I presume it's set to email documents somewhere). I think quite often it is similar software involved as the typed information is always thrown at "IPA" as the issuer. I have no idea where that is (it was all done by post) so I tell everybody "Cardiff" because that's where my last passport was issued from, and they're all happy with that.

          So, yeah... Do you want some sort of database with names, addresses, and ID numbers or would you rather have a bunch of emails (JPEGs on a NAS?) with full colour scans of the documents? Your choice, but it's all going electronic these days...

    5. Anonymous Coward

      Re: How Are They Obtained....

      An article a bit back showed that Emirates Airline is an easy target for nabbing passports and other useful data.

  6. This post has been deleted by its author

  7. ' DROP TABLE users;

    El Reg login ?

    Priceless!

    1. Anonymous Coward

      Re: El Reg login ?

      I would value it at around £2, considering it merely contains public posts. However being able to view posts someone clicked as "Post anonymously" as their real identity would be an interesting target. That's where the value sits and why it reaches a whopping total of £2.

      Which is why you should never click "post anonymously". It makes your account more valuable. It's really not worth the risk to be honest.

      1. Anonymous Coward

        Re: El Reg login ?

        > Which is why you should never click "post anonymously"

        You forgot to consider the case where every single one of your posts from day one has been an anonymous one. :-)

  8. Robert Carnegie Silver badge

    Doubtful

    Not everyone's details are equally hacked and equally available at that price. I would suppose that for instance Theresa May's or David Beckham's identity is more difficult to get hold of - although maybe you'll tell me that they've been hacked already. Or that I am about to be - an expensive for you, more so for me, way to make a point though. Still, I think the prices stated are for ordinary people with a reasonably good reputation whose credentials happen to be available to be abused. Most people's aren't.

    Also, pick good random-letter passwords, and don't ever open disreputable web sites. Yes, I'm writing this on The Register :-)

    1. heyrick Silver badge

      Re: Doubtful

      I don't know about Theresa May's identity, but I think her personality has certainly been compromised, hacked, and mostly erased.

  9. Anonymous Coward

    "a person's entire identity ("fullz" in the cybercrook lingo) for just £820."

    Time to start manufacturing huge quantities of apparently-real but actually-fake pseudo-people to sell to the crooks. I'll have to automate the process. Stand by for human population that's actively on-line to double overnight.

    I'm. Gonna. Be. Rich...

  10. Graham Cobb Silver badge

    What are these guys selling?

    Our research is a stark reminder of just how easy it is to get hold of personal info on the dark web and the sheer variety of routes that fraudsters can take to get hold of your money.

    No, it isn't a reminder of either of these things.

    There is no evidence shown that the personal info is actually valid, and is for someone who is a valuable catch. And the quantity of information available is tiny compared to the population. The real killer is the apparently very low prices: if buying someone's ID would allow me to "get hold of their money" I would presumably be willing to pay more than a few pounds for it.

    What it is a reminder of is how relatively useless personal info on the dark web is and how effective fraud protections are.

    So what are these people trying to sell with this scare story?

  11. Pen-y-gors

    This starts to make sense...

    Lately I've had several attempted fraud e-mails - addressed to 'accounts' from a company director instructing immediate fastpay transfer of £9926 to Jane Edwards ac/ no ...blah...invoice to follow etc.

    Some of them are quite convincing, and I am pretty sure the bank details are genuine hacked accounts - as available for £168 on the darkwebs. Setting up a new a/c is too much hard work, and £168 isn't a lot if you can net several times £9K (they're all under £10K)

    These are a step on from phishing and Nigerian scams. They are direct attempts at fraud, and involve a bank a/c that has been hacked (and presumably emptied).

    Obvious thing to do is report to local fuzz. I did. Got a call back fairly promptly. Basically, nothing to do with us, report it to 'ActionFraud' who handle these things. I enquired whether they had contacted the bank about the compromised a/c. No, report it to ActionFraud.

    Okay, so contact ActionFraud. Will they immediately contact the bank? No, we just record details and pass on to City police who may use the info if they can be arsed. So, no contact bank to warn them about compromised a/c? No, we will pass the details on.

    Tried to report problem to bank. They have no mechanism for third parties to report account hacking fraud, you can only report your own a/c.

    What the feck is going on here? This isn't "Can I give you TEN MILLION DOLLARS " emails - it is a theft in progress. If I saw a bloke put a brick through a jeweler's window and he was standing in the shop helping himself, would the plods say "We'll take a note of the details"? (Actually, don't answer that one)

    In this case, all of them are using spoofed 'Reply To' addresses which go to myco-name.com-8.eu (or com-2 or com-v) so shouldn't be too tricky to trace the domain registrations, no? After two weeks they're still coming in so the fuzz have done SFA to block the registrations.

    I despair. Who do we complain to? PCCs?

    1. heyrick Silver badge

      Re: This starts to make sense...

      "I despair. Who do we complain to? PCCs?"

      Make a big fuss on Twitter and hope a newspaper picks it up and runs with it? Seems to be about the only way anything gets done these days. I despair too.

      1. This post has been deleted by its author

      2. Anonymous Coward

        Re: This starts to make sense...

        > Make a big fuss on Twitter

        For which you would have to, ironically, rent a bunch of "followers" who will "trend" and "repost" and whatnot your denunciation.

        The other poster may wish to try emailing The Register's newsroom though, and that of a few other publications usually running these sort of stories (The Grau?)

    2. Phil Endecott

      Re: This starts to make sense...

      > They have no mechanism for third parties to report account hacking

      > fraud, you can only report your own a/c.

      It might actually be possible to phone your own bank. Tell them that you weren't taken in by the fraud but you want to report the account number anyway. Banks DO have methods to report this to other banks. Yours might invoke that without you having made a transfer. Or they might not.

    3. ThatOne Silver badge
      Devil

      Re: This starts to make sense...

      > it is a theft in progress

      So what? The plods won't make any money spending time on it (besides the chances to catch the perpetrators are admittedly rather small), the bank doesn't care because it's not their money anyway and they'd only lose money trying to solve this, so nobody will do anything unless they are really forced to (by law or scandal).

      Being the ones in charge for that kind of problem does not mean they are meant to find a solution. It only means they are supposed to be the ones to hear about it (and maybe in the end give you a paper stating they did so).

  12. This post has been deleted by its author

  13. Anonymous Coward

    Hollywood keeps making optimistic / pollyannic Star-Wars / Star-Trek sequels

    But I fear we're on a much darker path towards Blakes-7 reality... The slow inevitable trench to Cloud-everything, the reluctant succumbing to government ID-cards and biometrics, large-scale hacks like Equifux, and the Facebook/Google industrial slurp complex... All of this can only lead to far-darker consequences for ID theft... Even if ID spoofing / fraud is fixed magically overnight with some unexpected innovative solution, we needed it yesterday as the 'data' Genie-Bottle is already firmly toast!

    Plus, the big tech oligarchs have such unhealthy ambitions over our lives and behavioral data, that it's hard to keep enthusiasm. Follow big tech talking to investors in conference calls or read what ex-FB-executives say, and it's not pretty! At the risk of using a polarizing word, it's a little totalitarian.

    Google-Facebook want to connect every cent of physical real-world data to digital profile activity, with them in the middle. So every time you look up a flight or buy health insurance, or choose a school for your kids, they have trading data to create individual custom pricing and t&c, right into your news feed etc. Transparency / fairness / openness? That's not the goal here...

    Anyone look forward to the day that you search for a local bar with pizza and Google/FB sells that info to health and car insurers the next time you need a quote. That's the goal... Are regulators going to stop that: Irish-DPC? It paints a dystopian picture of a world that individuals have little control over...

    GDPR will bring some new protections, but the EU is just not moving fast enough. Politicians / legislators / media apart from El-Reg, just don't get it! In parts of the world right now, it's absolute Wild West unaccountability.

    1. Anonymous Coward

      Will 'the Elite' help? They're part of the problem:

      https://www.bloomberg.com/news/features/2018-03-01/britain-s-white-collar-cops-are-getting-too-good-at-their-job

      1. Anonymous Coward

        Re: Will 'the Elite' help? They're part of the problem:

        > https://www.bloomberg.com/news/features/2018-03-01/britain-s-white-collar-cops-are-getting-too-good-at-their-job

        That's a rather, how shall we say, "explicit" article. And yes, I think we can all remember vivid examples of the "frustrations and worries and concerns" that Mr Cameron referred to. Such as every time there is an arms sale to Saudi Arabia (or pretty much everyone else).

  14. Anonymous Coward

    I'm not a number

    Not only am I just a number I'm seen as just a very small number.

    With the way everyone tries to get hold of my details via slurping and stealing you would have thought it was worth a good bit more than that.

    It's not as if products are designed and then someone sees an opportunity to use the product to slurp, it's the other way around, they see a need to slurp and then design a product that can entice you to use it for the purpose of slurping.

    Slurped data is then so valuable that companies even design software and hardware to store it, manage it and pay staff to make adverts based upon it.

    ...just surprised I'm only worth 820 when so much effort goes into getting the stuff off me.
