Glut In Stolen Identities Forces Price Cut 152
CowboyRobot writes "The price of a stolen identity has dropped as much as 37 percent in the cybercrime underground: to $25 for a U.S. identity, and $40 for an overseas identity. For $300 or less, you can acquire credentials for a bank account with a balance of $70,000 to $150,000, and $400 is all it takes to get a rival or targeted business knocked offline with a distributed denial-of-service (DDoS)-for-hire attack. Meanwhile, ID theft and bank account credentials are getting cheaper because there is just so much inventory (a.k.a. stolen personal information) out there. Bots are cheap, too: 1,000 bots go for $20, and 15,000, for $250."
Comment removed (Score:5, Informative)
Re:those numbers seem unsustainable (Score:4, Informative)
Money mules are people tricked into agreeing to whitewash the stolen money by accepting the money withdrawn from the stolen account and then transferring it via wire transfer to the plunderer.
When the original owner of the account sees the transfer, he will call the bank and reverse it. At this time, the money mule will already have withdrawn the money from their account and transferred it. This leaves the money mule with the debt incurred, because they now lose the money from the stolen account, and are thus effectively paying the plunderer from their own money.
This puts the value of a stolen account to about the amount of money the money mule will be able to cough up until their own bank takes action.
Re:those numbers seem unsustainable (Score:5, Informative)
Usually the plan is not to withdraw money from the account directly. Too easy to get caught, owner of the account usually notices pretty quickly. Instead the account is used to open other accounts or take out loans which are then defaulted on.
This is pretty common in the UK. We have these shitty pay-day loan companies that charge 5000% interest and do only the most basic checks before handing over the cash. People give them someone else's name and bank account, so the first thing the victim knows about it is when Wonga starts taking internet payments by Direct Debit.
Re:Change your passwords ASAP! (Score:5, Informative)
I don't know how it is in the US, but here banks seem to deeply dislike OSs not retardedly easy to compromise. I have accounts in two banks. One of them started working in Linux only about four years ago, the other only did so last year. They both regularly splurt errors because of openJDK incompatibility - they want Sun's Java. And one of them hilariously has its https certification broken for almost a year now. Airlines are even funnier. At least one of them still only works on IE.
Re:those numbers seem unsustainable (Score:5, Informative)
Exactly this. When my identity was stolen, the thieves didn't use it to find and break into my bank account. Instead, they opened a credit card in my name (with my address, SSN, and DOB, but NOT with the correct Mother's Maiden name - red flag #1). The only reason they didn't get away with it was that they 1) paid for rush shipment of the credit card and 2) then immediately changed the address (red flag #2). So the card got shipped out quickly to my address and THEN the address was changed. The card arrived at my doorstep instead of theirs. Of course, that didn't stop them as they tried to get a $5,000 cash advance before even activating the card (red flag #3).
And the credit card company's response to me? "Are you sure your wife didn't open the card in your name without telling you? No? Well, we can't give you any information on the account because if you go and kill them then we're liable." They stonewalled me and when I got the police involved, they directed them to a number that was never answered. To them, they just closed the account and the problem was solved. Actually helping to catch the people who did this would involve effort that they weren't willing to put in. That's why Capital One credit card's are not and will never be "what's in my wallet."