Account takeovers and retrieval of personal information leading to identity theft.
Everyone forgets passwords. We all open up multiple online accounts and forget the complicated passwords that security people insist we use. Usually we get out our small cheat sheets to try and figure out which similar password we used to buy clothes or to transfer money for an eBay purchase. It is because of this that many sites put a "Forgot Password" link right under their "Log In" box.
Well, guess what? This is where the hackers go to take over accounts and retrieve your personal information. It is here that the hackers get the pieces to build their mosaic of Identity Theft. The picture they are trying to complete is you...the consumer. Each piece gives them a clearer picture of you. Each piece gives them more information to see what shape the next puzzle piece needs to be. If they need a flat edge piece, which is a border puzzle piece, like a social security number, they just go and buy it at the site that sold our Attorney General John Ashcroft's number for $25. Or if they need a street address or a credit card expiration date, they just go to one of the sites listed below.
It is because of this that we have outlined the following vulnerabilities. Most of these sites innocently designed the ability to change or reset a password using information "known" to the consumer. Unfortunately, what they didn't consider is that E-commerce sites and databases are hacked daily. We at CardCops have seen over 500 such hacks of orders and consumer personal information. This fact can be confirmed by Visa, MasterCard, and the United States Secret Service. The FTC can also confirm that over 10 million Americans have fallen victim to Identity Theft.
The following sites are outlined according to what we see as a possible vulnerability. To us at CardCops, this clearly shows the connection between online credit card fraud and Identity Theft. Getting a new card from your bank doesn't mean "case closed". On the contrary, you are a viable candidate for Identity Theft...and you should take preemptive steps to protect yourself.
This sample is what we typically see from an E-commerce hack:
Name: John Smith
Address: 123 East Main: Fort Myers, Florida
Postal/Zip: 33919 Country: US ONLY
Email: JohnSmith@earthlink.net Phone: 239-555-1212
Credit Card Type: MasterCard Expiry Date: 11/2004
Name On Card: John C. Smith CC Number: 4111111111111111
The first thing the hackers look for in a batch of credit cards is an Earthlink.net email address. Going to this URL:
lets you reset the password by entering the email, credit card, and credit card expiration date. Now they have complete access to the email account, where they may have a field day looking for additional personal information to commit crimes.
Many consumers have told us that Earthlink.net emailed them strange passwords. Upon calling them and resetting the password again, Earthlink.net has not told them about the vulnerability or the fact that their credit card was used for a password reset.
The next site the hackers go to is Amazon, since it has the highest percentage of online shoppers. The odds are good that a hacked online order with personal information might work at Amazon. Going to this URL:
lets you reset the password and gain instant access to the account. Enter in email, last five digits of the credit card, card type, and zip code, and BINGO, you're in! Hackers then look at previous orders, maybe re-order a like product, change a shipping address, or even change the email address. They own the account.
Amazon is aware of this vulnerability and is investigating.
We don't think account takeover can be done here. Paypal does a nice job of asking for pieces of personal information along the way to reset your password, with an automated phone call placed to deliver a generated PIN when one is requested. Since they have so many online users, only GOD could get through to them with a human phone call.
But they do give out information. This URL lets you begin the password reset process:
A valid Paypal consumer email address will retrieve the card type, last two digits of the card, and expiration date of the card. This concerns us at CardCops. Many times we see just card numbers out in Cyberspace and the ability to add the proper expiration date is alarming.
Paypal also tells you whether the account has a debit card or checking account attached to the email address checked. They also tell you the name of the bank. If you ask for the password to be sent by US mail, they reveal the first three digits of your street address, your city, state, and zip code. They do this for all accounts you have listed at Paypal. Again, way too much personal information exposed.
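As an added example (not CardCops' code, nor that of any site named above), here is a minimal password-reset handler written the way the flows above work, beside a hardened version that does not depend on data found in a hacked order. The account record, outbox and token store are constructed for this example; the card fields match the sample order shown earlier.

```python
import hashlib
import hmac
import secrets
import time

# Constructed test account; the card fields are exactly what a hacked
# e-commerce order exposes (see the sample record above).
ACCOUNTS = {
    "JohnSmith@earthlink.net": {
        "card_type": "MasterCard", "card_last5": "11111", "zip": "33919",
        "expiry": "11/2004", "password": "old-password",
    },
}
OUTBOX = []    # stands in for email delivery (no network in this example)
PENDING = {}   # email -> (sha256(token), expires_at); hashed so a DB leak is useless
GENERIC_REPLY = "If that address has an account, reset instructions have been sent."

def start_reset_leaky(email):
    """Weak: the reply confirms the account exists and hands back card details."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return "no account for that address"
    return f"{acct['card_type']} ending {acct['card_last5'][-2:]}, expires {acct['expiry']}"

def reset_with_card_data(email, card_last5, card_type, zip_code, new_password):
    """Weak: 'proof' of identity is data that is stolen in bulk from order databases."""
    acct = ACCOUNTS.get(email)
    if acct and (acct["card_last5"], acct["card_type"], acct["zip"]) == (card_last5, card_type, zip_code):
        acct["password"] = new_password
        return True
    return False

def start_reset(email, now=None):
    """Hardened: identical reply whether or not the account exists; the only
    secret is a fresh random token delivered out of band to the address on file."""
    now = now or time.time()
    if email in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        PENDING[email] = (hashlib.sha256(token.encode()).hexdigest(), now + 900)
        OUTBOX.append((email, token))
    return GENERIC_REPLY

def finish_reset(email, token, new_password, now=None):
    """Hardened: constant-time compare, 15-minute expiry, one attempt per token."""
    now = now or time.time()
    entry = PENDING.pop(email, None)   # pop: a wrong guess burns the token too
    if entry is None or now > entry[1]:
        return False
    if not hmac.compare_digest(entry[0], hashlib.sha256(token.encode()).hexdigest()):
        return False
    ACCOUNTS[email]["password"] = new_password
    return True
```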
Bank of America:
If you want to enroll your credit card online, go here and click on "enroll".
If you click on "I only have a credit card", you can instantly get an online account with this information:
Social Security #
These sites also use credit card information for password resetting or order information:
First National Bank of Marin
These sites do a nice job of shutting down account takeover by eliminating credit card information on file upon the resetting of a password:
So you can see how the hackers waltz between sites, pick up information or buy information, and build the mosaic of Identity Theft. The sites discussed innocently aid the cause with cumulative information. Individually, each vulnerability may be of medium concern, and the sites may downplay the potential impact. But in the "whole" picture, the vulnerability is huge. Hackers know where to go to "connect the dots" to complete Identity Theft.
If you are a reporter, security company, or Law Enforcement agency and require supporting proof, please email email@example.com