Mission
          Management
          Press
          Contact Us
          Site Map
IdentitySecure monitors the internet 24/7 for fraudulent activity involving your credit cards and personal information.
Username: 
Password: 
 
Account takeover leading to identity theft
 

Concept:

Account takeovers and retrieval of personal information leading to identity theft.

Everyone forgets passwords. We all open up multiple online accounts and forget complicated passwords that security people insist we use. Usually we get out our small cheat sheets to try and figure out which similar password we used to buy clothes or transfer money on our E-bay purchase. It is because of this that many sites put a "Forgot Password" link right under their "Login In" box.

Well, guess what? This is where the hackers go to take over accounts and retrieve your personal information. It is here where the hackers get the pieces to build their mosaic of Identity Theft. The picture they are trying to complete is you...the consumer. Each piece gives them a clearer picture of you. Each piece gives them more information to see what shape the next puzzle piece needs to be. If they need a flat edge piece, which is a border puzzle piece, like a social security number, they just go at buy it at the site that sold our Attorney General John Ashcroft's number for $25. Or if they need street address or a credit card expiration date, they just go to one of the sites listed below.

It is because of this we have outlined the following vulnerabilities. Most of these sites innocently designed the ability to change or reset a password with "known" information to the consumer. Unfortunately what they didn't consider is that that E-commerce sites and data bases are hacked daily. We at CardCops have seen over 500 such hacks of orders and consumer personal information. This fact can be confirmed by Visa, MasterCard , and the United States Secret Service. The FTC can also confirm over 10 million Americans have fallen victim to Identity Theft.

Research:

The following sites are outlined as to what we see as a possible vulnerability. To us at CardCops, this clearly shows the connection of online credit card fraud leading to Identity Theft. Getting a new card at your bank doesn't mean "case closed". On the contrary, you are a viable candidate for Identity Theft...and you should take preemptive steps to protect yourself.

This sample is what we typically see from an E-commerce hack:

Name: John Smith

Address: 123 East Main: Fort Myers, Florida

Postal/Zip: 33919 Country: US ONLY

Email: JohnSmith@earthlink.net Phone: 239-555-1212

Credit Card Type: MasterCard Expiry Date: 11/2004

Name On Card: John C. Smith CC Number: 4111111111111111

CVV2: 377

Order amount:$39.95

 

Earthlink:

The first thing the hackers look for in a batch of credit cards is an Earthlink.net email address. Going to this URL:

https://myaccount.earthlink.net/cam/passverify.jsp

lets you reset the password by entering the email, credit card, and credit card expiration date. Now they have complete access to the email account, where they may have a field day looking for additional personal information to commit crimes.

Many consumers have told us that Earthlink.net emailed them strange passwords. Upon calling them and resetting the password again, Earthlink.net has not told them about the vulnerability or the fact that their credit card was used for a password reset.

 

Amazon:

The next site the hackers go to is Amazon, since they have the highest percentage of online shoppers. the odds are good that a hacked online order with personal information might work at Amazon. Going to this URL:

https://www.amazon.com/exec/obidos/subst/help/self-service-password-forgot.html

lets you reset the password and gain instant access to the account. Enter in email, last five digits of the credit card, card type, and zip code, and BINGO, you're in! Hackers then look at previous orders, maybe re-order a like product, change a shipping address, or even change the email address. They own the account.

Amazon is aware of this vulnerability and is investigating.

 

Paypal:

We don't think account takeover can be done here. Paypal does a nice job of asking for pieces of personal information along the way to reset your password, with an automated phone call sent for a request of a generated PIN number. Since they have so many online users, only GOD could get through to them with a human phone call.

But they do give out information. This URL lets you begin the password reset process:

https://www.paypal.com/cgi-bin/webscr?cmd=_forgot-password

A valid Paypal consumer email address will retrieve the card type, last two digits of the card, and expiration date of the card. This concerns us at CardCops. Many times we see just card numbers out in Cyberspace and the ability to add the proper expiration date is alarming.

Paypal also tells you if the account has a debit card or checking account attached to the email address checked. They also tell you the name of the bank. If you ask for the password to be sent by US mail, they retrieve the first three digits of your street, your city, state, and zip code. They do this on all accounts you have listed at Paypal. Again, way to much personal information exposed.

 

Bank of America:

If you want to enroll your credit card online, go here and click on "enroll".

http://www.bankofamerica.com/

If you click on "I only have a credit card", you can instantly get an online account with this information:

Social Security #

Card Number

Card Expiration

Zip Code

Email Address

 

These sites also use credit card information for password resetting or order information:

First National Bank of Marin

Macromedia

DigialRiver

 

These sites do a nice job of shutting down account takeover by eliminating credit card information on file upon the resetting of a password:

Orbitz

Travelocity

Expedia

LandsEnd

Conclusion:

So you can see how the hackers waltz between sites, pick up information or buy information, and build the mosaic of Identity Theft. The sites discussed innocently aid the cause with cumulative information. Individually the vulnerability may be of medium concern, and the sites may downplay the potential impact. But on the "whole" picture, the vulnerability assessment is huge. Hackers know where to go to "connect the dots" to complete Identity Theft.

 

If you are a reporter, security company, or Law Enforcement agency and require supporting proof, please email proof@cardcops.com

 
 
     
Dan and Chris CardCops On Dateline NBC
Watch Part 1 on Tues Mar 27
and Part 2 on Tues Apr 3
27 Jun '2008

Wards didn't tell consumers about credit card hack ( USAToday )

Read More...
1 May '2008

How thieves are stealing you ( ABC News )

Read More...
2 May '2008

You Asked, We Answered: An Identity Theft Expert Tells All ( ABC News )

Read More...
1 May '2008

Cloned Credit Cards Are 'Stealing You' ( ABC News )

Read More...
11 Apr '2008

ID theft monitor draws RSA conferees ( SFGate )

Read More...
14 Oct '2007

Governor rejects California ID theft bill, says it lacks clarity ( OCRegister )

Read More...
Past News...
 © 2000 - 2011 All rights reserved by Affinion Group Inc.. Site Map | Privacy Policy | Terms of Use