Illegally traded data soars fourfold in two years

news release

Illegally traded data soars fourfold in two years

Experian CreditExpert finds nearly 20 million pieces of personal information illegally traded online in the first 6 months of this year, as new “Life in a Box” experiment reveals our cyber security slips.

Stolen password and login combinations can travel across the globe within seconds where fraudsters open new accounts.

London, UK, 2nd October 2012 – Nearly 20 million pieces of personal information were illegally traded by fraudsters in the first six months of 2012, according to the latest quarterly figures from Experian CreditExpert.1

Released to mark the beginning of National Identity Fraud Prevention Week, the findings reveal that 19.7 million pieces of information were bought and sold illegally between January and June 2012 – more than in the whole of 2011, when 19.04 million records were traded. At current trend levels, this figure is set to be a fourfold increase on 2010 (when 9.46 million records traded illegally).

The findings come as Experian concludes an unusual experiment into online security and the average Briton’s web habits – Life in a Box.

The experiment saw a volunteer, Steve, placed in a London shop front for a week with just a laptop for company. He was set a series of online challenges to determine how often, where and when, but most importantly, how securely personally identifiable information (e.g. name, email, data of birth data) was submitted – particularly the combination of a login and password which forms 90% of the market for illegally traded information online1.

Steve was fully aware that this experiment would enable Experian to look for and identify any weaknesses in his online behaviour, expose them and see what a fraudster might potentially be able to discover.

The experiment revealed that although Steve showed himself to be a savvy web user, like many people he made basic security mistakes in his hurry to get things done. During the course of the week, he used the same password across multiple accounts, failed to update his web browser to a newer, more secure version and didn’t check that websites were secure by looking for the padlock icon when making online purchases.

Full results from the experiment can be found below.

As part of the experiment, Experian called upon the expertise of a third party security consultant to measure how far data can spread when it gets into the wrong hands. The results are as follows:

• All of the eight temporary email addresses were taken over within five hours, with the majority of credentials hijacked within five minutes
• The individuals who took over these accounts were located in a variety of countries, ranging from Albania to South Africa.**
• Password related emails were the first to be viewed, followed by correspondences with family or friends.

Peter Turner, Managing Director at Experian Consumer Services in the UK and Ireland, commented: “It’s a wonderful life online, and it is now second nature to many of us. We’re more confident and more comfortable than ever – but that also means that, like Steve, we can be complacent. Although fourteen per cent of Britons admit to being concerned about the risk of online ID theft, many more – 43 per cent – have no such worries.

“When managing multiple online accounts, users need to protect themselves with a service like CreditExpert’s Web Monitoring, which alerts members by text or email at the first signs that their details have been compromised.”

The risk of having details stolen is very real. Research from Experian CreditExpert2 finds that:

• Three fifths of us never log out of websites
• One in four people (26 per cent) never check for a website’s security padlock, even when making purchases

Perhaps most surprisingly of all, many simply let curiosity get the better of them. Despite the well-known risks, one in six Brits (16 per cent) admit to sometimes opening spam to see what it says, while one in 50 (two per cent) even click on links in spam emails.

Since Experian CreditExpert’s web monitoring service was launched in May 2012, members have already been alerted to more than 400,000 instances of their information being exposed or misused.

Web users can take the following steps to help protect themselves:

• Use a strong password and make sure you don’t use the same password for all your important accounts. Avoid things like dictionary words, maiden names or favourite pets, as these can be easily cracked. And although there’s no need to have a different address for every single different online account, try to have separate passwords for your main email address, online bank account and different social media accounts, which you don’t use for anything else. That way, if one is compromised, the others will remain safe.
• If in doubt, don’t click. Online is now second nature to many people. But don’t let that give you a false sense of security. If a website looks dubious, an online offer too good to be true, or an email with its subject line and content conflicting with what your bank would normally send you, don’t click. Check online to see if other people have encountered what might be a scam or virus, and contact your friend or bank to see if they the email is legitimate.
• Know where your details go. If personal information falls into the wrong hands, within minutes, the data can be used to access your accounts, and can be bought and sold in underground forums around the world. Protect yourself with a service like CreditExpert’s Web Monitoring, which alerts members by text or email at the first signs that their details have been compromised.

Findings from the Life in a Box Experiment:

1. Identification of re-use of passwords:

Every new account that was registered by Steve during the project used the same password. Services signed up for included shopping websites, social media sites and communication sites. The compromise of any of these accounts could have led to a compromise of any other details or credentials, due to the reuse across multiple services.

2. Not checking for SSL Encryption when sending confidential information:

SSL is used to protect confidential or secure information when it is being sent over the internet. Users should always check to see if the padlock icon is visible when interacting with any sites which are requesting personal or private data, including usernames and passwords.

Steve agreed to let a security consultant monitor his web traffic and see what details could be identified. On the fourth day of the experiment, the third-party security consultant used a number of tools to automatically strip SSL protection from websites. The goal of this was to identify if users automatically checked for the padlock icon every time when using a site, or if they only checked on the first occasion.

Throughout the whole day SSLStrip was used to remove SSL protection from a number of sites. Steve failed to identify the lack of SSL (signified by the lack of padlock icon) during this period, and it was possible to identify and extract various credentials belonging to him, including his password, address, credit card number and phone number.

-ENDS-

For more information on Experian data please contact Bell Pottinger Consumer PR:

Joseph Bradfield – 020 7861 3931 / jbradfield@bpconsumer.co.uk
Michael Sheen – 020 7861 3013 / msheen@bpconsumer.co.uk

For more information on Life in a Box please contact Melville Communications:

Victoria Melville – 07974 161 123 / 01483 489 009 / Victoria@melvillecommunications.co.uk

Notes to editors:

*Two sets of research were conducted:

• Internal research carried out by Experian CreditExpert.
• External consumer research conducted by Opinion Matters among a representative sample of 2,000 UK adults in September 2012.

** These email accounts were fake accounts, and the third party security expert was only able to identify the country in which the accounts were taken over, as opposed to any individual users.

1. Experian CreditExpert’s web monitoring system which scans forums where personal information is traded detected that 19.7 million pieces of data were traded illegally online, globally, with 90% of the market for traded data coming in the form of password and login details.
2. External consumer research conducted by Opinion Matters among a representative sample of 2,000 UK adults in June 2012.

Key benefits of Experian CreditExpert membership:

• Experian is the UK’s most trusted credit reference agency
• Experian is the credit expert with more than 30 years of experience
• Free 30-day trial of CreditExpert*(*New customers only. Monthly fee after trial ends)
• Unlimited access to your Experian Credit Score
• Weekly alerts of changes to your credit report
• 24/7 web monitoring service
• Access to an award-winning, UK-based customer services team
• Identity Protection Insurance of up to £75,000** (**terms and conditions apply)
• Expert advice and tools to help improve your credit rating
• Intelligent price matching to credit products suited to your credit history
• Consumers can apply directly from the website: www.creditexpert.co.uk

About Experian
Experian is the leading global information services company, providing data and analytical tools to clients around the world. The Group helps businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making. Experian also helps individuals to check their credit report and credit score, and protect against identity theft.

Experian plc is listed on the London Stock Exchange (EXPN) and is a constituent of the FTSE 100 index. Total revenue for the year ended 31 March 2012 was US$4.5 billion. Experian employs approximately 17,000 people in 44 countries and has its corporate headquarters in Dublin, Ireland, with operational headquarters in Nottingham, UK; California, US; and São Paulo, Brazil.

For more information, visit http://www.experianplc.com