If your personal information is made public, how long will it take identity thieves to use it?
The answer may surprise you. New research by the Federal Trade Commission’s (FTC) Office of Technology shows it could take only nine minutes for identity thieves try to access the stolen credentials once they’re made public.
FTC staffers created a database of about 100 fake consumers, using popular names based on U.S. Census data and email addresses using common naming techniques, along with phone numbers and one of three types of payment information – an online payment service, a bitcoin wallet, or a credit card. Bitcoin is a type of digital payment system used for online transfers.
The fake data was posted on two different dates – April 27 and May 4 – on “a website that hackers and others use to make stolen credentials public,” according to the FTC press release. “The criminals were quick to pounce.”
The first posting got 100 views, and identity thieves took about 1.5 hours to attempt to use it. But the second posting, on May 4, got 550 views and was picked up by a Twitter bot. The first access attempt came nine minutes after the information was posted.
Equifax spoke to Christina Yeung, an FTC technologist who worked on the research. “Data, once it’s made public, gets used almost immediately,” said Yeung.
In all, there were more than 1,200 attempts to access the information. Identity thieves attempted to access more than 90 percent of the fake email and payment accounts and tried to use more than 90 percent of the fake consumers’ credit card numbers.
“It just shows that identity thieves do use different types of accounts,” Yeung said, adding that some identity thieves may want access to email accounts, while others want access to credit card numbers or online payment accounts.
The attempts to access the data appeared to come from 28 countries, according to the FTC.
In total, identity thieves attempted to charge more than $12,800 to the credit card accounts, including preauthorization charges, according to the FTC. “The identity thieves tried to use our fake consumers’ credit cards to pay for all sorts of things, including clothing, games, online dating memberships and pizza.” The maximum attempted charge was for nearly $2,700 at a clothing website.
The attempts peaked in the first few days after the information was posted, but continued for days afterward.
The research shows “Identity thieves are actively looking for any consumer credentials they can find,” according to the FTC.
Using two-factor authentication is one way to help better protect your information, the researchers found. Two-factor authentication adds an extra step to a login, requiring a PIN, a second password or another type of authorization using things like a smartphone or a fingerprint. Some of the fake profiles were set up using two-factor authentication for comparison purposes.
But while two-factor authentication can help, “it’s not a cure-all,” Yeung said.
Other recommendations from the FTC research include:
— So-called “paste sites” where compromised data may be posted should be monitored by email and payment service providers, the FTC said. Paste sites are where people paste information in plain text. Hackers have been known to use paste sites to make stolen data available.
— Merchants should consider refusing multiple purchase attempts at a single site within a short period of time.
The research was presented in May at an FTC conference aimed at examining how identity theft has evolved and how to address its challenges. In the future, the FTC plans to analyze the email spam, text spam, and phone calls received by the fake consumer accounts, and will also research posting other types of “fake” consumer data in an effort to gain more intelligence about how identity thieves behave – and the measures we can consider to help better protect ourselves.
The information contained in this blog post is designed to generally educate and inform visitors to the Equifax Finance Blog. The blog posts do not give, and should not be assumed to provide, personalized tax, investment, real estate, legal, retirement, credit, personal financial, or other professional advice. Before making any financial decision, you should always consult with the appropriate professionals who can explain your options, rights, and legal responsibilities, and advise you on any tax, legal, credit, or business implications that may result from those decisions. The views and opinions expressed by the authors of blog posts are their own views and may not be the views or opinions of Equifax, Inc. and/or its affiliates.