An underground cyber criminal ring has stolen the personal records of over 4 million Americans and has been selling them to other cyber criminals. The group, called SSNDOB for “social security number / date of birth,” stole these data as well as driver's license numbers and credit and background reports from large data aggregators like LexisNexis, Dun & Bradstreet, and Kroll Background America by directly attacking their servers with malware. The malware went undetected by the top 46 anti-malware tools on the market, meaning it was quite an original piece of bad code that used crafty means of covering its whereabouts. SSNDOB collected all this information and then made it available for purchase by sites like Expose.SU and other hacker data resources. According to the article, they would then charge between $0.50 and $2.50 per SSN/DOB record and between $5 and $15 for credit reports. With all the data they collected, there was certainly a lot of money to be made, but it is unclear how much cash they actually have taken in thus far thanks to this deviousness.
A student in our Master of Science in Information Security program asked if it would be against the law to purchase records from SSNDOB, not to use them to hurt the victims of the group’s theft, but instead to see if any of his company’s customers’ records had been compromised. I honestly don’t know what the law would say in this regard. After all, I only impersonate a lawyer to impress others when the Ph.D. after my name just won’t cut it and I need to wow them to satisfy my own thirst for admiration. My hunch is that, unless you use the information to harm others, you are not breaking any laws by purchasing the data. Just having someone else’s social security number and driver’s license number isn’t illegal. Using it to gain special privilege is. However, I could be very wrong about the legality of this, especially since the act of paying is helping finance an illegal endeavor. I certainly could use a lawyer’s opinion on this one.
Legal issues aside, this is yet more bad news for us Internet citizens. We confront an interesting set of challenges, don’t we? We crave the ease and efficiency of a data-driven life, and yet we all now walk around virtual space with virtual targets on our virtual backs. As the line between the virtual and the real gets fuzzier, that increased personal attack surface becomes especially worrisome. It leaves one rather longing for the safety and innocence of handwritten sentiments.
Wait, did a professor of Computer Science just write that? Handwritten sentiments? I didn’t mean it. Honest. There’s no way I’d even think that. No way. Clearly, somebody must have stolen my identity,