If your information is stolen in a data breach and posted online, criminals will use it. Recent research conducted by the FTC shows that identity thieves are actively looking for consumer credentials and are ready to pounce the minute it becomes public.
Have you gotten a notice that your data was leaked in a data breach? Have you searched your email addresses on HaveIBeenPwned? You might have asked yourself, well, what now? Do criminals really use stolen information that’s made public?
The answer is a resounding YES.
The Federal Trade Commission had the same questions and conducted a study that tracked the attempted use of stolen consumer credentials. The findings were presented at the FTC’s Identity Theft Workshop on May 26. You can see a slideshow detailing the study and its findings here.
They created a database of information about 100 fake consumers. They used realistic information and included names, email addresses, phone numbers and either a bitcoin wallet, credit card or online payment service. The data was then posted two different times on a website hackers use to make stolen credentials public. The first time the data was posted, it got around 100 views. The second time the info was posted, it was picked up by a Twitter bot and got more than 550 views. On that second posting, it only took the criminals 9 minutes before they started trying to use the information.
Technology staff at the Maryland’s Coordination and Analysis Center provided research on the project and posted about it here.
“In total, there were over 1,200 attempts to access the email, payment and credit card accounts. The identity thieves tried to use our fake consumers’ credit cards to pay for all sorts of things, including clothing, games, online dating memberships and pizza,” according to the post about the study.
Other interesting things to note from the research:
- The IP addresses used in the access attempts overwhelmingly originated in the United States.
- In two weeks, the fraudulent credit card attempts amounted to $12,825.53 and included attempts at a pizza restaurant, hotels and online dating services, though most of the charges were for retailers (164).
- Two factor authentication does provide some protection against stolen credentials. There are six sites where you should really be using two-factor authentication in order to stay safe.
The takeaway is simple: “The research shows that identity thieves are actively looking for any consumer credentials they can find: if your account data becomes public, they will use it.”
Identity theft isn’t a matter of if, it’s a matter of when. And when it does happen, subscribers can count on LibertyID to clean up the mess
Are you covered for identity theft?