Oh Ngo! Consumer Credit Company Experian, Which Sells ID Theft Protection, Duped by Cybercriminal into Selling Credit Card and Other Data on Millions of Americans.
Hieu Minh Ngo (we presume Ngo pronounces his name “No,” hence our headline) ran an underground service called Superget.info. This registration-free site made it possible for cybercriminals to look up full Social Security numbers, birthdays, drivers’ license records and financial information on millions of Americans. Payment to the site was made via WebMoney and other virtual currencies.
Brian Krebs of KrebsOnSecurity conducted a painstaking investigation, which, as you might surmise, turned into a rather lengthy piece. Below you’ll find our briefer, edited version; his full piece is available at krebsonsecurity.com.
Each SSN search on Superget.info returned consumer records that were marked with a set of varying and mysterious two- and three-letter “sourceid:” identifiers, including “TH,” “MV,” and “NCO,” among others. …(The) abbreviations matched data sets produced by Columbus, Ohio-based USInfoSearch.com.
… U.S. Info Search CEO Marc Martin said the data sold by the ID theft service was not obtained directly through his company, but rather via Court Ventures, a third-party company with which US Info Search had previously struck an information sharing agreement. Martin said that several years ago US Info Search and CourtVentures each agreed to grant the other company complete access to its stores of information on US consumers.
Founded in 2001, Court Ventures described itself as a firm that “aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.” Cached, historic copies of courtventures.com are available through archive.org.
In March 2012, Court Ventures was purchased by…Experian, one of the three major consumer credit bureaus. According to Martin, the proprietors of Superget.info had gained access to Experian’s databases by posing as a U.S.-based private investigator. In reality, Martin said, the individuals apparently responsible for running Superget.info were based in Vietnam…
…While the private investigator ruse may have gotten the fraudsters past Experian and/or CourtVentures’ screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, Martin said the Secret Service told him that the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.
“The issue in my mind was the fact that this went on for almost a year after Experian did their due diligence and purchased” Court Ventures, Martin said. “Why didn’t they question cash wires coming in every month?
“Experian portrays themselves as the data breach experts, and they sell identity theft protection services. How this could go on without them detecting it I don’t know. Our agreement with them was that our information was to be used for fraud prevention and ID verification, and was only to be sold to licensed and credentialed U.S. businesses, not to someone overseas.”
(KrebsOnSecurity received this statement from Experian.)
“Experian acquired Court Ventures in March, 2012 because of its national public records database. After the acquisition, the US Secret Service notified Experian that Court Ventures had been and was continuing to resell data from US Info Search to a third party possibly engaged in illegal activity. Following notice by the US Secret Service, Experian discontinued reselling US Info Search data and worked closely and in full cooperation with law enforcement to bring Vietnamese national Hieu Minh Ngo, the alleged perpetrator, to justice. Experian’s credit files were not accessed. Because of the ongoing federal investigation, we are not free to say anything further at this time.”
(A) scammer-friendly forum called talkgold.com (had) a user named “hieupc” …promoting Superget.info as his site. Further searching showed that there was a fairly active Vietnamese hacker who used the nickname “hieupc.” That user appears to have gotten started defacing Web sites, even attacking the Web site of his former university in New Zealand after the school kicked him out for alleged credit card fraud. As it happens, the Web server address history for Superget.info shows that it was hosted last year in Vietnam.
According to an indictment unsealed last week by the U.S. District Court for the District of New Hampshire, Hieupc was none other than Hieu Minh Ngo, the 24-year-old Vietnamese individual named in Experian’s statement.
According to court documents, Ngo resided in New Zealand and Vietnam, and operated Superget.info and a similar ID theft service called findget.me, along with an unnamed co-conspirator, identified in the complaint only as John Doe One.
These services specialized in selling “fullz” or “fulls,” a slang term that cybercrooks use to describe a package of personally identifiable information that typically includes the following information: an individual’s name, address, Social Security number, date of birth, place of work, duration of work, state driver’s license number, mother’s maiden name, bank account number(s), bank routing number(s), email account(s) and other account passwords. Fulls are most commonly used to take over the identity of a person in order to engage in other fraud, such as taking out loans in the victim’s name or filing fraudulent tax refund requests with the IRS.
All told, findget.me and Superget.info acquired or sold fullz information on more than a half million people, the government alleges.
(It’s believed) undercover federal agents set up a phony business deal to lure Ngo out of Vietnam and into Guam, an unincorporated territory of the United States in the western Pacific Ocean…. Ngo was arrested upon his arrival in Guam and transferred to New Hampshire. There he is currently facing 15 separate criminal charges, including conspiracy to commit identification fraud, aggravated identity theft, and wire fraud, among others.
(Statutory) maximum penalties are five years on the identity fraud and identity fraud conspiracy counts; two years each on the aggravated identity theft counts; 20 years on the wire fraud count and wire fraud conspiracy counts; 10 years on the substantive access device fraud count; and five years on the conspiracy to commit access device fraud count.
Meanwhile, it’s not clear what — if any — trouble Experian may face as a result of its involvement in the identity theft scheme…. ChoicePoint (a data aggregator which had a similar information breach) was later sued by the U.S. Federal Trade Commission, an action that produced a $10 million settlement — the largest in the agency’s history for a violation of federal privacy law….
Avivah Litan, a financial fraud analyst with Gartner Inc., said this latest exposure raises serious questions about U.S. regulators’ capacity to monitor the due care of extremely sensitive consumer data, in accordance with the Fair Credit Reporting Act. Litan said that under 15 U.S.C. 1681b credit reporting agencies have strict guidelines regarding to whom they may distribute consumer reports….
(FTC Chairperson) Edith Ramirez said “the time has come for businesses to move their data collection and use practices out of the shadows and into the sunlight. In other words, with big data comes big responsibility. Firms that acquire and maintain large sets of consumer data must be responsible stewards of that information.”
Ramirez noted that the FTC can already bring actions under Section 5 of the FTC Act, and that it will continue to be active in punishing data brokers that fail to secure the information they collect. But she said stronger incentives to push firms to safeguard big data must be in place, and that the FTC has urged Congress to give the agency civil penalty authority against companies that fail to maintain reasonable security.
“Firms of all sorts are using consumer data in ways that may not just be contrary to consumers’ expectation, but could also be harmful to their interests,” Ramirez said. “This problem is perhaps seen most acutely with data brokers — companies that collect and aggregate consumer information from a wide array of sources to create detailed profiles of individuals. Their success depends on having more and better data than their rivals. The concern is that their mega-databases may contain highly sensitive information. The risk of improper disclosure of sensitive information is heightened because consumers know nothing about these companies and their practices are invisible to consumers.”
…FTC Chairwoman Ramirez said the agency also issued subpoenas to nine data brokers, seeking information about the nature and sources of the consumer information the data brokers collect; how they use, maintain, and disseminate the information; and the extent to which they allow consumers to access and correct their information or opt out of having their personal information sold. The FTC said it expects to issue a report later this year with its findings.