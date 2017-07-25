Cyber hackers are trading the details of over 254,000 people in Belfast on the dark web every day in a bid to extort them for cash and goods, a group of undercover online moles has found.

Across the UK that number has leapt from one million to three million in just four years in a shocking sign that illicitly obtained personal data has become one of the fastest growing tradeable commodities online.

Dark web marketplaces are now offering money back guarantees for bulk purchases of credit card numbers, passwords, account details and more.

Now Johnston Press investigations has teamed up with London data firm C6 to reveal the true extent of the booming identity trade among the criminal underworld.

The study has revealed that in Belfast a total of 254,155 people are almost certainly unaware that their very identity is being traded with the hardest hit postcode being BT4, the Strandtown-Stormont area, which has 46,405 identities for sale. By comparison BT10, the Finaghy area, was the least hit postcode in the city, with only 864 names being traded.

The worrying data has been collated over a series of years by a team of cyber moles embedded in the murkiest reaches of the dark web, observing wholesale transactions through encrypted chat rooms.

Chief operating officer of C6, which runs the hasmyidentitybeenstolen.com website, Emma Mills, said the spiralling amount of people at risk of being defrauded needs to act as a wake up call.

She said: “As consumers we have never really paid the price for fraud we’re used to the banks picking up the credit and debit card losses, we don’t see the downside to ourselves of being careless with our personal information.

“We don’t clearly understand the impact of having our identities compromised and how long and painful it is to re-build that genuinely, it causes problems with applying for credit or any other form of account.”

Often the online marketplaces sell only partial information about an individual.

One site visited by Johnston Press Investigations allowed users to bulk purchase Paypal accounts for one US dollar per account, with a minimum purchase of 100 at a time.

The store, which also purported to sell Ebay accounts, offered an 80 per cent working guarantee.

On its own, a person’s streaming service account details could be seen as innocuous. But profiles can then be ‘enriched’, often over a series of months, or even years.

If, like half of all internet users, a person uses the same password for multiple accounts those Netflix login details could be crucial to gaining access to a person’s email address - and with it a host of other accounts simply by pressing the ‘forgotten password’ button.

Once the identity is rich enough, fraudsters can open credit card accounts in a person’s name, buy goods and transfer money.

They can also sell on the so called ’full person profile’ in bulk.

Modern day gangs have a sophisticated hierarchy, Ms Mills said, operating in similar ways to a credit bureau, working from postcode area to postcode area, gathering details from a range of sources.

“They will have a group of people searching the electoral role, for example,” she added.

“They will start on a post code and start working through it.

“If someone knows your email, where you live and your date of birth it becomes quite a rich record.

“Once that information is gathered they can then sell it to a gang to ‘phish’ for your banking details.

“They will sit between you and the genuine site watching your keystrokes on the computer, they will know when you are logged on to your internet banking account.

“When you enter the fourth, fiftth and sixth digit of your password they will know that.

“Then they will be patient.

“They will watch you log in on multiple occasions until they have built up a full picture of you.”

And while early dark web sites were largely text-only, many are ditching their functional aesthetics in favour of more user-friendly interfaces.

“These sites are just like any online shopping site now,” said Ms Mills.

“You can find which bank you want to buy details from, you can select what bank of card you want to buy. You could choose to buy gold cards for example.

“Depending on what that brand indicates, that gives them an idea of the credit worthiness of its owner.

“They will even issue you with a money back guarantee if you cannot make the transaction work within 24 hours.

“Some of them offer good customer service – some have a helpdesk. The idea is they want you to continue to go back.”

The ability to steal details en masse represents a far cry from the fraudsters of the 1990s seen hanging outside call centres in the hope of convincing employees to evince confidential information.

And the number of stolen identities being traded online is rising at an alarming rate.

In March, 9.3 million UK identities were circulating in the hidden web to C6’s knowledge. As of July that total had risen to 10.8 million.

Mrs Mills said that the amount of personal data for sale spikes whenever a major company’s data has been breached.

“Things like the Ashley Maddison breach – a massive spike, the Talk Talk breach, a massive spike,” she said.

“It comes in in a big bulk and gets divided out for criminal gangs to do things with.”

Ms Mills said C6 Intelligence sees spikes of data entering the dark web long before companies have told their customers, though she praised Talk Talk as one of the few exceptions.

In 2014, C6’s online moles saw a massive rise in customer details from a range of telecommunications companies on the dark web, not just Talk Talk.

“Either the same consumers were hacked because they were using the same username, e-mail password combinations,” said Ms Mills. “Or other organisations were similarly hit and did not disclose it.”

C6, owned by Acuris, has been researching this type of data since 2002 and works by updating a database of known records being traded in the far reaches of the dark web.

Its website, hasmyidentitybeenstolen.com, allows users to see whether their address or data has been compromised.

Top tips to avoid being a hacker’s hero:

• Social media: Don’t fill in the personal details, like age, email address and phone numbers

• Social privacy: Check your Facebook pages and posts have the highest privacy settings.

• Email: Use a variety of email accounts for different things. If you have linked an email address to social media, do not use this address for things like online banking.

• Passwords: Consider password vault software like LastPass to keep your passwords secure. Never let your web browser ‘remember’ your passwords

• Use Password strength calculators like howsecureismypassword.net to assess the integrity of your passwords, in conjunction with password vaults. Never put your password in them, use a similar one to test.

• Be alert: Question everything. If you receive a bank letter asking you to call them, verify the number through the bank’s official website.

