FBI Seizes Notorious Marketplace for Selling Millions of Stolen SSNs (techcrunch.com) 27
U.S. law enforcement have announced the takedown of SSNDOB, a notorious marketplace used for trading the personal information -- including Social Security numbers, or SSNs -- of millions of Americans. From a report: The operation was conducted by the FBI, the Internal Revenue Service (IRS), and the Department of Justice (DOJ), with help from the Cyprus Police, to seize four domains hosting the SSNDOB marketplace -- ssndob[dot]ws, ssndob[dot]vip, ssndob[dot]club, and blackjob[dot]biz. SSNDOB listed the personal information for approximately 24 million individuals in the United States, including names, dates of birth, SSNs, and credit card numbers, and generated more than $19 million in revenue, according to the DOJ. Chainalysis, a blockchain analysis company, reports separately that the marketplace has received nearly $22 million worth of Bitcoin across over 100,000 transactions since April 2015, though the marketplace is believed to have been active since at least 2013. These figures suggest that some users were buying personally identifiable information from the service in bulk, according to Chainalysis, which also uncovered a connection between SSNDOB and Joker's Stash, a large dark net market focused on stolen credit card information that shut down in January 2021.
Re: (Score:1)
Well, I think you're right that it doesn't do much. And there's the question as to what laws they've broken. (As you pointed out, Equifax and other companies do essentially the same thing.) But if they really have broken laws, then it's a reasonable thing to do, if less effective than a band-aid. (Band-aids keep dust etc. out of open wounds, so they do a reasonable job for minor problems.)
Re: (Score:3)
The credit rating companies are all shitlords but no, they don't sell SSNs. They sell information when you provide them a SSN.
Re: (Score:3)
Equifax' fault was lax security. There was no criminal intent there. Unlike in the case described in TFA...
Re: (Score:3)
Selling numbers is criminal intent?
The fact that selling SSNs is worth it, means that there's something very very wrong with how SSNs work.
Re: (Score:2)
Re: (Score:1)
Selling information (numerical or otherwise), that is supposed to be private, is a crime, yes.
This is as correct as it is irrelevant.
Re: (Score:2)
It's fair that it's irrelevant to this specific thing. But it's far more relevant to the wider idea that you have a number that's so important that apparently *needs* to be secret.
That's just not something that will ever work.
Anyway. Waaay off topic by now :D
Re:But how does this help? (Score:4, Insightful)
It was and is just a number, sort of like your street address, anyone using it solely for security purposes is an idiot.
Re: (Score:3)
It was and is just a number, sort of like your street address, anyone using it solely for security purposes is an idiot.
It was supposed to be used only for SSI, but that's over. The credit rating companies are making good money with their rating scam, so it's hard to say they're operating idiotically.
Re: (Score:3)
The "Security" in "Social Security Number" doesn't refer to, like, computer security, but to the financial security provided by the United States's Social Security program. US taxpayers pay in to this program throughout their working lives, and once they hit retirement age, are guaranteed a monthly payout until death. There are more details to it, but that's the very basic idea.
If you have one of these numbers, you should keep it more private than your street address, as (for better or worse) it is used by
Re: (Score:2)
Social Security Number is a misnomer, it is really just a taxpayer identification number. Anyone asking for this number that does not have to report your activity to the IRS should not be asking for it. I think the DMV wants it but that is to help you get a valid photo ID.
It was and is just a number, sort of like your street address, anyone using it solely for security purposes is an idiot.
This, it should be treated like public info... It can be used as a (weak) method of identification, but it's not a means of authentication.
The only people interested in my TFN (Tax File Number, Australia) or my NIN (National Insurance Number, United Kingdom) are entities where they would need to pay tax or report taxable income on my behalf. The DVLA (Driver and Vehicle License Agency) couldn't care less about my NIN, I'd need to provide valid ID like my birth certificate, passport or residency permit (a
Re: (Score:2)
What would make you think this is meant to benefit anybody other than the bureaucrats at these agencies? Because the bureaucrats said so? That's not how this works.
Re: (Score:3)
Maybe you do not understand how complicated and many-faceted "the Government" actually is. Just because the FBI does something does not imply anything about the rest of the government. Learn to make distinctions. And if you really want to assign blame, blame Congress for not passing laws that make losing SS numbers a crime. What they really need are laws stopping the use of SS numbers by anyone except the government and that only for tax and benefit calculations. And I mean laws with real teeth meaning heft
Finally.. (Score:2, Flamebait)
they busted the IRS?
Re: (Score:1)
The IRS tax collection is how we fund the government and its services. However, your dreams are about to come true. In roughly 12-13 years, SS and Medicare will be broke so you'll be wanting to get your spare room ready for Grandma. And you'll be wanting to save up for her meds, they are expensive but that won't bother your inner Ayn Rand.
It should be illegal to possess someone else&rsquo (Score:1)
It should be illegal to possess someone else’s SSN unless you are the parent of a minor, for a credit check or it's required by law for tax purposes.
Once the credit check is done the SSN should have to be deleted.
It should be illegal to use the SSN or the last 4 as an ID number except by the SSA or IRS.
Getting a replacement SSN should be easy.
Re:It should be illegal to possess someone else&am (Score:2)
SSNs are not identification and are not secrets. They are indexes into the government's Social Security and IRS databases. It should be illegal for companies to use SSNs as identification.
Yes. But s/identification/authentication/ (Score:2)
You're absolutely right they are not secret. Perhaps some people wish SSNs were secret; they aren't. I have millions of them.
They DO *identity* you, just like your email address does.
"Jbegt" is you, it identifies you vs someone else.
Knowledge of that doesn't *authenticate* you.
It's worth being clear on the difference between an identifier (name, email address, SSN) vs an authenticator (password, secret key). Identifiers are by their nature public - they are how others name you, how they refer to you vs some
Now go after the buyers! (Score:2)
Title says it all.
Re: (Score:2)
Err...because the U.S. doesn't have foreign police force? And they were selling information on Americans, sounds like a domestic concern to me.
Re: (Score:2)
Don't worry, soon J.Doe#1, J.Doe#2 and J.Doe#3 will soon have criminal convictions in a US court even though they have no idea who was actually running the servers. Of course due process wasn't violated by not allowing them any defence....
You just have to hope that they don't find (or create) any evidence linking you to one of these identities and lock you away for the rest of your days.
Re: (Score:2)
the U.S. doesn't have foreign police force?
Tell that to any of the many countries where we've initiated "police actions"
So they get jail, but the bankers ... (Score:1)
just had to give us a free service for a year that they control anyway. Pretty sure Equifax has scammed more people, and cost them more in higher interest than this site could dream of.
SSN = social security number, i.e. US ID code. (Score:2)
Outside the US, it means something a bit more serious. [wikipedia.org]
But why is this a problem? None of those things should be secret. SSN was never intended as a secret password. For a start, you cannot easily change it.
The real problem is all the utterly stupid organisations who treat such data as proof of identity.
It is similar with drivers licenses. It used to be that a physical license card was used as proof of ID, which made sense for low-stakes situations, as they are hard to forge. But now we have people using