Cyber hackers are trading more than 100,000 pieces of stolen identity information in the Edinburgh area, an investigation has revealed.
The shocking extent of the illicit trade was exposed after an examination of so-called “crypto” marketplaces on the hidden dark web.
The information, which could include online passwords, can be sold on to be used in so-called phishing scams to extort money.
While there is no way of knowing how many people in the Capital may have had their accounts compromised, experts said today the sheer volume of information being sold should act as a “wake-up call”.
Across the UK, an investigation by the Evening News and its sister titles in Johnston Press, showed nearly 11 million sets of identity details belonging to Britons are being traded.
Our investigations unit teamed up with London data firm C6 to examine the true extent of the booming identity trade.
We found a total of 115,333 pieces of identity information apparently from the Edinburgh area being traded, with the hardest hit postcodes being EH1 and EH4.
Chief operating officer of C6, which runs the hasmyidentitybeenstolen.com website, Emma Mills, said the rapidly growing number of people at risk of being defrauded was a major concern.
She said: “As consumers we have never really paid the price for fraud, we’re used to the banks picking up the credit and debit card losses, we don’t see the downside to ourselves of being careless with our personal information.
“We don’t clearly understand the impact of having our identities compromised and how long and painful it is to re-build that genuinely, it causes problems with applying for credit or any other form of account.”
Often the online marketplaces sell only partial information about an individual that can be fledged out over a period of time.
One site visited by journalists allowed users to bulk purchase Paypal accounts for one US dollar per account, with a minimum purchase of 100 at a time.
The store, which also purported to sell Ebay accounts, offered an 80 per cent working guarantee.
On its own, a person’s streaming service account details – a username and password – could be seen as innocuous. But profiles can then be “enriched”, often over a series of months, or even years.
If, like half of all internet users, a person uses the same password for multiple accounts those Netflix login details could be crucial to gaining access to a person’s e-mail address – and with it a host of other accounts simply by pressing the “forgotten password” button.
Once the identity is rich enough, fraudsters can open credit card accounts in a person’s name, buy goods and transfer money.
They can also sell on the so called “full person profile” in bulk.
Modern day gangs have a sophisticated hierarchy, Ms Mills said, operating in similar ways to a credit bureau, working from postcode area to postcode area, gathering details from a range of sources.
“They will have a group of people searching the electoral role, for example,” she added.
“They will start on a postcode and start working through it.
“If someone knows your e-mail, where you live and your date of birth it becomes quite a rich record.
“Once that information is gathered they can then sell it to a gang to ‘phish’ for your banking details.
“They will sit between you and the genuine site watching your keystrokes on the computer, they will know when you are logged on to your internet banking account.
“When you enter the fourth, fifth and sixth digit of your password they will know that. Then they will be patient.
“They will watch you log in on multiple occasions until they have built up a full picture of you.”
And while early dark web sites were largely text-only, many are ditching their functional aesthetics in favour of more user-friendly interfaces.
“These sites are just like any online shopping site now,” said Ms Mills.
“You can find which bank you want to buy details from, you can select what bank or card you want to buy. You could choose to buy gold cards for example.
“Depending on what that brand indicates, that gives them an idea of the credit worthiness of its owner.
“They will even issue you with a money back guarantee if you cannot make the transaction work within 24 hours. Some of them offer good customer service – some have a helpdesk. The idea is they want you to continue to go back.”
The ability to steal details en masse represents a far cry from the fraudsters of the 1990s seen hanging outside call centres in the hope of convincing employees to evince confidential information.
And the number of stolen identities being traded online is rising at an alarming rate.
In March, 9.3 million UK identities were circulating in the hidden web to C6’s knowledge.
As of July that total had risen to 10.8m.
Ms Mills said that the amount of personal data for sale spikes whenever a major company’s data has been breached.
But a company spokeswoman added that a spike has been in progress for the last three months, leading to the possibility that the recent WannaCry attack and other large scale breaches, such as that on AA customers, could be a contributing factor.
But, perhaps more concerning, is the theory that the recent rise could be down to a number of unreported hacks that companies are unwilling to disclose through fear of reputational damage.
“Things like the Ashley Maddison breach – a massive spike; the Talk Talk breach – a massive spike,” Ms Mills said.
“It comes in a big bulk and gets divided out for criminal gangs to do things with.”
Ms Mills said C6 Intelligence sees spikes of data entering the dark web long before companies have told their customers, though she praised Talk Talk as one of the few exceptions.
In 2014, C6’s online moles saw a massive rise in customer details from a range of telecommunications companies on the dark web, not just Talk Talk.
“Either the same consumers were hacked because they were using the same username/ e-mail password combinations,” said Ms Mills.
“Or other organisations were similarly hit and did not disclose it.”
Chief Inspector Scott Tees, Police Scotland Safer Communities, said: “Anyone who feels they have fallen victim to cybercrime in any form, including hacking, phishing scams, ransomware or malware, is always encouraged to come forward and report it to us.
“If you suspect you have been targeted please contact us on 101.
“The most effective way for people to protect their identity and avoid fraud online is to stay secure. Prevention is key.”
Reporting team: Aasma Day, Cahal Milmo, Don Mort, Chris Burn, Ruby Kitchen, Paul Lynch, Oli Poole, Gavin Ledwith, Ben Fishwick, Philip Bradfield and Deborah Punshon