Experian CreditExpert finds nearly 20 million pieces of personal information illegally traded online in the first 6 months of this year, as new “Life in a Box” experiment reveals our cyber security slips.
Stolen password and login combinations can travel across the globe within seconds where fraudsters open new accounts.
London, UK, 2nd October 2012 – Nearly 20 million pieces of personal information were illegally traded by fraudsters in the first six months of 2012, according to the latest quarterly figures from Experian CreditExpert.1
Released to mark the beginning of National Identity Fraud Prevention Week, the findings reveal that 19.7 million pieces of information were bought and sold illegally between January and June 2012 – more than in the whole of 2011, when 19.04 million records were traded. At current trend levels, this figure is set to be a fourfold increase on 2010 (when 9.46 million records traded illegally).
The findings come as Experian concludes an unusual experiment into online security and the average Briton’s web habits – Life in a Box.
The experiment saw a volunteer, Steve, placed in a London shop front for a week with just a laptop for company. He was set a series of online challenges to determine how often, where and when, but most importantly, how securely personally identifiable information (e.g. name, email, data of birth data) was submitted – particularly the combination of a login and password which forms 90% of the market for illegally traded information online1.
Steve was fully aware that this experiment would enable Experian to look for and identify any weaknesses in his online behaviour, expose them and see what a fraudster might potentially be able to discover.
The experiment revealed that although Steve showed himself to be a savvy web user, like many people he made basic security mistakes in his hurry to get things done. During the course of the week, he used the same password across multiple accounts, failed to update his web browser to a newer, more secure version and didn’t check that websites were secure by looking for the padlock icon when making online purchases.
Full results from the experiment can be found below.
As part of the experiment, Experian called upon the expertise of a third party security consultant to measure how far data can spread when it gets into the wrong hands. The results are as follows:
Peter Turner, Managing Director at Experian Consumer Services in the UK and Ireland, commented: “It’s a wonderful life online, and it is now second nature to many of us. We’re more confident and more comfortable than ever – but that also means that, like Steve, we can be complacent. Although fourteen per cent of Britons admit to being concerned about the risk of online ID theft, many more – 43 per cent – have no such worries.
“When managing multiple online accounts, users need to protect themselves with a service like CreditExpert’s Web Monitoring, which alerts members by text or email at the first signs that their details have been compromised.”
The risk of having details stolen is very real. Research from Experian CreditExpert2 finds that:
Perhaps most surprisingly of all, many simply let curiosity get the better of them. Despite the well-known risks, one in six Brits (16 per cent) admit to sometimes opening spam to see what it says, while one in 50 (two per cent) even click on links in spam emails.
Since Experian CreditExpert’s web monitoring service was launched in May 2012, members have already been alerted to more than 400,000 instances of their information being exposed or misused.
Web users can take the following steps to help protect themselves:
Findings from the Life in a Box Experiment:
1. Identification of re-use of passwords:
Every new account that was registered by Steve during the project used the same password. Services signed up for included shopping websites, social media sites and communication sites. The compromise of any of these accounts could have led to a compromise of any other details or credentials, due to the reuse across multiple services.
2. Not checking for SSL Encryption when sending confidential information:
SSL is used to protect confidential or secure information when it is being sent over the internet. Users should always check to see if the padlock icon is visible when interacting with any sites which are requesting personal or private data, including usernames and passwords.
Steve agreed to let a security consultant monitor his web traffic and see what details could be identified. On the fourth day of the experiment, the third-party security consultant used a number of tools to automatically strip SSL protection from websites. The goal of this was to identify if users automatically checked for the padlock icon every time when using a site, or if they only checked on the first occasion.
Throughout the whole day SSLStrip was used to remove SSL protection from a number of sites. Steve failed to identify the lack of SSL (signified by the lack of padlock icon) during this period, and it was possible to identify and extract various credentials belonging to him, including his password, address, credit card number and phone number.
For more information on Experian data please contact Bell Pottinger Consumer PR:
For more information on Life in a Box please contact Melville Communications:
Victoria Melville – 07974 161 123 / 01483 489 009 / Victoria@melvillecommunications.co.uk
Notes to editors:
*Two sets of research were conducted:
• Internal research carried out by Experian CreditExpert.
• External consumer research conducted by Opinion Matters among a representative sample of 2,000 UK adults in September 2012.
** These email accounts were fake accounts, and the third party security expert was only able to identify the country in which the accounts were taken over, as opposed to any individual users.
Key benefits of Experian CreditExpert membership:
Experian is the leading global information services company, providing data and analytical tools to clients around the world. The Group helps businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making. Experian also helps individuals to check their credit report and credit score, and protect against identity theft.
Experian plc is listed on the London Stock Exchange (EXPN) and is a constituent of the FTSE 100 index. Total revenue for the year ended 31 March 2012 was US$4.5 billion. Experian employs approximately 17,000 people in 44 countries and has its corporate headquarters in Dublin, Ireland, with operational headquarters in Nottingham, UK; California, US; and São Paulo, Brazil.
For more information, visit http://www.experianplc.com