Ben Metcalfe

StolenIDSearch.com: Encouraging users to be too casual with their personal info?

I don’t get it – why are we asking people to put their credit card numbers and social security number into StolenIDSearch.com?

(It’s a site which claims it will search the Internet and files containing lists of exploited accounts/numbers).

Practically everyone in the industry has been persuading wider society not to put this kind of information into unusual sites. All of that education goes out the window as suddenly the tune is changed.

The design is fancy, it’s “brought to you by TrustedID” (whoever they are) and has a “VeriSign Secured” logo on the front page. But that means nothing – even the VeriSign Secured graphic could be fake.

Before anyone asks, this company is genuine with what it is claiming to do. It will search their records and it will help (read: charge) you to sort things out if the worst is discovered.

But the way it asks users to enter their credit card and SSN as the very first interaction with the site begins to break down the continued positive reinforcement of what we’ve been trying to teach the wider public: only give your social security number or credit card number to sites you know (like an online retailer or bank, etc).

Where are they looking?

According to the FAQ:

“The information that powers StolenID Search is found online, by looking in places where fraudsters typically trade or store this kind of information. All information behind StolenID search is publicly available, but not in places where search engines such as Yahoo and Google would look. TrustedID abides by all state and federal laws in the collection and provision of this compromised information.”

Now, I can understand why they are not simply releasing the lists publicly for people to check against – the volume of potentially still-valid numbers in those lists would ultimately empower the fraudsters more than it empowers the users.

However, seeing as it’s easy to work out which bank a card originates from via the first few digits of the account number, why not simply hand over these lists to the financial institutions (and the United States Treasury Department/Social Security Administration in the case of the SSNs) to let them sort it out? I bet Mastercard, Visa, AmEx and Co would not only be very happy to take such a list off their hands, but reward them for it too.

Another benefit of the direct approach would be all those poor people who don’t know about the site or don’t use the Internet – they would benefit from the detection of their card number too.

I’m all for using the affordances of the Internet to create new business opportunities. But sometimes there isn’t really a business to be had – and this seems like one of them.

If my credit card number is discovered in one of those lists I need to call my bank, not pay some company called ‘TrustedID’ $10 to sort it out. And those lists would be better handed over directly to the financial authorities in the first place anyway.

Clearly the ‘Intel Insider’ powering this operation is the way in which they are able to mine the data from the underground regions of the Internet – but that sounds like an (admittedly less lucrative) consultancy role for the credit card firms, not an end-user service.