Feeds

Typosquatters hijack US credit report site

Be careful out there, warns privacy forum

  • alert
  • submit to reddit

3 Big data security analytics techniques

Privacy-sensitive US citizens aiming to get their government-mandated annual free credit reports have to be careful not to endanger their sensitive data instead, stated a report released last Thursday.

More than 200 domains with similar spellings to the official AnnualCreditReport.com site have been registered by private companies to take advantage of consumers' typos. At least 112 of the domains direct wayward consumers to sites that take advantage of a victim's mistake, including sites that collect the visitor's social-security number (SSN) for marketing purposes, said Pam Dixon, executive director for the World Privacy Forum, the privacy advocacy group that published the report.

"When you have 220 million people who are ready to put in an SSN, but a typo sends them to the wrong domain, then you have a problem," Dixon said. "I don't know how a consumer could wind their way through this labyrinth and see all the pitfalls."

The report outlines one downside of the government's response to identity theft, as announcements of new data leaks continue to plague the financial and healthcare industries and universities.

In June, MasterCard International warned that a security slip-up at third-party credit-card processor CardSystems Solutions endangered up to 40 million credit-card accounts. Earlier this month, the University of Southern California shut down its online system for accepting applications after a flaw was found to endanger the personal information of as many as 280,000 prospective students.

The Annual Credit Report website was mandated by Congress with the passage in December 2003 of the Fair and Accurate Credit Transactions (FACT) Act, a mix of consumer and credit-industry protections. Among the pro-consumer parts of the legislation is a mandate that the three major credit agencies allow Americans to receive a free credit report every year. Consumers must be allowed to order the reports through the mail, by phone or over the internet. The three credit agencies established the AnnualCreditReport.com site to service internet requests. The site is managed by a joint effort, known as the Central Source, between those credit agencies and the Federal Trade Commission.

The site has rolled out services to consumers based on the geographic region of the United States in which they reside. People living on the West Coast were able to access their credit information on 1 December, 2004. Both the Midwest and Southeast regions of the country now have access, with Northeast residents gaining access by 1 September.

However, a steady stream complaints from consumers, whose typos or use of similar names have landed them on link farms and impostor sites, also began with the activation of the services, said Dixon.

"People started calling us, complaining about various domains," she said. "There is a whole range of computing skill out there among consumers - educating 200 million people is hard. I think there is a lot more work to do."

The number of sites have more than doubled to 112, since the WPF published its first report, based on consumer complaints, in February.

In one case, the domain "wwwannualcreditreport.com" led to a site that requested visitors' social-security numbers and then shared that information with a number of other companies, according to the report. After a complaint to the Central Source in early June, the site was taken down.

Another 68 domains are owned by Domain Sponsor, a subsidiary of Oversee.net, and lead to websites hosting links of other sites offering credit reports. Oversee.net did not return requests for comment.

Legitimate companies, or their affiliates, are also using visitors' typos to redirect consumers to their websites, according to the report. For example, "annualcreditmonitoringreport.com" leads people to FreeCreditReport.com, a site owned by TrueCredit, a subsidiary of the TransUnion credit bureau.

TransUnion did not immediately respond to requests for comment.

Another four websites, with names such as "creditreportannually.com" and "annualonlinecreditreport.com," lead consumers to credit-checking company, Intelius. The company offers background checks and people searches for a fee.

While the company is under agreement with an affiliate to not sell the sites, chairman and CEO Naveen Jain said the company is now considering asking visitors if they intended to go to the AnnualCreditReport.com site.

"I don't have a problem with making sure that people want to be at our site and sending them to the annual credit report site if that's where they want to go," he said.

While many of the sites using the controversial tactic may not be where a consumer intends to visit, in many cases, the only harm is confusion. Only in a few cases do websites ask a trusting visitor for sensitive information, WPF's Dixon said.

"A lot of people who contacted us spent $35 on a credit report and that was their only harm," she said.

In the end, Dixon believes that navigating the online world may be too difficult for the average consumer and recommends that any non-technical users contact the credit bureaus by phone or mail.

Copyright © 2004, SecurityFocus logo

Related stories

Database misuse: who watches the watchers?
Privacy from the trenches
Fraudsters expose 100,000 across US

Combat fraud and increase customer satisfaction

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.