Friday, February 22, 2008

Website Flaunts Potential Illegal Activity

I have learned of an online tool that benefits the identity thieves. Yet our nations law enforcement don't seem to be doing anything about it. Since 9/11, we think that security is tighter, and that online tools as this, would be shut down quickly. Since I have spoken out on consumer advocacy issues before, I can't continue to be quite about this website any longer.

The website is called Fake Name Generator. The owner (Jacob Allred) of the site has registered both the .com (registered since July 1, 2006) and .org (registered since Dec. 31, 2007) versions of this name. According to the Who is records, if he used his real contact, he lives in Suffolk, Virginia. Another person has registered the .NET version, but has not developed the site. That person, according to the records lives in the Bahamas (registered since Aug 16, 2007).

The website blatantly promotes on the website, "Your Randomly Generated Identity." Then easily and for free the user can get a fake name, address, credit card number and social security number generated. Not only that it will give you a fake email address and website, both of which you would have to register, before they could actually be used.

With the website so blatant, I don't understand why it even still exists after nearly 2-years. I myself first learned of this site a few months ago, when another blogger discussed it. Figuring that it would be gone pretty quickly, I ignored it, However, in recent weeks I have returned to the site and found it was still active. I even played around with the tool and found it to work pretty well. However, my big concern is that identity thieves will and probably do use this site to commit fraud. Whenever, you use a fake social security number to obtain credit or job, you are committing fraud.

Some of my fellow bloggers think the website is OK, because you can use it to generate a fake online name or names for a book. However, my concern, if that was the case the site would not need to generate fake credit card or social security numbers. I really don't see any reason to generate those 2 numbers, except for fraud.

I called the Kansas Bureau of Investigation (KBI) and asked them the question, figuring that ways the place to start. If my concern warranted the attention, that I thought it did, they would certainly bring in the FBI. Amanda with the KBI, didn't feel that any crime was actually committed, because they have free speech. When asked about the social security numbers being on the site, she said that as much as we might not like it, there is no crime unless it can be proved that someone identity was actually stolen.

The website does say, in the FAQ's section:

We do not condone, support, or encourage illegal activity of any kind. We will cooperate with law enforcement organizations to assist in the prosecution of anyone that misuses the information we provide or that asks us to provide illegal materials, such as forged documents or genuine credit card numbers.

That being said, we really don't see how it could be. If you make up a random name and address off the top of your head, do you really think its illegal?


As for the fake credit card, the website claims:

We use Graham King's PHP credit card generator. This script creates a fake, but syntax valid, credit card number. The expiration date is randomly generated to be a date in the near future. We use inactive prefixes to ensure that these cards are not used for fraud. These credit card numbers do not reflect anyone's real credit card number.


While it makes the following claim on the Social Security number it generates:

Social security numbers are generated using the pattern outlined by the Social Security Administration. Social insurance numbers are generated using the pattern outlined on Wikipedia. These numbers are completely random, and are extremely unlikely to match the generated name.


So they admit that they could in fact be real numbers. There lies the problem. It doesn't matter, if they match the name or not. Someone committing fraud whether they be an illegal alien, just trying to get a fake social security number to get a job, or someone that is more malicious trying to get credit without using their own number could easily misuse the number. This site, should be shut down or at least severely modified so that it does not include the fake numbers. Let me clarify my point, I have no problems with the fake name, address, phone, email, website or mothers maiden number. I do have a problem with the so called fake credit card and social security numbers and believe you should to.

I called Allred and asked him about my concerns and he claimed that his biggest clients were government agencies, like Australia. These organizations run computer software that needs national identity numbers to test basic computer software without risking disclosure of real information.

Um, OK, if you say so. He says the same thing about the credit card numbers. He did say that he understood my concern, but he really didn't see how it could be a problem.

His website does provide this response on the FAQ page:

We do not condone, support, or encourage illegal activity of any kind. We will cooperate with law enforcement organizations to assist in the prosecution of anyone that misuses the information we provide or that asks us to provide illegal materials, such as forged documents or genuine credit card numbers.




---
go ahead share your thoughts with me now.






Get Paid to Sign Up, Refer Others, Read E-Mail, Complete Offers, and More!

7 comments:

  1. I would recommend including the nofollow attribute in the link to that website so your link doesn't help it any (Wikipedia info on nofollow)

    ReplyDelete
  2. Oh ye gods, you have *got* to be kidding. Welp, I'll bite and assume you're not, so let's run down a few flawed bits of reasoning in this writeup:

    1) This site does *exactly* what it purports to do: it generates completely bogus identities for testing purposes. Read through that little sentence over and over until you fully comprehend it. There is absolutely *no* promise to create a set of information that could be used to "steal" someone else's real identity.

    2) None of the information generated is related to any other information generated. Go ahead and plug all the information you get from a single "run" from this site into any online loan application or credit card application, or try to order something. It won't work.

    3) The information generates *is* "syntactically" valid, meaning that the credit card numbers generated will be identified as "valid" for the given card type (by the published algorithm from the card application provider -- i.e. Visa or Mastercard). This means if you're writing a shopping cart application and want to test *your* function, let's call it "validateCreditCardNumber()", you can get a syntax-compliant number from this site really quick to run through your function. If it validates, you're halfway there. If you change a digit or two and it *doesn't* validate, then you know your checker works.

    Do you actually think this information can be used to instantly create a brand new identity, complete with birth certificate, social security number, passport, photo ID, mailing address, and credit cards? There is a remarkably low probability (think "winning the Powerball jackpot ten times in a row is more likely" here) that any given pairing of randomly-generated name + algorithmically compliant social security number would ever be a legitimate match. Add in the probability of actually randomly generating an *accurate* mailing address at the same time as the name and SSN are generated, and we're talking impossibly slim odds ("winning the Powerball jackpot ten times in a row, then being struck by lightning after having lunch with the actual Greek god Zeus," only harder still).

    It's a tool, and nothing more. This isn't in the "identity thief's toolkit." It's not valuable for break-in purposes. It's useful for developers to plug "seemingly" real data into their apps while they're being developed, not for the teeming masses of identity thieves.

    ReplyDelete
  3. stealing real information is a crime, but making up fake information is not. nor should it be.

    if i needed to test a secure information system, i'd pay this guy to give me some fake identities.

    if i needed to authenticate applicants, i'd test my system using data this guy provides. i could run it against real data, and see if my system detected real data vs. fake data.

    if i was making a 'honey pot' to catch criminals, i'd love this kind of data!

    and most importantly: if i think i can detect a "real" identity, this guy is here to show me IT'S NOT SO EASY.

    are you advocating "security by obscurity"? dangerous criminals already have tools like this. hiding the public, legitimate ones would make it harder to prepare for the illegitimate ones.

    security experts tell people how to crack systems so systems can be made more secure. often this might seem criminal, but in fact it helps us all.

    ReplyDelete
  4. That's pretty outrageous. Even though it may not be an actual crime, as mcfnord says, I think it encourages criminal behavior. Kudos to you for contacting law enforcement.

    ReplyDelete
  5. willfe -
    You obviously have never had your identity stolen and aren't concerned if it is. I on the other hand, thought it couldn't happen to me, but when a collection agency contacted me seeking money they thought they owed me, because someone used my social security number and a very different spelling of my last name at an address in Florida, in which I never lived, I learned that it can happen to me (or anyone else). I for one would very pissed if my SS# came up on this site, because as I said the potential for ID theft is there.
    I for one don't buy into the crap about testing software. If that was the case that portion of the website should be private, so that only authorized persons, with the clearance for such tasks can gain access. The public portion would just be the fake names. The so called fake credit card numbers and identity numbers would only be on the private portion.

    It's not that hard to figure out. This site seemingly doesn't really care about peoples privacy. It certainly doesn't matter that if the names and numbers match each other, as was the case when someone in Florida stole my ID.

    ReplyDelete
  6. I'm afraid I'm much more in willfe's court. But I AM curious as to whether you heard back from law enforcement and what their take was.

    ReplyDelete
  7. Kate -

    "I called the Kansas Bureau of Investigation (KBI) and asked them the question, figuring that ways the place to start. If my concern warranted the attention, that I thought it did, they would certainly bring in the FBI. Amanda with the KBI, didn't feel that any crime was actually committed, because they have free speech. When asked about the social security numbers being on the site, she said that as much as we might not like it, there is no crime unless it can be proved that someone identity was actually stolen."

    ReplyDelete