Scammer dupes Experian into selling Social Security Nos

Byron Acohido | USA TODAY

SEATTLE – Don't feel too bad if you've ever fallen for an online scam. You're in the same boat as giant credit checking bureau Experian.

Cybersecurity investigative blogger Brian Krebs is reporting that a Vietnamese hacker duped Experian into selling him valid Social Security numbers, probably paid for via hijacked online accounts.

According to Krebs, Experian sold SSNs to Hieu Minh Ngo, operator of SuperGet.info, through its subsidiary, Court Ventures.

Experian declined Krebs' interview request, instead sending him a carefully vetted statement acknowledging that Court Ventures sold data to Ngo. Here's the statement Krebs received:

"Experian acquired Court Ventures in March, 2012 because of its national public records database. After the acquisition, the US Secret Service notified Experian that Court Ventures had been and was continuing to resell data from US Info Search to a third party possibly engaged in illegal activity. Following notice by the US Secret Service, Experian discontinued reselling US Info Search data and worked closely and in full cooperation with law enforcement to bring Vietnamese national Hieu Minh Ngo, the alleged perpetrator, to justice. Experian's credit files were not accessed. Because of the ongoing federal investigation, we are not free to say anything further at this time."

This disclosure supplies more evidence of the tenuous nature of the online credit-checking and loan-selling system ported to the Internet by the financial sector to save costs. It's much cheaper to conduct sensitive transactions online than it is to hire staff and erect the buildings needed to conduct transactions face-to-face.

The trove of PII, which stands for Personally Identifiable Information, that the financial industry has amassed to support something called KBA, or Knowledge Based Authentication, is vast and complex. That means, of course, that this online infrastructure is "relatively easily beaten by criminals," says Avivah Litan, Gartner banking security analyst.

"As consumers, we just have to realize that there is no data privacy anymore," Litan writes in her blog. "Our life history and records on major financial transactions are for sale in the underground."