Identity theft

Pornhub prepares to block five more states rather than check IDs

adult content, adult entertainment, age verification, arkansas, aylo, child safety, idaho, Identity theft, Indiana, kansas, Kentucky, lousiana, mississippi, montana, Nebraska, North Carolina, phishing, Policy, pornhub, texas, Utah, Virginia / Mike M. / June 22, 2024

“Uphill battle” —

The number of states blocked by Pornhub will soon nearly double.

Ashley Belanger – Jun 20, 2024 8: 33 pm UTC

Pornhub will soon be blocked in five more states as the adult site continues to fight what it considers privacy-infringing age-verification laws that require Internet users to provide an ID to access pornography.

On July 1, according to a blog post on the adult site announcing the impending block, Pornhub visitors in Indiana, Idaho, Kansas, Kentucky, and Nebraska will be “greeted by a video featuring” adult entertainer Cherie Deville, “who explains why we had to make the difficult decision to block them from accessing Pornhub.”

Pornhub explained that—similar to blocks in Texas, Utah, Arkansas, Virginia, Montana, North Carolina, and Mississippi—the site refuses to comply with soon-to-be-enforceable age-verification laws in this new batch of states that allegedly put users at “substantial risk” of identity theft, phishing, and other harms.

Age-verification laws requiring adult site visitors to submit “private information many times to adult sites all over the Internet” normalizes the unnecessary disclosure of personally identifiable information (PII), Pornhub argued, warning, “this is not a privacy-by-design approach.”

Pornhub does not outright oppose age verification but advocates for laws that require device-based age verification, which allows users to access adult sites after authenticating their identity on their devices. That’s “the best and most effective solution for protecting minors and adults alike,” Pornhub argued, because the age-verification technology is proven and less PII would be shared.

“Users would only get verified once, through their operating system, not on each age-restricted site,” Pornhub’s blog said, claiming that “this dramatically reduces privacy risks and creates a very simple process for regulators to enforce.”

A spokesperson for Pornhub-owner Aylo told Ars that “unfortunately, the way many jurisdictions worldwide have chosen to implement age verification is ineffective, haphazard, and dangerous.”

“Any regulations that require hundreds of thousands of adult sites to collect significant amounts of highly sensitive personal information is putting user safety in jeopardy,” Aylo’s spokesperson told Ars. “Moreover, as experience has demonstrated, unless properly enforced, users will simply access non-compliant sites or find other methods of evading these laws.

Age-verification laws are harmful, Pornhub says

Pornhub’s big complaint with current age-verification laws is that these laws are hard to enforce and seem to make it riskier than ever to visit an adult site.

“Since age verification software requires users to hand over extremely sensitive information, it opens the door for the risk of data breaches,” Pornhub’s blog said. “Whether or not your intentions are good, governments have historically struggled to secure this data. It also creates an opportunity for criminals to exploit and extort people through phishing attempts or fake [age verification] processes, an unfortunate and all too common practice.”

Over the past few years, the risk of identity theft or stolen PII on both widely used and smaller niche adult sites has been well-documented.

Hundreds of millions of people were impacted by major leaks exposing PII shared with popular adult sites like Adult Friend Finder and Brazzers in 2016, while likely tens of thousands of users were targeted on eight poorly secured adult sites in 2018. Niche and free sites have also been vulnerable to attacks, including millions collectively exposed through breaches of fetish porn site Luscious in 2019 and MyFreeCams in 2021.

And those are just the big breaches that make headlines. In 2019, Kaspersky Lab reported that malware targeting online porn account credentials more than doubled in 2018, and researchers analyzing 22,484 pornography websites estimated that 93 percent were leaking user data to a third party.

That’s why Pornhub argues that, as states have passed age-verification laws requiring ID, they’ve “introduced harm” by redirecting visitors to adult sites that have fewer privacy protections and worse security, allegedly exposing users to more threats.

As an example, Pornhub reported, traffic to Pornhub in Louisiana “dropped by approximately 80 percent” after their age-verification law passed. That allegedly showed not just how few users were willing to show an ID to access their popular platform, but also how “very easily” users could simply move to “pirate, illegal, or other non-compliant sites that don’t ask visitors to verify their age.”

Pornhub has continued to argue that states passing laws like Louisiana’s cannot effectively enforce the laws and are simply shifting users to make riskier choices when accessing porn.

“The Louisiana law and other copycat state-level laws have no regulator, only civil liability, which results in a flawed enforcement regime, effectively making it an option for platform operators to comply,” Pornhub’s blog said. As one of the world’s most popular adult platforms, Pornhub would surely be targeted for enforcement if found to be non-compliant, while smaller adult sites perhaps plagued by security risks and disincentivized to check IDs would go unregulated, the thinking goes.

Aylo’s spokesperson shared 2023 Similarweb data with Ars, showing that sites complying with age-verification laws in Virginia, including Pornhub and xHamster, lost substantial traffic while seven non-compliant sites saw a sharp uptick in traffic. Similar trends were observed in Google trends data in Utah and Mississippi, while market shares were seemingly largely maintained in California, a state not yet checking IDs to access adult sites.

Pornhub prepares to block five more states rather than check IDs Read More »

Men plead guilty to aggravated ID theft after pilfering police database

Biz & IT, doxxing, extortion, Identity theft, Security / Ari B / June 19, 2024

GUILTY AS CHARGED —

Members of group called ViLE face a minimum of two years in prison.

Dan Goodin – Jun 18, 2024 8: 30 pm UTC

Two men have pleaded guilty to charges of computer intrusion and aggravated identity theft tied to their theft of records from a law enforcement database for use in doxxing and extorting multiple individuals.

Sagar Steven Singh, 20, and Nicholas Ceraolo, 26, admitted to being members of ViLE, a group that specializes in obtaining personal information of individuals and using it to extort or harass them. Members use various methods to collect social security numbers, cell phone numbers, and other personal data and post it, or threaten to post it, to a website administered by the group. Victims had to pay to have their information removed or kept off the website. Singh pled guilty on Monday, June 17, and Ceraolo pled guilty on May 30.

Impersonating a police officer

The men gained access to the law enforcement portal by stealing the password of an officer’s account and using it to log in. The portal, maintained by an unnamed US federal law enforcement agency, was restricted to members of various law enforcement agencies to share intelligence from government databases with state and local officials. The site provided access to detailed nonpublic records involving narcotics and currency seizures and to law enforcement intelligence reports.

Investigators tied Singh to the unlawful access after he logged in with the same IP address he had recently used to connect to a social media site account registered to him, prosecutors said in charging papers filed in March 2023. Prosecutors said Singh also threatened to harm one victim’s family unless the victim, referred to as Victim-1 in court papers, turned over credentials for an Instagram account.

“In order to drive home the threat, Singh appended Victim-1’s social security number, driver’s license number, home address, and other personal details,” prosecutors wrote. “Singh told Victim-1 that he had ‘access to [] databases, which are federal, through [the] portal, I can request information on anyone in the US doesn’t matter who, nobody is safe.’” The defendant ultimately directed Victim-1 to sell Victim-1’s accounts and give the proceeds to Singh.

The criminal complaint went on to allege that Ceraolo used a compromised email account belonging to a Bangladeshi police official to email account to pose as a Bangladeshi police official to contact US-based social media companies and ask them for personal information belonging to certain users under the false pretense that the users were committing crimes or were in life-threatening danger. In one case, one of the social media companies complied. The pair then used the data belonging to victims to extort them in exchange for not publishing it.

On a different occasion, the pair used the compromised email account to request user information from a different social media company after claiming that the user had sent bomb threats, distributed child abuse images, and threatened officials of a foreign government. The social media company ultimately refused and later posted on X (formerly Twitter) that it had identified the fraudulent request.

Both defendants face a minimum sentence of two years in prison and a maximum of seven years. The date of sentencing isn’t immediately known.

Men plead guilty to aggravated ID theft after pilfering police database Read More »

AT&T: Data breach affects 73 million or 51 million customers. No, we won’t explain.

AT&T, Biz & IT, Data breaches, Identity theft, Security / Ryan Harris / April 10, 2024

“SECURITY IS IMPORTANT TO US” —

When the data was published in 2021, the company said it didn’t belong to its customers.

Dan Goodin – Apr 10, 2024 10: 28 pm UTC

AT&T is notifying millions of current or former customers that their account data has been compromised and published last month on the dark web. Just how many millions, the company isn’t saying.

In a mandatory filing with the Maine Attorney General’s office, the telecommunications company said 51.2 million account holders were affected. On its corporate website, AT&T put the number at 73 million. In either event, compromised data included one or more of the following: full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, AT&T account numbers, and AT&T passcodes. Personal financial information and call history didn’t appear to be included, AT&T said, and data appeared to be from June 2019 or earlier.

The disclosure on the AT&T site said the 73 million affected customers comprised 7.6 million current customers and 65.4 million former customers. The notification said AT&T has reset the account PINs of all current customers and is notifying current and former customers by mail. AT&T representatives haven’t explained why the letter filed with the Maine AG lists 51.2 million affected and the disclosure on its site lists 73 million.

According to a March 30 article published by TechCrunch, a security researcher said the passcodes were stored in an encrypted format that could easily be decrypted. Bleeping Computer reported in 2021 that more than 70 million records containing AT&T customer data was put up for sale that year for $1 million. AT&T, at the time, told the news site that the amassed data didn’t belong to its customers and that the company’s systems had not been breached.

Last month, after the same data reappeared online, Bleeping Computer and TechCrunch confirmed that the data belonged to AT&T customers, and the company finally acknowledged the connection. AT&T has yet to say how the information was breached or why it took more than two years from the original date of publication to confirm that it belonged to its customers.

Given the length of time the data has been available, the damage that’s likely to result from the most recent publication is likely to be minimal. That said, anyone who is or was an AT&T customer should be on the lookout for scams that attempt to capitalize on the leaked data. AT&T is offering one year of free identity theft protection.

AT&T: Data breach affects 73 million or 51 million customers. No, we won’t explain. Read More »

Man pleads guilty to stealing former coworker’s identity for 30 years

ancestry.com, Identity theft, Policy / Ari B / April 3, 2024

“My life is over” —

Victim was jailed for 428 days after LA cops failed to detect true identity.

Ashley Belanger – Apr 3, 2024 8: 08 pm UTC

A high-level Iowa hospital systems administrator, Matthew Kierans, has admitted to stealing a coworker’s identity and posing as William Donald Woods for more than 30 years, The Register reported.

On top of using Woods’ identity to commit crimes and rack up debt, Kierans’ elaborate identity theft scheme led to Woods’ incarceration after Kierans’ accused his victim of identity theft and Los Angeles authorities failed to detect which man was the true William Donald Woods. Kierans could face up to 32 years in prison, The Register reported, and must pay a $1.25 million fine.

According to a proposed plea agreement with the US Attorney’s Office for the Northern District of Iowa, Kierans met Woods “in about 1988” when they worked together at a hot dog stand in New Mexico. “For the next three decades,” Kierans used Woods’ “identity in every aspect of his life,” including when obtaining “employment, insurance, a social security number, driver’s licenses, titles, loans, and credit,” as well as when paying taxes. Kierans even got married and had a child using Woods’ name.

Kierans apparently hatched the scheme in 1990 when he was working as a newspaper carrier for the Denver Post. That’s when he first obtained an identification document in Woods’ name. The next year, Kierans bought a vehicle for $600 using two checks in Woods’ name, the plea agreement said. After both checks bounced, Kierans “absconded with the stolen vehicle to Idaho, where the car broke down and he abandoned it.” As a result, an arrest warrant was issued in Woods’ name, while Kierans moved to Oregon and the whereabouts of the real Woods was seemingly unknown.

Eventually in summer 2012, Kierans relocated to Wisconsin, researching Woods’ family history on Ancestry.com and then fraudulently obtaining Woods’ certified birth certificate from the State of Kentucky, seemingly to aid his job hunt. Sometime in 2013, Kierans was hired by a hospital in Iowa City to work remotely from Wisconsin as a “high level administrator in the hospital’s information technology department,” using Woods’ birth certificate and a fictitious I-9 form to pass the hospital background check.

Over the next decade, Kierans earned about $700,000 in that role, while furthering his identity theft scheme. Between 2016 and 2022, Kierans used Woods’ name, Social Security number, and date of birth and “repeatedly obtained” eight “vehicle and personal loans” from two credit unions, each one totaling between $15,000 and $44,000.

Woods only discovered the identity theft in 2019, when he was homeless and discovered that he inexplicably had $130,000 in debt to his name. Woods attempted to close bank accounts that Kierans had opened in Woods’ name, and that’s when Kierans went on the defense, successfully pushing to get Woods arrested to conceal Kierans’ decades of identity theft.

LAPD fails to detect true identity

In 2019, Woods walked into the branch of a national bank in Los Angeles, telling an assistant branch manager that “he had recently discovered that someone was using his credit and had accumulated large amounts of debt,” the plea agreement said.

Woods presented his real Social Security card and an authentic state of California ID card, but the assistant branch manager became suspicious when Woods could not answer security questions that Kierans had set for the bank accounts.

The bank employee called the phone number listed on the accounts, which was Kierans’ number. At that point, Kierans correctly answered the security questions, and the assistant branch manager contacted the Los Angeles Police Department to investigate Woods.

As a result of LAPD’s investigation—which included contacting Kierans and reviewing Kierans’ fraudulent documents, which at times used a different middle name—Woods was arrested for unauthorized use of personal information. Subsequently, Woods was charged with committing felony crimes of identity theft and false impersonation, facing as much as three years’ incarceration for each count.

Woods continued insisting that he was the real victim of identity theft, while the California court system insisted he was actually Kierans. This continued until December 2019 when a state public defender told a court that Woods did not have the mental competency to stand trial. The court ordered Woods to be detained in a publicly funded California mental hospital until his mental competency improved, where he was given psychotropic medication in 2020.

Ultimately, in March 2021, Woods was convicted of the felony charges and after his release, he was ordered to “use only” what California decided was his “true name, Matthew Kierans.” In total, Woods spent 428 days in jail and 147 days in a mental hospital because California officials failed to detect his true identity.

Man pleads guilty to stealing former coworker’s identity for 30 years Read More »

SIM-swapping ring stole $400M in crypto from a US company, officials allege

Cryptocurrency, cryptocurrency scam, cryptocurrency scheme, cryptocurrency wallets, device fraud, Identity theft, mobile device security, Policy, sim swap, sim swapping, wire fraud / Blake Jones / January 30, 2024

Undetected for years —

Scheme allegedly targeted Apple, AT&T, Verizon, and T-Mobile stores in 13 states.

Ashley Belanger – Jan 30, 2024 7: 18 pm UTC

The US may have uncovered the nation’s largest “SIM swap” scheme yet, charging a Chicago man and co-conspirators with allegedly stealing $400 million in cryptocurrency by targeting over 50 victims in more than a dozen states, including one company.

A recent indictment alleged that Robert Powell—using online monikers “R,” “R$,” and “ElSwapo1″—was the “head of a SIM swapping group” called the “Powell SIM Swapping Crew.” He allegedly conspired with Indiana man Carter Rohn (aka “Carti” and “Punslayer”) and Colorado woman Emily Hernandez (allegedly aka “Em”) to gain access to victims’ devices and “carry out fraudulent SIM swap attacks” between March 2021 and April 2023.

SIM-swap attacks occur when someone fraudulently induces a wireless carrier to “reassign a cell phone number from the legitimate subscriber or user’s SIM card to a SIM card controlled by a criminal actor,” the indictment said. Once the swap occurs, the bad actor can defeat multi-factor authentication protections and access online accounts to steal data or money.

Powell’s accused crew allegedly used identification card printers to forge documents, then posed as victims visiting Apple, AT&T, Verizon, and T-Mobile retail stores in Minnesota, Illinois, Indiana, Utah, Nebraska, Colorado, Florida, Maryland, Massachusetts, Texas, New Mexico, Tennessee, Virginia, and the District of Columbia.

According to the indictment, many of the alleged victims did not suffer financial losses, but those that did were allegedly hit hard. The hardest hit appears to be an employee of a company whose AT&T device was allegedly commandeered at a Texas retail store, resulting in over $400 million being allegedly transferred from the employee’s company to co-conspirators’ financial accounts. Other individual victims allegedly lost cryptocurrency valued between $15,000 and more than $1 million.

Co-conspirators are accused of masking stolen funds, sometimes by allegedly hiding transfers in unhosted or self-hosted virtual currency wallets. If convicted, all stolen funds must be forfeited, the indictment said.

Powell has been charged with conspiracy to commit wire fraud and conspiracy to commit aggravated identity theft and access device fraud, Special Agent Brent Bledsoe said in the indictment. This Friday, Powell faces a detention hearing, where he has been ordered by the US Marshals Service to appear in person.

Powell’s attorney, Gal Pissetzky, told Ars that Powell has no comment on the indictment at this time.

SIM swaps escalating in US?

When Powell’s alleged scheme began in 2021, the FBI issued a warning, noting that criminals were increasingly using SIM-swap attacks, fueling total losses that year of $68 million.

Since then, US law enforcement has made several arrests, but none of the uncovered schemes come close to the alleged losses from the thefts Powell’s crew are being accused of.

In 2022, a Florida man, Nicholas Truglia, was sentenced to 18 months for stealing more than $20 million from a single victim. On top of forfeiting the stolen funds, Truglia was also ordered to forfeit more than $900,000 as a criminal penalty. According to security blogger Brian Krebs, Truglia was connected to a group that allegedly stole $100 million using SIM-swap attacks.

Last year, there were a few notable arrests. In October, the Department of Justice sentenced a hacker, Jordan Dave Persad, to 30 months for stealing nearly $1 million from “dozens of victims.” And in December, four Florida men received sentences between eight and 27 months for stealing more than $509,475 in SIM-swap attacks.

Ars could not find any FBI warnings since 2021 raising awareness that losses from SIM-swap attacks may be further increasing to amounts as eye-popping as the alleged losses in Powell’s case.

A DOJ official was unable to confirm if this is the biggest SIM-swapping scheme alleged in the US, directing Ars to another office. Ars will update this report with any new information the DOJ provides.

US officials seem aware that some bad actors attempting SIM-swap attacks appear to be getting bolder. Earlier this year, the Securities and Exchange Commission was targeted in an attack that commandeered the agency’s account on X, formerly known as Twitter. That attack led to a misleading X post falsely announcing the approval of bitcoin exchange-traded funds, causing a brief spike in bitcoin’s price.

To protect consumers from SIM-swap attacks, the Federal Communications Commission announced new rules last year to “require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. The new rules require wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers’ accounts and take additional steps to protect customers from SIM swap and port-out fraud.” But an Ars review found these new rules may be too vague to be effective.

In 2021, when Europe an authorities busted a SIM-swapping ring allegedly targeting high-profile individuals worldwide, Europol advised consumers to avoid becoming targets. Tips included using multifactor authentication, resisting associating sensitive accounts with mobile phone numbers, keeping devices updated, avoiding replying to suspicious emails or callers requesting sensitive information, and limiting personal data shared online. Consumers can also request the highest security settings possible from mobile carriers and are encouraged to always use stronger, longer security PINs or passwords to protect devices.

SIM-swapping ring stole $400M in crypto from a US company, officials allege Read More »