The latest dark web cyber-criminal trend: Selling children's personal data

Fraudsters are looking for a clean credit history, and are using stolen identities to create them.
Written by Danny Palmer, Senior Writer

Imagine you're a teenager, applying for credit to buy your first car or maybe a loan to go to university. You don't remember taking out a credit card when you were six years old, but the bank is adamant, and now you have a poor credit rating and in their eyes, you're persona non grata. That future suddenly isn't so bright. How could this be?

Cyber criminals are hacking into sensitive networks to steal the identities of children and are selling them on in underground marketplaces.

Personal information is leaked in data breaches all the time, but what makes data on children so useful to cyber criminals is that children don't have any credit history – so their identities offer a free pass for fraudulent purchases, loans and other transactions without the barriers that might be associated with data belonging to adults.

"On the dark web in this criminal data trade, freshness is the name of the game. Vendors pride themselves on having fresh data that their buyers are able to exploit effectively," Emily Wilson, VP of research at cybersecurity and intelligence firm Terbium Labs, told ZDNet.

"Child data by design is fresh, in most cases it's not going to have been exploited before, this is the first time these children are being caught up in a data breach – especially for very young children."

Advertisements in cyber-criminal markets offer what the illicit sellers describe as 'child fullz' – full identity kits of information about victims, including name, date of birth, address, and social security numbers. Essentially, everything a criminal needs to commit fraud.


Demand for this data appears to be growing in dark markets, with a small group of sellers repeatedly emerging to offer data to customers at a cost of just $25 for data about a child.

One seller who regularly deals in this information re-emerged in January this year. They claim to have hacked into a paediatrician in the US, offering buyers information on children as young as four years old.

Cyber criminals will often take this information and use it to make fraudulent claims for child tax credit – especially if they also have data on the parents and can paint an accurate picture of a whole family.

But others go further, exploiting the information to take out large loans or make big purchases – all while nobody is aware that a child's credit rating is being destroyed.

"It's a really scary thing," said Wilson. "They know that in most cases this crime won't be found out for 10, 15, even 20 years in some cases, because why would you monitor your child's credit? They rely on that expectation," she added.

The fraudsters create a synthetic ID around the stolen child's data, sometimes creating whole new identities, but tied to the identifying social security number.

With this and a blank credit history, the criminals can approach banks to apply for loans and other means of finance.

"There aren't really checks in place to stop them using data from a six-month-old to take out a credit card or a loan. Once fraudsters start with these low-level credit applications, over time they can build up a profile and they can amass all different lines of credit," said Wilson.

In the US, there are only limited checks which are made in order to determine the authenticity of an application and in many cases, a social security number with some personal information – even if it's a synthetic ID – can be enough.


That makes using children's data highly appealing to criminals, because they're likely to be the first to exploit it – and the lack of credit history means they don't have to gamble like they would with the data of an adult victim, who could turn out to already have an actual poor credit history.

"If someone is trying to set up a credit profile for the first time, you kind of have to beat someone to it, so it's a first come, first served approach," Wilson explained.

"So getting these children before they begin to transact in the online economy, it's the best way these fraudsters can ensure they can start from scratch, that no one has beaten them to it," she added.

Wilson believes that this can be stopped, especially if banks and retailers tighten up how they provide credit with the need for more forms of ID and more information.

"Now we know this is an issue, now we recognise that there need to be checks in place not only to keep consumers safe, but protect financial institutions, retailers. But unfortunately, it's probably going to be too little too late and how many children will be harmed in the meantime?" she said.

The best means of countering that, Wilson argued, is to know that children might be targeted and to protect their credit, either by freezing it or conducting regular checks.

"It's hard, because we don't expect children will be exploited. We want to assume they are safe and protected, but they make easy targets," said Wilson.

