
Security Strategy

ID theft targeted by web search service

But start-up could help cyber crooks, say critics...

Tags: id theft

By Joris Evers

Published: 24 January 2007 08:30 GMT

A US web start-up has launched a service for people to check if their personal data is being traded online by criminals, but critics say it could be a boon for those same crooks.

The service, dubbed "StolenID Search", lets anyone with an internet connection search a database of more than two million credit card and Social Security numbers found in the dark alleys of the internet, according to the start-up TrustedID.

Scott Mitic, TrustedID's chief executive, said in an interview: "This is an opportunity for any consumer to find out whether or not their credit card number or Social Security number has been compromised. In many cases, absent this service, there is no way for consumers to find out if their data has been compromised until it is too late."

Using StolenID Search is counterintuitive. Running a search requires the entry of the credit card or Social Security number that is to be checked against the database. This requires trust in TrustedID, a two-year-old company backed by venture capitalists that is building a business out of identity protection services.

Mitic argues that without additional information, a credit card or Social Security number is useless. "Just the number has no value unless it comes with your name, billing address, expiration date and security code," he said. "This is probably the only case where I would counsel someone to enter a Social Security number into a web form."

Done right, experts see value in the new service. However, the way StolenID Search is set up now, it could play into the hands of criminals, they said.

James Van Dyke, president of Javelin Strategy & Research, which studies fraud, said: "There is a significant amount of personal information traded in the dark corners of the online world, and companies such as TrustedID could allow the consumer to take appropriate prevention or detection action in response to knowing about this."

Assuming TrustedID can be trusted and its database is comprehensive, it can be valuable, agreed Avivah Litan, an analyst with Gartner. "It fills an important gap consumers have in the tools available to them for fighting identity-theft related fraud," she said.

But TrustedID made a mistake in making the database accessible to anyone, according to both Litan and Van Dyke. Litan said: "They can make a terrible problem worse if they freely disseminate information to anyone who asks for it without properly vetting the requestor's identity." This could "enable criminal activity", Van Dyke added.

StolenID Search could become a resource for criminals. For example, a credit card number that shows up as compromised on the StolenID Search website will be of less value than one that doesn't. TrustedID recognises this risk.

Mitic said: "It is a scenario that could happen. We're all best served by our database getting as big as possible so that as many cards are showing as compromised as possible."

To build out its database, TrustedID is asking anyone who stumbles upon identity data online to submit it to the company, Mitic said. One anti-spyware specialist, Sunbelt Software, is already providing information on potential identity theft victims to TrustedID, Sunbelt's CEO Alex Eckelberry said in a post on the company's blog.

Ultimately, TrustedID hopes StolenID Search will bring people to its paid services. The company charges $90 per year to put a fraud alert or a freeze on an individual's credit with the three main credit reporting agencies. Placing a fraud alert can be done at no cost by the individual. The cost of placing a freeze on an individual's credit report with the various agencies varies but is less than TrustedID's fee for performing the same task.

Joris Evers writes for CNET News.com
