Feds Pinch Alleged Peer-to-Peer Identity Thief

A federal grand jury on Thursday indicted a man who allegedly used peer-to-peer (P2P) file-sharing networks to obtain individuals' tax returns, credit reports and bank statements in order to commit identity theft and fraud.

Gregory Kopiloff, 35, of Seattle allegedly used file-sharing software including LimeWire to steal a variety of sensitive information, and then used that data to create bogus credit card and bank accounts and illegally purchase thousands of dollars' worth of products. He allegedly even filed for a victim's 2007 tax refund, which he used to fund online credit accounts.

Kopiloff was indicted by a federal grand jury in the Western District of Washington for mail fraud, two counts of aggravated identity theft, and accessing a protected computer without authorization to further fraud. Law enforcement has so far linked Kopiloff's efforts to about 80 victims and more than US$70,000 in fraud.

Fines and Prison Terms

"Law enforcement has known for some time that criminals are exploiting peer-to-peer file-sharing to secretly gain remote access to victims' computers to search for personal information," said Jeffrey C. Sullivan, U.S. attorney for the Western District of Washington. "This case highlights the diligent work of our Computer Hacking and Intellectual Property (CHIP) unit to identify and prosecute those who use technology against innocent consumers."

Mail fraud is punishable by up to 20 years in prison and a US$250,000 fine. Accessing a protected computer without authorization to further fraud is punishable by up to five years in prison and a $250,000 fine. A conviction for aggravated identity theft mandates a two-year prison sentence to run consecutive to the prison time imposed on the underlying conviction.

The case was investigated by the Electronic Crimes Task Forces of the U.S. Secret Service, the U.S. Postal Inspection Service, the Seattle Police Department and Poulsbo, Wash., Police Department. It is being prosecuted by Assistant U.S. Attorney Kathryn Warma of the CHIP unit.

A Common Occurrence

The use of file-sharing networks for identity theft and fraud is an emerging class of crime that has only recently been recognized.

"This arrest is just the tip of the iceberg," said Robert Boback, CEO of security firm Tiversa. "Millions of consumers expose their sensitive information when they use P2P file-sharing networks and thousands of potential criminals a day search and find this information to commit ID theft and fraud."

Indeed, in its monitoring of global file-sharing networks over a two-week period, Tiversa found almost 56,000 requests for files involving "credit card"; over 75,000 requests for specific credit card statements by brand; 50,000 requests for "tax returns"; and over 317,000 requests for files involving "pin" and "user id."

"Most individual consumers don't even know that they have exposed their sensitive personal, financial and health information -- just think about all that you store on your home or your work computer," Boback said. "This arrest demonstrates what a ring of focused ID thieves could do if they obtain your information."

Industry Efforts

Makers of file-sharing software recognize the serious nature of the problem and plan to step up their efforts to make file-sharing safer, Marty C. Lafferty, CEO of the Distributed Computing Industry Association (DCIA), told TechNewsWorld.

"The industry has done quite a bit in terms of taking steps to help protect users from inadvertent sharing of personal data," he noted, including providing consumers with disclosures and recommendations for using the technology safely.

"It's probably time to take another look to make it even more intuitive and easier for consumers to keep data safe," he added. "In the meantime, we take this very seriously, and believe it's very important to provide the greatest value and safety to consumers. We'll be working with the appropriate government agencies this fall to look into this."

Possible Solutions

One of the simplest solutions concerned file-sharing users can employ is to simply keep sensitive data on a separate computer from the one the file-sharing software is used on, Lafferty noted.

To reduce the problem of identity theft in general, the most necessary step should be for businesses and other groups to stop relying solely on Social Security Numbers for identification, Jim Stickley, CTO with TraceSecurity, told TechNewsWorld. Stickley is a paid bank "robber" who has been hired to break into more than a thousand financial institutions to identify security vulnerabilities.

Even a password-protected Social Security number system would go a long way toward protecting consumers better, he explained. Short of that, if consumers contact consumer credit agencies such as TransUnion and tell them they are concerned about identity theft, the companies will generally provide a password for their credit records, Stickley added.

An Ever-Present Risk

Those same agencies also allow consumers to opt out of credit preapproval offers, which can help if a consumer's mail is stolen, he said.

Ultimately, though, while some packages are safer than others, using file-sharing software has been generally risky ever since Napster launched the technology, Stickley said.

"Either the software is buggy, in which case you're hosed, or it's malicious to begin with," Stickley concluded. "Most packages are generally designed for theft, and I'd say 95 percent of the time users install them in the first place is to steal something. It comes back to bite you in the end."