Online “people finder” sites are a blessing for identity thieves

A “Do’s and Don’ts” page on the website for BeenVerified, an online public records aggregator that provides background checks and “people finder” services for a fee, says stealing someone’s identity is a “Don’t.”

But that’s exactly what the FBI believes a Michigan man used it for, according to federal court documents obtained by Quartz. Investigators say he bought large amounts of personal information on the site, using the data as a foundation to open bank accounts in as many as 51 people’s names. The scheme allowed the alleged fraudster to collect nearly $200,000 in fraudulent loans from six different US financial institutions, prosecutors said.

• The FBI’s Nigerian email scam ring bust shows how the billion-dollar global fraud has evolved

Getting enough personal information to assume a target’s identity doesn’t necessarily require sophisticated hacking skills or the ability to access the so-called Dark Web. Online identity thieves use services that provide personal information for sales leads, real estate transactions, and credit reports to steal millions, gathering details about their victims’ lives from federal, state, and local records sold by brokers like BeenVerified, Instant Checkmate, and TruthFinder. And although these sites don’t supply Social Security numbers, they offer plenty of clues to the prompts that protect most bank accounts—mother’s maiden name, childhood address, and so forth—to anyone with a few dollars and an internet connection.

Remaining gaps can be filled in by “phishing” additional information from a victim. This might be accomplished by sending a phony-but-convincing-looking email, for example.

• After three weeks of lockdown, this is what Kashmir looks like

While it once took extensive legwork to track down all of these disparate data points, it is now all consolidated online and perfectly legal for anyone to access. The only way to protect yourself from this is to go one-by-one and opt out of the dozens of background sites our there, or pay a service to do it for you.

“It used to be a lot harder to get this kind of information,” retired FBI agent Dennis Franks told Quartz. “At some point, Congress will need to consider enacting laws to restrict the amount of information that’s available out there.”

Digital breadcrumbs

In 2014, managers from Huntington National Bank contacted Ally Bank, headquartered outside of Philadelphia. A number of Huntington National’s customers were complaining about “fraudulent charges and withdrawals” on accounts in their names that they hadn’t opened, according to court filings.

The funds in the Huntington National accounts had been transferred into accounts at Ally, which were registered to the same names.

The FBI traced the IP addresses used to open the Ally accounts. This led investigators to an apartment complex in a suburb of Detroit. One of the tenants in the building, Sean Christopher Williams, had an account at Ally shut down in 2012 after it was used to “conduct unauthorized business transactions.” According to public records, a state court previously found Williams guilty for possession of counterfeit coins and unauthorized computer intrusion.

An FBI analysis of Williams’s credit card transactions revealed he had made numerous payments to BeenVerified. According to case filings, for 49 of the 51 fraud victims, Williams researched their identities on the background site immediately before opening bank accounts in their names.

The filing goes on to detail one of the 49 incidents:

• On April 18, 2014, the BeenVerified account linked to Williams’s credit card ordered a “person report” on someone identified in court documents by the initials “J.S.” The report provided “information about J.S.’s existence and identity, including the month and year of J.S.’s date of birth.” Williams then created two fraudulent bank accounts at Ally and Huntington National, from an IP address leading back to Williams’s apartment complex.

• That same day, a device associated with the apartment complex’s IP address transferred $18,351 from the Huntington National account to the Ally account.

• Five days later, $10,451 was debited from the Ally account and used to make a payment on an American Express card in Williams’s name.

• The next day, the Ally account was used to make three separate payments totaling nearly $7,000 toward Williams’s student loan debt.

• A day after that, two payments for about $1,000 were made from the Ally account to a Chase credit card in Williams’s name, as well as his American Express.

Less than two weeks later, Williams appeared to hit J.S. for a second time.

• On May 2, the BeenVerified account associated with Williams’s credit card bought another background report on J.S.

• Another Ally account was then fraudulently established in J.S.’s name, again from a device linked to an IP address within Williams’s apartment complex.

• A short time later, $15,634 was transferred from the fraudulent Huntington National account in J.S.’s name to the second fraudulent Ally account in J.S.’s name, again using a device that resolved to the IP address at Williams’s apartment complex.

• A week after buying the second BeenVerified account, a $15,634 payment was made from the second Ally account to Williams’s American Express card.

Ross Cohen, BeenVerified’s COO, told Quartz that the company employs a “host of credit card fraud detection mechanisms as well as a compliance team and an automated compliance system.” He said Williams would not have been able to open accounts solely using BeenVerified, due to limitations on what the service provides. Specifically, Cohen said, BeenVerified’s reports “never provide the essential items that would be required to open an account with a financial institution,” specifically a person’s Social Security number and their complete date of birth.

The Ally Bank signup form requires both of those to open an account, Cohen pointed out, and said Williams must have obtained them from another service. Williams’s court-appointed attorney, Maranna Meehan, did not respond to a request for comment. Williams was indicted Aug. 15. If convicted, he faces up to 30 years in prison and $1 million in fines.

A paper trail

In February of last year, a soon-to-be-homeowner in Olive Branch, Mississippi got an email that seemed to be from an attorney involved with the sale. It included instructions to wire $122,663.69 to an account at Bank of America, which they did in plenty of time for the closing scheduled a few days later.

But when the buyer showed up to finalize the sale, their broker and loan officer said the money never arrived. As it turned out, the email with the wire transfer instructions had been sent by a con artist impersonating the attorney, according to an FBI affidavit filed Aug. 15 in Texas federal court.

The incident was partially responsible for touching off an FBI investigation that is tracking what the bureau believes to be a multimillion-dollar identity theft ring operating out of at least two US states. Like the Sean Williams case, this one also involves the exploitation of commercially available data to take over people’s financial lives.

The syndicate allegedly used “fee-based web databases” to identify people with large home equity lines of credit. This gave them access to sensitive data like Social Security numbers and birth dates, which the alleged thieves augmented with information from “other online databases to obtain information commonly used in security questions.” Prosecutors believe the crew then posed as the homeowners themselves, taking out large, fraudulent cash advances on the unsuspecting homeowners’ lines of credit, hundreds of thousands of dollars at a time.

The money was deposited into the accounts of several phony companies the ring set up using the names of people whose identities had been stolen. They then laundered the money further, by transferring it into accounts at other banks, also established using stolen identities.

Investigators dug through bank records associated with the fraudulent accounts, looking for clues. In what was presumably a sea of fake names and dead ends, they discovered a check drawn on one of the accounts that was then deposited into an account at JPMorganChase. The account was linked to a company called Kelz Interior Design, and had been registered with the State of Texas by someone named Brittany Cavaness Barrett.

The FBI interviewed Barrett at a Waffle House in Houston. She said she was running a fitness business near the airport, and denied having anything to do with identity theft. When the FBI asked where all the money in her bank account came from, Barrett said she “was uncomfortable discussing this topic.”

What Barrett didn’t know at the time was that agents with the US Postal Inspection Service had recently arrested someone else for identity theft and extracted all the data from that person’s phone. They shared the forensic report with the FBI, which found 176 calls between Barrett and the phone’s owner. In one text message, the two discuss picking up a fraudulent check for $120,000. Another included a screenshot of an incriminating deposit slip. In a third, Barrett asks about depositing $68,000 in stolen funds.

Sealing the deal for investigators, Barrett at one point texted her home address. It matched the address used to set up the Kelz Interior Design account at JPMorganChase. A magistrate judge authorized a warrant for Barrett’s arrest last Thursday.

“People try to see how much they can get away with and hope they don’t get detected,” said Franks, the retired FBI agent. “But it’s really hard to fly under the radar today. Even Russian bots are detectable—and were detected.”

Sign up for the Quartz Daily Brief, our free daily newsletter with the world’s most important and interesting news.

More stories from Quartz:

• The fires in the Amazon were likely set intentionally

• The US Supreme Court is faced with the podcast-popular case of Adnan Syed