… well, not quite that fast. But nine minutes is pretty quick, as FTC researchers recently confirmed.
The FTC’s Office of Technology Research & Investigation (OTech) ran an experiment in April and May, posting made-up personally identifiable information in plain text on two different Internet paste sites. The phony PII was consumer account information for 100 fictitious people, including name, address, phone number, email address, password, and payment means (credit card number, online payment account, or Bitcoin wallet). Then, OTech waited to see what would happen, monitoring for access attempts on email and payment accounts, attempted credit card charges, and calls and texts received.
The results, and the speed of those results, were a surprise to all but the most jaded. Here’s what OTech’s monitoring revealed:
- The first paste site posting yielded modest attention, with about 100 views during the two-week monitoring period. The second posting, a week later, was picked up by a Twitter bot and generated more traffic, with over 550 views in the remaining one week of OTech's monitoring.
- The first posting yielded its first unauthorized access attempt within one and a half hours. The second posting had its first attempted fraud within just nine minutes.
- While the IP addresses used by identity thieves (some of them suspicious) were predominantly U.S.-based, IPs from 27 other countries of origin were also used.
- There were 119 total access attempts in the first week of monitoring, and 1,108 in week two.
- The email accounts had 47 access attempts in week one and 466 in week two.
- Nearly $13,000 in credit card charges were attempted in the two weeks. The single largest was $2,697.75 at a clothing e-retailer, and there were 163 other attempted retail charges. But identity thieves demonstrated a wide range of interests, from gaming and entertainment to pizza, insurance payments, and investments. Bizarrely, there were eight attempted charitable contributions, and at least one attempted payment to an online dating service.
What to make of this? OTech recommends that email and payment service providers monitor paste sites, that merchants be more wary of serial purchase attempts, and that everyone consider two-factor authentication as better protection against stolen credentials.
But the more fundamental point is this – once PII is out in the open, identity theft happens fast – crazy fast. The time to invest in a better security posture is before a breach happens, because once stolen data surfaces, it will be fraudulently used … perhaps in just nine minutes.
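As an added illustration of the paste-site monitoring OTech recommends to providers (not code from the FTC study), the sketch below checks fetched paste text against a keyed-hash index of a provider's own customer emails and card numbers. The account ids, key, paste text and the keyed-index design are all constructed assumptions; the card numbers are public test numbers.

```python
import hashlib
import hmac
import re

INDEX_KEY = b"constructed-demo-key"  # assumption: a real key comes from a secrets store
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators

# Constructed customers: (account id, email on file, card on file).
ACCOUNTS = [("acct-001", "ann.example@mail.example", "4111111111111111"),
            ("acct-002", "bob.example@mail.example", "4242424242424242"),
            ("acct-003", "cy.example@mail.example", "5555555555554444")]
# Constructed paste in the shape the article describes (name, address, phone, ...).
PASTE = """Ann Example | 1 Main St | 555-0101 | Ann.Example@mail.example | hunter2 | 4111 1111 1111 1111
Bob Example | 2 Main St | 555-0102 | bob.example@mail.example | letmein | 4242-4242-4242-4243
Dee Nobody | 3 Main St | 555-0103 | dee@other.example | qwerty | 4012888888881881"""

def fingerprint(value):
    """Keyed hash, so the monitoring job never holds identifiers in clear text."""
    return hmac.new(INDEX_KEY, value.strip().lower().encode(), hashlib.sha256).hexdigest()

def luhn_ok(digits):
    """Luhn checksum; discards digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def build_index(accounts):
    """Map fingerprint -> account id for every email and card on file."""
    index = {}
    for acct_id, email, card in accounts:
        index[fingerprint(email)] = acct_id
        index[fingerprint(card)] = acct_id
    return index

def exposed_accounts(text, index):
    """Return {account id: sorted kinds of identifier found in the paste}."""
    found = [("email", e) for e in EMAIL_RE.findall(text)]
    for match in CARD_RE.findall(text):
        digits = re.sub(r"\D", "", match)
        if luhn_ok(digits):
            found.append(("card", digits))
    hits = {}
    for kind, value in found:
        acct = index.get(fingerprint(value))
        if acct:
            hits.setdefault(acct, set()).add(kind)
    return {acct: sorted(kinds) for acct, kinds in hits.items()}

if __name__ == "__main__":
    for acct, kinds in exposed_accounts(PASTE, build_index(ACCOUNTS)).items():
        print(acct, "exposed:", ", ".join(kinds))
```

An account flagged this way is a candidate for a forced password reset or card reissue before the first access attempt arrives.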