A Suggestion for the FBI on Criminal Purchase of Credentials

I have a suggestion for the FBI. It’s related to credential theft by criminals trying to make money through email and calls. This contrasts with nation states nabbing credentials to support their military, as we saw with those PLA members indicted by William Barr.

Now, if you are wondering why I would post my suggestion here versus running over to Federal Plaza – well, it’s this: My proposed prevention method works best if everyone knows it’s happening. By the way, that’s a nice (but rare) security property if you can get it.

Oh, and this: Many of you will hate my suggestion, perhaps intimating that it will be an intrusion on privacy, and that the FBI will overstep its bounds. That may be true, but we all know that credential theft is growing. I’m merely suggesting a way to reverse the trend.

Here’s the concept: When credentials are stolen and popped up on the Dark Web, certain nefarious companies buy the lists for cheap Bitcoin, and then contact the entries to sell them something. You’d buy stolen T-Mobile credentials, for example, to hawk phone cases.

Some recent prices: In November 2015, 590,000 Comcast customer records could be bought for $1,000.00. In March 2016, you could buy 1.5 million Verizon customer records for $100,000. In November 2017, 45 million Uber records were also on sale for $100,000.

Unless you're under a rock, you know it's easy to spot which companies are mass emailing or call-marketing. And I take no issue with the mailers or other tools they use. What I would like to know instead – and what the FBI should probe – is where they obtained their lists.

Businesses thrive on contact lists. And the correct way to build lists is to do the leg-work, or presumably to buy them legally. But when you can nab those Uber riders or T-Mobile users for a fraction of a cent per record – well, the temptation to break the law might be too much.

Here’s where my suggestion comes in (and now I’m talking to the FBI): First, you will need an automated means to identify mass senders and robocallers. ISPs could provide the data in real-time. The marketing platform companies would be better – so you also could try there.

The other option is to just build the list of mass emailers and robocallers through your own investigative means. I’m going to go out on a limb here a bit, and guess that you already have this information. It’s not terribly hard to obtain through simple automated methods.

For you FBI lawyers, I know you’re thinking that legal basis must be established for demanding or grabbing this information. Given the negative impact that stolen credentials and mass marketing have on society, I think this will be a straightforward case.

Now, once you (the FBI) have access to your targets, you can auto-issue these mass senders a request (er, demand) for proof-of-purchase of the contact list they are using. If they respond that their contacts were built organically, then randomly audit that process.

Again – the tool being used is irrelevant. The seller might be using a mass emailer, or a customer relationship management platform. You don’t want the receipt for that. You want the receipt for the customer contacts. Pipedrive or Salesforce don’t come pre-populated.

In the beginning, you will experience some turbulence. You’ll send your notifications to the wrong companies, perhaps out of your jurisdiction. You’ll get bounce backs. And you will probably scare the wits out of some church group sending notes to their parishioners.

But after a fashion, I think you will like the effects of this process. Nefarious companies who are considering using Tor to purchase a million stolen credentials might just think twice before pulling the trigger if they know you are coming. It's not perfect, but no security is.

I hope you take my advice, and I’d share my contact information if you want to discuss this further, but we all know this is not necessary: I’ll wait to hear from you. For the rest of you on social media who’ve trudged this far into the article, let me know what you think.

But please, please remember to be extra careful before you post any nasty criticisms or mean-spirited comments on this article: The FBI might be listening.

Have a nice day.