
Our personal data is worth nothing.

Around the world, many efforts are now being made to ensure the security of personal data. Russia is also not lagging behind, enthusiastically introducing dozens of laws, hundreds of by-laws and regulations. Is there a result?

The investigation I carried out shows that in Russia and throughout the former USSR the laws written on paper in this field are in vain. The results are terrible: not only companies and government departments, but also any fraudster, has access to the personal data of individuals and legal entities, to banking secrets and to trade secrets. Everything is bought and sold at prices ranging from a couple of cups of coffee to a couple of average smartphones.


Disappointing details under the cut.

In the nineties and the 2000s, all the markets of Moscow were filled with disks of databases: databases of residents, of cars and car owners, and then of cellular operators.

I do not know what the situation with the criminal sale of such databases in Moscow is today (I have not lived in Russia for a long time), but I can say with a great degree of confidence that these will be either very old databases or only fragmentary dumps of modern ones. The volume of departmental and corporate information now reaches petabytes and sits in the cloud, so it is quite difficult to fit anything onto ordinary household media suitable for sale.

Today, personal data is actively sold on a number of forums, where there are sellers, buyers, and even entire arbitration systems designed to resolve possible disputes between them. The fraudsters have managed to build a very powerful criminal infrastructure: the forums are lively, the threads have many comments and reviews, there are bans for the "kids" and a rating system for the "proven".

“On the darknet?” you might think. You guessed wrong. These sites are publicly available and may not even be listed in the long-suffering Roskomnadzor registry (who would doubt it). Of course, some of them do have darknet mirrors, but these are just mirrors.

The article will focus on these sites and on the “services” that nullify absolutely all of the government's frantic window-dressing around the protection of personal data in recent years.

I ask Habr readers to refrain from publishing links to these resources, although they may be well known to many. He who seeks will find them himself. First, I do not want to give scammers even indirect advertising. Secondly, it could jeopardize the existence of this article. Thirdly, what matters is not the existence of these resources as such, but the fact that conditions exist in the state under which the listed “services” can exist at all.

Cell phone operators


Look at this picture, a typical forum, typical services:



I have hidden the names of the "sellers" and the names of the operators. You can work out the operators yourself; there are not that many of them in Russia. Lookups are offered for all of them without exception.

The most basic service is looking up the data of a number's owner: full name, passport data, address. How this data will be used depends only on the imagination of the fraudster into whose hands it falls.



It gets more interesting further on. Higher-level “services”: tracking a person’s location by cell towers, location history, call detail records, SMS detail records. Fortunately, at least there are no audio recordings of calls (or maybe I didn’t look hard enough).



It is very striking to see that any scammer can access such information. One can only guess whether this is done through the cellular operators' own systems or through external interfaces that may be located in public services (I have no doubt that such interfaces exist).

Think twice before registering a SIM card to your passport data when you buy one. Maybe it really is better to take a SIM card registered to some no-name visitor from Central Asia? They have not disappeared from the well-known points of sale. By handing over your passport data, you identify yourself not only to the cellular operator and government agencies, but also to any criminal who does not mind spending the cost of a couple of cups of coffee, or even more, on you.

Government agencies


Perhaps nothing compares to the amount of data that various government agencies hold about us. Thousands of employees have access to it, and the results are on abundant display on the forums:





On the one hand, there is a clear picture of what information these departments have about us and how easily employees can collect a complete file on any person. On the other hand, an even more picturesque oil painting: any scammer can collect exactly the same dossier.

Typical road transport service:



Standard question-answer example:



Another standard for different departments:



The most popular service is exports from the Magistral, Siren, Border, Migrant, Kronos, Spark, Potok, and IBDR-IBDF integrated databases. I did not even know such names before. Anything the imagination can reach can be looked up, even the FIU.

Banks


A separate category of “services” is devoted to details of bank accounts and the movement of funds through them. Some of them specialize in the accounts of individuals.





But even more specialize in legal entities. Here fraud turns into sophisticated forms of industrial espionage and outright crime. I will not post screenshots, since the criminal “service package” goes far beyond data breaches.

Where do these monstrous cases of mass violation come from, violations not so much of the laws on personal data as of bank secrecy? Honestly, I'm really surprised that corruption is so rampant. It seems that it is enough just to look at all the positions where an employee has access to at least some customer data: a fraudster can be in any of them. The only question is where the security services are looking.

I would very much like to list the names of the most penalized banks openly, but I will not do it, because first on the list would be those that have corporate blogs on Habr, which could get the article blocked. Everyone knows the brand colors of these banks, too. According to my observations, the smaller the bank, the less likely it is that the forums will have fraudulent services related to it.

Everything is sold and bought


In my investigation, I practically didn’t touch the information that is collected and leaked about us by online stores selling electronics, clothing and footwear, and food, and by fitness clubs. All this is also sold, so think once again about whether to leave your real address and phone number when signing up for the next discount or club card.

A curious fact: the customer databases of bookmakers, forex and options services, psychics and fortune-tellers, and of buyers of dietary supplements, weight-loss products and potency enhancers are actively sold. The target audiences of these specific products have crystallized to such an extent that these databases pass from hand to hand and are constantly supplemented and kept up to date. The business is huge in scale.



It is not so bad when the personal data that leaks is data we leave voluntarily: just take precautions and do not leave it. It is much worse when the data that leaks is data we cannot avoid leaving. Buying SIM cards without a passport cannot solve all the problems.

In 2017, I read the publications of Russian oppositionists (in particular, Leonid Volkov, leonwolf), who faced pursuit by violent criminal elements that had suddenly obtained information about all their flights and movements: thugs with bats waiting around the airport, accompanied by a staged show of generously paid pseudo-supporters of the authorities with flags and chants. In Ukraine, all of them were at one time collectively called titushky.

Why is that? Where did the titushky learn about the flights of the opposition? It's simple: access to the database of flights is bought and sold in the same way as access to all the other databases.





(Leonid, I know that you are an IT person, if you suddenly read this article, I will be very happy if you share it - much is written under the impression of your “Clouds”)

A skeptical reader might think: you are talking about oppositionists, that is, people who represent a certain political position, and their activities, by definition, involve risks. And that would be wrong: criminal lawlessness can touch everyone. The scale of the data about us that is lying by the roadside you can see with your own eyes.

Everyone has a smartphone, everyone has a bank account, many use cars, many often travel by air, many have business in the post-USSR space. Regardless of your social status and political orientation, you are in danger, because your data is not protected by anyone or anything, and criminals have their hands completely free. What is scattered around the forums in the form of commercial ads can in fact be obtained "on call" by people who have connections. This concerns Russia first of all.

Many will recall the 2008 case of Anton Uralsky and the call posted online by the Internet service provider Stream: “there was not a single break!” Everyone laughed at the time, without thinking that the staff had committed a crime by posting an audio recording of a conversation with a client on the Internet. They committed a second crime by posting Anton's personal data, which became the property of hundreds of pranksters who ruined the man's life.

What do you think, why did I like this story? Because in that same year, 2008, my own personal data was posted, without a twinge of conscience, by employees of the Internet service provider Corbin.

The reason is worthy of a joke: the administrators of the Corbin local forum did not like some of my publications, so some of them matched my IP address against the internal database and posted all the contract data, including passport data and the address where the communication services were provided. Here, look, this is that very person, go and have a talk with him, dear forum members. Fortunately, the audience of that forum was mostly schoolchildren, so this did not threaten me with anything bad. What a caricature of a moral: "never anger an admin".

The admin did it all as a joke, just like that: such was the attitude towards personal data and laws. Indeed, back in 2008 there were also laws on personal data, although not as detailed as they are today. As you can see, over the course of 10 years nothing has changed for the better, although the amount of paper spent on laws is incomparably greater. Things have become even more criminalized and have even been put on a commercial footing, with all the accompanying fraudulent "business processes" worked out. Where there used to be a “joke”, outright stupidity and petty criminal tendencies, today there is financial gain, cold calculation and a whole criminal infrastructure.

I have been living in Germany for 5 years and I constantly see the attention and care with which German departments and commercial organizations treat personal data. The first law in Germany in any work with people is to protect their privacy and confidentiality. Every time I feel this care myself, I remember those employees of Russian Internet operators and want to count how many years they would have served in Germany for their actions. They would still not be out. On the other hand, such a situation simply could not have occurred: the system would not allow an irresponsible, stupid and dishonest person to gain access to data protected by law. Nor a calculating, clever but still dishonest one.

Afterword


I am sure that the corrupt employees of firms, banks, operators and departments, and the owners and participants of the forums about which I have written in summary today, read Habr themselves and will surely read my article. Someone will think “you scoundrel, you are exposing our schemes to the public”, to which I will answer immediately: you do very bad things, you commit criminal offenses, and I do not intend to sing odes to what I do not consider a blessing, nor will I keep silent about what I consider unacceptable.

In my article I touched only the top of the pyramid, no more than 2% of the whole truth. By digging further into these resources, you can find such things as criminal “services” for remotely blocking SIM cards, intercepting SMS, blocking bank accounts, comprehensively paralyzing the work of companies: any criminal whim for your money. Everywhere, either employees of government departments or employees at various levels of commercial companies are implicated.

By the way, there are a number of very interesting “services” involving mobile operators: fraudsters exploit vulnerabilities in cellular networks to target all users who come to a site over the mobile Internet and sign them up for paid subscriptions, and, for their own benefit, to bypass mobile traffic accounting completely (this is not about sharing the Internet where tethering is blocked, but about completely switching off accounting of what is downloaded on limited tariffs). Surprisingly, the roots here grow not from the black near-darknet forums, but from the forum w3bsit3-dns.com, which is well known on the Internet.

I did not go into the black market, it is too slippery and disgusting. I was only interested in the situation with personal data, which is catastrophic and not even buried in the depths of the black market, but is within walking distance.

Most of the article was devoted to Russia, Russian organizations and departments. Readers from Ukraine are probably already used to the fact that on the Russian-language Internet most of the bad news usually refers to their northern neighbor. Unfortunately, this time I cannot share your optimism: the supply of the “services” described in the article is at no lower a level in Ukraine than in Russia. Even the price level is the same.

According to my observations, there are far fewer offers for Belarus and Kazakhstan. Maybe I did not look hard enough (honestly, it is morally difficult to stay on these resources for a long time), but the point is clearly not a lower crime rate. In my opinion, everything is much more prosaic: supply is proportional to the number of inhabitants, because far fewer people live in Belarus and Kazakhstan than in Russia and Ukraine.

Nowhere have I seen offers of similar "services" for Europe, the USA and other developed countries of the world. At most, there are lookups in shared databases (such as Interpol's) that are accessible from Russia. Obviously, this is because the laws in these countries are not only written on paper, but implemented in practice. Laws are not for decoration, window dressing and “plan fulfillment”.

In the meantime, the oversight agencies will be happy to fine ordinary Russian, Ukrainian, Belarusian and Kazakhstani small business owners for the wrong form of consent to the processing of personal data, and will themselves, with no less pleasure, leak the entire database in which you, your personal data, your business data, your customers, and even your fine are perfectly reflected.

The article for Habr was prepared by Chris The Rebel (Vladimir Adoshev)

Source: https://habr.com/ru/post/423947/

