INDIANAPOLIS — Users of peer-to-peer platforms, also known as P2P networks, may be under attack from entertainment lawyers policing copyright violations, but they can also be an easy target for identity thieves. And they may never know about it if it’s their kids who load the software.
Take the Olsons, a typical Indiana family: Christopher and Tami have three daughters, as well as a family dog.
The dog’s name can’t yet be found online, but everyone else’s can, thanks to security holes in popular P2P music downloading software. So can their birthdates and the family’s income and banking information.
“Unbelievable ... how did it get out there?” asked Tami Olson, who pays bills and does her taxes online.
The Olsons’ private data were found through LimeWire, a software program used to download music and videos. Within a matter of minutes, two of the Olsons’ tax returns were available.
“Well, this is our entire tax history. It’s going to have, I imagine, the Social Security number of my husband, myself and our three children right there,” Tami Olson said.
She was right. In addition to the family’s income, the data included banking and routing numbers.
With the expansion of broadband service making it easier to share large media files, more than 60 million Americans have downloaded and used P2P services like LimeWire and Kazaa, according to the Federal Trade Commission and the Electronic Frontier Foundation, a digital-rights group.
The Olsons’ oldest daughter unknowingly exposed the family’s personal and financial records after downloading LimeWire. “She didn’t really think there was anything wrong with that,” her mother said. “I told them to get it off immediately because I have a lot of personal info out there.”
Many users don’t realize that when they use file-sharing software, they are putting their hard drives on the network, to be shared with anyone else using the network.
Users can specify what files are private, but many don’t, said Eugene Spafford, a computer science professor at Purdue University and executive director of the Center for Education and Research in Information Assurance and Security.
“One problem with peer-to-peer is getting the settings wrong and sharing your entire disk or your entire personal file system, rather than simply the files you think you’re sharing,” Spafford said.
“We’ve created a culture and an expectation that you just install the software and you never bother to read that license that comes up or the warnings that come up,” he said.
Spafford said the Olsons’ story was not unique.
“Parents don’t understand the technology well enough to talk to their kids,” he said.
Security experts say it’s easy to exploit such vulnerabilities because data can be found through simple search strings, like “[bank name] July statement” or “[bank name] routing information.”
‘Giving criminals the keys to your computer’
Just this month, a Seattle man was charged with identity theft in a case that illustrates just how glaring such vulnerabilities are.
The man, Gregory Kopiloff, used LimeWire, the same software used by the Olsons, to dig into hundreds of hard drives, prosecutors said. He was accused of harvesting tax returns and student aid forms from at least 83 people and buying $73,000 in merchandise through fake credit card accounts he set up using the data.
Investigators said most of the victims had teenage children and did not know the software was even on their computers.
“If you are running file-sharing software, you are giving criminals the keys to your computer,” Assistant U.S. Attorney Kathryn Warma said. “Criminals are getting access to incredibly valuable information.”
Not fully understanding the P2P risks can also open the door for others to use your hard drive to hide evidence of their own crimes.
“If you’ve got a machine, do you know what’s in every directory on your machine?” Spafford asked. “Probably not.
“These criminals will take those machines and store the contraband material on them, because they know if a warrant is served on their home and they’re found with that on their disk, they can be prosecuted.”
Getting hit with the news that you’re a victim of identity theft is becoming more common. The Federal Trade Commission says as many as 9 million Americans’ identities are stolen every year.
So how do you protect your computer files from P2P identity theft? Know what’s installed on your computer, and take the time to look at the security settings.
Tami Olson said she had learned the lesson.
“Obviously, I’m going to be more careful about what I store in my computer,” she said. “If my kids are going to download in the future, I want to be there. I want to read what they’re downloading.”
Jeremy Brilliant and Holly Stephen are investigative reporters for NBC affiliate WTHR-TV in Indianapolis. Alex Johnson of msnbc.com contributed to this report.