Payday loans are costly. High interest rates often leave customers worse off than they were before securing the loan. But one scam is costing loan applicants more than money—whether they're approved for a loan or not.
It appears that the website Usearching.info, a one-stop shop for ID fraudsters, stocks its virtual shelves with information from online payday lenders who have either been hacked or are in on the game themselves.
Usearching.info bills itself as the "most updated database about USA," and it's probably not lying. The site, which sells everything from Social Security numbers to mothers' maiden names, has 330,000 records from lenders, along with driver's license details for roughly 75 million Americans, with more data added every day.
Want to look up your boss's address or your neighbor's Social Security number ? It'll cost you less than $2.50.
Security expert and journalist Brian Krebs caught on to the scheme as he pored over records that a source purchased from Usearching.info for $20. As Krebs called the potentially defrauded individuals from the records, he learned that the victims had applied for a payday loan on or near the record-acquisition date. "All said, however, that they’d initially provided their information to one site, and then were redirected to a number of different payday-loan options," Krebs wrote.
One Virginia woman said that, soon after visiting one of these sites, she began receiving calls from people she described as having heavy Indian accents who claimed to be collectors or state officials, even though she was never approved for the loan. The harassment got so bad that she filed complaints with the Federal Trade Commission. Sometimes the callers would just threaten her outright.
Despite the frightening implications, selling this kind of information may not be against the law. According to legal experts Krebs spoke with, the information used to access an account (date-of-birth, Social Security number, mother’s maiden name, etc.) could be considered “access devices.” Under federal law, it is illegal to knowingly use or traffic such devices without the owner’s authorization. Parties that purchase or profit from selling this type of information would also be covered under the statute, experts said.
This story anecdotally illustrates the vulnerabilities that come with using "personal" information to verify account access. Krebs suggests that customers "insist" on being authenticated with information that is "truly private to you and to you alone."