Josephine made about $37,000 in 2004, but thanks to itemized deductions, she only paid taxes on $26,000. The Midwestern bookkeeper ended up getting a $1,000 refund, which was deposited into her account at a local credit union.
She never intended for the whole world to know this.
But a brief foray onto the file sharing network Limewire exposed her tax return to millions of Web users, who could find it as easily as you can find movie times on Google.
Josephine’s tax return was apparently pilfered, stored by someone else, and shared anew on Limewire recently. With just a few seconds of searching, an MSNBC.com reporter found intimate details of Josephine’s life -- how much she paid in property taxes, her Social Security Number, even her bank account number.
Josephine (whose name has been changed to protect her privacy from further violation) didn't want to talk about it when contacted, saying only that she "may have used it (Limewire) in the past." She also said she was unaware her identity had been stolen.
She's hardly alone. In recent months, researchers, congressional aides, and journalists have pulled off the parlor trick of finding consumers' tax returns on file-swapping services.
The peer-to-peer services, descendants of Napster, have worked to attain a level of legitimacy in the face of music-industry lawsuits, but most remain active haunts of those looking to download free music and videos. But when swappers incorrectly install the software, they can share everything on their computers. Tax returns, generated by automated tax software, are an easy target. Credit card numbers, personnel files, and even sensitive military documents also have turned up.
Chris Gormley, chief operating officer of the Tiversa security firm, has a message of all P2P users: These are no longer mere parlor tricks. Criminals are now well aware that Limewire and its competitors are a treasure trove of personal information. They now actively exploit the services every day.
"These aren't for entertainment," Gormley said. "These are people who are actively looking for this stuff.”
Tiversa gets paid to search P2P networks for sensitive corporate information that might be left there by careless employees. Recently, the company began cataloging all search terms entered into the services by would-be downloaders. The presence of identity thieves was obvious. On Sept. 14, the first day of checking, Tiversa charted 2,314 searches for "credit card" and 8,303 searches for "passport." Criminals also ran searches for medical information (5,767), retirement-related documents (4,064), Quickbooks or Quicken files (about 6,000) and even audits (several hundred). Then there were vague searches for words like account, loan, confidential, log in, or proposal.
The most common search term also was the most obvious: "bank." Tiversa found 106,000 searches for that word alone.
Criminals have only piled on since then. By the end of September, there were twice many searches for "account" and "credit card." There were three times as many searches for “ATM.”
By the end of October, the cumulative effect of these searches had become enormous. Tiversa picked up about 300,000 searches for credit cards, 440,000 for medical information, 650,000 for retirement-related documents, and 7.5 million for bank documents.
The person behind many of those 7.5 million searches is most likely a criminal planning to turn that downloaded data into money.
Worse than phishing
Falling for faulty peer-to-peer software is a much more severe problem than falling for other traditional identity theft tricks like phishing e-mails, Gormley said. When a consumer fills out a fake Bank of America message, the criminal will probably only get account data and perhaps a PIN code. But when a criminal can root around a consumers' hard drive, the stolen data haul is much more valuable. Combine that exposure with the refined search capabilities of software-sharing tools like Limewire, and these networks become the perfect accomplice for identity thieves, Gormley said.
"This is just like someone looking at your computer (in your house)," he said. "They're getting a lot more information than a phishing attack."
With an estimated 10 million to 12 million people using file sharing networks at any given time, and perhaps 60 million users total in the U.S. according to the Federal Trade Commission, identity thieves are shooting fish in a barrel.
One man who apparently shot a few fish was Gregory Kopiloff of Seattle, who pleaded guilty earlier this month to just the kind of crime Gormley is warning about. Kopiloff, who faces up to 20 years in prison, admitted using Limewire to download tax returns, credit reports, student loan applications and other files with personal information. He also admitted to stealing $73,000 from 50 victims.
Secret government files
Earlier this year, Tiversa CEO Robert Boback testified before a House committee that the stakes with file-sharing software data theft are even higher. He said company researchers had found nearly 200 secret government files on Limewire.
The company would not divulge the contents of the files, citing national security reasons. Boback would say only that they were "highly classified – clearly marked ‘secret’ or above -- government documents from the U.S. and others."
Careless music-seeking teenagers are usually blamed for Limewire file exposures. They install file-swapping software and steal their music, not giving a thought to their parents' Quicken files and tax returns.
But this stereotype isn't necessarily accurate. Josephine is an adult who installed the software herself. A second tax return found on the service belonged to couple in their early 20s living near Baltimore. The husband served in the U.S. military. With no kids to blame, it's likely they installed Limewire on their own. Attempts to reach the couple were unsuccessful.
Much as embarrassing MySpace and Facebook photos now haunt job-seeking young adults, the appearance of the Baltimore couple’s tax return suggests there may be a new class of P2P identity theft victims: recent teens who have graduated from illegal file-swapping to adulthood, but who haven't counted on the privacy implications of their downloads.
RED TAPE WRESTLING TIPS
It's critical to understand exactly how every file-swapping program works. Here's the simple, broad view. It you can download files from someone else's computer, they can download from yours. Behave accordingly.
• TOXIC: Every file-sharing program should be treated as toxic, and in fact, many antivirus programs do just that. Make sure your antivirus software detects and disables unwanted file sharing programs. You’re better off not using them.
• FIREWALLS: Some P2P software won't work, or won't work well, when your firewall is turned on. So a user might turn the firewall off to download files. This is playing with fire. What are the odds you'll start watching that stolen movie and forget to turn the firewall back on?
• USER ACCOUNTS FOR KIDS: Symantec's Jody Gibney offers this tip to parents who are worried about their technically proficient children: The Windows operating system allows separate user accounts for children and parents. Use them. That way, if your child accidentally shares his "My Documents" folder (the most common P2P pitfall), he or she won’t be sharing your documents. Remember, Windows creates separate My Documents folders for each account. Of course, this isn't foolproof. If your child chooses to share your entire hard drive, you'll still have a big problem. But user accounts will help.
• PASSWORD-PROTECTION: It will also help to separately password-protect your security software so your kids don't disable your firewall or antivirus protection, Gibney said.
• IF YOU MUST: Those who are using file-swapping software need to pay special attention during installation to understand what part of their computer is being shared with the universe. Limewire and other software makers are making strides at changing the default settings so the software is less promiscuous. Limewire users now, by default, expose only a "shared" folder if they accept all default choices. That generally means you’ll only share files you’ve downloaded from Limewire. Still, it's easy to change that setting and land in a heap of trouble.
• REALLY SHUT IT DOWN: Limewire also has a tricky feature that confuses many users into thinking they're turned the software off when they haven't. Clicking the "X" in the software's upper right-hand corner doesn’t shut down the software, it merely minimizes it. That’s foreign behavior to most software users, who click the X to close every other program they use. To really turn Limewire off, you've got to right-click the icon at the bottom of the computer and select "exit." This no doubt leads to a lot of users sharing more files than they intended.
• DO YOU NEED THOSE FILES? It's also important for consumers to realize how many sensitive documents they store on their computer and act accordingly. Software like TurboTax and Quicken creates many files that would be a gold mine to ID thieves. These must be carefully stored, ideally with additional password protection. You never know who might glance at your computer some day through some new Internet theft technique, or when you'll have to call a service technician for help. Destroying files that are no longer needed is also a good habit. Why take the risk? And you probably have to expand your idea of what's a sensitive file, too. In addition to the kind of items consumers generally think of secret, such as tax returns, Gormley said, criminals now regularly look for spreadsheets from work, retirement information, health records, and so on. He's seen some horror stories.
"Consumers' hard drives are full of things like psychiatric records, things you really wouldn't want anyone to see," he said.