A new program being spearheaded by Microsoft Corp. is designed to provide a trusted way for researchers to report stolen credit card numbers and other data they've found in the dark corners of the Internet.
Establishing that link is important because when a researcher finds stolen data, it can be hard to convince a bank or another affected institution that the data is legitimate. The lost time can mean the difference between someone's identity being used for fraud, and stopping a fraud before it occurs.
The program Microsoft is spearheading could greatly help researchers deal with data they've found online and submitted to affected companies, said Dan Clements, former president of CardCops, which specializes in tracking down stolen payment card numbers online. (Mnsbc.com is a Microsoft-NBC Universal joint venture.)
When researchers find card numbers being sold or hawked online, "We send it to everybody immediately. We send it to companies, the government, the consumer — it's a blitzkrieg. That way they have all the intel and can act accordingly," he said. "You could call it scattershot. It's the only way you can assure that we've done our job. But we have no way of knowing it's effective."
Clements said the speed of the new program — how quickly it leads to notifications for affected institutions and consumers — will be key to whether it is successful.
Some merchants and gambling websites have tried similar programs in the past. They created databases of stolen cards against which they'd check transactions, Clements said. But the programs fell apart, partly because the companies didn't work well together without a middleman, he said.
The new program is being managed by the National Cyber-Forensics & Training Alliance, a nonprofit organization focused on cybercrime. Other participating organizations include the American Bankers Association and eBay Inc.
More banks, retailers and Internet security firms will be added as they sign up and are vetted by a third party.
Nancy Anderson, Microsoft's deputy general counsel, said in an interview that the idea for the program came from problems Microsoft security researchers encountered in their attempts to alert banks and online retailers to fraud they've discovered.
"When these kinds of credentials are stolen, they may not get used immediately, so the goal here is to get the information to the institutions quickly, quickly, quickly, so the appropriate action can be taken before the damage is done," she said.
Clements said that one weakness of Microsoft's program is that it won't allow people to anonymously submit what they've found, which could discourage whistleblowers from coming forward.
He cited an example from CardCops that involved an insider at an e-commerce company who discovered his company was hacked and lost 50,000 credit card numbers. The employee said management threatened to fire him if he disclosed the breach. Clements said CardCops allowed the employee to disclose the breach anonymously and sent the information to the banks and the government.