Our Personal Data Is Worth Nothing

Many efforts are now being made around the world to ensure the security of personal data. Russia is not lagging behind either, enthusiastically introducing dozens of laws and hundreds of bylaws and regulations. Is there any result?

My investigation will show that in Russia and throughout the entire territory of the former USSR, the laws written on paper in this area are in vain. The results are terrible: not only companies and government departments, but also any fraudster has access to the personal data of individuals and legal entities, to bank secrets and to trade secrets. Everything is bought and sold at prices ranging from a couple of cups of coffee to a couple of mid-range smartphones.

Disappointing details

In the 1990s and 2000s, all Moscow markets were crammed with database disks: databases of residents, databases of cars and car owners, and later databases of mobile operators.

I don’t know what the situation with the criminal sale of such databases in Moscow is today (I haven’t lived in Russia for a long time), but I can say with a high degree of confidence that these will be either very old databases or only fragmentary dumps of modern ones. The volume of departmental and corporate information now reaches petabytes and sits in the cloud, so it is quite difficult to fit anything onto an ordinary consumer medium suitable for sale.

Today, personal data is actively sold on a number of forums where there are sellers, buyers and even entire arbitration systems designed to resolve possible disputes between them. Fraudsters have managed to build a very powerful criminal infrastructure: the forums are lively, threads have many comments and reviews, and there are bans for "scams" and rating systems for the "verified".

"On the darknet?" you might think. You guessed wrong. These sites are publicly accessible and may not even be included in the long-suffering Roskomnadzor register (who would doubt it). Of course, some of them do have mirrors on the darknet, but these are just mirrors.

The article will focus specifically on these sites and on those "services" that nullify absolutely all of the state's flurry of window-dressing activity around the protection of personal data in recent years.

I ask Habr users to refrain from publishing links to these resources, although they may be known to many. He who seeks will find. Firstly, I do not want to give scammers even indirect advertising. Secondly, it could jeopardize the existence of this article. Thirdly, the point is not the existence of these resources as such, but the fact that conditions exist in the state under which the listed "services" can exist at all.

Cellular operators

Look at this picture of a typical forum with typical services:

Image

I have hidden the names of the "sellers" and the names of the operators. You can guess the operators yourself; there are not that many of them in Russia. All of them, without exception, can be looked up.

The most basic service is looking up the data of the owner of a number: full name, passport data, address. How this data will be used depends only on the imagination of the fraudster into whose hands it falls.

Next is the interesting part: “services” of a higher level, such as tracking a person's location by cell towers, location history, call details and SMS details. Fortunately, at least there are no sound recordings of the calls (maybe I didn't look hard enough).

It is striking to see that any scammer can access such information. It remains to be seen whether this is done by means of the cellular operators' own systems or through external interfaces that may be located at government services (I do not even doubt the existence of such).

Think twice before registering a SIM card to your passport data when you buy it. Maybe it really is better to take a SIM card registered to a no-name visitor from Central Asia? They have not disappeared from the well-known places of sale. By handing over your passport data, you identify yourself not only to the cellular operator and government agencies, but also to any criminal who does not mind spending the cost of a couple of cups of coffee on you, or even more.

State bodies

Perhaps nothing beats the amount of data that various government departments hold about us. Thousands of employees have access to it, and the results are abundantly visible on the forums:

Image

On the one hand, a clear picture emerges of what information these departments have about us and how easily employees can compile a complete dossier on any person. On the other hand, there is an even more vivid picture: any fraudster can compile exactly the same dossier.

Typical road service:

Image

A standard question-and-answer example:

Image

The same is standard for different departments:

Image

The most popular service is exports from the Magistral, Sirena, Granitsa, Migrant, Kronos, Spark and Potok databases, and from the combined IBDR-IBDF databases. I didn't even know such names before. Anything the imagination can reach can be looked up, even the FIU.

Banks

A separate category of "services" is devoted to the details of bank accounts and the movement of funds in them. Some of them specialize in the accounts of individuals.

But even more specialize in legal entities. Here, fraud turns into sophisticated forms of industrial espionage and outright crime. I will not post screenshots, since the criminal "complex of services" goes far beyond data leaks.

Where do these monstrous instances of massive violation, not only of personal data laws but also of bank secrecy, come from? Honestly, I'm really surprised that corruption is so widespread. It seems that it is enough just to look at every position where an employee has access to at least some customer data: the fraudster could be in any of them. The only question is where the security services are looking.

I would very much like to openly list the names of the banks most at fault, but I will not do this, since the first on the list would be those that have corporate blogs on Habr, which risks getting the article blocked. Everyone knows the corporate colors of these banks. According to my observations, the smaller the bank, the less likely it is that there will be fraudulent services for it on the forums.

Everything is bought and sold

In my investigation, I practically did not touch on the information that is collected and leaked about us by chain stores selling electronics, clothing and footwear, and food, and by fitness clubs. All this is also for sale, so think once again about whether it is worth leaving your real address and phone number when signing up for yet another discount or club card.

An interesting fact: databases of users of bookmaker, forex and options services, of clients of psychics, fortune-tellers and sorcerers, and of buyers of dietary supplements and of products for losing weight and increasing potency are actively sold. The target audiences of these specific products have crystallized so much that these databases change hands, are constantly supplemented and are kept up to date. The business is just huge in scale.

It's not so bad when personal data that we leave voluntarily is leaked: just be careful and do not leave it. It is much worse when the data that is leaked is data which we, in principle, cannot avoid leaving. Buying SIM cards without a passport will not solve all problems.

In 2017, I read publications by Russian oppositionists (in particular, Leonid Volkov, leonwolf), who faced persecution by aggressively minded criminals who had suddenly obtained information about all of their flights and movements: thugs of a sort waiting near the airport with bats, accompanied by a staged show of lavishly paid pseudo-supporters of the authorities with flags and chants. In Ukraine, all of them at one time were collectively called titushki.

Why is that? How did the titushki know about the flights of the opposition? It's simple: because access to the flight database is bought and sold in the same way as access to all other databases.

Leonid, I know that you are an IT guy. If you happen to read this article, I will be very glad if you share it; much of it was written under the impression of your "Cloud".

A skeptical reader might think: you are talking about oppositionists, that is, people who represent a certain political position, and their activities are, by definition, fraught with risks. And that would be wrong: criminal lawlessness can affect everyone. You can see with your own eyes the scale of the data about us that is lying around for the taking.

Everyone has a smartphone, everyone has a bank account, many use cars, many often travel by air, many have businesses in the post-Soviet countries. Regardless of your social status and political orientation, you are in danger, because your data is not protected by anyone or anything, and criminals have an absolutely free hand. What is scattered around forums in the form of commercial announcements can in fact be obtained "on call" by connected people. This concerns Russia first and foremost.

Many will remember the case of Anton Uralsky in 2008 and the posted call to the Internet provider Stream: "there was not a single gap!" Everyone laughed then, not thinking that the employees had committed a crime by posting an audio recording of a conversation with a client on the Internet. They committed a second crime by publishing Anton's personal data, which fell into the hands of hundreds of pranksters who ruined the man's life.

Why do you think I was inspired by this story? Because in the same year, 2008, my own personal data was shamelessly posted by employees of the Internet provider Corbin.

The reason is worthy of an anecdote: the administrators of the local Corbin forum did not like some of my posts, so one of them matched my IP address against the internal database and posted all the data from my contract, including passport data and the address where the service was provided. Here, look, this is the person; go to him and talk, dear forum users. Fortunately, the audience of that forum was mainly schoolchildren, so this did not threaten me with anything bad. What a caricature of a moral: "never anger the administrator."

The admin did everything as a joke, just like that: such was the attitude to personal data and laws. After all, back then, in 2008, there were also laws on personal data, although not as detailed as today's. As you can see, nothing has changed for the better in 10 years, although incomparably more paper has been spent on laws. Everything has become even more criminalized and has even been put on a commercial footing, with all the accompanying fraudulent "business processes" worked out. Where there used to be a "joke", outright stupidity and petty criminal inclinations, today there is financial benefit, cold calculation and a whole criminal infrastructure.

I have been living in Germany for 5 years and I constantly see the attention and care with which all German authorities and commercial organizations treat personal data. The first law in Germany in any work with people: to protect their privacy and confidentiality. Each time I experience this care myself, I remember those employees of Russian Internet operators and want to calculate how many years they would have served in Germany for their actions. They would still not be out. On the other hand, such a situation simply could not arise: the system would not allow an irresponsible, stupid and dishonest person to gain access to data protected by law. Nor a prudent, smart, but still dishonest one.

Afterword

I am sure that the corrupt employees of firms, banks, operators and departments, and the owners and participants of the forums that I wrote about in general terms today, read Habr themselves and will definitely read my article. Someone will think "you scoundrel, you are exposing the schemes to the public," to which I will answer right away: you are doing very bad things, you are committing a criminal offense, and I do not intend to sing odes to what I do not consider to be good, nor will I keep silent about what I consider unacceptable.

In my article, I only touched on the top of the pyramid, no more than 2% of the whole truth. Digging further into the specialized resources, you can find such things as criminal "services" for remote blocking of SIM cards, interception of SMS, blocking of bank accounts, all-round paralysis of the work of companies, any criminal whim for your money. Everywhere, either employees of departments or employees of various levels in commercial companies are involved.

By the way, there are a number of interesting "services" involving mobile operators: fraudsters use vulnerabilities in cellular networks to geolocate all users who have visited a site over the mobile Internet, to sign them up for paid subscriptions, and, specifically for themselves, to completely bypass mobile traffic accounting (this is not nonsense like sharing the Internet when tethering is blocked, but the complete disabling of accounting for data downloaded on metered tariffs). Surprisingly, the roots here do not grow from the black near-darknet forums, but from the well-known w3bsit3-dns.com forum in Runet.

I didn't go deep into the black market; it's too slippery and disgusting. I was only interested in the situation with personal data, which is catastrophic and is not even buried in the depths of the black market, but is within easy reach.

Most of the article was devoted to Russia, Russian organizations and departments. Readers from Ukraine are probably already used to the fact that on the Russian-language Internet, most of the bad news usually concerns their northern neighbor. Unfortunately, this time I cannot share your optimism: the supply of the “services” described in the article is at no lower a level in Ukraine than in Russia. Even the price level is the same.

According to my observations, there are far fewer offers for Belarus and Kazakhstan. Maybe I didn't look hard enough (to be honest, it is morally difficult to be on these resources for a long time), but the point is clearly not a lower crime rate. In my opinion, everything is much more prosaic: the supply is proportional to the number of inhabitants, and far fewer people live in Belarus and Kazakhstan than in Russia and Ukraine.

I have not seen offers of such "services" anywhere in Europe, the United States or other developed countries of the world. At most, there are lookups in shared databases (like Interpol) to which there is access from Russia. Obviously, this is because the laws in these countries are not only written on paper, but implemented in practice. Laws are not for decoration, showmanship and "plan fulfillment."

Meanwhile, supervisory agencies will be happy to fine ordinary Russian, Ukrainian, Belarusian and Kazakh small business owners for an incorrectly worded consent form for the processing of personal data, and they themselves will, with no less pleasure, leak the entire database in which you, your personal data, the data of your business, your customers, and even your fine are perfectly recorded.

Author: Drebin89