For sale on the dark web: thousands of Portsmouth people's identities

Hayley Barnett from Hilsea was targeted by online scammers

And across the UK that number has spiked over the past four months, with an extra 1.4 million so-called ‘identities’ being added to hidden ‘crypto’ marketplaces since March.

Dark web marketplaces are now even offering money-back guarantees for bulk purchases of people’s account passwords, which can come coupled with one or a mix of email addresses, credit card numbers, usernames and even personal details such as first cars and mothers’ maiden names.

The News parent company Johnston Press’ investigations unit has teamed up with London data firm C6 to reveal the true extent of the booming identity trade among the criminal underworld.

The study revealed that in Portsmouth at least 116,000 people are almost certainly unaware that, at the very least, their email address and password is on sale with the hardest hit postcode being PO1.

At least 45,902 in the area – Fratton, Old Portsmouth, Portsea, Landport – have fallen victim to passwords being sold online over a number of years.

The second-worst hit area was PO3, covering Hilsea, Copnor, and Anchorage Park, with 29,907 passwords and parts of identities stolen and sold online.

In PO3, covering Hilsea and North End, this dropped to at least 25,943, while identities of 14,370 people living in Cosham, Drayton, Farlington, in PO6, were least hit.

The worrying numbers have been collated over a series of years by a team of cyber moles embedded in the murkiest reaches of the dark web, observing wholesale transactions through encrypted chat rooms.

Chief operating officer of C6, which runs the hasmyidentitybeenstolen.com website, Emma Mills, said the rapidly growing number of people at risk of being defrauded needs to act as a wake up call.

She said: ‘As consumers we have never really paid the price for fraud we’re used to the banks picking up the credit and debit card losses, we don’t see the downside to ourselves of being careless with our personal information.

‘We don’t clearly understand the impact of having our identities compromised and how long and painful it is to rebuild that genuinely, it causes problems with applying for credit or any other form of account.’

Hayley Barnett, 46, of South Down View, Hilsea, was deluged with phone calls from car insurance companies after nine policies were taken out in her name.

She received letters from the firms – detailing the vehicles, drivers names and addresses – despite having no licence.

Such was the extent of the problem she has since changed her mobile phone number to avoid insurers wrongly chasing her for payment.

Responding to the findings, mum-of-one Hayley said: ‘I’m absolutely gobsmacked.

‘They’re just scum, it’s disgusting, it should’ve be allowed how are these people not being traced?

‘I’ve had to change my bank account and my phone number.’

As reported in The News, Hayley received nine letters, purporting to insure people she had never heard of on cars she does not own.

‘I’m not getting anymore calls, they kept trying to call me on the phone,’ she said.

She reported the scam to Action Fraud, which took a report but no-one has been arrested.

Hayley added: ‘How are these people getting away with it?

‘If the police know about the dark web shouldn’t the police stop it?

‘It’s caused problems with my family as I was so het up, I was just so angry no-one was talking to me.’

Action Fraud earlier said it had ‘not found any ‘leads that would result in a successful criminal investigation’.

Her bank details were also used to take out the insurance policies, but her bank  stopped the £1,170 leaving her account.

It’s not clear how her details were obtained and used, but Hayley has been shocked by the number of identities for sale on the dark web.

Often the online marketplaces sell only partial information about an individual that can be fledged out over a period of time.

One site visited by the investigations team allowed users to bulk purchase PayPal accounts for one US dollar per account, with a minimum purchase of 100 at a time.

The store, which also purported to sell eBay accounts, offered an 80 per cent working guarantee.

On its own, a person’s streaming service account details – a username and password – could be seen as innocuous. But profiles can then be ‘enriched’, often over a series of months, or even years.

If, like half of all internet users, a person uses the same password for multiple accounts those Netflix login details could be crucial to gaining access to a person’s email address - and with it a host of other accounts simply by pressing the ‘forgotten password’ button.

Once the identity is rich enough, fraudsters can open credit card accounts in a person’s name, buy goods and transfer money.

They can also sell on the so called -’full person profile’ in bulk.

Modern day gangs have a sophisticated hierarchy, Ms Mills said, operating in similar ways to a credit bureau, working from postcode area to postcode area, gathering details from a range of sources.

‘They will have a group of people searching the electoral role, for example,’ she added.

‘They will start on a postcode and start working through it.

‘If someone knows your email, where you live and your date of birth it becomes quite a rich record.

‘Once that information is gathered they can then sell it to a gang to ‘phish’ for your banking details.

‘They will sit between you and the genuine site watching your keystrokes on the computer, they will know when you are logged on to your internet banking account.

‘When you enter the 4th, 5th and 6th digit of your password they will know that.

‘Then they will be patient.

‘They will watch you log in on multiple occasions until they have built up a full picture of you.’

And while early dark web sites were largely text-only, many are ditching their functional aesthetics in favour of more user-friendly interfaces.

‘These sites are just like any online shopping site now,’ said Ms Mills.

‘You can find which bank you want to buy details from, you can select what bank of card you want to buy. You could choose to buy gold cards for example.

‘Depending on what that brand indicates, that gives them an idea of the credit worthiness of its owner.

‘They will even issue you with a money back guarantee if you cannot make the transaction work within 24 hours.

‘Some of them offer good customer service – some have a helpdesk. The idea is they want you to continue to go back.’

The ability to steal details en masse represents a far cry from the fraudsters of the 1990s seen hanging outside call centres in the hope of convincing employees to give confidential information.

And the number of stolen identities being traded online is rising at an alarming rate.

In March, 9.3 million UK identities were circulating in the hidden web to C6’s knowledge. As of July that total had risen to 10.8 million.

Ms Mills said that the amount of personal data for sale spikes whenever a major company’s data has been breached.

But a company spokeswoman added that a spike has been in progress for the last three months, leading to the possibility that the recent Wannacry attack and other large scale breaches, such as that on AA customers, could be a contributing factor.

But, perhaps more concerning, is the theory that the recent rise could be down to a number of unreported hacks that companies are unwilling to disclose through fear of reputational damage.

‘Things like the Ashley Maddison breach – a massive spike, the Talk Talk breach, a massive spike,’ Ms Mills said.

‘It comes in a big bulk and gets divided out for criminal gangs to do things with.’

Ms Mills said C6 Intelligence sees spikes of data entering the dark web long before companies have told their customers, though she praised Talk Talk as one of the few exceptions.

In 2014, C6’s online moles saw a massive rise in customer details from a range of telecommunications companies on the dark web, not just Talk Talk. ‘Either the same consumers were hacked because they were using the same username, e-mail password combinations,’ said Ms Mills. ‘Or other organisations were similarly hit and did not disclose it.’

C6, owned by Acuris, has been researching this type of data since 2002 and works by updating a database of known records being traded in the far reaches of the dark web.

Its website, hasmyidentitybeenstolen.com, allows  users to see whether their address or data has been compromised.