Gangs sell bank details and passwords on sites available via Google

Criminals are using websites available via Google to openly buy and sell the bank details, passwords and email addresses of British consumers, a major report has found.

Public chat forums – which can be found using a simple Google search – are being used to trade sensitive banking details that allow fraudsters to open fake accounts in someone’s name.

The fraud prevention service Cifas said the trade was fuelling an identity theft epidemic. 

Experts called on Google to take down the forums

The number of reported cases has soared by 125 per cent in the past decade, with almost 500 cases a day logged last year – a total of 175,000.

The Cifas report found a full set of online bank details can be bought for as little as £161, credit card details for £56.50, and passport information for £40. 

This information is then used by identity fraudsters to take out genuine loans, mobile phone contracts and credit cards in someone else’s name. The criminals take the money and leave the victim with huge debts.

Yesterday the Daily Mail found several forums littered with posts by fraudsters selling personal data.

By putting into Google slang terms commonly used by online criminals to advertise the sale of stolen financial information, we found dozens of message boards.

Many of them had been set up to discuss seemingly innocent topics such as handball, poker and Windsor Football Club. 

A post on the poker forum boasted the full personal details of a customer of the Co-operative Bank. It included the cardholder’s name, address and date of birth.

Card numbers, email addresses, sort codes and account numbers, telephone numbers, card expiry dates and national insurance numbers were also found on these posts.

On one website, we found a post by a hacker who claimed to have been stealing financial information for seven years. 

Last night, experts called on Google to take down the forums. Arun Chauhan, director of Tenet Compliance and Litigation, a law firm specialising in financial crime, said search engines such as Google had a ‘moral duty to step up and do something’.

He added: ‘In the daily global fight against financial crime, it is crucial that banks and non-financial entities such as search engine providers that facilitate the passing and gathering of information and money take steps to prevent criminals from using them to commit fraud.’

Angela Sasse, of the Research Institute in Science of Cyber Security, said: ‘If the details being shared are clearly only being used for criminal gain… the sensible thing would be to get the police involved to work with the search engines. 

‘It could be tempting for young people to get involved in this illegal activity. Once they know what they’re looking for, it’s easy to get drawn in.’

For years, cyber security experts have found stolen personal data being traded on the so-called dark web – a network of hidden websites where users can remain anonymous. 

But Cifas, which was set up by high street banks to combat fraud, and Forensic Pathways, which provides software for criminal investigations, say fraudsters are now regularly posting stolen information on forums.

Google has claimed that it is not responsible for the information found on its search engine

Google has claimed that it is not responsible for the information found on its search engine

Neil Hare-Brown, a cyber security expert, said fraudsters had moved their illegal activities to online forums because they had much more exposure to potential buyers.

He added: ‘The dark web puts a lot of buyers off. It’s really slow and difficult to navigate and fraudsters know they won’t get as many sales.’

Search engines such as Google could flag the slang terms and prevent the illegal activity, he added.

Google has come under fire for allowing jihadi videos on its YouTube website, for cashing in on fake ticket-selling websites and failing to delete racist material.

It has claimed that it is not responsible for the information found on its search engine.

A Google spokesman said: ‘When we receive reports of pages that distribute personal data to facilitate identity theft or fraud, we remove these from “search” – full stop.’