Web sites in their thousands selling on customer data

Subscribers conned by smallprint conditions.

More than 4,000 so-called legitimate sites worldwide could be selling on subscriber or user data without the knowledge of their users, according to identity theft prevention firm SentryBay.

The UK-based firm's chief operating officer Marcus Whittington explained that the figures come from a comprehensive database run by partner organisation, Lucid Intelligence.

The Lucid database offers a unique snapshot into the activity of identity fraudsters by comprising a list of user data which is being bought and sold on the black market.

The firm states on its web site that it contains the details of over forty million people worldwide "who have had their personal information compromised by criminals in this way".

Whittington argued that on numerous occasions data which has ended up in the Lucid database can be traced exclusively back to a legitimate site, for example, it may have been entered by a user into a big name subscription news site.

"We're finding that in the small print they have the rights to sell on the data – it may not be sold on directly but it eventually gets to the criminals," said Whittington. "There are 4,111 sites worldwide where data entered on them has ended up in the public domain."

Whittington explained that the Lucid database highlights another new trend among identity fraudsters, brought about because many anti-fraud tools now used by banks are so sophisticated they are negating traditional methods of attack.

"A lot of the major criminals have moved to committing 'card not necessary' fraud," he argued. "This is when they collect the information gathered from keyloggers, phishing attacks and other means and then create new identities. The focus is on stealing complete identities and using them for gain."