Associated Press
For consumers and banks wondering how sensitive information leaks out to identity thieves, the answer may be blowing in the digital wind. In two forthcoming studies, Eric Johnson, a professor at Dartmouth College's Tuck School of Business, warns that investors, bank employees and companies that do work for banks may be releasing more than just music files on peer-to-peer file-sharing networks. They may be sharing their financial information, too. Even harmless searches can turn up those sensitive documents in a phenomenon Johnson calls digital wind.
Johnson's studies, funded by grants from the U.S. Department of Homeland Security, looked at the results of searches for the top 30 U.S. banks and tracked sensitive financial documents as they moved through three popular peer-to-peer networks: Gnutella, FastTrack and eDonkey.
Among documents he found: loan applications, bank statements, dispute letters, wire transfer authorizations, credit reporting agency records, user ID and password lists, and tax returns. Many of those documents included information like Social Security numbers, credit card numbers or signatures – information that would make life easy for someone looking to commit identity theft.
Peer-to-peer networks – many of which sprouted after the demise of the original Napster file-sharing business – allow users to share music, videos, software and photos. Typically, users offer up their own files in exchange for access to other people's files. Although lawsuits have abounded about the legality of peer-to-peer file sharing, some are now operating legally.
The problem, Johnson said, is that the 10 million people using peer-to-peer networks do not necessarily know to limit what they're making available. So even though someone might want to share just his MP3 collection, he might be giving other users access to his My Documents folder.
Once a file is shared, it disseminates quickly, Johnson said, either by chance or by intent. Johnson has shared his findings with some of the banks either directly or at industry conferences.
Over the course of seven weeks, Johnson had Tiversa Inc., a company that works with financial institutions and government agencies to prevent inadvertent data breaches, conduct searches related to the country's largest banks. In just over a month, they found more than half a million searches that somehow incorporated bank names.
Some searches imply that people are scouring peer-to-peer networks specifically for financial documents: Searches for Citibank August statement, for example, or PIN Bank of America are not something you'd expect in a music-sharing network, Johnson said, and therefore are suspicious.
But another trend, the one Johnson calls “digital wind,” also poses a threat: Even legitimate searches turn up sensitive files. For example, someone searching for music by rapper PNC might turn up documents from the bank of the same name. Similarly, a search for the song Wells Fargo Wagon from the musical The Music Man could lead to someone's Wells Fargo bank statements.
The bad news for a bank is if (someone) is searching for Madonna's performance at the Wachovia Center…the search is going to bring up a lot of things that people have on their hard drives related to Wachovia, Johnson said.
Even if a person searching for concert recordings does not open a bank statement that mistakenly turns up, she might inadvertently share someone else's bank statement in the future.
Digital wind isn't harmless because it does turn up sensitive documents, Johnson said. People download it; they're not sure what it is. Often when they have it, they re-disclose it. As part of one of the studies, Johnson demonstrated the speed of the network by sharing a fake email designed to look like correspondence between a father and daughter: Sara, Grandma sent you a $25 prepaid Visa card and telephone calling card in the mail for Christmas. …Here's the info from the cards.
Within a week, the money card was empty, and it took another week for the phone card to be used up.