Our personal data is worth nothing

Father



Around the world, a lot of effort is now going into securing personal data. Russia is not lagging behind either, enthusiastically introducing dozens of laws and hundreds of bylaws and regulations. Is there a result?

My investigation will show that in Russia and throughout the entire territory of the former USSR, the laws written on paper in this area are in vain. The results are terrible: not only companies and government departments, but also any fraudster has access to the personal data of individuals and legal entities, bank secrets and trade secrets. Everything is bought and sold at prices ranging from a couple of cups of coffee to a couple of mid-range smartphones.

Disappointing details under the cut.

In the 1990s and 2000s, all Moscow markets were crammed with database disks: databases of residents, databases of cars and car owners, and later databases of mobile operators.

I don't know what the situation is with the criminal sale of such databases in Moscow today (I haven't lived in Russia for a long time), but I can say with a high degree of confidence that these will be either very old databases or only fragmentary dumps of modern ones. Now the volume of departmental and corporate information reaches petabytes and is in the cloud, so it is quite difficult to fit something onto a regular consumer medium suitable for sale.

Today, personal data is actively sold on a number of forums, where there are sellers, buyers and even entire arbitration systems designed to resolve possible disputes between them. Fraudsters have managed to build a very powerful criminal infrastructure: the forums are lively, topics have a lot of comments and reviews, and there are bans for "scammers" and rating systems for "verified" sellers.

"On the darknet?" you might think. You guessed wrong. These sites are publicly available and may not even be included in the long-suffering Roskomnadzor register (who would doubt it). Of course, some of them do have mirrors on the darknet, but these are just mirrors.

The article will focus specifically on these sites and on those "services" that cancel out absolutely all of the state's stormy window-dressing activity around the protection of personal data in recent years.

I will ask Habr readers to refrain from publishing links to these resources, although they may be known to many. He who seeks will find. Firstly, I do not want to give even indirect advertising to fraudsters. Secondly, it could jeopardize the existence of this article. Thirdly, the point is not the very existence of these resources, but the fact that conditions exist in the state under which the listed "services" can exist at all.

Cellular operators

Look at this picture, typical forum, typical services:

I have hidden the names of the "sellers" and the names of the operators. You can guess the operators yourself; there are not so many of them in Russia. All of them, without exception, can be looked up.

The most basic service is looking up the data of the number's owner: full name, passport data, address. How this data will be used depends only on the imagination of the fraudster into whose hands it falls.

Further on, it gets more interesting. "Services" of a higher level: tracking a person's location by cell towers, location history, call details, SMS details. Fortunately, at least there are no sound recordings of the calls (maybe I didn't look hard enough).

It is very impressive to see that any scammer can gain access to such information. One can only guess whether this is implemented by the means of the cellular operators themselves, or through external interfaces that may be located at government services (I do not even doubt the existence of such).

Think twice before registering a SIM card to your passport data when you buy it. Maybe it's really better to take a SIM card registered to a no-name visitor from Central Asia? They have not disappeared from the well-known points of sale. By handing over your passport data, you identify yourself not only to the mobile operator and government agencies, but also to any criminal who does not mind spending the cost of a couple of cups of coffee, or even more, on you.

State bodies

Perhaps nothing beats the amount of data that various government departments know about us. Thousands of employees have access to it, and the results can be seen in abundance on the forums:

On the one hand, a clear picture emerges of what information these departments have about us and with what ease employees can collect a complete dossier on any person. On the other hand, an even more picturesque oil painting: any fraudster can collect exactly the same dossier.

The most popular service is exports from the Magistral, Sirena, Granitsa, Migrant, Kronos, Spark and Potok databases, and the complex IBDR-IBDF databases. I didn't even know such names before. Anything you can imagine can be looked up, even the FIU.

Banks

A separate category of "services" is devoted to details of bank accounts and the movement of funds in them. Some of them specialize in the accounts of individuals.

But even more specialize in legal entities. Here, fraud turns into sophisticated forms of industrial espionage and outright crime. I will not post screenshots, since the criminal "complex of services" goes far beyond the scope of data leaks.

Where do these monstrous facts of massive violation of not only personal data laws, but also bank secrecy, come from? Honestly, I'm really surprised that corruption is so rampant. It seems that it is enough just to look at all the positions where an employee has access to at least some customer data: the scammer could be in any of them. The only question is where the security services are looking.

I would very much like to openly list the names of the banks most at fault, but I will not do this, since the first in the list would be those that have corporate blogs on Habr, which risks getting the article blocked. The corporate colors of these banks are also known to everyone. According to my observations, the smaller the bank, the less likely it is that there will be fraudulent services for it on the forums.

Absolutely everything is bought and sold

In my investigation, I practically did not touch on the information that is collected and leaked about us by chain stores selling electronics, clothing and footwear, and food, and by fitness clubs. All this is also for sale, so think once again about whether it is worth leaving your real address and phone number when signing up for another discount or club card.

An interesting fact: databases of users of bookmakers, forex and options services, of clients of psychics, fortune-tellers and sorcerers, and of buyers of dietary supplements, weight-loss products and potency enhancers are actively sold. The target audiences of these specific products have crystallized so much that these databases change hands, are constantly supplemented and are kept up to date. The business is just huge in scale.

It's not so bad when personal data that we leave voluntarily is leaked: just be careful and do not leave it. It is much worse when the data that leaks is data we fundamentally cannot avoid leaving. Buying SIM cards without a passport will not solve all problems.

In 2017, I read the publications of Russian oppositionists (in particular Leonid Volkov, leonwolf), who faced persecution by aggressive criminals who had suddenly received information about all their flights and movements: thugs waiting near the airport with bats, accompanied by a staged show of lavishly paid pseudo-supporters of the authorities with flags and chants. In Ukraine, all of them were at one time collectively called titushki.

Why is that? How did the titushki know about the flights of the opposition? It's simple: access to the flight database is bought and sold in the same way as access to all other databases.

A skeptical reader might think: you are talking about oppositionists, that is, people who represent a certain political position, and their activities are, by definition, fraught with risks. That reader would be wrong: criminal lawlessness can affect everyone. You can see with your own eyes the scale of the data about us that is lying in plain sight.

Everyone has a smartphone, everyone has a bank account, many use cars, many often travel by air, many have businesses in the post-Soviet space. Regardless of your social status and political orientation, you are in danger, because your data is not protected by anyone or anything, and criminals have absolutely free hands. What is scattered around forums in the form of commercial ads can in fact be obtained "on call" by well-connected people. This concerns Russia in the first place.

Many will remember the case of Anton Uralsky in 2008 and the posted call to the Internet provider Stream: "there was not a single gap!" Everyone laughed then, not thinking that the employees had committed a crime by posting an audio recording of a conversation with a client on the Internet. They committed a second crime by publishing Anton's personal data, which became the property of hundreds of pranksters who ruined a person's life.

Why do you think this story affected me so much? Because in the same year, 2008, my own personal data was shamelessly posted by employees of the Internet provider Corbin.

The reason is worthy of an anecdote: the administrators of the Corbin local forum did not like some of my publications, so one of them matched my IP address against the internal database and posted all the data from the contract, including passport data and the address where the communication services were provided. Here, look, this is the person, go and talk to him, dear forum users. Fortunately, the audience of that forum was mainly schoolchildren, so this did not threaten me with anything bad. The moral is a caricature: "never anger the administrator."

The admin did everything as a joke, just like that: such was the attitude to personal data and laws. After all, back then, in 2008, there were also laws on personal data, although not as detailed as they are today. As you can see, nothing has changed for the better in 10 years, although incomparably more paper has been spent on laws. Everything has become even more criminalized and has even been put on a commercial footing, with all the accompanying fraudulent "business processes" worked out. Where there used to be a "joke", outright stupidity and petty criminal inclinations, today there is financial benefit, cold calculation and a whole criminal infrastructure.

I have been living in Germany for 5 years and I constantly see the attention and care with which German authorities and commercial organizations treat personal data. The first law in Germany in any work with people is to protect their privacy and confidentiality. Each time I feel this concern myself, I remember those employees of Russian Internet operators and want to calculate how many years they would have served in Germany for their actions. They would still not be out. On the other hand, such a situation simply could not arise: the system would not allow an irresponsible, stupid and dishonest person to gain access to data protected by law. Nor a prudent and smart, but still dishonest, one.

Afterword

I am sure that the corrupt employees of firms, banks, operators and departments, and the owners and participants of the forums that I wrote about today, read Habr themselves and will definitely read my article. Someone will think "you scoundrel, you are exposing our schemes in public," to which I will answer right away: you are doing very bad things, you are committing a criminal offense, and I do not intend to sing odes to what I do not consider good, nor will I keep silent about what I consider unacceptable.

In my article, I only touched on the top of the pyramid, no more than 2% of the whole truth. Digging further through the thematic resources, you can find such things as criminal "services" for remote blocking of SIM cards, interception of SMS, blocking of bank accounts, all-round paralysis of the work of companies: any criminal whim for your money. Everywhere, either employees of departments or employees of various levels in commercial companies are involved.

By the way, there are a number of interesting "services" involving mobile operators: fraudsters use the vulnerabilities of cellular networks to geo-locate all users who have entered a site from the mobile Internet, to connect paid subscriptions, and, especially for themselves, to completely bypass mobile traffic accounting (this is not some trifle like sharing the Internet when tethering is blocked, but complete disabling of the metering of downloaded traffic on limited tariffs). Surprisingly, the roots here do not grow from black near-darknet forums, but from the well-known w3bsit3-dns.com forum.

I didn't go deep into the black market, it's too slippery and disgusting. I was only interested in the situation with personal data, which is catastrophic and not even buried in the depths of the black market, but within walking distance.

Most of the article was devoted to Russia, Russian organizations and departments. Readers from Ukraine are probably already used to the fact that on the Russian-language Internet, most of the bad news usually concerns their northern neighbor. Unfortunately, this time I cannot share your optimism: the offer of the “services” described in the article in Ukraine is at no less a level than in Russia. Even the price level is the same.

According to my observations, there are far fewer offers for Belarus and Kazakhstan. Maybe I didn't look hard enough (to be honest, it is morally difficult to be on these resources for a long time), but the point is clearly not a lower crime rate. In my opinion, everything is much more prosaic: the supply is proportional to the number of inhabitants, because far fewer people live in Belarus and Kazakhstan than in Russia and Ukraine.

Nowhere have I seen offers of such "services" for Europe, the USA and other developed countries of the world. The maximum is lookups in shared databases (like Interpol) to which there is access from Russia. Obviously this is because the laws in these countries are not only written on paper, but implemented in practice. Laws are not for decoration, showmanship and "plan fulfillment."

Meanwhile, supervisory agencies will be happy to fine ordinary Russian, Ukrainian, Belarusian and Kazakh small business owners for an incorrectly worded consent form for the processing of personal data, and will just as happily leak the entire database themselves, in which you, your personal data, your business data, your customers, and even your fine will be perfectly reflected.
 