Seattle man accused of identity theft via P2P

In what federal prosecutors are calling the first case of its kind, a Seattle man on Thursday was arrested for allegedly using the popular Lime Wire peer-to-peer file-sharing software to get access to tax returns, credit reports, bank statements and student financial-aid applications housed on hundreds of computers across the United States.

The scheme allegedly undertaken by 35-year-old Gregory Kopiloff worked something like this, according to the U.S. Department of Justice: He'd use identity information gleaned from those documents to open credit accounts over the Internet, buy goods over the Internet, ship them to various mailboxes in the Puget Sound area and resell the merchandise for about half its retail price. Investigators said his scheme had nabbed 80 victims and racked up more than $70,000.

A screen shot of Lime Wire software

(Credit: download.com)

"Law enforcement has known for some time that criminals are exploiting peer-to-peer file sharing to secretly gain remote access to victims' computers to search for personal information," Jeffrey Sullivan, U.S. Attorney for the Western District of Washington, said in a statement.

If the charges of mail fraud and "accessing a protected computer without authorization to further fraud" hold up, Kopiloff could face up to 20 years in prison and a $250,000 fine. If convicted on an "aggravated identity theft" charge, his prison sentence would be increased by two years.

From the outside looking in, it seems likely that the alleged thefts occurred because the "victims" in question--or perhaps users who shared their computers--accidentally configured their software in a way that exposed directories containing the sensitive items.

CNET News.com readers may recall that Lime Wire's CEO caught an earful from Congress earlier this summer at a hearing in which politicians claimed peer-to-peer networks pose a threat to national security because of the possibility of such "inadvertent" file sharing. Lime Wire at the time vigorously defended itself, maintaining that its product offers its users ample warnings designed to ensure they don't select vulnerable folders for sharing with others.

But one has to wonder if the criminal allegations revealed Thursday will inflame those earlier arguments that the peer-to-peer software maker hasn't made it clear enough how to close off certain directories to outside snooping. Lime Wire, for its part, has some tips on how to make sure the software is set up to your liking.

[unknown unknown]

It's hard to make technology completely fool proof

Even large business and government entities with security professionals on staff accidentally share sensitive information through various means, not just P2P.

If it's not clear to a user that sharing C:\ will share everything on your C drive, or sharing a folder will share EVERYTHING in that folder then using P2P becomes a dangerous proposition. Limewire fortunately has a "Library" that shows everything being shared.

[mandanglo]

I Don't Know

I have been in the computer industry for a while and the one thing I can say is users don't often read or care about warnings. I think that is the danger of these applications. I have been screaming at my clients for years to not install these applications but many don't listen and get virus outbreak after virus outbreak. I hope this story helps to bring the warnings of I.T. staff to something the user can understand his/her pocket book.

[glenbreakwater]

If I remember correctly......

Didn't CNET news post a story about this issue a couple years ago? The main focus was on soldiers who unintentionally shared sensitive documents and pictures via P2P. Hard to imagine the amount of data that has been leaking all this time........

[imacpwr]

This is NOT identity "theft"

quote: "accessing a protected computer without authorization to further fraud"

Considering the victims (the morons) knowingly set folders or directories of their choice to
"share" (authorizing access) the claim of accessing a protected computer and stealing
information is false. Surely any judge using common sense will see that and throw this
case out.

[microg]

Are you sure about that?

But just because you accidently leave your door unlocked does not make it right for someone to break in to your home.

Wrong #1: Leaving sensitive directories open to the internet.
Wrong #2: Someone using that information to commit identify theft.

Two wrongs don't make it right...

[Informed Citizen]

How about rape? That OK with you too?

Perhaps you and Ms. Broache would feel differently about a victim of violent rape who was "asking for it" by wearing provocative clothing and walking alone at night. Maybe Broache would put the word "victim" in quotes like she did in her article when referring to a woman who was raped and you would put the word "rape" in quotes to signal that it really wasn't a crime. I for one take both rape and ID theft very seriously and I trust that the W. WA USA does as well.

[Informed Citizen]

Wouldn't it be swell...

Boy, it would sure be great if someone in a position of authority was trying to bring public attention to this issue and make users aware of the danger of careless use of P2P programs. Maybe Congress could have held a hearing about this issue and invited industry, academic and government professionals to speak about solutions to this problem. I sure hope that if that were to happen, that news/blog/download webpages with a financial interest in the popularity of LimeWire would not criticize such hearings, calling Congress "Clueless." That sure would be a shame, by golly...

http://news.com.com/Week+in+review+Clueless+in+Congress/2100-1083_3-6199160.html?tag=item