Nearly 20 million pieces of personal information were illegally traded by fraudsters in the first six months of 2012, according to the latest quarterly figures from Experian CreditExpert.

Released to mark the beginning of National Identity Fraud Prevention Week, the findings reveal that 19.7 million pieces of information were bought and sold illegally between January and June 2012 – more than in the whole of 2011, when 19.04 million records were traded. On current trends, this is set to be a fourfold increase on 2010 (when 9.46 million records were traded illegally).

The findings come as Experian concludes an unusual experiment into online security and the average Briton’s web habits – “Life in a Box”. The experiment saw a volunteer, Steve, placed in a London shop front for a week with just a laptop for company.

He was set a series of online challenges to determine where, when how often and, most importantly, how securely personally identifiable information like names, email addresses and dates of birth was submitted – particularly the combination of a login and password, which forms 90% of the market of illegally traded information online.

Steve was fully aware that this experiment would enable Experian to look for and identify any weaknesses in his online behaviour, expose them and see what a fraudster might potentially be able to discover.

The experiment revealed that although Steve showed himself to be a savvy web user, like many people he made basic security mistakes in his hurry to get things done. During the course of the week, he used the same password across multiple accounts, failed to update his web browser to a newer, more secure version, and didn’t check that websites were secure by looking for the padlock icon when making online purchases.

As part of the experiment, Experian called upon the expertise of a third party security consultant to measure how far data can spread when it gets into the wrong hands. He performed a test with eight fake account details to see how far they can spread if they get into the wrong hands.

The results showed what a serious issue it can be:

  • All of the eight temporary email addresses were taken over within five hours, with the majority of credentials hijacked within five minutes
  • The individuals who took over these accounts were located in a variety of countries, ranging from Albania to South Africa.
  • Password related emails were the first to be viewed, followed by correspondences with family or friends.

Peter Turner, Managing Director at Experian Consumer Services in the UK and Ireland, commented: “It’s a wonderful life online, and it is now second nature to many of us. We’re more confident and more comfortable than ever – but that also means that, like Steve, we can be complacent. Although fourteen per cent of Britons admit to being concerned about the risk of online ID theft, many more – 43 per cent – have no such worries.

“When managing multiple online accounts, users need to protect themselves with a service, such as CreditExpert’s Web Monitoring, which alerts members by text or email at the first signs that their details have been compromised.”

The risk of having details stolen is very real. Research from Experian CreditExpert finds that:

  • Three fifths of us never log out of websites
  • One in four people (26 per cent) never check for a website’s security padlock, even when making purchases

And, perhaps most surprisingly of all, many of us simply let curiosity get the better of us. Despite the well-known risks, one in six Brits (16 per cent) admit to sometimes opening spam to see what it says, while one in 50 (two per cent) even click on links in spam emails.

Since Experian CreditExpert’s web monitoring service was launched in May 2012, members have already been alerted to more than 400,000 instances of their information being exposed or misused. Web users can take the following steps to help protect themselves:

  • Use a strong password and make sure you don’t use the same password for all your important accounts: Avoid things like dictionary words, maiden names or favourite pets, as these can be easily cracked. And although there’s no need to have a different address for every single different online account, try to have separate passwords for your main email address, online bank account and different social media accounts, which you don’t use for anything else. That way, if one is compromised, the others will remain safe.
  • If in doubt, don’t click: Online is now second nature to many people. But don’t let that give you a false sense of security. If a website looks dubious, an online offer too good to be true, or an email with its subject line and content conflicting with what your bank would normally send you, don’t click. Check online to see if other people have encountered what might be a scam or virus, and contact your friend or bank to see if they the email is legitimate.
  • Know where your details go: If personal information falls into the wrong hands, within minutes, the data can be used to access your accounts, and can be bought and sold in underground forums around the world.

Findings from the Life in a Box Experiment:

  1.  Identification of re-use of passwords

Every new account that was registered by Steve during the project used the same password. Services signed up for included shopping websites, social media sites and communication sites. The compromise of any of these accounts could have led to a compromise of any other details or credentials, due to the reuse across multiple services.

  1.  Not checking for SSL Encryption when sending confidential information

SSL is used to protect confidential or secure information when it is being sent over the internet. Users should always check to see if the padlock icon is visible when interacting with any sites which are requesting personal or private data, including usernames and passwords.

Steve agreed to let a security consultant monitor his web traffic and see what details could be identified. On the fourth day of the experiment, the third-party security consultant used a number of tools to automatically strip SSL protection from websites. The goal of this was to identify if users automatically checked for the padlock icon every time when using a site, or if they only checked on the first occasion.

Throughout the whole day SSLStrip was used to remove SSL protection from a number of sites. Steve failed to identify the lack of SSL (signified by the lack of padlock icon) during this period, and it was possible to identify and extract various credentials belonging to him, including his password, address, credit card number and phone number.