The service, dubbed StolenID Search, lets anyone with an Internet connection search a database of more than 2 million credit card and Social Security numbers found in the , Redwood City, Calif.-based TrustedID, said Tuesday.
"This is an opportunity for any consumer to find out whether or not their credit card number or Social Security number has been compromised," said Scott Mitic, TrustedID's chief executive. "In many cases, absent this service, there is no way for consumers to find out if their data has been compromised until it is too late."
Using StolenID Search is counterintuitive. Running a search requires the that is to be checked against the database. This requires trust in TrustedID, a 2-year-old company backed by venture capitalists that is building a business out of identity protection services.
Mitic asserts that without additional information, a credit card or Social Security number is useless. "Just the number has no value unless it comes with your name, billing address, expiration data and security code," he said. "This is probably the only case where I would counsel someone to enter a Social Security number into a Web form."
Playing into the hands of criminals
Done right, experts see value in the new service. However, the way StolenID Search is set up now, it could play into the hands of criminals, they said.
"There is a significant amount of personal information traded in the dark corners of the online world, and companies such as TrustedID could allow the consumer to take appropriate prevention or detection action in response to knowing about this," said James Van Dyke, president of Javelin Strategy & Research, which.
Assuming TrustedID can be trusted and its database is comprehensive, it can be valuable, agreed Avivah Litan, an analyst with Gartner. "It fills an important gap consumers have in the tools available to them for fighting identity-theft related fraud," she said.
But, both Van Dyke and Litan said, TrustedID made a mistake in making the database accessible to anyone.
"They can make a terrible problem worse if they freely disseminate information to anyone who asks for it without properly vetting the requestor's identity," Litan said. This could "enable criminal activity," Van Dyke added.
StolenID Search could become a resource for criminals. For example, if a credit card number pops up as compromised on the Stolen ID Search Web site, it will be of lesser value than when it doesn't. TrustedID recognizes this risk.
"It is a scenario that could happen," Mitic said. "We're all best served by our database getting as big as possible so that as many cards are showing as compromised as possible."
To build up its database, TrustedID is asking anyone who stumbles upon identity data online to submit it to the company, Mitic said. One antispyware specialist, Sunbelt Software, is already providing information on potential identity theft victims to TrustedID, Sunbelt's CEO Alex Eckelberry said in a posting on the company's blog.
Ultimately, TrustedID hopes StolenID Search will bring people to its paid services. The company charges $90 a year to put a fraud alert or a freeze on an individual's credit with the three main credit reporting agencies. Placing a fraud alert can be done at no cost by the individual. The cost of placing a freeze on an individual's credit report with the different agencies varies, but is less than TrustedID's fee for performing the same task.