

Ask HN: Why Not Spam Identity Thieves? - eliyak

How about pre-loading user databases on commercial websites with lots of fake data? There are plenty of username generators out there, also password generators, and I even found a valid credit card number generator (without the security data, of course). Identity thieves would suddenly have to deal with a major noise&#x2F;signal problem.<p>I don&#x27;t have the energy&#x2F;time&#x2F;skills to make this work, but I&#x27;m sure someone out there does.
======
Pyramids
This would only work against _very_ low level / amature phishing operations.

Most of these systems not only validate user login information (often in real
time) but also place live authorizations on cards to make sure they are valid.

For example, the "credit card generator" you found probably just uses
MOD10/Luhn to generate 'random' numbers, starting with 3/4/5 depending on the
card type you select.

If you're looking to simply add friction to low level identitiy thieves, it'd
probably work, but the real question is what is your motiviation?

Your time would be better spent contributing to existing phishing prevention
projects, or attempting to coordinate with network providers to get these
sites taken down more quickly, the majority of victimization occurs from large
scale data theft or professional phishing / malware operations like
IceIX/Citadel, not Joe Blow's Wells Fargo phishing page.

------
sillysaurus
Interesting idea, but if you pre-loaded a database with a bunch of fake
profiles, then the hackers would simply use all profiles after id N. So you'd
have to continually be generating new "fake" profiles during production, which
would cause extra load for the servers. That translates into higher cost.

~~~
eliyak
Maybe the application could generate a randomized number of _empty_ fakes
whenever a new user signs up, and then fill them up overnight or during
another low-load period. But this would obviously not help as much if the
system was already compromised.

Also, to make things really convincing, there would also need to be fake
transactions which the application could somehow recognize as such. The
solution to that might be with fake products, these being in fake product
categories that are in a fake category root. Complicated, yes.

