Download music, share bank account info on P2P networks

Consumers sharing music and other files on P2P systems are inadvertently exposing personal information

It's not just the Recording Industry Association of America that people need to worry about when downloading music from P2P networks.

A surprisingly high number of consumers sharing music and other files on peer-to-peer systems are inadvertently exposing all sorts of bank account and similar personal information on their computers to criminals lurking on the networks to harvest data. And its not just users at home that are exposing information about themselves; so are a large number of employees within banks, as well as their contractors and suppliers.

That's the conclusion of a study on the dangers of inadvertent data disclosure on file sharing networks that was conducted by Dartmouth University's Tuck School of Business.

The study examined data involving P2P searches and files related to the top 30 U.S. banks over a seven-week period between December 2006 and February 2007. The university used a search engine technology from Triversa Inc. to gather and analyze all P2P traffic that mentioned these banks by name or mapped to a specific digital footprint that Dartmouth created for each financial institution. Data was gathered from P2P networks such as Gnutella, FastTrack, e-donkey and Bittorrent.

The analysis showed that a large number of searches made on those networks were aimed at uncovering sensitive financial data from individuals, said study author Eric Johnson, a professor of operations management at the school's Center for Digital Strategies. "Our analysis clearly reveals a significant information risk firms and individuals face from P2P file sharing networks," he said.

When people use popular P2P clients such as KaZaa, Limewire, BearShare, Morpheus and FastTrack, they often are sharing far more than just media files, Johnson said. "In many cases they are sharing the contents of their entire hard drive with all sorts of information" with others on the file-sharing network, Johnson said.

That's because many of these client tools are designed specifically to quickly search for and share certain types of media files on a user's system. Johnson said, Normally, such P2P clients allow users to download files to and share items from a particular folder. But if proper care is not taken to control the access that these clients have on a system, it is very easy to expose far more data than intended, he said.

There are several ways this can happen, Johnson noted in his research paper. For instance, when a music file is accidentally dropped into a folder containing other data, the contents of the entire folder could end up being shared on a P2P network without a user's knowledge. Many P2P client software tools have confusing interfaces that could result in users sharing folders that they did not intend to. Similarly, some file-sharing apps feature wizards that scan an individual's computer and recommend folders containing media to share. If a sensitive file exists in one of those recommended folders, it could get exposed, Johnson wrote in his research.

The kind of information that can be exposed in this manner is astounding, Johnson said. "We found files containing all the information needed to commit identity theft. We found almost every kind of business documents from spreadsheets to performance reviews. In one instance, we found a bank spreadsheet with account information on 23.000 business accounts that was leaked. We even found a security evaluation done by a third party contractor" of a bank network.

Almost 80 percent of the leaked information analyzed in the Dartmouth study came from home PC users. The rest came from systems belonging to bank employees or their partners, Johnson said.

While some of the information was inadvertently leaked, there are growing signs that cybercriminals are using P2P networks to specifically search for and harvest such data, Johnson said. A significant portion of the search terms that were analyzed during the Dartmouth study appeared to be looking for databases, account and user information, passwords as well as routing and pin numbers, Johnson said, Sometimes, sensitive data was accidentally exposed by the coincidental association of a search term with sensitive information. For example, users searching for songs containing the terms "Golden" Or "West" in the title pulled up files containing account information belonging to Golden West bank, Johnson said in his report. Similarly users looking to download the song "State Street Residential" sometimes pulled in data belonging to State Street bank customers.

The Dartmouth study raises concerns similar to those contained in a report released in March by the U.S. Patent and Trademark Office (USPTO). That report was based on an analysis of five specific features included in file-sharing software from Kazaa, Limeware, Morpheus, BearShare and eDonkey. The report concluded that the distributors of the software deliberately included these features in their tools, despite knowing that the features could cause users to inadvertently share sensitive data with others on P2P networks.

The report was sent to the U.S. Department of Justice, the Federal Trade Commission and the National Association of Attorneys General.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?