ID Thieves New Tricks: How to Defend Yourself-Wealth Building

上一PieceArticle： Maria Bartiromos Money Talks: Married, With Money

ID Thieves New Tricks: How to Defend Yourself

How to Defend Yourself

Not long after I began my reporting for this article, I was in Washington, D.C., taking a cab from the airport, when my wife called.

"There's a message from Visa on the machine," she said. "There's something going on with the card."

Weird, I thought, pulling out my wallet. The card was right there. I called the number she gave me, and hit the voice-mail prompts ("Please enter the nine-digit telephone number at which you were contacted") and finally reached a live customer-service representative. "Someone in the U.K. is trying to buy a money order for $3,400 using your card number," the woman said.

"Definitely not me," I said.

"We'll block that, cancel the card, and issue a new one," she said.

"Okay. Thanks for calling."

As we went through the back-and-forth about a replacement card, I explained how almost the only time I used the one I'd just canceled was to buy gas -- and only at a couple of stations. If it never left my possession, how could someone be trying to use it 3,000 miles away? "I couldn't say for sure," she said. "It could happen a lot of ways."

We're All Vulnerable
It's not news that identity theft -- described by the federal Fair Credit Reporting Act as "the use or attempted use of an account or identifying information without the owner's permission" -- is rampant in the United States. Federal and state authorities alike have labeled it the country's fastest-growing white-collar crime since the late 1990s. And why not? We live in an age where everything from tax records to Social Security numbers to credit card data resides in databases that can be hacked, phished or pharmed by anyone with sinister motives and enough know-how.

The number of people victimized annually was last estimated at about 10 million by the Federal Trade Commission. In April, the federal Bureau of Justice Statistics reported that at least one member of 3 percent of all U.S. households were identity-theft victims in the last half of 2004. Chances are you or someone you know has been hit. Yes, consumers have gotten savvier -- cyber streetwise, if you will. We shred financial documents and unsolicited, pre-approved credit card offers; check credit reports regularly; keep Social Security numbers as private as possible; delete e-mail from unknown senders as soon as it arrives; and frequently update antivirus, firewall and spam-blocking software. But for every scam we foil, the crooks are hard at work thinking up novel ways to rip us off.

Attackers Don't Stop

When it comes to high-tech fraud, one of the most common scams is "phishing." The bad guys who do it send out bogus e-mails in hopes of scaring, enticing or just tricking the naive into giving up personal information at fake websites that resemble those of legitimate financial institutions and other commercial outfits.

The volume of phishing e-mail has reached astounding levels. The software company Symantec (of Norton fame) pegged traffic last year at 1.5 billion messages a day; less than half were blocked before reaching their destinations. Gartner, a market-research firm, reports that in the 12 months ending in May 2005, phishers duped 2.4 million Americans into revealing personal info, costing victims, banks and credit card companies $929 million.

The good news: computer users are getting better at telling the difference between real and fake e-mail. The bad news: Phishermen are adapting.

"Attackers are not going to stop," says Dave Cole, a Symantec director. "They're going to go after other applications."

Maybe you've heard of "pharming," in which legitimate websites are hit with malicious computer code that steers those visiting them to lookalike sites. Data can then be harvested without a key being struck. In a twist, there's crimeware that instead attacks browsers (Internet Explorer, for one) and does its pharming from there.

Among the most insidious new cons: "keystroke-logging," in which software planted on a computer (perhaps via a virus) records everything a user types and passes it back to an identity thief. And don't forget "screen scrapers," which can snatch and send images of what's on-screen.

Spyware is another big problem. At its most innocuous, it's just an annoyance, spawning unwanted advertising, like pop-ups. In its more nefarious form, it can arrive as a "Trojan downloader," a program that lies dormant on a computer, only to perk up later to retrieve and install destructive code under a hacker's direction. "Once that gets into your system," says Cole, "you're in for a world of hurt."

In a University of Washington study released in February, researchers found that more than 1 in 20 "executable" (.exe) files they encountered during a massive Web crawl contained "piggybacked" spyware. And, on average, 1 in 62 websites launched what are called "drive-by download attacks," trying to force spyware on users who merely visited the sites.

Adding a disturbing wrinkle to all this shady activity is the fact that your own computer can be infected by hackers so that -- unknown to you -- it becomes one "zombie" among thousands in a robot network ("botnet") created to attack other computers. A recent federal case against one "botmaster," 20-year-old Jeanson James Ancheta, provides a glimpse into the scope of the threat.

Ancheta, of Downey, California, pleaded guilty in January to four felony counts. In doing so, he admitted taking control of hundreds of thousands of Internet-connected computers, using the zombie machines to send adware, and also selling spammers access to his botnet. In a just over a year, Ancheta earned $58,000 for providing these services.

"He's a little genius," says James Aquilina, the assistant U.S. attorney in Los Angeles who prosecuted Ancheta. "He just decided to do bad things instead of good."

While Ancheta wasn't an identity thief, Aquilina says his ability to create and command a corrupt computer network and his willingness to make it available on the black market underscore how much harm botnets could do if employed to steal identities.

"They are by far one of the most significant threats we face," he says.

Crime in the Cards

As my experience shows, PCs aren't always involved in digital identity theft. The Bureau of Justice Statistics' April report found that three-quarters of the 2004 incidents involved existing credit cards or other accounts.

How does it happen? Thieves target account information embedded in ATM, debit and credit cards by breaking into or otherwise compromising the equipment and systems used for processing payments.

In March, for example, Citibank announced it was reissuing an unspecified number of ATM cards in Canada and overseas. The cards had stopped working for withdrawals.

Avivah Litan, a Gartner analyst, says the culprit was most likely "PIN block" card fraud, which she expects to see a lot of in the near future. In a PIN block theft, hackers break into computer servers used by retailers to store and process debit-card PIN codes collected when purchases are made. At the same time, and off the same servers, thieves swipe the key codes necessary to unlock the encrypted PIN data. With that information, they can easily create counterfeit debit cards, which they use to clean out bank accounts. The reason Litan sees debit- and ATM-card theft rising? It's simple: Compared to credit cards, "they're better for getting cash."

That doesn't mean credit card data isn't at risk. It is -- often via similarly porous processing systems. FBI cybercrime unit chief Dan Larkin says that's one possible explanation for my Visa problem. Or it could be that my account information was skimmed with a handheld device that can pull data straight from a gas pump. However it happened, it's likely multiple crooks formed the chain that broke with that call from Visa. The person who stole the data could have sold it to someone on one of the online forums where thieves meet. Yet another person might have created a counterfeit card using my info, and sold it to the person who tried to buy the money order.

But that's just one scenario: Larkin notes that with ID theft, "the trail is becoming more and more complex."

Unwanted Guests
Another ripe target for identity thieves: the wireless networks that more and more computer users are setting up at Home. A failure to block access to these networks can allow prying eyes into your hard drive, where you may store financial information in programs like Quicken. Even people who are diligent about regularly updating their firewall and spyware software don't always enable encryption of their Wi-Fi devices.

Last November, Symantec personnel conducted an exercise in New York City. With a laptop running free software and a simple antenna affixed to their car, they drove through six different residential neighborhoods. Of the 5,700 wireless access points they found, 52 percent had no encryption whatsoever, making them available to anyone who wanted to hop on.

An unsecure wireless access point can open the door to more than just data theft. Last April, a St. Petersburg, Florida, man grew wary after spotting someone parked near his house using a laptop. Worried this person might be tapping into his wireless network for unsavory reasons, he called the cops. On arriving, they found that the man in the parked car, Benjamin Smith III, was using the Homeowner's Wi-Fi service. A search of his laptop, police say, indicated he'd downloaded child pornography. (Smith has pleaded not guilty and is awaiting trial.)

上一PieceArticle： Maria Bartiromos Money Talks: Married, With Money