Archive for May, 2006

Do the Cops have the Tools to fight eCrime? Japanese Phishing arrest shows the way forward

Wednesday, May 31st, 2006

On May 29, 2005 the Kyoto police arrested a man suspected of phishing using fake Yahoo Japan auction sites. The cops busted the fellow through good old detective work – monitoring the financial institutions where stolen money had been wired, and seeing who showed up to pick up the cash.

This is a great example of how the world of traditional law enforcement needs to come into the cyber age to defeat eCrime. Consumers need faster and easier ways to report online crime to the relevant police agencies. Cops need the tools to route complaints to the right departments and to gather information and launch online investigations *IN REAL TIME*.

To track down cybercriminals, you must be able to get the credentials (e.g. bank account numbers, credit card numbers, ATM numbers) that have been phished or stolen by crimeware (e.g. keystroke loggers). And you then need to monitor those accounts for fraudulent access, and then track where the money is actually coming out of the system and into the crooks’ hands. Then you put real live cops at the bank or ATM machine and catch the guys.

This is extremely difficult to do with today’s legacy law enforcement infrastructure.

Calls by the US Government for ISPs to monitor traffic so that the NSA can search for terrorist activity are all well and good. But who is looking into giving our law enforcement community the tools that they need to protect our citizens and financial institutions? You can be sure that some of the eCrime loot is ending up in terrorist hands already.

Operation Global Con – Over 500 Arrests

Wednesday, May 24th, 2006

Reuters today reported on the arrests of over 565 scammers over the last year, as reported by the U.S. Department of Justice.

The US Department of Justice claims that about 2.8 million people have fallen victim to Internet, telemarketing and mass mailing fraud schemes. Losses are estimated at over $1 billion. The scams include fake sweepstakes, fake pre-approved credit cards and loans.

That’s about $360 of loss per person. Not a huge number, but boy does the overall take add up!!

Here’s an example of how the distributed nature of the Internet can make many small crimes add up in a big way. The ‘Net allows a small band of organized e-criminals to launch thousands or millions of individual scams. Each one is hardly worth investigating or prosecuting, but when you look at the aggregate total, it is big money.

eCrime Data Warehousing Opportunity – 26 Million Vet Records Stolen

Tuesday, May 23rd, 2006

A helpful Veterans Affairs employee decided to be very diligent, and take his work home with him. Too bad his work was an unencrypted CD-ROM with 26 million veterans’ names, Social Security Numbers and birth dates. Even worse is that his house was broken into, and the thieves made off with the data.

Firstly, encryption of portable data, whether on CD-ROM, USB Flash Drive or on a laptop computer, needs to be mandatory for all government employees, financial services employees and healthcare employees who have access to sensitive identity and personal information.

Secondly, let’s think about what a sharp criminal mind would do with these 26 million records. Well, they are probably not worth much as they are. However, syndicate them into an identity data warehouse, and you’ve got the makings of a serious eCrime resource. The bad guys aren’t stupid (well, ok, not all of them). By taking the techniques that have long been used in direct marketing, loyalty schemes, internet marketing and credit scoring, the smart bad guys will have databases where they can slowly aggregate information about people until they have usable identity profiles.

Think about it…. get a Social Security number and DOB from a stolen CD-ROM. Patch it together with credit card details and home address from a credit card breach at a physical merchant. Perhaps cross-reference with a cellular phone call log database. Over time it’s pretty easy to build up increasingly detailed databases of identity information.

It’s exactly what traditional marketers have been doing for years.

And just as the marketing world has databases that you can rent, or bonded mailing houses that will send your promotional mail to thousands of targeted people, so the eCrime world will evolve.

President Bush creates Identity Theft Task Force

Monday, May 22nd, 2006

On May 10, 2006, US President George Bush signed an executive order creating the nation’s first ever “Identity Theft Task Force”. The task force will marshal the resources of the Federal government to crack down on the criminals who traffic in stolen identities and endeavor to protect American families from this crime.

I’m happy to hear that such a task force has finally been convened. Many diverse efforts throughout the federal government, and in industry, have been trying to chip away at the problem. Perhaps this will be a way to share communication about the various efforts that are underway.

The first act of this task force appears to be sending educational literature to 4,500 victim advocacy groups across the country. That’s a great start, but to really make a dent in identity theft will require a real investment in IT systems for sharing attack and theft information, stronger data protection enforcement at credit bureaus and those who use the information that they provide, and even a possible re-engineering of the way that crucial bits of information like social security numbers are used.

Consumers need more control over their own identity information, and the security of that information. Having so much information and access to credit tied to simple information like a SSN, your Date of Birth and your address seems dangerous at best.

Online scams create millionaires

Monday, May 22nd, 2006

Fortune magazine has an article today, May 22 2006, about the fortunes of Nigerian online scam artists.

This is an example of organized online crime, and how the differing legal and enforcement environments in various countries can foster this type of behaviour. It also makes one wonder if some of these activities are state-sanctioned or even state-sponsored.