Archive for December, 2006

Professor Cate Weighs in on Identity Theft and Fear Factors

Thursday, December 28th, 2006

The Privacy and Data Protection Legal Reporter spoke recently to professor Fred Cate, distinguished professor of law and adjunct professor of informatics at Indiana University.

Professor Cate highlights 3 emerging areas of real concern in ID fraud:

1. Insiders… people we know are the biggest source of ID theft.

2. Phishing. Companies cannot stop it, and it is a real danger for those who give out information.

3. Synthetic identities. Criminals are creating fake identities rather than stealing existing ones.

Stock Pump And Dump Phisher Identified

Tuesday, December 26th, 2006

The SEC has filed a complaint against an alleged “pump and dump” scammer who used phished account logins of brokerage customers to buy penny stocks, inflating their value.

Evgeny Gashichev is accused of stealing the identities of 25 online brokerage customers, and using their accounts to buy penny stocks that Gashichev had earlier purchased in his own account. Gashichev supposedly turned a $30,000 investment into $353,000 in about six weeks with the scam.

He has been tracked down via several IP addresses of computers that he used to log into the online accounts and make the trades. He is hiding from authorities and is believed to be in the St. Petersburg area.

Forgetful Londoners lose USB Drives, Mobile Phones and Laptops in Taxis

Saturday, December 23rd, 2006

A recent survey of taxi cab drivers in London, San Francisco and Washington found that commuters in London, UK, were the most forgetful. In the last six months, people left over 54,000 phones, 3,000 laptops and almost 1,000 USB flash drives in London taxi cabs.

Let's hope Santa brings a big bag of encrypted devices for Christmas!

French Privacy and Your IP Address

Friday, December 22nd, 2006

A French court has ruled that music companies and other copyright holders cannot monitor Internet traffic without permission from the courts. The groundbreaking case could leave record companies in France open to prosecution for invasion of privacy, due to their monitoring of the IP addresses of users of peer-to-peer file sharing.

What this effectively does is make copyright holders obtain the permission of the courts, similar to a search warrant, before conducting surveillance of IP addresses of end users.

Not that this will impact anyone outside of France. In the rest of the world, anyone can monitor your IP address and your web surfing for whatever purpose they desire.

EPIC and High-Tech Companies At Odds over Privacy

Tuesday, December 19th, 2006

In a bizarre twist, a number of technology companies, including Microsoft, Hewlett-Packard, Google, eBay, Intel and Oracle, are going to launch a push to lobby for consistent privacy legislation in the USA.

Typically, high-tech companies hire lobbyists to fight new legislation.

The opinion of Marc Rotenberg of the Electronic Privacy Information Center is that the notices preferred by these companies are insufficient to protect online privacy, and that state legislation often protects the privacy of individuals more strongly than federal rules.

Passwords and the Recent MySpace Phishing Attack

Tuesday, December 19th, 2006

Bruce Schneier has written a nice article about how people seem to be choosing better passwords than they were 10 years ago. He studied 34,000 passwords, and analyzed them for strength (alphanumeric, upper and lower case, length).

So, where did he get 34,000 fresh passwords to test, you may ask?

Well, they were recovered from a phishing server that was hosting a MySpace phishing attack.

MySpace estimates that more than 100,000 people fell for the attack last month, before it was shut down.

Yes, people still do fall for phishing attacks…