Identity theft and fraud are, perhaps, the two most serious problems facing the Internet. Direct economic losses in the United States totaled over $574 million in 2004, according to the Federal Trade Commission. If not curbed, these crimes have the potential to make the Internet so untrustworthy that electronic commerce might slow considerably.
All the good things weve come to appreciate about the Internet are in danger of being taken away from us by international criminals. And technology is only a partial solution to protecting Internet users.
The “social engineering” nature of many of these attacks may be resisted by educated users who are unwilling to fall for scams perpetrated by criminals “phishing” for personal data. But the growing sophistication of the worlds criminals demands technology, banking, and law enforcement solutions as well.
It can be a perplexing problem. As Microsofts Jim Allchin told me recently at WinHEC about the phishing threat, “If someone wants to click on a link, can we stop them?”
Viruses, hackers and spyware can all be dealt with through mostly technological means. But how can technology help someone whos decided to click on a link that appears to be part of a message from his or her bank—but really isnt?
While e-mail and Web sites can be authenticated to help deal with the phishing problem, wide adoption of that technology—or even agreement as to what technology to use—has yet to be achieved. In the meantime, our best defense may be the educated user, who is also protected by the latest anti-virus, anti-spyware, firewall and privacy-protection software.
I am writing this column as an answer to the people who write me asking how to deal with phishing and identity theft issues. Some have asked for detailed advice, which I hope this column will provide. Please feel free to forward it to anyone who might benefit. You are welcome to print it, quote from it, link to it, anything that will help get the word out. All I ask is a credit for eWEEK.com.
Recently, I spoke with John Norman, who works for a company called the Advanced Systems Group, a Denver-based systems. He did an excellent presentation during an eSeminar I moderated last month that dealt with phishing and identity theft.
“Fraud and identity theft are not new,” Norman told the seminar attendees. “But the Internet is making it accessible to more criminals.”
He cited Federal Trade Commission statistics showing that 635,000 complaints were received from victims of ID theft and fraud during 2004. The average consumer spends 28 hours resolving an identity theft case, the FTC said.
How to Avoid Getting
For the eSeminar, Norman prepared the following list of things users should do to prevent becoming a victim of online crime. Ive added a few of my own items to Normans list, reproduced here:
- Be wary of e-mail! Never click on any link to a bank, eBay, or other merchants. Instead, open a browser (not just a new window) and type in the URL yourself. When in doubt, call the institution using the number listed in the phone book, not one provided in the e-mail or link.
- Nobody needs to verify your passwords. Ever.
- Practice good computer hygiene. Dont click on attachments. Run both anti-virus and anti-spyware applications. Firewall and privacy protection software are also a good idea. Update this software, as well as your operating system, on a regular basis.
- If asked to call someone, use the listed telephone number and ask for that persons extension. Criminals often give scam telephone numbers to intended victims.
- Consider the single-use credit cards available from Visa, American Express and other institutions.
- Only provide personal information when you initiate the transaction and never when someone requests it, whether online or over the telephone.
- If a resident of Texas or California, consider a credit freeze.
- Order credit reports yearly and review them carefully. (These are often available for free. Visit www.privacy.ca.gov for information.)
- Watch credit card and bank statements for small withdrawals. These are sometimes used to take small amounts of money that customers dont consider to be worth reporting. But 10 cents a month from 100,000 accounts really adds up.
- Encrypt it or shred it. Use a cross-cut shredder (makes confetti, not long strips which are too easily reassembled) or burn documents containing personal information. Do not store PINs on your computer; lock them up or encrypt them.
- Dont provide (or offer) unnecessary information. Ask yourself, “Why do these people need my information?”
- Lying is OK. At least, in some circumstances, such as questionnaires which require an answer. Make something up. (A friend of mine has both a real birthday and a fake one that she usually gives out.)
If you follow these tips, you will avoid many of the scams and traps that criminals create to gather personal information which they then turn into cash. You will also help protect yourself against the accidental release of information, as well as against unscrupulous marketers and other lower life forms.
In thinking about online crime, its useful to remember the Internets Cold War roots. Designed to survive a nuclear attack that took out portions of the network infrastructure, the Internet was not designed to prevent hacking and identity theft. When access to the Internet was limited, crime wasnt a problem. But when the network was opened to literally the entire world, it also took on the worlds problems, including criminal activities which the network was ill-prepared to thwart.
Meanwhile, the criminals are becoming ever more sophisticated. And this is where it may be that no amount of user education will help.
In a “worst nightmare” scenario, criminals hijack the Internets name servers or users desktops and redirect users to faked sites when they type in correct Internet addresses for banks or other institutions. Such attacks could be difficult or impossible for victims to recognize and will require technological solutions, both at the Internet-client and infrastructure level.
If this type of undetectable—until too late—attack were to become widespread, the potential damage to electronic commerce might mirror what the attacks of September 11 did to other parts of the world economy. This potential damage is whats driving the global search for Internet weaknesses that can be fixed before its too late.
Here are some links you may find useful:
- Federal Trade Commission Identity Theft Web site: www.consumer.gov/idtheft/index.html
- Credit freeze and ID theft information for California (most states have similar sites run by the state attorney general): www.privacy.ca.gov
- Our eSeminar on Phishing and Identity Theft can be found at http://www.eseminarslive.com/article2/0,2290,1788725,00.asp There are many other security-related Web seminars on our site as well. Visit www.eseminarslive.com to sign up or view previous eSeminars.
Contributing editor David Coursey has spent two decades writing about hardware, software and communications for business customers.