Phishing and spyware threaten e-commerce

ChoicePoint Inc and LexisNexis may face withering criticism for not keeping identity thieves out of their massive databases, but information brokers are far from the only sources of the Social Security numbers, addresses and other data that fuel the fast-growing brand of fraud.

Just ask Brielle LaCosta, whose personal data was stolen when she responded to a seemingly official e-mail purportedly from online auctioneer eBay Inc.

Within a few days of filling out the online forms, a car she had put up for auction had been sold out from under her and someone had run up $12,000 (Dh44,087) in charges on her credit card.

"I was stupid," said the 20-year-old college sophomore from Connecticut. "I put it all on there."

She is not the only one. Despite high-profile security breaches at big data aggregators such as ChoicePoint and LexisNexis, online attacks, inside jobs and old-fashioned burglaries provide crooks the bulk of the personal data they need to open fake credit-card and other accounts.

The rise of online commerce, in particular, has been a boon to thieves. Obtaining sensitive identifying information has become so easy, according to investigators, that the wholesale rate for valid credit-card numbers has fallen to as a little as a dollar apiece.

"Consumers are not equipped to defend themselves properly," said Gartner Inc data security analyst Avivah Litan.

Among thieves' weapons of choice are so-called phishing attacks such as the one that snared LaCosta, in which e-mailers pretend to be from a bank or other commerce site and refer people to sites that look official, and the use of spyware that surreptitiously logs account passwords as victims type.

As those tools become more effective, "There's no lack of supply of stolen credit-card information," said former Assistant US Attorney Scott Christie, who prosecuted members of Shadowcrew, an accused identity-theft ring.

Some thieves try to obtain card numbers issued by banks in specific parts of the country, making fraudulent purchases less likely to stick out on consumers' bills because they look local.

So worried are people about attacks that the percentage of online shoppers willing to enter a credit-card number has flattened out after several years of sharp growth, sparking concern that electronic commerce might start to slow down.

"It took several years for e-commerce to take off," said Shawn Eldridge, chairman of the Trusted Electronic Communications Forum. "Now the same problem is creeping up. The underlying trust people have in the internet is being eroded again."

To be sure, identity theft is nothing new and plenty of information is swiped through tried-and-true methods that originated long before the rise of the Internet or data miners such as ChoicePoint and LexisNexis.

In many cases, the original leak of sensitive data comes from an employee inside a merchant or other company.

A forthcoming study of 1,037 identity theft arrests found that more than 50 per cent involved corporate insiders, said study co-author Judith Collins, a criminal justice professor at Michigan State University.

"The biggest problem is the workplace, and the biggest problem in the workplace is there's a lack of personnel security," Collins said. In one instance, a contract employee at General Motors Corp took information on thousands of company executives home from her last day of work.

She was caught and convicted, but while still on probation, she was hired elsewhere and did the same thing, Collins said.

Robberies and burglaries trigger some identity thefts, giving criminals enough information to take out a loan in the victim's name or charge purchases to an existing credit card.

Some restaurant and gasoline station workers run credit cards through unauthorised, special machines in order to copy the encoded information that can be used to make counterfeit cards. Big scores come from corporate databases or volume operations such as spyware and phishing.

The ChoicePoint and LexisNexis thieves gained regular access to much broader files on ordinary citizens maintained by the two data giants. As is far more common, Shadowcrew got hold of card numbers and other information from hacked databases, prosecutor Christie said.

Biggest breach

"Many online merchants have credit-card databases that are accessible online, which makes it very tempting for hackers who can get hundreds of thousands or even millions of numbers at one fell swoop," he said.

Thieves have rifled through the databases of companies including BJ's Wholesale Club, CD Universe and Data Processors International, a credit-card handler with files on 8 million MasterCards and Visas.

In California, the biggest possible breach so far reported under the state's unique disclosure law came at the University of California, Berkeley, where a researcher had the Social Security numbers, names and dates of birth of more than 1 million people stored on a computer that was hacked.

Trade-group leaders and industry analysts say penalties are slight and enforcement has been weak, in part because many of the crooks are members of organised crime rings based overseas.

The problem has been compounded, they say, because no single US agency is in charge of investigating ID theft and related fraud.

Cases are divided among local and state authorities, the Secret Service, the FBI and the many multi-agency task forces set up by geographic area.

The Trusted Electronic Communications Forum was founded last year by IBM Corp, Best Buy Co and other companies to develop standards for combating phishing attacks with technology. Since then, the number of malicious e-mails has soared, more than doubling in the three months through January.

Even longtime internet users have been fooled by phishing pitches. Mark Nichols, a consignment store owner in Crosby, had been planning to update his credit-card information on his eBay account when an e-mail told him his account had been suspended.

"I believed it because I knew the credit-card number I used needed to be updated. It took me to a site that looked OK," Nichols said.

After he entered his user name and password, Nichols wondered why his account page did not appear.

Returning to the original e-mail message, Nichols studied the link and realised it had not taken him to an official eBay site after all. Nichols quickly changed his password and avoided serious consequences.

As for Brielle LaCosta, she got the same bogus account suspended message as Nichols. She thought the information she was entering including a bank card and code number and the password for her e-mail account seemed excessive.

But she really wanted to sell the Volkswagen Jetta she had just put up for bidding on eBay.

Two days later, she could not sign in to her eBay account. A friend checked and told her the Jetta had been sold.

LaCosta figured out that her incoming e-mail was being forwarded to an America Online account, and she struck up an instant-message conversation with the man who had bilked her.

Method

The man said he was working in Italy for a group that paid for his and others' tuition in exchange for phishing financial information. That information, he said, went into a database that helped get false identities for illegal immigrants in the United States.

The thief took $200 (Dh734.78) out of LaCosta's bank account and ran up $12,000 in credit-card charges.

Merchants covered those, leaving as her biggest loss so far the mor