May 25, 2006

"ID Thieves New Tricks"

Welcome to Flo's Home Biz & Fun Blog...

Today's article was past on at AdlandPro Community, this is to inform everyone of "thieves new tricks"! Be aware of the next targets that "The Department of Homeland Security" warns that are "becoming increasingly vulnerable to hackers and viruses." and how.

"ID Thieves New Tricks"
How To Defend Yourself
By - Ed Shanahan

Cybercriminals Are Getting Smarter, YOU Can Too!

Not long after I began my reporting for this article, I was in Washington, D.C., taking a cab from the airport, when my wife called.

"There's a message from Visa on the machine," she said. "There's something going on with the card."

Weird, I thought, pulling out my wallet. The card was right there. I called the number she gave me, and hit the voice-mail prompts ("Please enter the nine-digit telephone number at which you were contacted") and finally reached a live customer service representative. "Someone in the U.K. is trying to buy a money order for $3,400 using your card number," the woman said.

"Definitely not me," I said.

"We'll block that, cancel the card, and issue a new one," she said.

"Okay. Thanks for calling."

As we went through the back-and-forth about a replacement card, I explained how almost the only time I used the one I'd just canceled was to buy gas-and only at a couple of stations. If it never left my possession, how could someone be trying to use it 3,000 miles away? "I couldn't say for sure," she said. "It could happen a lot of ways."

It's not news that identity theft-described by the federal Fair Credit Reporting Act as "the use or attempted use of an account or identifying information without the owner's permission"-is rampant in the United States. Federal and state authorities alike have labeled it the country's fastest-growing white-collar crime since the late 1990s.

And why not? We live in an age where everything from tax records to Social Security numbers to credit card data resides in databases that can be hacked, phished or pharmed by anyone with sinister motives and enough know-how.

The number of people victimized annually was last estimated at about 10 million by the Federal Trade Commission. In April, the federal Bureau of Justice Statistics reported that at least one member of 3 percent of all U.S. households were identity-theft victims in the last half of 2004. Chances are you or someone you know has been hit.

Yes, consumers have gotten savier-cyber streetwise, if you will. We shred financial documents and unsolicited, pre-approved credit card offers; check credit reports regularly; keep Social Security numbers as private as possible; delete e-mail from unknown senders as soon as it arrives; and frequently update antivirus, firewall and spam-blocking software. But for every scam we foil, the crooks are hard at work thinking up novel ways to rip us off.

When it comes to high-tech fraud, one of the most common scams is "phishing." The bad guys who do it send out bogus e-mails in hopes of scaring, enticing or just tricking the naive into giving up personal information at fake websites that resemble those of legitimate financial institutions and other commercial outfits.

The volume of phishing e-mail has reached astounding levels. The software company Symantec (of Norton fame) pegged traffic last year at 1.5 billion messages a day; less than half were blocked before reaching their destinations. Gartner, a market-research firm, reports that in the 12 months ending in May 2005, phishers duped 2.4 million Americans into revealing personal info, costing victims, banks and credit card companies $929 million.

The good news:
Computer users are getting better at telling the difference between real and fake e-mail.

The bad news: Phishermen are adapting.

"Attackers are not going to stop," says Dave Cole, a Symantec director. "They're going to go after other applications."

Maybe you've heard of "pharming," in which legitimate websites are hit with malicious computer code that steers those visiting them to look-a-like sites. Data can then be harvested without a key being struck. In a twist, there's crimeware that instead attacks browsers (Internet Explorer, for one) and does its pharming from there.

Among the most insidious new cons: "keystroke-logging," in which software planted on a computer (perhaps via a virus) records everything a user types and passes it back to an identity thief. And don't forget "screen scrapers," which can snatch and send images of what's on-screen.

Spyware is another big problem. At its most innocuous, it's just an annoyance, spawning unwanted advertising, like pop-ups. In its more nefarious form, it can arrive as a "Trojan downloader," a program that lies dormant on a computer, only to perk up later to retrieve and install destructive code under a hacker's direction. "Once that gets into your system," says Cole, "you're in for a world of hurt."

In a University of Washington study released in February of 2006, researchers found that more than 1 in 20 "executable" (.exe) files they encountered during a massive Web crawl contained "piggybacked" spyware. And, on average, 1 in 62 websites launched what are called "drive-by download attacks," trying to force spyware on users who merely visited the sites.

Adding a disturbing wrinkle to all this shady activity is the fact that your own computer can be infected by hackers so that-unknown to you-it becomes one "zombie" among thousands in a robot network ("botnet") created to attack other computers. A recent federal case against one "botmaster," 20-year-old Jeanson James Ancheta, provides a glimpse into the scope of the threat.

Ancheta, of Downey, California, pleaded guilty in January to four felony counts. In doing so, he admitted taking control of hundreds of thousands of Internet-connected computers, using the zombie machines to send adware, and also selling spammers access to his botnet. In a just over a year, Ancheta earned $58,000 for providing these services. "He's a little genius," says James Aquilina, the assistant U.S. attorney in Los Angeles who prosecuted Ancheta. "He just decided to do bad things instead of good."

While Ancheta wasn't an identity thief, Aquilina says his ability to create and command a corrupt computer network and his willingness to make it available on the black market underscore how much harm botnets could do if employed to steal identities. "They are by far one of the most significant threats we face," he says.

As my experience shows, PCs aren't always involved in digital identity theft. The Bureau of Justice Statistics' April report found that three-quarters of the 2004 incidents involved existing credit cards or other accounts. How does it happen? Thieves target account information embedded in ATM, debit and credit cards by breaking into or otherwise compromising the equipment and systems used for processing payments.

In March, for example, Citibank announced it was reissuing an unspecified number of ATM cards in Canada and overseas. The cards had stopped working for withdrawals.

Avivah Litan, a Gartner analyst, says the culprit was most likely "PIN block" card fraud, which she expects to see a lot of in the near future. In a PIN block theft, hackers break into computer servers used by retailers to store and process debit-card PIN codes collected when purchases are made.

At the same time, and off the same servers, thieves swipe the key codes necessary to unlock the encrypted PIN data. With that information, they can easily create counterfeit debit cards, which they use to clean out bank accounts. The reason Litan sees debit-and ATM-card theft rising? It's simple: Compared to credit cards, "they're better for getting cash."

That doesn't mean credit card data isn't at risk. It is-often via similarly porous processing systems. FBI cybercrime unit chief Dan Larkin says that's one possible explanation for my Visa problem. Or it could be that my account information was skimmed with a handheld device that can pull data straight from a gas pump. However it happened, it's likely multiple crooks formed the chain that broke with that call from Visa.

The person who stole the data could have sold it to someone on one of the online forums where thieves meet. Yet another person might have created a counterfeit card using my info, and sold it to the person who tried to buy the money order. But that's just one scenario: Larkin notes that with ID theft, "the trail is becoming more and more complex."

Another ripe target for identity thieves: the wireless network that more and more computer users are setting up at home. A failure to block access to these networks can allow prying eyes into your hard drive, where you may store financial information in programs like Quicken. Even people who are diligent about regularly updating their firewall and spyware software don't always enable encryption of their Wi-Fi devices.

Last November, Symantec personnel conducted an exercise in New York City. With a laptop running free software and a simple antenna affixed to their car, they drove through six different residential neighborhoods. Of the 5,700 wireless access points they found, 52 percent had no encryption whatsoever, making them available to anyone who wanted to hop on.

An unsecure wireless access point can open the door to more than just data theft. Last April, a St. Petersburg, Florida, man grew wary after spotting someone parked near his house using a laptop. Worried this person might be tapping into his wireless network for unsavory reasons, he called the cops. On arriving, they found that the man in the parked car, Benjamin Smith III, was using the homeowner's Wi-Fi service. A search of his laptop, police say, indicated he'd downloaded child pornography. (Smith has pleaded not guilty and is awaiting trial.)

Where will the bad guys turn next?
The Department of Homeland Security warns that cell phones and other handhelds (like BlackBerrys) are "becoming increasingly vulnerable to hackers and viruses."

Symantec's Cole sees instant messaging (IM) becoming a popular target. With its built-in "buddy lists," it has a cozy feel that cybercrooks find attractive. "The big thing about IM that has not been exploited yet," he says, "is that people trust it."

Cole also expects to see more attacks on browswers, and new efforts to embed crimeware on PCs. And he's already seeing phishers moving away from mimicking large institutions to posting instead as local credit unions and regional banks. Thieves, he says, are also eyeing popular blogs and networking sites like, again in an attempt to exploit users' trust.

It's possible, some experts say, that all this malicious activity is a good sign. Burt Kaliski, vice president for RSA Security, believes it shows that criminals are getting desperate.

"I think it may be the last attempt by the fraudsters to get people to fall for their tricks," he says. That doesn't mean it's time to become less vigilant, he adds. In fact, Kaliski encourages consumers to demand more protection-increased encryption and identification methods-from those they do business with online. Even more encouraging: Authorities are getting better at catching high-tech thieves. How much better? Says prosecutor Aquilina: "Better than our targets might think."

To learn more about protecting yourself... visit

Shared at AdlandPro Community by Shirley Ruth Caron.

Have yourself a Super Thursday!

1 comment:

Sarah said...

Identity theft can happen to anyone. Previously, criminals stole your wallet for your cash. Now they want your wallet to steal your good name. Protect yourself and your identity. visit for tips.