
Comments on: FAQ: Demystifying ID fraud

The trail of online fraud leads through malicious Web sites, hacked databases, underground criminal forums, and across country borders. We'll guide you through it.

(15 Comments)
by Harrison912 May 5, 2009 9:42 AM PDT
As a web site owner of safety and security products, this topic is extremely important to me. I actually sell keyloggers for parents and corporations to use for legitimate reasons but definitely don't want one hiding on my computer. Thanks, Elinor, for sharing this important information.
by Michichael May 5, 2009 10:15 AM PDT
Bank accounts aren't even the only threat nowadays - game accounts, such as WoW or other serial keys often fetch high prices as well. I've found that most (95%+) malicious websites/scripts target Internet Explorer 6 or 7, and by just using pure, virgin Firefox the odds of an attack being successful drop dramatically - but it can still happen. Vulnerable plugins, such as Flash or PDF often are the culprit but even Firefox has its holes. The best thing I've found to date is Firefox and the plugin "NoScript" which lets you define your own white list. After a week of using it, you rarely even think about it any more - it strips every script, flash, or other app from the web page until you allow it specifically [temporarily, or permanently]. And it's completely free - I haven't had any spyware on my system, viruses, or anything, even going to known bad sites in a sandbox, since I started using it. I highly recommend it.

Other than that, once your data is stolen, this article is spot on what the underground does.
by 0ri0n May 5, 2009 10:32 AM PDT
Why does no one see the connection between the pervasive sharing of personal information for the sake of marketing products or targeted advertising, and identity theft??

Who ever thought this "share-first", "opt-out" later philosophy wasn't going to lead to more problems for the general public?

Personal information is an asset, no matter how you look at it. It is valuable, and people need to recognize to be proactive to protect it. This means, you should have to 'opt-in', not opt-out of having your personal information shared. You should have a choice on whether your medical records become part of some national database, and what parts of your personal information any agency (except government) is allowed to keep.

Why should we have to hunt down every warehouse able to gather and store our information and, if it gets breached, the people whose records just got compromised get to be the victim TWICE over as the criminals conduct their abuse, and then the credit companies flag their record as 'suspect'. If you have had your identity stolen, through no fault of your own, you still end up doing all the work to repair it.
Thank you for "Opt-Out".

Your information should be safeguarded, and UN-SHARED, by default. Security breaches should involve punitive damages and compensation to be paid to the records of victims compromised - even if no damages can be ascertained. After all, your data would be better protected if every company knew even a breach could cost them heavily.

Why people can even wonder "how can we stop all this", when this kind of crime has only become more prevalent with the corporate sharing of personal information...is simply beyond me.
by setjeff15081947 May 5, 2009 6:09 PM PDT
Firstly, OriOn, let me say the three stars that make up your belt in the sky is my favorite constellation. On a more serious note, your analysis and posting are absolutely correct; "Opt-Out" serves no one interested in Privacy ... only those bombarding everyone with Scam-E-Mails. Although it can be reduced, I think we've opened Pandora's Box on this one, and we'll never completely stop this crooked activity. It's too profitable ... and much too easy to avoid punishment to skirt an "Opt-In" law. I'm on every known "Do Not Call" and "Do Not Solicit" list I know about ... yet I still average a couple of calls per week from these pests, and at least one Solicit-Mail a week from the scum.
I believe I'm not going to be fond of the rest of my life in the 21st Century.
by wrightj62 May 5, 2009 11:10 AM PDT
Great article, I will be sending this to my mom, maybe she will stop sending me those jokes from her friends!
by mikefxlee May 5, 2009 11:49 AM PDT
Go to YouTube, search for mikefxlee, look at the video ID theft proven. I'll need a new SSN but what's more blatant than that video. I called my credit card company and they said my SSN was wrong?!? But I have proof I used my SSN with the card on 3/23/09. A receipt.
by tgtmx May 5, 2009 12:12 PM PDT
Consumers and businesses are at a huge disadvantage when it comes to online fraudsters who have a lot going in their favor including powerful tools that evolve quickly, no geographical boundaries, determination, and the anonymity afforded them on the web.

One thing definitely NOT in their favor is "device fingerprinting" technologies that enable online businesses to profile computers instead of the person connecting to their web site in order to assess the risk associated with the person at the computer.

And it isn't just banks or etailers that benefit from device fingerprinting -- anywhere online that someone logs in, creates a new account or buys something with a credit card is an opportunity for fraud such as online dating or travel sites.

Device identification takes away one of the online fraudster's most powerful weapons--anonymity--without relying on the consumer's personal data or disrupting their online experience.

Last week online fraud prevention made a showing at Finovate Startup 2009, a tech conference devoted to technology for financial institutions. Online fraud proved to be the top areas of interest at the conference. Fraud is an old problem, but the stakes and risk are much higher thanks to the internet.

It isn't just about stopping fraud, device fingerprinting allows online businesses to recognize returning customers and provide a better online customer experience too. I've watched our product catch fraudsters pulling every stunt in the book to fool our customers and get stopped in their tracks.

If you want to learn more, here's a recent article on the subject:
http://www.networkworld.com/newsletters/techexec/2009/042009bestpractices.html
by elinormills May 5, 2009 12:57 PM PDT
Device fingerprinting does seem to be effective, but some people have privacy concerns with it:
http://news.cnet.com/8301-1009_3-10226742-83.html?tag=mncol
by tgtmx May 5, 2009 2:45 PM PDT
Yes, I can see how some might be concerned about privacy issues. Any technology can be used for purposes other than what it's designed for and device fingerprinting is not immune. It's up to the business using the technology to play by whatever rules are set -- whether their own or otherwise.

Not all device fingerprinting technologies are created equal. I should know, I work for a fraud prevention company -- ThreatMetrix -- that offers an on-demand fraud prevention solution. It should be noted that device fingerprinting is highly effective at the point in time when a computer connects to a web site...like logging into a bank account or at a shopping cart page.

It offers online businesses the means to build trust and protect consumers "at the front gate" of their website without having any prior knowledge of the person. The best place to identify a fraudster or a returning customer is before a transaction occurs. Banks encourage customers to bank from home -- shouldn't the bank know if the computer trying to log in is communicating with a botnet originating off-shore? Shouldn't E-tailers know when a computer making a CNP purchase is hiding behind a proxy to mask their true geo location? As long as they can define how they want to handle the exceptions (and they can with ThreatMetrix) -- they have the power to fulfill on their side of the deal to protect themselves and their customers in the way that suits their business.
I have seen first-hand how fraudsters (a nice word for cyber criminal) aggressively attempt to commit their crimes 24 hours a day, 7 days a week. I've seen how effective device fingerprinting is at stopping fraudsters at the gate.

I'd rather be known by my computer's fingerprint when I check into a website than by my login credentials and personal data.
by jim barin May 5, 2009 11:32 PM PDT
The credit card companies are the real cause of the exponential rise in credit card fraud, while charging Shylock rates of interest they have an apparent disregard for positive action except for a few cosmetic dabs around the edges.

Credit card transactions at ATMs can be made secure by an eye scan or fingerprint reader, but because this means spending real money those will always be non-starters unless the government steps in and demands such checks. A store near where I lived took a Polaroid of everyone using a credit card, and these were held for three months in case of fraud, very few stolen credit cards were used there.

You and I are paying for the fraud, while the credit card companies can offload the losses they will sit back and rake in the profits. To stop the thieves in their tracks the credit card companies must be forced to pay losses due to fraud out of existing profits without being able to raise charges - and when that happens watch real effective measures implemented post haste.
by BOTNET May 7, 2009 10:07 AM PDT
jim, clearly you don't know much about ATM credit card fraud .... do you know how small this is in comparison to other fraud?

eye scan or fingerprint reader? Are you serious? Americans refuse to give this info to government, why would they give it to private companies?
by rteeples May 6, 2009 11:41 AM PDT
Good issue to raise.
by BOTNET May 7, 2009 10:05 AM PDT
Elinor, this is really a 10-minute research article, I would give you B- or C ...

1. The best protection you did not mention is simply not to share sensitive information online. Now you probably think I'm crazy, but .... almost every credit card company allows you to generate a virtual card number which behaves like your normal CC number but can be used only once. Which means that if you use it to buy XYZ online and somebody steals it from the merchant, it's useless for the second purchase.

2. The other important thing (what most people don't use) is a virtual keyboard - because you don't use the keyboard but click on pictures on the screen (e.g. HSBC uses it to login to their site), hackers cannot steal your password by monitoring your keyboard.

3. Encrypt all sensitive data on your home PC, again not many people do this, but there are tons of very good tools like PGP which allow you to encrypt whole folders or drives

4. I don't even have to mention that Firefox or Google Chrome are more safe than IE or SAFARI ...
by eswong May 12, 2009 9:28 AM PDT
Good points. Also, when I don't know if an email is a phishing attempt, first I assume it is, and delete it. If it is legitimate, it will get resent. If I still question whether or not it is legitimate, I enter totally bogus information, made up name, SSN, account #, and if the information is not kicked back as incorrect, it's phishing!