Defense in Depth

One week after a breached corporate health care company refused to pay extortionists, the criminals now are seeking money from the corporate clients whose employee data might have been exposed.

St. Louis-based Express Scripts said on Tuesday that a limited number of its clients--which include government agencies, unions, and employers--have received letters threatening to expose the personal information of its members. The company said the letters sent to its clients were similar to the original extortion threat it received in October.

The company also said it was establishing a reward totaling $1 million to anyone providing information that results in the arrest and conviction of the criminals responsible.

"We are cooperating fully with the FBI to assist them in their investigation and doing what we can to protect our members," said George Paz, CEO and chairman of Express Scripts, in a statement on the company's site.

In a separate announcement, Express Scripts announced that Knoll, a New York-based risk-consulting firm, has been contracted to offer expert assistance to members who become victims of identity fraud as a result of this incident.

The customer database of Express Scripts, a company used by employer health care services to provide prescription medicine by mail, has been breached. In a twist, the company said it learned of the breach in "a letter from an unknown person or persons trying to extort money from the company."

The company posted details on its Web site Thursday. The letter, received in October, threatened to reveal millions of customer records--including Social Security numbers, addresses, dates of birth, and in some cases, prescription information--on the Internet if the extortion demands were not paid. The company did not disclose what those demands were.

Graham Cluley, of security software maker Sophos, told CNET News that Express Scripts did things right. "It appears they have not paid up." He noted that's important with data theft because the criminals have the data in their possession and can keep going back to the company to get more and more money. Second, Express Scripts went to the FBI and decided to go public about the breach.

"We have identified where the data involved in this situation was stored in our systems and have instituted enhanced controls," Express Scripts said on its site.

Cluley said: "I think it's going to be old-fashioned police work that gets to the bottom of this." For example, it's possible the sender of the extortion request and the attacker used the same servers.

Usually extortion is used in connection with denial-of-service of attacks, when the criminals have nothing of value except the sheer volume of data to spew at a targeted site. A letter is sent asking for money in exchange for ending that attack.

This however is an old-school data theft. The criminals presumably have millions of customer details that can be sold on the Internet. But Cluley notes that "people's identities sell for a relatively small amount, and if you go to an auction site on the Web and try to barter on that, you might not get that much as you might potentially get by embarrassing a company."

A few weeks ago, Sophos noted a similar data breach/extortion attempt at a North American Maserati dealership. Still, Cluley said he does not think this was the beginning of a trend.

Cluley said the thieves in this case might not be connected with the established "carder" world, where personal identities are bought and sold online. "Maybe this is an accidental data leakage, something they stumbled across, maybe they're not part of the criminal community, and they're just taking their chances."

Express Scripts said it will notify affected customers in compliance with state regulations.

Researchers have found a method of cracking a key encryption feature used in securing wireless systems that doesn't require trying a large number of possibilities. Details will be discussed at the sixth annual PacSec conference in Tokyo next week.

According to PCWorld, researchers Erik Tews and Martin Beck have found a way to crack the Temporal Key Integrity Protocol (TKIP) key, used by Wi-Fi Protected Access (WPA). Moreover, they can do so in about 15 minutes. The crack apparently only works for data aimed at a Wi-Fi adapter; they have not cracked the encryption keys used to secure data that goes from the PC to the router

TKIP has been known to be vulnerable when using a high volume of educated guesses, or what's called a dictionary attack. The methods to be described by Tews and Beck do not use a dictionary attack. Apparently their attack uses a flood of data from the WPA router combined with a mathematical trick that cracks the encryption.

Some elements of the crack have already been added to Beck's Aircrack-ng Wi-Fi encryption hacking tool used by penetration testers and others.

Tews is no stranger to cracking Wi-Fi encryption. In 2007, he broke 104-bit WEP (Wired Equivalent Privacy) (PDF) in 2007. WEP was used by TJX Corp. to secure wireless cash register transmissions from its stores but criminals were able to exploit weaknesses in its encryption to commit the largest data breach in U.S. history.

Given that WEP and WPA are not secure, experts recommend using WPA2 when securing wireless networks.

In Windows 7, the Windows Security Center will be replaced with the Windows Action Center

(Credit: Robert Vamosi/CNET Networks; Microsoft)

Since Monday, I have been running a prebeta copy of Windows 7, the next operating system from Microsoft.

At first glance, build 6801 of Windows 7 appears very much like Windows Vista; that's because enhancements to the look and feel part of the operating system typically come late in the development process. Right now, the core programming is being set, and there are already some changes in how Windows 7 will handle computer security.

Gone is the Security Center, introduced in Windows XP SP2. Instead, there will be an "Action Center" that incorporates alerts from 10 existing Windows features: Security Center; Problem, Reports, and Solutions; Windows Defender; Windows Update; Diagnostics; Network Access Protection; Backup and Restore; Recovery; and User Account Control.

Changes to the User Account Control (UAC) may raise an eyebrow or two. While vastly unpopular in Windows Vista, the dialog boxes that pop up whenever a user tries to install new software, among other reasons, served a purpose.

In Windows 7, users can adjust consent prompt behavior using a slider control, if they have administrative privileges. Microsoft says they'll still be protected against malicious software, even if they never see another alert. I'm wondering if that's actually a bad idea: if people never see an alert, they might think nothing bad ever happens to their computer. We lose an element of user education.

Windows 7, which Microsoft unveiled at its PDC 2008 event this week, also introduces something called the Windows Filtering Platform (WFP). The idea is that third parties can take advantage of aspects of the Microsoft Windows Firewall in their own products. Microsoft says "third-party products also can selectively turn parts of the Windows Firewall on or off, enabling you to choose which software firewall you want to use and have it coexist with Windows Firewall."

I mentioned this feature to one major security vendor, which responded by saying it couldn't imagine running its product side by side with Windows Firewall. Also, if Microsoft had a compelling component in its firewall, this vendor said it would just build its own version, not use Microsoft's.

Other security features have been tweaked in the current build of the next Windows operating system. Scrollbars were removed in the configuration settings screen, as has the Software Explorer feature, and real-time protection in Windows 7 has been improved to reduce the impact on overall system performance.

Windows 7 extends BitLocker drive encryption support to removable storage devices, such as flash memory drives and portable hard drives. This means that users can keep sensitive data on all of their USB storage devices.

Biometrics enhancements include easier reader configurations, allowing users to manage the fingerprint data stored on the computer and control how they log on to Windows 7.

And System Restore includes a list of programs that will be removed or added, providing users with more information before they choose which restore point to use. Restore points are also available in backups, providing a larger list to choose from, over a longer period of time.

Returning from Windows Vista are Kernel Patch Protection, Service Hardening, Data Execution Prevention, Address Space Layout Randomization, and Mandatory Integrity Levels.

This information could change, as Microsoft nears the final build. Microsoft still expects to ship Windows 7 "within three years of Windows Vista," which means that it could be available sometime before January 2010.

Click here for more news on Windows 7.

Window Snyder, Mozilla's chief security something-or-other (her official title), wants to bring open source practices to the security community.

"At a lot of companies," she told me recently, "there's fear around security: you don't want to talk about what you're doing around security because one might deem it not enough--or might want to criticize it." She said most companies have a lot of reasons to keep what you're doing in security quiet, but not Mozilla. "We benefit from being open; it's the model for us and it's been successful for us."

Snyder started her security work at @Stake (now a part of Symantec) then went to Microsoft and later Matasano Security. She describes her journey as moving toward open source with each environment. At Mozilla, makers of the popular Firefox browser, Thunderbird e-mail client, and other open software, she's pretty much at ground zero.

Snyder said the idea of opening up security came about by asking, "What are we doing internally that we can make publicly available to help somebody else in some other project."

They decided to start out small. "We're starting off with secure programs and practices for C and C++. There is a focus on how to make it useful for a browser, but there is of course a general aspect to this. It's training materials, it's syllabi, exercises, it's a workshop-style class. Hopefully we'll be able to do video as well." The idea is that one employee from a company can attend these workshops and then take the training back home to train even more people.

Johnathan Nightingale of Mozilla echoed this. "It's pretty brittle if there's only one person who is the security guy or gal that always solves a problem. It's better to get that knowledge out there--whether it's working on Mozilla or some other project. By working at understanding the good habits and the bad habits, you've made a huge step forward."

In addition to training sessions, Mozilla will be making a variety of tools available. Last year Mozilla released a protocol fuzzer created by Michael Eddington, and a Javascript fuzzer created by Jesse Ruderman. Further, Mozilla admitted that these tools had found vulnerabilities within Firefox. Accepting that openness, Opera reported that the tools had also discovered a flaw within its browser product. Microsoft, maker of Internet Explorer, and Apple, maker of Safari, haven't revealed whether they used the tool to detect any flaws in their products.

Snyder says often the security story isn't that a company created a tool that found 14 vulnerabilities in it own product, it's that there were 14 vulnerabilities in the product in the first place. "Why would they want to share this tool? Maybe they want to demonstrate how successful it was because it found a vulnerability. That's something that we can do that other companies cannot."

In addition to training and tools, Mozilla wants to talk more about security metrics and threat modeling.

In this video, Window Snyder talks about security metrics.

"Threat modeling is a methodology for identifying security vulnerabilities, for identifying the risks of a security vulnerability within that application," Snyder said. "Making a threat model available shows other development environments how a complex application like Firefox gets deconstructed into threats, along with the mitigations that we've implemented to address those specific threats.

"But it also gets us feedback on whether or mitigations are sufficient. It gets the research community engaged in another point in the development process. Instead of looking for vulnerabilities at the end of the lifecycle, they're able to get involved in the threat modeling process which is between design and implementation, ideally. You want to be able to do it early enough in the process so that you can actually change at the architectural level as the result of threat modeling."

The goal, she said, is to remove whole categories of vulnerabilities. "Here's a pattern, and if we implement one architectural change we can eliminate all these vulnerabilities."

Threat modeling is more theoretical; it's abstract. "So, instead of saying concretely if you do this that and the other thing, that will result in an actual vulnerability, threat modeling, says there is no input validation mechanism, for example. If you send a request this way, you end up bypassing the input validation mechanism and you're sending content, unvalidated to this audio decoder. That would be scary. So the threat would be unvalidated content is being passed directly to the audio decoder if it comes in this way. A vulnerability would be there's an overflow in the audio decoder that an attacker is able to trigger if they craft a URL this way, and because it bypasses the input validation mechanism, all these other mechanisms that would have protected from an exploit are bypassed as well."

She concludes that the training, the tools, and the threat modeling is "good for peer reviews, it's good for testers, it's good for developers." She sees it as delivering on a promise to "to make the Web more secure."

Mozilla has been steadily demonstrating how open source projects can make money without betraying their community goals. At Mozilla, she says "we absorb the costs in criticism and we tolerate that in security because the benefit for us far outweighs everything else."

Your ordinary bank robber can now steal hundreds of account numbers from ATMs without so much as lifting a finger. Instead, he skims.

Skimming is the physical use of secondary readers to capture the magnetic tracks on the backs of credit and debit cards. On ATMs, skimmers and secondary keypads are used to capture account numbers and PINs. Often, the ATM transaction goes through, and the customer doesn't realize that the account has been compromised until later.

Two risks these high-tech criminals face are being caught fitting a faux cover over an ordinary ATM card slot and keypad, then later retrieving the skimmers in order to get the account information.

With the arrest last week of "Chao," a Turkish ATM skimmer, comes new information on the lifestyles of modern bank robbers, including details on new devices that send captured account data via SMS to their smartphones.

For about $8,000, skimmers can have their own ATM overlay capable of transmitting 1,856 cards via SMS. Bulk pricing is available. And if they don't want the information sent card by card, they can dial into the device and download the data at their convenience.

You're probably saying, "wait, I'd notice the compromise." Not so fast. These guys are good. Very good. See the photos of a compromised ATM machine on Snopes.com. Or watch this video to see how ATM skimming with SMS was accomplished last year in Pennsylvania.

Skimming got its start in South Africa, and since 2004, there have been a handful of noteworthy cases in the United States, affecting ATMs in Seattle, San Francisco, Los Angeles, and Austin, Texas. Late last year, Citibank replaced debit cards for its Manhattan customers because of a skimming operation there.

Last February, during a presentation by Billy Rios and Nitesh Dhanjani at the Black Hat conference in Washington, I saw a photograph of a warehouse full of ATM card input overlays from one of the criminal enterprises they stumbled upon. You want black? They got black. You want beige? They have that. What about white or gray? Covered.

Industry standardization of ATM readers makes it easier for criminals to copy, so a bank robber needs only to match the look and style. A second photo showed boxes of keypad overlays. Large. Small. Again, you need only to match the look and style.

Once the account information is captured, the criminals tend to burn it onto blank magnetic stripe cards (ISO standard 7810), then use it at ATMs worldwide.

How are they able to fool so many people? In a blog on ZDNet, Dancho Danchev speculates that there might be some collusion with individuals working with ATM manufacturers. His blog is full of details from a site offering these overlays.

There is a downside to having the SMS service. As with a cell phone, the devices need batteries, which wear out. And some SMS transmissions simply fail. Still, if a criminal gets 1,500 bank account numbers, I don't think they're going to mind.

LAS VEGAS--On the second day of the Black Hat security conference, a trio of journalists turned on other journalists within the press room.

This was my ninth Black Hat in nine years, and I have lived in dread year after year that such a headline would affect me. On Thursday, CNET News was named as one of the two organizations "hacked," but I disagree that any such hack occurred.

Just before noon on Thursday, a trio of reporters from Global Security Mag sat in one of the two press rooms at Black Hat. Both rooms have a wired LAN that is a separate part of the wireless network open to all attending the security conference. What happened on Thursday was not a wireless attack--it is important to stress that. Most of the reporters in the press room are veterans of security conferences and take precautions against such attacks. Even so, the press room is separate from the conference and often a safe harbor for posting our stories to the Internet. Conference speakers and members of the Black Hat staff also use this network.

Mauro Israel, one of the Global Security Mag reporters, is alleged to have used a USB on his laptop to turn it into a gateway for all Internet packets going through the wired network switch located at each table in the room. In other words, he routed all the signals going through the LAN through his computer and used a program called Cain to view the packet information. It is unclear how long this was done. Log files seen by CNET News suggest it might have only been a short period before lunch on Thursday.

Cain, the tool used to view the packet information, can be a helpful network administrator tool. But in the wrong hands, it can also be used to gain access to a network in violation of federal wiretapping laws.

After lunch, Isreal, Dominique Jouniot, and Marc Brami from Global Security Mag moved to the table where I was sitting with my colleague Elinor Mills. I use a commercial encrypted VPN service to connect to my office remotely; Mills uses the corporate VPN we have at CNET. We suspect that when I left the table, the trio turned their attention to CNET. Mills, also a veteran of many security conferences, offers a first-person account of being targeted here.

The reporters' badges sit on a chair after they were confiscated.

(Credit: Declan McCullagh/CNET News)

Ironically, I left the table to go and interview Aries Security, the guys running the Wall of Sheep, a project that passively monitors the wireless open network traffic at Black Hat and Defcon for the purposes of educating users on safe practices. What I didn't realize was that Brami, Jounio, and Isreal had been talking with the Wall of Sheep guys just prior to my arrival. One member of Aries Security, Riverside, even made a comment about "journalists hacking journalists."

I didn't get the reference at the time.

Apparently, Israel and his colleague tried moments before I arrived to get the usernames and passwords for reporters from eWeek and CNET added to the Wall of Sheep, a display of partially obscured usernames and passwords that is sometimes referred to as the "Wall of Shame." Riverside and others at Aries Security told them they would not post journalists' names to the Wall of Sheep because the press room was on a network separate from the one they were monitoring.

Another reporter that had been sitting in the Wall of Sheep room, Humphrey Cheung of TGDaily, overhead the conversation with Brami, became curious, and was allowed to take a photo of Israel's laptop screen. Those photos are important. The images that appear on the TGDaily site are redacted, of course. I later saw the originals.

What the trio of French reporters offered the Wall of Sheep was a Cain log with columns for timestamps, HTTP, client, username, and other information. From the log screen, it is apparent that on Thursday, beginning at 10:55 a.m., there were packets captured that were going out to eWeek.com. The IP address in the log resolved to a log-in page, presumably for a publishing tool used at that publication. The Wall of Sheep asks that submissions be done via Notepad file, so Israel pasted the username, password, and destination IP address into a file.

One eWeek reporter, Brian Prince, later confirmed his username and password were collected and displayed. eWeek immediately changed his password. Prince was not using a VPN for reasons he explained here.

But here's where it gets curious. A second line was added to the Notepad file, this one purportedly showing log-in information from news.cnet.com. When I saw the un-redacted photo, I knew instantly that the reference to CNET was a fake. My colleague Declan McCullagh resolved the IP address given as the destination to the CNET News home page--not a tool page, but our standard home page. That could be explained as anyone in the press room could have surfed to that page.

What tipped me off that the reference to CNET was truly bogus is that the username was a word within the code of the home page, a word anyone might find by right clicking and viewing the page source. Second, the password "control" wasn't strong enough, nor did it belong to Declan, Elinor, or myself. It was a fake.

I went back to the Wall of Sheep. Riverside was incredibly helpful, confirming that reporters from Global Security Mag had been there offering some log data. He even had the business card for Marc Brami, director of the publication. Moments later, a spokesperson for Black Hat confirmed that conference officials were looking for Brami and his colleagues as well. The three were later required to leave the conference and are banned for life from Black Hat and its sister conference, Defcon.

What I don't understand is if this was a prank--as Brami has suggested to Mills--then why didn't they simply say to Prince or anyone else in the press room that they could see their network communications? And, if they simply wanted to send a message to U.S. journalists about laptop security--as they reportedly suggested to the Black Hat officials--why did they apparently lie about CNET also being exposed?

A strange thing happened on Thursday. As the story unfolded, reporters from competing publications gathered in the press room. It was a bonding moment. The protected network in any press room is a circle of trust, and when that trust is violated, bad things can happen. Potentially everyone in the room had been a victim. And as such, we rallied around each other for support.

As a result of Thursday night's events, I think I know my security colleagues a little better, and that's a good thing. They're good, hard-working reporters. But in the future, if anyone I don't know joins me at a press table, I'm going to interrogate them, and a few others have told me they will as well, and that's a bad thing.

Like the biblical story, this instance of Cain has also brought evil into a world that was previously safe and welcoming.

Kurt Opsahl, left, a senior staff attorney at the Electronic Frontier Foundation, discusses the ejection of the three French journalists over networking snooping allegations.

(Credit: Declan McCullagh/CNET News)

Click here for full coverage of Black Hat 2008.

LAS VEGAS--This year marks my ninth year of attending Black Hat in Las Vegas. From a small gathering of security professionals in 2000 to an uberconference in 2008, Black Hat has scaled well. And the transition from private company to corporate-owned also appears smooth. But hardly anyone's here yet.

On Tuesday, there are only a thousand or so attendees of the 30-some training sessions. Already I've noticed a few minor changes from last year.

The press room is now on the third floor, away from the maddening crowds. This may or may not work since almost all the sessions are on the fourth floor. So far the escalators have been jammed during breaks and it will only get worse as Black Hat ramps up.

Lunch, served in a tent located in the front of Caesar's Palace, is now buffet as opposed to being a serviced meal. This gives quicker access to the food (no more waiting until everyone at your table had finished a course before the next course was served). However the buffet itself (at least four different food stations) also removed a good chunk of tables and seats. By my count only one thousand people can eat at one time.

To accommodate the rest of us, Black Hat is also serving boxed lunches on the third floor. My lunch ticket is for a boxed lunches. I suspect that vendors and press will be shunted into the cold box-lunch room.

There are about 30 vendors set up across from the Augustus ballrooms. Last year it was impossible to move from session to session without bumping into the vendor tables. While this year's location is better, it's still not ideal. Perhaps next year Black Hat will simply shunt the vendors into a separate room. Those who want to chit-chat with the vendors can do so, while the rest of us get to our sessions unimpeded.

The hall for Dan Kaminsky's DNS talk seems too small. Maybe they'll simulcast it on jumbo screens in the hallway. We'll see on Wednesday.

Click here for full coverage of Black Hat 2008.

Jay Foley, co-founder of the Identity Theft Resource Center, told me recently that 57 percent of all identity fraud involves opening new accounts "for short-term gain." The ITRC should know: it has been surveying ID fraud victims for several years and has amassed some impressive real-world statistics.

Foley also said 13 percent of the identity theft victims found out about the attacks only after criminals had established utility or cable service in their names. "So your credit record is more theirs than yours, making it harder to fight them in court," he said.

Clearly the best solution is to stop credit fraud at the moment it starts, when the account is first applied for, but for years credit histories and scores lay shrouded in mystery.

Fortunately, there's greater transparency with regard to credit reports these days. Since 2003, the Fair and Accurate Credit Transactions Act, or Facta, makes it possible for individuals to request one free annual credit report from each of the three major credit reporting agencies. (Go to AnnualCreditReport.com.) Initially, it was to correct any errors in the credit report; many people, however, use this process to monitor their reports for credit fraud.

While you can request all three credit reports at once, experts recommend staggering these, requesting one from a different reporting agency every 90 days or so. That way you'll see a comprehensive view. In addition to requesting your credit report, Congress, through laws such as the Fair Credit Reporting Act (FCRA), has provided other tools for monitoring your credit activity.

A fraud alert placed on your credit history requires an issuing entity to contact you first before opening a new account. Fraud alerts need to be renewed every 90 days unless you are a documented victim of identity fraud, in which case you are entitled to additional protection for up to seven years.

Another option is to place a credit freeze on your credit history. As of November 1, 2007, all three major credit reporting agencies offer this option. Lenders looking to issue credit in the name of someone with a credit freeze will be unable to access the credit history without your explicit permission. In most states there is no termination date, however there is a $10 fee to institute a freeze, and a $12 fee to lift it whenever you want to allow a credit check. These fees are waived if there is proof the individual is an identity fraud victim. The main advantage of a credit freeze over a fraud alert is that the credit freeze does not expire. Credit freezes, however, do not apply to entities with whom the consumer has an existing account. Nor do they apply to law enforcement agencies and certain governmental agencies.

The plans from Experian, Trans Union, and Equifax are similar, each providing a complementary credit report from all three reporting agencies, continuous monitoring of credit activity and any online use of your personal information, and some insurance against identity fraud abuse. The plans range from $11 to $14 per month, with annual and family plans available for less. They do not, however, place alerts or a freeze on your credit history.

This creates a market for private identity protection companies. One of the first was TrustedID, which costs $10 per month per adult (with annual and family plans available) and places both a fraud alert and a credit freeze on your credit history (requiring you to be contacted in both cases), opts you out of credit offers, $1 million in loss insurance, scans for personal data on the Internet, and monitors change of address. TrustedID also scans for medical fraud and protects against spyware.

Providing similar protection is LifeLock. This company is perhaps the best known because its CEO advertises his personal Social Security number as an example of how secure the company is. Bruce Schneier recently did an analysis of what's right and what's wrong with LifeLock as did the CNET Blogger Network's Chris Soghoian.

The Achilles' heel in all of these plans is that the financial institution does not have to make a reasonable attempt to contact you, so the fraudulent account may still get opened. Even with a credit freeze, some financial intuitions won't contact you. There's no way to prove or disprove an institution called you, said ITRC's Foley.

Until now.

Back in 2004 a guy named Bo Holland took a gamble. He bet that that identity fraud would only get worse, not better. And he was right. Having built a series of start-ups within the financial services industry, Holland had an insider's perspective on the problem; he knew how banks and other institutions handled credit requests; he also had worked at Critix Systems, so he had understanding about application delivery. With his latest start-up, Debix, an identity protection network, Holland pulled together all of his skills.

Not only does Debix put a credit freeze on your profile, but it uses its own phone number to log whether the credit institution tried to contact you. And if you're not available, Debix puts the pending account or loan on hold until you are able to return the call. And by using a Debix phone number, not your home number, on your credit report, that adds another layer of security to the product.

So how does Debix work in the real world? Say you are at a car dealership and you need to finance a new car. Shortly after the salesperson leaves the showroom floor, your mobile phone should ring. That's Debix; you know it because it's your voice saying a secret code. Then Debix asks if you indeed are seeking to establish a new account. If yes, you type in a secret personal identification number.

Say you are on vacation and Debix conveys a permission request for a new account. Since you didn't request a new account, you press star and you are instantly put in touch with a Debix investigator, who then contacts the party requesting the credit check. The advantage here, says Holland, is that the ID fraud case is still hot. In some cases, Debix has been able to identify a particular IP address and then turn that information over the local law enforcement. This saves local law enforcement time; they don't have to get a warrant for the bank's information--Debix has already provided the information.

Jerry Dixon, former director of the National Cyber Security Division of the U.S. Department of Homeland Security, told me that there are many reasons why ID fraud cases aren't investigated.

"An assistant U.S. attorney might ask 'What's the likelihood of this going overseas?' 'What is the likelihood of being able to nail down who this is without having to write 20 subpoenas first?'"

If the IP address goes out to Belarus, then Dixon says forget it; the U.S. no longer has a law enforcement attache in Belarus so it's hard to enlist sympathy from law enforcement in that country. But if a company like Debix can provide law enforcement with details from the financial institution and a party willing to press charges, your odds of getting someone arrested improve.

Sound too good to be true? In a study published by Julie Fergerson, vice president of Emerging Technologies, and Debix's Holland, the authors looked at 30,000 Debix-secured transactions during a two-month period at the end of 2007. Of those, 380 were identified as fraud and were stopped immediately. Overall, the rate of new account fraud among Debix customers was zero percent.

ITRC's Foley said he was impressed with the results within the survey. Holland told me that during the survey period there were four instances of new account fraud. In each case, however, the financial institution did not call the customer. With Debix, though, you have some recourse. Debix maintains a record and can prove the institution in question did not attempt to call the customer.

Since learning about Debix in June, I've been trying to knock the protection, but so far cannot. Holland, it turns out, is no stranger to the computer security community; since 2004 he's been showing his wares and soliciting opinions at Defcon in Las Vegas. He invited Phil Zimmerman, creator of Pretty Good Privacy (PGP) to fault it, and he could not. Holland has invited other computer hackers to pick apart his logic. Even Foley and Dixon are full of praise for Debix.

And it gets better.

As of Monday, Debix is lowering its prices "way down" says Holland. One adult can sign up for $24 a year; families with up to three adults and four children can sign up for $72; and families with up to five adults and four children can sign up for $144 a year. That's much less than similar plans being offered by Experian, Trans Union, Equifax, TrustedID, and LifeLock. And Debix has been protecting people since 2004, so it's not some untested entity.

If you can name a more secure ID protection service for less cost, I'd like to hear from you.