Security

Editors' note: This is a guest column. See Ari Juels' bio below.

Internet denizens and urban dwellers alike need to recognize that an era of anonymity is ending.

The population of the world stands at about 7 billion. So it takes only 10 digits to label each human being on the planet uniquely.

This simple arithmetic observation offers powerful insight into the limits of privacy. It dictates something we might call the 10-Digit Rule: just 10 digits or so of distinctive personal information are enough to identify you uniquely. They're enough to strip away your anonymity on the Internet or call out your name as you walk down the street. The 10-Digit Rule means that as our electronic gadgets grow chattier, and databases swell, we must accept that in most walks of life, we'll soon be wearing our names on our foreheads.

A study of 1990 U.S. Census data revealed that 87 percent of the people in the United States were uniquely identifiable with just three pieces of information (PDF): five-digit ZIP code, gender, and date of birth. Internet surfers today spew considerably more information than that. Web sites can pinpoint our geographical locations, computer models, and browser types, and they can silently track us using cookies. Banking sites even confirm our identities by verifying that our log-ins take place at consistent times of day.

Database dossiers, too, carry surprising amounts of identifying information, even when specifically anonymized for privacy. Researchers at the University of Texas at Austin last year studied a set of movie-rating profiles from about 500,000 unnamed Netflix subscribers (PDF).

Knowing just a little about a subscriber--say, six to eight movie preferences, the type of thing you might post on a social-networking site--the researchers found that they could pick out your anonymous Netflix profile, if you had one in the set. The Netflix study shows that those 10 deanonymizing digits can hide in surprising places.

Our physical belongings also betray our anonymity by silently calling out identity-betraying digits. Small wireless microchips--often called radio frequency identification, or RFID, tags--reside in car keys, credit cards, passports, building entrance badges, and transit passes. They emit unique serial numbers.

Once linked to our names--when we make credit card purchases, for instance--these microchips enable us to be tracked without our realizing it. One popular book inflames imaginations with the lurid title, "Spychips: How Major Corporations and Government Plan to Track your Every Move with RFID."

But wireless microchips also highlight the futility of anonymity protections. To begin with, concerns about RFID tracking miss the forest for the trees. After all, mobile phones are ubiquitous and can be tracked at much longer ranges than standalone chips. Many people have GPS receivers in their phones and are signing up for location-based services, voluntarily (if selectively) disclosing their movements. There's little point in hiding the serial numbers of chips when your mobile phone squeals on you.

Many scientists (including me) have developed antitracking techniques for mobile phones and microchips. Instead of fixed serial numbers, wireless devices can call out changing pseudonyms, such as the rotating license plate numbers on spies' cars in the movies. The problem is that the plates may change, but the car always looks the same. In this regard, chips are like cars.

Correction 2:19 p.m. PDT: An earlier version of this story and its headline significantly mischaracterized a key metric used in the IC3 report. The overall finding of the report was that complaints regarding Internet-related crimes rose 33 percent in 2008.

Complaints of Internet-related crimes soared 33 percent last year, countering two years of consecutive declines, according to a report released Monday by the Internet Crime Complaint Center (IC3).

The IC3 Web site received 275,284 complaints last year, up from 206,884 the previous year. The organization referred 72,940 of those 2008 complaints to federal, state, and local law enforcement agencies. The IC3 is a partnership among the Federal Bureau of Investigation, the National White Collar Crime Center, and the Bureau of Justice Assistance.

Referred complaints, which ranged from online auction fraud to identity theft to non-delivery of goods purchased online, cost consumers about $264.6 million last year, with the median dollar loss reaching $931 per complaint, according to the report. In 2007, the losses were less: $239.1 million.

(Credit: Internet Crime Complaint Center)

(Credit: Internet Crime Complaint Center)

As far as complaint categories of Internet crimes, non-delivered merchandise after sending a payment or delivering the goods but never receiving a payment, were at the top of the list, according to the report. Of all complaints received, 32.9 percent were related to this offense.

Internet auction fraud accounted for 25.5 percent of the complaints, while credit card and debit card fraud made up 9 percent, according to the report.

(Credit: Internet Crime Complaint Center)

Even though complaints of crimes involving non-delivered goods occurred the most, that category didn't hit consumers in the pocketbook like check fraud, which carried a median loss of $3,000.

And the most common means to engage in an Internet crime was e-mail, the report noted. In 74 percent of the reported crimes, e-mail was used, followed by Web pages in nearly 29 percent of the cases.

More than 10 million Internet users worldwide were hit with identity fraud-related malware last year, according to a new estimate from Panda Security.

The number of computers infected with active programs designed to steal personally identifiable or financial information that can be used for identity fraud, such as banker Trojans for stealing bank account information, rose by 800 percent from the first half of the year to the second half, the study found.

Of the 67 million computers that PandaLabs analyzed in 2008 for the study, 35 percent of those infected had up-to-date antivirus software installed. The number of users who have been actively exposed to identity fraud malware is about 1 percent of the worldwide population of Internet users, according to the study.

The researchers predict that the infection rate will increase by 336 percent per month throughout this year, based on the trend of the previous 14 months.

Researchers predict that the infection rate will increase by 336 percent per month throughout this year.

(Credit: Panda Security)

About 7.5 percent of U.S. adults lost money as a result of financial fraud last year, mostly due to data breaches, according to a new Gartner study to be released on Tuesday night.

In the survey of nearly 5,000 consumers, 70 percent said they had never been a victim of identity theft fraud. Meanwhile 14 percent said they had had their credit card information used to charge purchases or get money, 7 percent said their debit card was used, 6 percent said a new account had been opened in their name, 5 percent had money transferred out of their account, and 4 percent had had checks forged.

Recovering losses was easier for people victimized by brokerage, credit card, and debit card account fraud compared to victims of new loan account fraud, check forgery, and checking/savings account fraud, partly because victims didn't try to recover money.

Of those who had new accounts opened in their name, 35 percent suffered from a damaged credit rating and slightly more than half were able to restore their rating, usually in less than one month. For about 20 percent it took more than a year, and for 9 percent it took three to five years, the survey found.

Overall, less than one-third of the victims reported the crimes to law enforcement and about 5 percent reported it to the U.S. Federal Trade Commission.

Not only do many victims not report the crime, but many of the crimes go unprosecuted. There were only 564 convictions made for about 800 identity-theft-related fraud cases in 2007, according to the National Institute of Justice's Electronic Crime Program, a part of the U.S. Justice Department.

"The chances of a criminal getting arrested and convicted for identity theft-related fraud are much less than a half of 1 percent," the study said.

Not surprisingly, the survey found that financial fraud victims were twice as likely to change their behavior as a result of security incidents as the average consumer. Many of them opt to use PayPal because they believe it is more secure, the survey found.

The study also looked at why people switch banks and concluded that security and financial health of a bank were of about equal importance to consumers, said Gartner analyst Avivah Litan.

Six percent said they changed banks as a result of their security concerns, compared to 5 percent who cited concerns regarding the financial health of their banks. Twenty-eight percent said they switched banks after being victims of checking/savings account transfer fraud, and 21 percent cited excessive fees.

A recent FTC study found that identity theft was by far the biggest complaint to the agency, representing 26 percent of total problems reported.

Much financial fraud occurs from data breaches at merchants and other service sites.

(Credit: Gartner)

Update at 9:30 a.m. PST: A new chart has been added to the end of the article.

This was originally published in ZDNet's Between the Lines.

Identity theft cases surged in 2008, according to the Federal Trade Commission.

Last year, ID theft was by far the biggest complaint to the FTC, representing 26 percent of total problems reported. The next biggest one--third-party and creditor debt collection scams--represented only 9 percent of complaints.

The FTC's annual Consumer Sentinel Network report (PDF), released Thursday, details that ID theft complaints totaled nearly 314,000 in 2008, up from about 259,000 in 2007 and up substantially from about 31,000 in 2000.

The Consumer Sentinel Network is a secure online database that harvests complaints from law enforcement authorities, as well as other groups such as the Internet Crime Complaint Center and Better Business Bureau.

(Credit: FTC)

Here are the top 10 complaint categories, which often dovetail with the Internet.

(Credit: FTC)

E-mail is clearly the preferred means of propagating fraud. Scam artists are most likely going to nail you via e-mail. Phone scams have fallen from 11 percent to 7 percent from 2007 to 2008. My hunch: as more consumers use wireless as their primary phone, it's harder to track down victims.

(Credit: FTC)

What's also notable: the demographics. Twenty-somethings are most likely to get hit with ID theft.

(Credit: FTC)

Reports of data breaches in the United States increased 47 percent in 2008 from the year before, mostly as a result of lost or stolen equipment, and accidental exposure of data online, according to a new study from the nonprofit Identity Theft Resource Center.

There were 656 reports of breaches last year, compared with 446 for 2007, and an estimated 35.7 million records were potentially breached based on notification letters and information from breached companies, the study released this week found.

The breaches run the gamut, including: laptops stolen from Merrill Lynch and Starbucks; bank card information stolen from fake card readers at gas stations in Georgia; Ohio State University student Social Security numbers exposed on the Internet; a former Library of Congress employee using co-workers' data to open bogus credit card accounts; a Seattle school district inadvertently releasing teacher data to a union; financial information on mortgage files abandoned outside a Boise recycling center; and the World Bank Group's computer network being penetrated.

The reports of insider theft more than doubled to represent 15.7 percent of the breaches, while more than a third of the breaches were a result of data on the move, such as stolen laptops, and accidental exposure.

Breaches from data theft by employees doubled, to nearly 16 percent, while hacking and use of data-stealing software represented about 14 percent of the breaches. Only 2.4 percent of all breaches had encryption or other protection methods in use, and only 8.5 percent of victims using password protection.

More than 80 percent of the breaches were electronic in nature, with the rest involving paper documents.

The breaches are broken into five different data loss categories and industry areas.

(Credit: Identity Theft Resource Center)

CA announced Thursday plans to acquire Israel-based Eurekify, in a move to expand its identity and access management software portfolio.

IT management software company aims to use Eurekify's analytics engine to reduce the time and effort it takes for customers to shift through employee's duties and responsibilities and to monitor their access management settings.

The combined CA Identity Manager and Eurekify Enterprise Role Manager will aim to help customers clean up existing identity data and build a model that "serves as the foundation to automate the user provisioning process and enhances identity lifecycle management," according to Islandia, N.Y.- based CA.

The acquisition is expected to close by month's end. Terms were not disclosed. Last month, CA made another security-related acquisition with its purchase of IDFocus.

As the federal government makes efforts to protect citizens online, it is encouraging people to look out for themselves as well.

To kick off its fifth annual "National Cyber Security Month," the National Cyber Security Alliance, an organization of government, academic, and industry representatives, paired with Symantec to release the results of a national poll on Thursday showing Americans do not feel very safe online, yet they believe they are more protected than they actually are.

Just 26 percent of respondents said they felt their computers were "very safe" from viruses, and 21 percent felt their computers were "very safe" from hackers.

"We might be making it too difficult for people to feel safe," said Michael Kaiser, the director of the NCSA. "We need simple tips stripped of the jargon."

The report was released on the heels of a new law signed by President Bush last week that increases penalties for hacking and other cybercrime charges. Rolled in with an amendment to provide Secret Service protection to former vice presidents, the Identity Theft Enforcement and Restitution Act makes it a felony to damage 10 or more protected computers used by the federal government or a financial institution.

It also allows federal prosecutors to bring cybercrime charges against a person without having to meet any threshold for damages caused by the crime. In cases where an identity thief is ordered to pay restitution, the law calls for the victims to be compensated for the time they spent trying to remediate the damage.

The cybercrime provisions in the law "constitute some of the most significant laws so far" to protect people online, said Adam Rak, senior director for public awareness from Symantec. "Ultimately, though, the responsibility falls on all of us."

Rak said the three basic tools critical for keeping the average user safe are antivirus, antispyware, and firewall software.

Yet the NCSA study, which combined a survey of more than 3,000 Americans with an evaluation of 400 personal computers belonging to those surveyed, showed that most people do not have all three components.

"Just having anti-virus software is not enough," Rak said. "Picture a car with antilock brakes, airbags, and seat belts--I doubt any of us would buy a car without seat belts installed."

Just over 80 percent of respondents had antispyware protections enabled, and 95 percent had updated antivirus software. Yet just 50 percent had antiphishing protections.

Even though 81 percent of respondents said they had firewall protections on their computers, only 42 percent of those computers checked were actually equipped with them. As many as 75 percent of respondents thought they had antispam filters installed when, in fact, only 58 percent actually did.