j’s blog

Meet the real online pirates

3/15/2005 3:40:57 PM, by Hannibal

Baseline is running a fascinating series on organized cybercrime, i.e. groups of hackers, phishers, phreakers, and the like who trade in stole credit card numbers, SSNs, and other forms of stolen identity.

Crime is now organized on the Internet. Operating in the anonymity of cyberspace, Web mobs with names like Shadowcrew and stealthdivision are building networks that help crackers and phishers, money launderers and fences skim off some of the billions that travel through the Web every day.

The players and their games change so quickly it’s hard to piece together who they are and how they work together. But that picture’s becoming more clear, as the U.S. Secret Service, the FBI and other law-enforcement agencies crack open the networks and prosecute those that run them.In this special report, writers Deborah Gage and John McCormick map out how the networks get started, how they work, what they steal, and how the feds stay on their tails.

The article likens these guys to the offline mafia, and I guess the analogy is apt in a few ways, i.e. they’re criminals, they’re organized, and they have colorful nicknames. But while the offline mob has its fingers in all sorts of unsavory pies, the number one way that the mafia has made its money since time immemorial is the protection racket. In contrast, the online thieves described by the article, who steal large amounts of personal data and sell it in underground auctions to the highest bidder, are more properly pirates. They prey on the networks that make commerce possible, and they smuggle and traffic in illicit "cargo." The problem is that "pirates" is already wrongly taken by Big Content, who use it to apply to file sharers. But whatever you call these guys, they’re costing us billions.

At any rate, I’ll end this post with a piece of advice that a surprising number of otherwise savvy people aren’t aware of: don’t ever buy anything online with a bank card; use a credit card instead. The credit card companies are way ahead of banks when it comes to dealing with identity theft. One phone call to the card company and they’ll cancel the charges, send you an affadavit to sign, and deal with getting their money back themselves. On the other hand, when crooks from Turkey steal your bank card number and clean out your bank account, which happened to me a while back, it’s a whole different story. So always use a credit card for online transactions, and watch your statements religiously.

Yahoo! News - Congress to take up growing problem of identity theft

By Frank Davies, Knight Ridder Newspapers

WASHINGTON - A growing outcry over security breaches at giant information brokers - coupled with the growing sophistication of scammers - is jolting consumers with a grim threat: They’re more vulnerable than ever to identity theft.

Congress begins a series of hearings Thursday into how data-collection companies with huge databases collect, handle and sell personal information, and whether new federal regulations are needed to improve security and privacy.

Capitol Hill is responding to growing consumer anxiety fueled by two serious security breaches at large data brokers, much of whose business is unregulated.

ChoicePoint, the largest information broker, warned 145,000 people last month that criminals posing as small businesses had accessed their personal data. The firm, which is headquartered in suburban Atlanta, compiles data on millions of Americans and sells it to companies and government agencies.

At least 750 people were defrauded, but California officials who are investigating the breach estimate that more than 400,000 consumers may have had their data compromised.

And on Wednesday, Lexis Nexis announced that intruders using identification from legitimate businesses were able to get access to information on as many as 32,000 U.S. citizens in a database of Seisnet, its subsidiary.

Seisnet, based in Boca Raton, Fla., and recently acquired by Lexis Nexis’ corporate parent, Reed Elsevier Group, supplies data to a crime and terrorism database, called Matrix, for the U.S. government.

As online shopping and banking boom, consumers are becoming more exposed to identity theft, security experts warn. The Federal Trade Commission reported that it was the No. 1 consumer complaint last year.

An FTC survey in 2003 found that 9.9 million Americans had their personal data stolen.

One of those victims, Ruth Wilburn of Cocoa, Fla., discovered that someone had opened 15 credit card accounts in her name and her mother’s name. Hundreds of miles from her home, a "Ruth Wilburn" was charging high-priced clothes, jewelry and electronics.

"Fighting this is like a full-time job, and there’s no one place to go to get help - it has been a nightmare," said Wilburn, 43, who still has bad credit two years after the fraudulent accounts were opened.

Like many victims, Wilburn isn’t sure how her identity was stolen. Thieves are finding holes in computer systems, taking advantage of insecure databases and using such low-tech tricks as persuading data brokers that they’re legitimate customers.

"Identity theft is mushrooming, from college students trying to make false IDs to sophisticated criminals," said Bill Callahan, a former federal prosecutor who heads a security company called Unitel.

Several members of Congress are proposing legislation to give the FTC more authority to regulate information brokers, improve the standards for selling data and require the data companies to notify people when their personal information has been compromised.

"If we don’t do something in the law, no American will have any privacy left," said Sen. Bill Nelson (news, bio, voting record), D-Fla., whose bill would increase FTC oversight much in the way fair credit laws cover the credit industry.

Sen. Dianne Feinstein (news, bio, voting record), D-Calif., is pushing the notification bill. She said the ChoicePoint breach wouldn’t have come to light without the strong California law requiring notification.

Several members of both parties also want restrictions on the use and distribution of Social Security (news - web sites) numbers, which scammers use to set up false accounts. Rep. Joe Barton (news, bio, voting record), R-Texas, chairman of the House Energy and Commerce Committee, has said he favors some restrictions.

Sen. Patrick Leahy (news, bio, voting record), D-Vt., warned that if criminals are finding it easier to get personal data, terrorists could do the same.

Deborah Majoras, the chairwoman of the FTC, will testify Thursday before the Senate Banking Committee - the first of several hearings - and said she’s open-minded about legislation.

"We may have some gaps in the law and there may be some need for legislation," Majoras said in a brief interview after meeting Monday with Nelson.

Consumer groups are pushing for more regulation. They also want more rights for consumers to protect data about themselves and for companies to be required to correct the information when it’s wrong.

"With the fallout from ChoicePoint, I’m optimistic Congress will act because we have two important ingredients - a scandal that woke people up and the fact that states are showing the way," said Ed Mierzwinski, who heads consumer programs for the U.S. Public Interest Research Group.

Industry representatives are cautious and point out that data brokers, or aggregators as they’re called, are often compiling and selling information that’s already public.

"These companies are not the bad guys, and the industry wants to work to improve security," said Mike Zaneis, director of congressional affairs for the U.S. Chamber of Commerce (news - web sites).

"I don’t think we need new regulations."

ChoicePoint has faced a wave of bad publicity. It’s disclosed that it’s under investigation by the FTC and the Securities and Exchange Commission (news - web sites). The company’s two top executives earned $16.6 million from stock sales after the security breach was discovered but before it was made public.

ChoicePoint’s CEO, Derek Smith, announced that he would support additional federal regulation and that the company would stop selling sensitive data to small businesses and instead concentrate on corporate clients and the government.

The company also hired a top security official from the government, Carol DiBattiste, to improve security and the screening of customers. DiBattiste, a former Air Force undersecretary, was deputy administrator of the Transportation Security Administration.

Seisnet and Reed Elsevier will move quickly to notify any customers affected by the security breach, a spokesman said Wednesday, and improve ID and password procedures.

Davies reports for The Miami Herald