Phishing
But if the thieves are more patient, they can get by with less information and create a phantom version of you and have that phantom apply for credit cards, buy things with those cards, and then not pay for them. While there are examples of the direct theft method (such as Russian hackers who used key loggers to raid French bank accounts last year), most thieves seem to prefer identity theft, presumably because it involves less expertise.
Anyone who can walk into a department store and apply for a credit card can do it—the trick is to impersonate someone else while doing so. But to impersonate someone the thief needs specific data about that person. The most computerized way of getting such data is called phishing, a re-spelling of fishing, the act of dangling a hook with bait in the water and waiting for a fish to bite it. Usually, phishing involves sending spam e-mail that tries to convince the recipient that he or she needs to supply personal information to the sender.
In the US, phishing attacks have risen to the point where a user with a long-standing e-mail account (one that’s been around long enough to have gotten on all the hacker lists) can expect to get several a week. Yes, banks he’s never heard of are supposedly informing him that his account will be suspended if he does not log on immediately and provide full identification information to ‘confirm’ the account.
Amazon and PayPal are frequent disguises, also. The e-mails usually include artwork that you’d associate with the bank or service, and a link to a URL that looks like it could be legitimate, but the hyperlink takes you elsewhere. Also, the text is often filled with grammar and spelling errors.
The thief can start stealing after getting only a name, address, social security number (in the US) and date of birth. If the thief can get the number of an existing credit card, so much the better, since he can skip the step of applying for a new account.
What’s new? Computerized speed
While social security numbers were once used as an alternate means of identification and birthdays were printed in newspapers, in the face of all these cyber-threats the trend now is to keep both secret. Go ahead and reveal what year you were born, urge the experts, but say you were born on January 1 unless there is a real need to give the real date, and then be sure you can trust the person asking for it. Obviously, the new cyber age has thrust us into a world filled with new dangers.
Except it really hasn’t - none of these dangers are new, and evidently most thieves are not terribly computer literate. For instance, a recent report by the Council of Better Business Bureaus showed that on-line fraud was involved in only 9% of identity theft cases, and only 3% of total cases resulted from phishing.
Data taken from lost wallets (the old-fashioned, leather kind) accounted for 30% of the cases. Another 15% involved family members, friends, roommates, or other acquaintances of the victim who chose to impersonate the victim, and probably got the necessary data by asking for it politely. Another 15% involved fellow employees who probably got the data from office files. Eight percent involved mail that had been stolen or misdirected. The rest had unknown sources.
In fact, the number of Americans victimized last year by identity theft actually fell 4%, although the total was still a shocking 9.3 million people. The average fraud was $750, the same as last year, and cost the victim $420 to fix. But the crime was hardly without risk, since the victim could identify the thief in a third of the cases.
What’s new these days is that when things go wrong they go wrong at computerized speeds. For instance, last month two newspapers in Boston discovered that the packing slips tucked into thousands of bundles of Sunday newspapers were recycled, and the backs contained computer-generated lists of names and credit card numbers. About 220,000 subscriber accounts were compromised.
At about the same time, a Boston bank revealed that it had been trying for the previous six months to get a nearby hospital to stop faxing it medical reports, which contained not only confidential personal information but results of medical tests. They shredded the misdirected faxes.
As if to top that, a Canadian distributor then complained that its toll-free fax number was one digit away from that of an American health insurance company, and over the previous 15 months it had received more than a thousand misdirected faxes from US doctors, often with personal and financial information.
Indeed, various US states now require that a consumer must be informed when a corporation loses confidential data that involves that person. The Federal Government is considering a similar law. The sum of these disclosures indicates that as many as 50 million Americans have had their personal data compromised during the past year. Many of these incidents, however, involved lost storage tapes or laptops that contained large files. The files may not have fallen into the wrong hands. But it will be interesting to see if, next year, the number of victims is still falling.
Lamont Wood