That is the question we ask in our most recent column in the New York Times Magazine. Along the way, we try to clear up some misconceptions about the subject, and get a guided tour of a hacker chat room where credit-card numbers, passwords, and PINs are bought and sold. Below is some of the research cited in the Times piece, along with some extras.
+ Steven Peisner is a veteran of the credit-card industry whose current company, Sell It Safe, helps merchants avoid fraud. Peisner spends a lot of time monitoring hacker chat rooms, and also sussing out fraudulent sites like this fake Bank of America website. A close look at the site reveals that its URL has nothing to do with Bank of America, but in fact reads “www.paypalacustomers.com.” “Even hackers get tired,” Peisner explained, “and sloppy.” The site will accept any keystrokes as a login and password; on the following page, a form asks for a complete array of personal information including – oops! – “Father Maiden Name.” (Warning: unless you really want to hand over your personal information to the hackers who created this site, don’t enter any real data.) [Addendum: a few hours after this blog post, the page described in the previous sentence was disabled; it had been in existence for at least two weeks.]
+ In this paper called “Why Phishing Works,” computer scientists Rachna Dhamija (Harvard) and J.D. Tygar and Marti Hearst (both at Berkeley) found that the best phishing sites were able to fool 9 out of 10 people.
+ In his forthcoming book Stealing Your Life, reformed fraudster Frank Abagnale (famous for Catch Me If You Can) argues that identity theft is extraordinarily easy to commit and very difficult to stop.
+ And yet a new report by Javelin Strategy and Research (which, admittedly, is funded by financial institutions) found that identity theft has actually leveled off. The full report isn’t available to the public, but this consumer version is, along with this summarizing press release; the Federal Trade Commission has also reported a leveling-off of identity theft.
+ Here is a Victim’s Guide for Identity Theft issued by the Los Angeles County Sheriff’s Department, which runs one of the most aggressive identity-theft task forces in the U.S. If you’re curious about your own vulnerability, take this safety quiz from the Better Business Bureau.
+ The TowerGroup, a research firm owned by MasterCard Worldwide, recently found that “banks are not yet ready to dedicate resources to solving any ID theft problem,” which leaves the onus largely on the merchants.
+ In this ingenious credit-card prank, the prankster wonders how crazy he would have to make his signature before someone actually cares.








Comments (34)
ah.. er, I do

— bmc

Canadian government has had to shut down its e-tax system, which was hacked on the weekend, so they must care ….
— RandyfromCanada

As a marketer I have found this to be an issue that is increasingly popular among companies who have access to this information. Many customers are putting this issue at the top of the list when choosing a bank, credit card, or any other process in which confidential information is necessary. A majority of my clients are banks, and at least 3 out of 4 messages to their customers in the past few months have been regarding identity security measures. Maybe this is all talk to make customers feel secure. Really there is no way that they can physically prove to their customers that their information will be safe. Their marketing message may not match what they are actually doing. I think I feel a new topic for my blog coming on. Thanks Stephen. (www.FreshPeel.com)
— FreshPeel

With respect to the credit card receipt signature issue, from what I understand the purpose of the signature is so that fraudulent charges can be later contested. I.e., you claim a charge isn’t yours, and the merchant and credit card company verify the signature as one means of checking out the issue. Note also that you can now purchase things with a credit card and never sign anything — such as online, at gas pumps, etc.
— wdevries

You can find the post I just promised at: http://www.freshpeel.com/2007/03/security-mascaraed.html or just go to http://www.FreshPeel.com
— FreshPeel

I just looked at the NY Times this morning online and read an article titled “Violent Crime in Cities Shows Sharp Surge” by Kate Zernike, published March 9, 2007.
Here is the link:
http://www.nytimes.com/2007/03/09/us/09crime.html?hp
I could not find an email address for Mr. Dubner and Dr. Levitt so I posted the article here. SORRY!
In Freakonomics it talks about attributing the decrease in crime during the ’90s to Roe v. Wade and the legalization of abortion. I was just wondering if anyone had a quirky explanation for why “[v]iolent crime rose by double-digit percentages in cities across the country over the last two years” as Ms. Zernike states in her article. Does anyone have an idea?
— ndiacou

Regarding the fake Bank of America site — I am amused that IE7’s vaunted anti-phishing feature fails to flag the site as suspect.
— stankwell

Firefox does not recognize it as a phishing site either (FF and IE7 rely on a registry of known fake sites); also, I think they only worry about https sites. Note that it also does not use https, which should clue most people in to a problem (anything asking for a password which does not use https is exposing that password in clear text). The first thing any user should know is that the URL bar should go yellow and a lock symbol should be shown if asked to enter sensitive information.
— pkimelma

I hope you have separated out the friend/relative ID theft, as that is still the most serious problem.
What is odd about people not recognizing Phishing scams is that there is one very easy way to check. When an email has links to where you should go, just hover over the link. The status bar will show the URL. If it does not match the name of the company (and they never do), that is a good clue. The vast majority of Phishing emails have the link to a numerical URL, and that is an instant clue it is Phishing.
The problem for financial institutions is that they are trying to provide convenience and the costs to them so far have been relatively low. The problem for the customers is that most phishing mails are designed to scare you into acting quickly (“your account is about to be closed”; “you charged $600 for this item, tell us if this is wrong”; “someone has been trying to access your account, please change password and confirm data”; etc.), and enough people are scared into acting.
If people would at least verify it is an https (secure) page, this would stop a lot of this problem right off.
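The three by-hand checks in the comment above (does the link text match where the link really goes, is the host a bare numeric address, is the page https) as a small link-triage script. This is an added example, not code from the post or its commenters; the message it scans is constructed, and treating the last two labels of a host as the "company name" is a deliberate simplification.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail): two links whose visible
# text names a bank domain but whose href goes elsewhere, plus one genuine link.
SAMPLE_EMAIL = """<p>Your account is about to be closed. Please
<a href="http://www.paypalacustomers.com/login">sign in at bankofamerica.com</a>
to confirm your details, or visit
<a href="http://203.0.113.7/confirm">https://www.bankofamerica.com/</a>.</p>
<p>Statements: <a href="https://www.bankofamerica.com/statements">www.bankofamerica.com</a></p>"""

DOMAIN_IN_TEXT = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude company-level name of a host: its last two labels (simplification)."""
    return ".".join(host.lower().split(".")[-2:])

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_link(href, text):
    """Warnings for one link: the three checks from the comment above."""
    warnings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        warnings.append("not https")
    if is_ip(host):
        warnings.append("bare IP address as host")
    shown = DOMAIN_IN_TEXT.search(text.lower())  # a domain named in the link text
    if shown and registrable(shown.group()) != registrable(host):
        warnings.append(f"text says {shown.group()} but link goes to {host}")
    return warnings

def triage(html):
    """Map every href in a message to its list of warnings (empty list = ok)."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}

if __name__ == "__main__":
    for href, found in triage(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(found) or "ok")
```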
pkimelma: People don’t check. We take it for granted… that’s the problem.
Btw, “…and get a guided tour of a hacker chat room where credit-card numbers, passwords, and PIN’s are bought and sold”
In IRC there are chat rooms where passwords aren’t even sold. You just have to type in some command like !password and a bot will list down a list of passwords for known sites et al.
— Chewxy

If you hover the cursor over the link in a message in Apple Mail, it will show you the real URL.
I’ve been fooled by a few phishing attempts but I don’t click links in that kind of email but instead go to the website I’m used to and see if that connects to the same info claimed in the email.
— jonathank

A handy thing to keep in mind is that nobody, least of all financial institutions, relies on e-mail to keep customers aware of important goings-on.
Therefore, whenever anybody that you don’t know personally appears to be telling you something important in an e-mail, you should ignore it.
That’s the beginning and end of phishing defense (and rids us of stupid e-mail forwards, which bother me more than phishing, frankly).
— Mango

This can be solved very easily. Whatever bank or merchant accepts invalid credentials to issue a new credit card is responsible for all direct and consequential damage to the defrauded individual.
— derekweb

To “pkimelma” …
The fact that you *do* see ‘https://’ is NOT .. I repeat, NOT any sort of guarantee that you are on a ‘secured’ site. The phishers use a small .php file to fully spoof the URL .. *including* the ‘https’ and have been doing that for about the past 3+ years.
A considerable amount of current ‘anti-phishing’ literature fails to take that into account and keeps promoting ‘https’ as ‘safe.’
The ‘little yellow lock’ indicator of a valid security certificate has also been compromised for about the past year or so. Yes, on the spoofed ones there is a warning pop-up box that not all elements of the certificate match the current site you’re on, but most end-users will click right on through.
End-users don’t know what the certificate means for starters nor have they ever double clicked one to check. No reason to, right? This site is my banking site, yes? I was told that if I see the lock, I’m safe, yes? The pop-up warning, for most, is meaningless.
I’m puzzled by the Javelin Strategy and Research and FTC reports stating that ID theft has ‘leveled off.’ I don’t see that at all. And how may people actually report to the FTC? Most victims don’t know reporting to them is even an option.
There is so much more on this that is part of the overall issue .. including holes in marketing and where marketing *is* part of the problem .. and ‘tired hackers.’ :)
Looking forward to the article.
— lonewolf13

derekweb, the problem is that the phishers are getting real credentials. People do move and they do apply for new cards, so the question is how the bank or merchant knows it is invalid?
— pkimelma

As to the problem of people not checking, the issue is how to make it easier for the users. The difficulty is that the system does not know you think you are going to a bank or e-commerce site, so it cannot protect you. Otherwise, it would be easy enough to enforce certificates and other controls.
One method proposed in the past was a separated application for entering in certain sensitive information. If you do not see that application start, then you know there is something wrong. By making it distinctive, fake popups cannot be created to look like the app, etc. But, this never got going because they could not get all the browsers on board (read MS, who wanted their own method). It is a shame, because it is possible to train people never to enter certain information except into a special dialog/app, but you have to get a common method for this to work.
@pkimelma and derekweb:
Validity of credentials doesn’t matter. The simplest formulation of the real problem of identity theft is formulated thusly –
If Lender A lends money to Person B, then Lender A should *not* be able to demand repayment from Person C.
There is no legal or moral reason why A should be able to demand money from C. The fact that A thought B was C at the time is immaterial.
— Mango

lonewolf13, if people ignore a warning that a certificate is invalid or missing, then there is a real problem. This is about the same as buying a “Rolex” on the street corner. The browsers are pretty clear that this is not good. Since you got this after clicking a link from an email, it should be sounding alarm bells. But, I agree that the browsers could do better. By lock, I meant at the bottom of the window and the URL line being colored. The newer browsers do not allow you to fake this without the warning. Yes, some phishing sites use a lock favicon, but that should not be enough to fool someone.
— pkimelma

Mango, the problem is how a bank knows person B is equal to person C or not, if person B has all the confidential information of person C. You are supposed to keep your private information confidential. But, you can contest invalid charges and all, so the risk is rarely actual charges (although many people pay the charges without knowing it). The problem is that your credit report is trashed and it is hard to get repaired.
The problem is that it is a seemingly victimless crime. My card was double swiped at a restaurant and 3 months later the guy created a new card with my info on it and went on a shopping spree to the tune of over $7k. I notified the bank that my card was being run and it took about 2 weeks to get my banking back in order, but I didn’t have to pay anything, I don’t think the bank had to, and the one left holding the bag is the retailer (I think).
Nobody suffers enough to change their behavior and it just keeps on going and probably results in higher credit card fees, retailer charges, prices in stores and the consumer is the one that gets screwed - yeah!
— finnadat

pkimelma:
“the problem is how a bank knows person B is equal to person C or not, if person B has all the confidential information of person C.”
Indeed, but this should be the bank’s problem, not the customer’s. It’s easy to blame the customer for not being diligent with personal information, but why should it be the customer’s responsibility for preventing banks from giving money to fraudsters? Quite simply, it shouldn’t, for the reason stated in my previous post. Whoever holds the money is responsible for keeping it safe.
And insofar as customers are suffering from problems caused by identity theft, we have a real problem. I would suggest that government action may be needed to sort this out. If Person C is the subject of identity theft, there should be clear way to demonstrate this is the case (typically this part isn’t hard), and then there should be legislative onus on the banks to undo any harm to that person’s finances and/or reputation.
“This is about the same as buying a “Rolex” on the street corner. The browsers are pretty clear that this is not good.”
For some reason the average person has an easy time understanding the security implications of buying a watch out of a briefcase, but not so much the implications of an explanatory warning dialog in a browser.
— Mango

You’ve got more influence than I have - I went through the FTC information site on Identity Theft a week or so ago and could not find what all the hype was about. In fact, I think this is an over hyped fear. I wrote about it on my blog.

— Doug Karr

http://www.douglaskarr.com/2007/03/01/internet-fraud/
“Indeed, but this should be the bank’s problem, not the customer’s.” - the problem is balancing convenience with security. In the old days you had to show up in person for any financial transaction, so fraud was much less common. But, we as consumers want convenience. This means we want it to be easy to buy things, open accounts, etc. How a bank validates information is a tricky problem, given how much confidential information seems to leak out (phishing sites being one way). Of course, a lot of identity theft is still relatives, and that is a problem as they have access to most confidential information.
— pkimelma

If banks and others are held fully responsible, then consumers have no impetus to protect their information. As it is, consumers normally only suffer from the pain of fixing broken credit records, not financial costs. So, phishing attacks work in part because people do not see real consequences from filling out information on web pages. If consumers were held more responsible (as they were when dialing 976 and 900 numbers for example - a previous scam), they would learn a lot faster I expect.
Let me preface this comment by stating upfront that our company “Kena Kai” (www.kenakai.com) sells a product line designed to stop a potential form of identity theft associated with the new “contactless credit cards”.
In regards to the comments above I think you touch on very valid points and I believe the answer is a combination of all. We (individuals and companies) all need to be more vigilant and responsible with the data we give out and the data that is entrusted to us. People will always be able to find ways to ‘scam’ others and there seems to be an endless supply of victims, especially since we are all connected electronically as never before in history. There will always be victims that are not as sophisticated as the scammer.
On the other side of the coin, the amount of personal information bouncing around cyberspace about all of us is mind-blowing! We give it out all too freely, and after we’ve given it out it is often sold off. When it’s not sold off we’re at risk of someone “losing” the data, or the system being hacked.
I believe anyone on this blog is probably fairly well versed on the basic precautions that one should take — and anyone following this subject knows the multitude of articles written about the subject daily. I for one would agree that the subject certainly seems to be getting a lot more attention these days not less. As for the actual occurrences of identity increasing or decreasing, I’d place my money on it increasing.
In an earlier post someone talked about our quest for ‘convenience’ and I think that is a big part of the problem. We live in a society where we are always searching out more convenience and we usually will trade away a little privacy for this convenience — most of the time without even knowing. How many Americans use their ‘club cards’ at the supermarket, pharmacy or hardware store?? Who do they think pays for their subsequent discounts? They tell us to ‘sign-up’ for the card and we do. Meanwhile all this data is being sold over and over again.
The ‘convenience’ factor will also play a huge role in the credit card companies’ roll-out of their new ‘contactless credit cards’. Their motivation of course is the entry into a market that was previously the almost exclusive realm of their only competitor — cash. They now have a new medium that can compete with cash for the “under $20” purchase. This is a $724 billion market segment!
I have no doubt that this new type of credit card will catch on because it really is much quicker and the public will love the ‘convenience’ factor. The potential new identity theft issue here though is the security of this data that is wirelessly transmitted from card to reader. Again, you will have people on both sides of the aisle here, but the fact is that studies have been done that have ‘taken’ information such as name, cc#, and expiration date wirelessly from a distance much further than the “stated” maximum. Why couldn’t someone with a juiced up reader simply sit in a crowded public place and take data all day long? People’s pockets would be picked without their cards actually leaving their wallets. This would happen wirelessly through their clothes.
We all need to take much more responsibility and precautions in regards to our personal data. We’re prone to jump at new technologies without considering their potential downsides. If we’re willing to take on new technologies, we must be aware of their limitations and know how to protect this new medium.
[Our company, BTW, sells a line of radio-frequency blocking/shielding wallets specifically designed to protect the new contactless credit cards. These 'DataSafe Wallets' have been tested and approved by the GSA to meet the new Homeland Security FIPS-201 security protocols for “electromagnetic opaque sleeves”. These are the only line of wallets currently approved. Our view is that if you are going to embrace this new, more convenient, technology that you also need to protect it.]
— KenaKai

KenaKai, be aware that the next step just beyond the contactless cards is the contactless purchase using mobile phones (using the same NFR). People want this convenience, but they are assuming and counting on the vendors to not expose their data in clear text. As you say, the first round of these has been worrisome, as *some* data has been sent out unencrypted and easily read by anyone nearby.
— pkimelma

You can read more about the disincentives faced by both lenders and credit bureaus to stop identity theft in my article “The Jewel of Their Souls: Preventing Identity Theft Through Loss Allocation Rules,” available at 64 University of Pittsburgh Law Review 343 (2003).
— Jeff Sovern

Regarding violent crime (above) - Ummm, it’s the greatest political trick of the twentieth (now twenty-first) century to use rising crime to justify policy measures.
Crime is falling despite what people like Rudolph Giuliani say (and do) about the matter. Those figures quoted in the Times are a load of old cobblers.
The only forms of crime that have risen nationally since 1974 are 1. Drug offences and 2. Car theft, according to the Federal Government’s 2005 review of crime in the United States. Albeit gun related crimes (importing, trafficking and deaths) have all remained steady in that period in proportion to population growth.
This is a trend that has been repeated around the world (well, in western developed nations at least).

— ACS0202

Jeff, I think the point is that no one has an incentive to do much about it, except those least able to (the smaller merchants). As long as the general population “worries” about it, but does not get penalized enough to modify their behavior, they are not the solution. Banks and credit card companies have no incentive, as you say. Merchants have an incentive, except that any action they take will lose customers, so harm them more (sadly, the smaller merchants pay the biggest price, and are least able to do anything about the problem). Police have no incentive, since the criminals are unlikely to be in their jurisdiction. The FBI or Interpol would be best suited to the task, but do not care about small crimes - arrests would likely have little impact, since there are too many small time crooks involved. The only likely outcome of new legislation will be to focus on credit rating companies, who make it very hard to fix broken records - but that does not actually address the problem at all.
— pkimelma