The Federal Trade Commission (FTC) announced in September that 27.3 million Americans have fallen victim to identity theft in the past five years. About half of those thefts took place last year. According to the FTC report, the thefts resulted from several outlets that include credit cards, ATM machines and the Internet. These thefts caused billions of dollars in losses for businesses and consumers.
The prominence of the Internet is often blamed for the increase in the number of identity thefts. But that view of the Internet as a wasteland filled with digital highway robbers is greatly exaggerated, according to one lawyer specializing in information security and technology law.
Randy Sabett, an attorney in the Cybercrime and Information Security practice at Cooley Godward LLP in Virginia, said the focus today is on greater occurrences of identity theft on the Internet. But he finds that blaming the Internet for the large number of identity thefts is more of a misguided perception than a prosecutorial reality.
“The more traditional ways [of identity theft] are still there. It’s still easy to obtain false identification from the government. But offline carelessness can be worse than online activity,” said Sabett, a former crypto engineer and current co-vice chair of the ABA Information Security Committee and an adjunct professor at George Washington University. “Technology is only one component,” he told TechNewsWorld.
“There is no such thing as fully preventing identity theft,” he warned.
Reading the Fine Print
Is identification theft on the rise? Sabett said lawyers are not in agreement on that point. Much of the answer to that question depends on how you define identity theft.
The FTC defines identity theft as occurring when con artists hijack a consumer’s personal identifying information — name, address, credit card or social security number — and use the data to open new charge accounts, order merchandise or borrow money. “That is a very broad net,” he said.
By comparison, the Identity Theft Resource Center definition is much narrower, said Sabett. That definition says an identity theft occurs when an impostor ruins a person’s credit history.
Some lawyers, Sabett noted, think the rising number of identity thefts being reported online is only the result of computer-industry hype designed to convince people to buy more security products.
Using Common Sense
Sabett said people need to use common sense when exposing their personal information. Consumers must be aware of where the personal information they provide, whether online or offline, is used. That means reading the fine print and reading the privacy policies of companies with whom they share their information.
Better consumer awareness is an important ingredient of identity protection online, agreed James Hurley, vice president and managing director for security at Aberdeen Group. “Market research shows a sharp increase in awareness by consumers over the past year,” he told TechNewsWorld. The recent flood of news media coverage of worms and viruses has galvanized the public.
“Newspapers finally got the story right,” Hurley said. “It scared the daylights out of consumers.”
Hurley recommends several basic essentials for safeguarding your online identity. First and foremost, he said, you must have a firewall. Next in importance is constantly updated virus-protection software. No identity-protection plan is complete, he added, without spyware-monitoring software.
Paying close attention to Web site access procedures is also very important. Sabett tells his clients that they can’t just cut and paste passwords anymore. Computer users should diversify their passwords and not place information on any Web site that doesn’t provide a strong password-selection procedure, he said.
Ian O’Sullivan, an associate principal at Delta Corporate Services, added more details to reinforcing passwords. “The best thing individuals can do to protect themselves against identity theft is to change their password … right now.” A strong password is a randomly generated sequence of letters and numbers no less than eight characters long. It should be interspersed with upper- and lowercase letters if the system taking the password is case sensitive — for example, “Eye4GOtIT.” Alternatively, it should have both alphabetic and nonalphabetic characters, such as “Ob3#Hayv.”
A strong password could contain phrases, nonsense words, combinations of words or even intentionally misspelled words, such as “pazwordsrez.” Better yet is to have a punctuation mark in the middle of the word — such as “canugue?ss” — or between two words, such as “mybest!one.” In addition, passwords should be changed on a frequent basis, said O’Sullivan.
Beyond the Password
With advances in technology, passwords are becoming easier for computer thieves to steal. A digital signature is one line of defense beyond passwords. The concept of the digital signature is the same as a handwritten signature in that it validates your identity for e-mail or other purposes, noted O’Sullivan. “Digital signatures are not vulnerable to identity theft and do not have to be different each time,” he said.
Users can obtain their own digital certificate from a certificate issuer. The industry leader is VeriSign.
Sabett said he sees a trend in which Web sites are taking a few extra steps to protect user information. These steps include requiring better password construction. For instance, many Web sites now caution consumers to use complex passwords made from personal information that is not readily accessible to hackers who gain some information about them.
Another step is to encourage users to mix letters and numbers to defeat dictionary scans that use trial and error to guess passwords. A third step involves using safer hints or password prompts. For example, don’t use answers that are obvious to anyone who might be able to view your biography or other documents that contain information about you.
Innovative Cyber Law
Allen Brown, president and CEO of The Open Group Security Forum, told TechNewsWorld that his organization has decided there are currently few effective technical or policy defenses against identity theft online. At its meeting in Boston in July, the group started a project to investigate the design of protection mechanisms to combat identity theft.
That project will proceed in three phases: identifying documented cases, constructing preconditions to identity theft attacks, and finding methods that can prevent events necessary for successful identity theft to occur. The Open Group Security Forum hopes to deliver its report by September 2004.
In the meantime, a new law in California that took effect in July could provide the impetus for a nationwide trend toward online protection of consumer information. The California law requires any state agency, person or business using computerized data that includes personal information to disclose any breach of that data’s security.
Account Monitoring Solution
If the data is encrypted, however, the agency or company is not liable for damages to the consumer, according to Steve Seavecki, product manager at VIACK. The California law — combined with the FTC report — could push forward new legislation to make it more difficult for hackers to obtain consumers’ personal information.
The FTC reported that 52 percent of identity theft victims first detected the fraud by monitoring their own accounts, which ultimately could be the best way to protect your identity online. Consumer advocates say, invariably, that the sooner you identify the fraud, the better your chances of recovering your money and your identity will be.
To monitor accounts closely, several software companies and credit-reporting agencies — such as Equifax — have developed automated systems that can help identify malicious action with little effort on the consumer’s part.