Monday, September 05, 2005

grand theft identity

Be careful, we've been told, or you may become a fraud victim. But now it seems that corporations are failing to protect our secrets. How bad is the problem, and how can we fix it?

By Steven Levy and Brad Stone
Newsweek

Sept. 5, 2005 issue - Millions of people now have a new reason to dread the mailbox. In addition to the tried-and-true collection of Letters You Never Want to See—the tax audit, the high cholesterol reading, the college-rejection letter—there is now the missive that reveals you are on the fast track to becoming a victim of identity theft. Someone may have taken possession of your credit-card info, bank account or other personal data that would enable him or her to go on a permanent shopping spree—leaving you to deal with the financial, legal and psychic bills. Deborah Platt Majoras got the pain letter recently, from DSW Shoe Warehouse. Hers was among more than a million credit-card numbers that the merchant stored in an ill-protected database. So when hackers busted in, they got the information to buy stuff in her name—and 1.4 million other people's names. "It's scary," she says. "Part of it is the uncertainty that comes with it, not knowing whether sometime in the next year my credit-card number will be abused." Now she must take steps to protect herself, including re-examining charges closely, requesting a credit report and contacting the U.S. Federal Trade Commission to put her complaint into its ID-theft database. The latter step should be easy for her, since Majoras is the FTC chairman.

Somewhere, Willie Sutton is smiling. Sutton was the sly swindler who, when asked why he robbed banks, was said to reply, "Because that's where the money is." Today the easy money is still in banks—databanks: vast electronic caches in computers, hard disks and backup tapes that store our names, ID numbers, credit-card records, financial files and other records. That information can be turned into cash; thieves can quickly sell it to "fraudsters" who will use it to impersonate others. They visit porn sites, buy stereo systems, purchase cars, take out mortgages and generally destroy the credit ratings of innocent victims, who may be unable to get new jobs, buy houses or even get passports until the matter is painstakingly resolved. And since the crime is all done remotely, modern ID thieves suffer little of the risk that Sutton shouldered a half century ago when he robbed banks with a machine gun.

We've become accustomed to the digital grease that smooths transactions, loans and eBay bids, even as worries about identity theft quietly shadow us, often leading us to restrict our activities and be extra careful with our credit cards and personal information. In recent months, though, there's been something different, a cascade of reports about big break-ins and bungles where the booty is our secrets. Suddenly things seem out of control: instead of losing our identities one by one, we're seeing criminals grabbing them in massive chunks—literally millions at a time. Just last week security firm Sunbelt Software discovered a U.S.-based server storing passwords for online accounts from 50 banks, eBay and PayPal log-ins, and credit-card numbers stolen by a Trojan virus. In June lax security at an Atlanta-based company called CardSystems exposed a possible 40 million Discover, Visa, MasterCard and American Express numbers to hackers, who have already begun turning the digits into cash and prizes. "It only makes sense that criminals would go where information is collected," says Martha Stansell-Gamm, head of the computer-crime division in the U.S. Justice Department.

"Over the last nine years, criminals have gotten a better understanding of the power of information," says Rob Douglas of PrivacyToday, a security consulting firm. "Instead of selling drugs, so much can be made so quickly with identity theft, and the likelihood of getting caught is almost nil." Avivah Litan of research firm Gartner Group speculates that fewer than 1 in 700 identity crimes leads to a conviction. This goes a long way toward explaining why it's the fastest-growing crime of this century. Crooks rack up $53 billion a year in ID theft in the United States alone. Consumers get stuck with $5 billion directly, and the rest is paid by retailers and businesses—which pass it on in higher prices.

Losing your credit card can be a huge hassle, but laws usually limit losses. In more distressing forms of ID theft, someone swipes not just your card but also your entire financial persona. Judy McDonough, a 56-year-old occupational psychologist from the north of England, has been living a nightmare since last year, when she found that someone—she suspects a relative—racked up 33,000 pounds sterling of debt over three years, which included two credit cards, three bank loans and 2,300 pounds sterling of catalog orders. She reported the crime six times before taking it to her member of Parliament. Most banks, says McDonough, "just hope you'll go away."

For years, the primary cause of ID theft has been good old-fashioned analog crime. Thieves rifle mailboxes, snatch purses and dive into the garbage for discarded bank statements or credit-card receipts. More recently, we've seen a plague of "phishing"—sending bogus e-mails that look as if they come from legitimate companies, asking us to supply personal information. After the CardSystems heist, phishers, trying to capitalize on the news, sent out e-mails supposedly from MasterCard, asking people to update their information. "They played on the fear that consumers had when the announcement was made," says Susan Larson of SurfControl, an Internet-security firm.

Savvy computer users know the requisite defense against a phishing attack: never respond to a request for personal information. This wisdom is part of the standard tool kit of protections against ID theft. Check your credit-card bills with an eagle eye. Request your credit report. Shred your information. This regime makes perfect sense for individuals. But when it comes to companies charged with safeguarding millions, sometimes even billions, of records, what do they do?

They leave it unencrypted on computers, where malicious hackers get hold of it. The DSW Shoe Warehouse is far from the only hacked database owner. According to a U.S. government consent order, BJ's Wholesale Club, a Massachusetts-based firm operating big-box stores and gas stations, not only failed to encrypt, but stored records in violation of bank-security rules, didn't use a firewall to prevent wireless intrusions and protected the information with the easy-to-guess default passwords that came with the system. Result: credit cards ripped off in early 2004 were used to charge millions in goods.

They inadvertently allow employees to sell it. This June, a 24-year-old Indian man named Karan Bahree, who at the time worked for Gurgaon-based online marketing firm Infinity eSearch, allegedly sold information on 1,000 bank accounts to an undercover journalist working for The Sun, a British tabloid, for 2,750 pounds sterling, according to a Sun article. Bahree has since claimed that he was only a middleman and that he did not sell data his employer had collected (he's since been fired, according to a statement by Infinity eSearch). Infinity eSearch has said the company doesn't handle any data for the banks named in the Sun report, and that Bahree didn't have access to confidential data of any kind through his employment with the company, according to press reports. But the case has raised fears of an anti-outsourcing backlash if Indian firms are seen to be careless with the data they handle.

They pack it in boxes and put it in a mail truck. That's what CitiFinancial, a unit of Citigroup, did with the financial secrets of 3.9 million customers last May. The box never arrived at its destination, and now CitiFinancial is telling customers that their identities are at risk.

They leave it on laptops that get stolen. Last March at UC Berkeley someone made away with a computer holding personal information of almost 100,000 grad students and applicants.

They don't monitor what insiders may do with it. In April, more than a dozen people, including employees of an MphasiS call center in Pune, India, were charged with cheating Citibank customers out of $350,000. Citibank had outsourced some of its customer-service operations to MphasiS.

They just plain lose it. Bank of America is still looking for backup tapes with information on 1.2 million government workers, discovered lost in December.

They don't do what they say. CardSystems, a privately held company, processes an estimated $15 billion in credit-card transactions a year (between the merchant and the bank). In direct violation of its agreement with MasterCard and Visa, CardSystems retained 40 million credit-card numbers "for research purposes," as its CEO John Perry initially told the press. These were sucked out of the system by digital invaders. CardSystems' clients admit that protection was lax: "Obviously there were deficiencies and other issues," says Josh Peirez, head of government affairs for MasterCard. Since the break-in, CardSystems has reportedly installed a new "intrusion-prevention product" (hey, thanks).

An elaborate infrastructure of crime has emerged to collect and distribute stolen records. When it comes to attacking databases, malicious hackers either use automated software "bots" to methodically probe the Internet for vulnerable databases or target companies that are likely to harbor honey pots. Most often, they enter systems through preventable security flaws, like guessable passwords (example: "Dave" or the default password that came with the program) or known vulnerabilities in software.

Once records are stolen, they are passed on or sold in fleeting digital dark alleys—chat rooms or instant-messaging sessions where transactions are quickly, stealthily enacted. Sometimes the crooks are sufficiently brazen to post their offerings on Web sites that are sort of fraudster eBays. At one site posted by a member of the Shadowcrew organization (which was shut down by the U.S. government last year), $200 gets 300 credit cards without the security codes printed on the back of the card. If you want card numbers with the code, it will cost you $200 for 50 of them.

After fraudsters buy the purloined numbers, they commonly use them to grab goodies as fast as possible. It's kind of a high-tech form of supermarket sweepstakes, where the crook keeps stealing until the fraud-management software of the credit-card companies kicks in. "The method is smash-and-grab," says Bryan Sartin, VP for information-security firm Cybertrust. "The turnaround time is amazing."
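The "fraud-management software" that cuts a smash-and-grab short typically relies on velocity checks: a burst of authorizations on one card inside a short window, or an unusually large total, is flagged for review. The following is an added illustration of that idea, not code from Newsweek or from any card network; the card tokens, timestamps, amounts and thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorizations (not real data):
# (card_token, ISO-8601 timestamp, amount in USD, merchant category)
SAMPLE_AUTHS = [
    ("tok_A", "2005-06-17T10:00:00", 42.10, "grocery"),
    ("tok_A", "2005-06-17T18:30:00", 19.99, "bookstore"),
    ("tok_B", "2005-06-17T11:00:05", 899.00, "electronics"),
    ("tok_B", "2005-06-17T11:02:40", 1250.00, "electronics"),
    ("tok_B", "2005-06-17T11:04:12", 640.00, "jewelry"),
    ("tok_B", "2005-06-17T11:05:50", 2100.00, "electronics"),
    ("tok_C", "2005-06-17T12:00:00", 15.00, "coffee"),
]


def velocity_alerts(auths, window=timedelta(minutes=10), max_count=3, max_amount=2500.0):
    """Flag a card the first time its authorizations inside a sliding window
    exceed either a transaction count or a total-amount threshold.

    Thresholds here are illustrative assumptions, not any network's real rules.
    Returns a list of alert dicts, one per flagged card, in chronological order.
    """
    alerts = []
    recent = defaultdict(deque)  # card_token -> deque of (timestamp, amount) within window
    flagged = set()

    # ISO-8601 strings sort chronologically, so this orders the stream by time.
    for token, ts, amount, _merchant in sorted(auths, key=lambda a: a[1]):
        t = datetime.fromisoformat(ts)
        q = recent[token]
        q.append((t, amount))
        # Drop authorizations that have aged out of the window.
        while q and t - q[0][0] > window:
            q.popleft()

        count = len(q)
        total = sum(a for _, a in q)
        reasons = []
        if count > max_count:
            reasons.append("count")
        if total > max_amount:
            reasons.append("amount")

        if reasons and token not in flagged:
            flagged.add(token)
            alerts.append({
                "card": token,
                "at": ts,
                "count": count,
                "total": round(total, 2),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in velocity_alerts(SAMPLE_AUTHS):
        print(alert)
```

Running the block flags only `tok_B`: by its third authorization (about four minutes after the first) the window total passes the amount threshold, while `tok_A` and `tok_C` never accumulate more than one authorization in any ten-minute span. Real systems combine such checks with merchant-category and geography signals, but the sliding-window structure is the core of why a burst of purchases gets stopped.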

As bad as the recent exposures have been, they may well wind up helping spur some very long-needed reform. Though identity theft is a devilishly difficult crime to combat, the key to fighting these huge cyber-raids is making the databases that hold private records more secure. Indian outsourcing firms have been quick to beef up internal security, and local police departments—like the one in Pune, which solved the Citibank case—have been starting cybercrime units. The best solution would make the companies that collect the data liable for their failings. The U.S. Congress may slap fines on companies that lose records. Anything that increases the cost of losing information to the company, as opposed to the consumer, would give firms an incentive to protect consumer secrets.

Each time we hear of another huge data breach, the pressure increases to tighten up security and fight the ID crooks. But change, if it comes, will come too late for Daniel Bulley, who's spent months trying to distance himself from a home he never owned, a job he never held and a portfolio of credit cards and accounts he never opened. Bulley is angry—at the crooks, at the cops (no one would investigate his case) and at the corporations that let his information fall into evil hands. He's especially steamed at the billion-dollar industry that has emerged to sell people protection against data theft—run by parts of the same industry that fails to protect the information in the first place. Corporations, says Bulley, need to be tighter with the data they hold: "Why should we pay them to do their job right?"

Reported by William Lee Adams, Holly Bailey, Jennifer Barrett, Juliet Chung, Temma Ehrenfeld, Charles Gasparino, Andrew Horesh, Nicole Joseph, Susannah Meadows, Ben Whitford, Kathryn Williams, Jason Overdorf and Mary Acoymo

© 2005 Newsweek, Inc.