by Doug Pollack

This week President Bush signed into law the Identity Theft Enforcement and Restitution Act of 2008.  As reported in the Washington Post, this law will:

“make it easier for prosecutors to go after cybercrooks, while ensuring that identity theft victims are compensated for their time and trouble when convicted identity thieves are forced to cough up ill-gotten gains.”

It can take the victim of ID crime hundreds of hours to restore themselves to pre-theft condition. This law enables them to be compensated for this time at a level:

“equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense.”

The FBI has set up a clearinghouse for addressing cybercrime complaints called the Internet Crime Complaint Center. It works closely with a range of law enforcement agencies and private sector organizations.

Rebecca Seaman

Data breaches are on the rise, despite preventative measures such as state notification laws. Specifically, the Washington Post reports that data breaches reported by businesses, governments and universities are up 69 percent this year. Businesses alone accounted for a 27 percent increase in breaches, or one third of all those reported.

This may not be as alarming a trend as it may appear on the surface. In fact, it may be that businesses are simply more aware of breaches now that they know what to look for and have a better understanding of how breaches occur. Likewise, with the implementation of state notification laws, businesses may feel more compelled to report a breach than they were in the past.

Linda Foley, founder of The Identity Theft Resource Center, a nonprofit organization in San Diego, points out that “Part of this may be that organizations are finding out about more breaches because they’re really starting to look for them,” Foley said. “The other part is that companies are coming forward because they want to control the flow and spin of the disclosure.”

Regardless of how these breaches are occurring, businesses need to remain vigilant in preventing a breach, rather than focusing on damage control once a breach has occurred. Lost or stolen laptops remain the largest reported cause of business related breaches. They account for 20 percent of all reported cases, while hacking was the least cited. In other words, these breaches were largely preventable.  By making breach prevention a matter of policy (For example-evaluating risk and implementing tough cyber-security rules), businesses are less likely to experience a breach, and better prepared to manage one that does occur.

by Doug Pollack

We all hear about how more and more identity theft is now being done with the internet. What you don’t hear as much about is how an increasing percentage of US-based identity theft is perpetrated by organized crime overseas.

A recent FBI press release titled “38 Individuals in US and Romania Charged in Two Related Cases of Computer Fraud Involving International Organized Crime” describes a frightening phishing scheme that:

“uses the Internet to target large numbers of unwary individuals, using fraud and deceit to obtain private personal and financial information such as names, addresses, bank account numbers, credit card numbers and Social Security numbers.  Phishing schemes often work by sending out large numbers of counterfeit e-mail messages, which are made to appear as if they originated from legitimate banks, financial institutions or other companies.”

The level of organization of this criminal enterprise and effectiveness of their efforts is remarkable.  According to the indictment:

“The Romania-based members of the enterprise obtained thousands of credit and debit card accounts and related personal information by phishing, with more than 1.3 million spam emails sent in one phishing attack.  Once directed to a bogus site, victims were then prompted at those sites to enter access device and personal information.  The Romanian “suppliers” collected the victims’ information and sent the data to U.S.-based “cashiers” via Internet “chat” messages.  The domestic cashiers used hardware called encoders to record the fraudulently obtained information onto the magnetic strips on the back of credit and debit cards, and similar cards such as hotel keys.  Cashiers then directed “runners” to test the fraudulent cards by checking balances or withdrawing small amounts of money at ATMs.  The cards that were successfully tested, known as “cashable” cards, were used to withdraw money from ATMs or point of sale terminals that the cashiers had determined permitted the highest withdrawal limits.  A portion of the proceeds was then wire transferred to the supplier who had provided the access device information.”

As organized crime becomes increasingly sophisticated in using our affinity for online commerce to their advantage, we should all be extra cautious, especially in watching out for something that has become as commonplace as the phishing scam.