Friday, May 30, 2008

 

Bank of New York Mellon loses data on 4.5 million

Dan Kaplan, May 22, 2008
An unencrypted backup tape holding the personal information of about 4.5 million Bank of New York Mellon customers disappeared three months ago while in possession of a third-party vendor, the Connecticut attorney general announced Wednesday.

The attorney general, Richard Blumenthal, said in a statement that hundreds of thousands of Connecticut residents may be affected.

“This security breach seems highly dangerous, indeed possibly devastating in light of the identity theft threat,” said Blumenthal, a noted privacy advocate.

The storage tape, which contained the sensitive information of Bank of New York Mellon Shareholder Services customers, was lost Feb. 27 en route to a storage facility, Blumenthal said.

Archive Systems, a New Jersey-based records storage company, successfully delivered nine other tapes. A company spokesman, Craig Abramson, told SCMagazineUS.com that the firm could not comment due to confidentiality agreements it signs with customers.

Blumenthal said he was upset victims did not learn of the breach until this week, when People's United Bank notified his office. Based in Bridgeport, Conn., People's United Bank provided the Bank of New York Mellon with customer information so it could offer customers “an investment opportunity.”

“I am especially concerned by the delay in informing consumers, possibly heightening the risks of wrongdoing,” he said. “The loss of this tape -- so far unrecovered and unremedied -- is inexplicable and unacceptable.”

A Bank of New York Mellon statement, emailed to SCMagazineUS.com, said the company, upon learning of the lost tape, immediately launched an investigation, contacted authorities and introduced procedures to prevent a similar breach in the future. The bank plans to offer one year of free credit monitoring to affected individuals.

“Shareowner Services has no evidence suggesting that any of the data has been inappropriately accessed or used,” the statement said. “Communications with affected shareowners include that assurance.”

A bank spokesman could not be reached for comment to determine why the tapes were not encrypted.


LendingTree sued over data breach

Sue Marquette Poremba, May 21, 2008
At least two lawsuits have been filed against LendingTree in response to a data breach that occurred between October 2006 and early 2008.

The breach reportedly was caused by former employees who shared passwords with mortgage lenders, providing access to loan and personal information of customers.

A lawsuit filed in U.S. District Court in New York last Friday alleges that LendingTree, a mortgage loan provider, failed to adequately protect customers and their confidential records, which included names, Social Security numbers and dates of birth. The suit stated, in part, that customers had their privacy rights violated and were exposed to risks of fraud.

A similar lawsuit was filed last week in Charlotte, N.C., where LendingTree is based.

Data breaches are the most common type of criminal activities committed by employees or former employees, said Avishai Wool, co-founder and chief technology officer of AlgoSec, provider of firewall operations and security risk management solutions.

“The problem of stealing information from within a company is as old as money,” Wool told SCMagazineUS.com on Wednesday. “With emerging technologies, the theft takes new shapes.”

For that reason, he added, it is vital for companies to closely monitor any employee who has access to confidential information.

Because the LendingTree breach was caused by sharing passwords, Wool recommended that companies review their password policies.

“Companies should reset passwords frequently,” he said.

Also, when an employee leaves a company, the password to that account should be changed immediately, especially if the account is otherwise left open for any reason, Wool said.

Most importantly, companies should not rely solely on passwords to protect data, he said. Security-conscious companies also use additional measures, such as hardware tokens that display a code that changes every few minutes.

LendingTree representatives did not respond to a request for comment.


FBI: China may use counterfeit Cisco routers to penetrate U.S. networks


An FBI presentation states that China has counterfeited Cisco Systems network routers and may be using the equipment to penetrate U.S. government and private sector computer networks.
Federal authorities in February seized some 400 counterfeit Cisco Systems devices worth $76 million. The equipment included routers, switches, gigabit interface converters and WAN interface cards.
Among the purchasers of the fake equipment were the U.S. Naval Academy, U.S. Naval Air Warfare Center, U.S. Naval Undersea Warfare Center, U.S. Air Base at Spangdahlem, Germany, the Bonneville Power Administration, General Services Administration, and the defense contractor Raytheon, which makes key missile and weapons systems.


The FBI briefing slides on the case stated that, while there are “intelligence gaps” on why the Chinese made the counterfeit equipment, it could have been for profit or as part of a state-sponsored operation.
Additionally, the scope of the Chinese counterfeit equipment may extend beyond routers to include fake IT equipment such as PCs and printers.

Under a section titled “The Threat,” the FBI described the effort as “IT subversion/supply chain attack” that could “cause immediate or premature system failure during usage.”

The counterfeit equipment also could be used to “gain access to otherwise secure systems” and to “weaken cryptographic systems.”

The briefing slide said the Chinese information warfare efforts require “intimate access to target systems.”


Foreign hackers sniff out credit card data

Chuck Miller, May 12, 2008
Foreign hackers have compromised cash register terminals at 11 Dave & Buster's restaurants around the United States. The scheme resulted in losses of some $600,000.

The hackers were arrested in various locations, including Turkey and Germany. The hackers sold the stolen data to others who used it to make fraudulent purchases or resold it to make such purchases.

In announcing the arrests, U.S. Attorney Benton J. Campbell said, “Hackers who reach into our country from abroad will find no refuge from the reach of U.S. criminal justice.”

According to the U.S. Department of Justice, the people arrested gained unauthorized access to cash register terminals, though details on how were not specified. They allegedly installed "packet sniffer" programs at each restaurant to capture communications on the Dave & Buster's link. The packet sniffer was configured to capture "track two" data as it moved from each restaurant's point-of-sale server to computer systems at the company's corporate headquarters.

Track two data includes a customer's account number and expiration date, but not cardholder names or other personally identifiable information. It does, however, also carry the service code and the issuer's discretionary data encoded on the stripe, which is why a captured track-two record is enough to produce a working counterfeit magnetic-stripe card.
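The sniffer described above was looking for exactly this record format on the wire. As an added example (not the defendants' tool or anything from the article), the following scans a captured payload for track-two records using the ISO/IEC 7813 layout, applies a Luhn check so that random digit runs are not reported as card numbers, and masks what it finds. The same logic, run by defenders over their own POS-to-headquarters traffic, is a practical detection for card data moving in the clear. The sample payload is constructed for this example using standard test card numbers; it is not real traffic.

```python
import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): start sentinel ';', PAN of up to 19 digits,
# field separator '=', expiry as YYMM, 3-digit service code, issuer
# discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Track2Hit:
    offset: int         # byte offset of the start sentinel inside the payload
    masked_pan: str
    expiry: str         # MM/YY
    service_code: str


def find_track2(payload: bytes) -> list:
    """Scan one captured payload and report every Luhn-valid track-2 record."""
    hits = []
    for m in TRACK2_RE.finditer(payload):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue            # not a real PAN, treat as noise
        yy, mm, svc = (m.group(i).decode("ascii") for i in (2, 3, 4))
        hits.append(Track2Hit(m.start(), mask_pan(pan), f"{mm}/{yy}", svc))
    return hits


# Constructed sample payload (not real traffic): text framing around two
# track-2 records, one with a Luhn-valid test PAN and one that fails the check.
SAMPLE_CAPTURE = (
    b"POS-TXN 0042 TERM=07 "
    b";4111111111111111=0910101123456789?"
    b" AMT=0042.50 "
    b";4111111111111112=0910101000000000?"
    b" END\r\n"
)


if __name__ == "__main__":
    for hit in find_track2(SAMPLE_CAPTURE):
        print(f"offset {hit.offset}: PAN {hit.masked_pan} "
              f"exp {hit.expiry} svc {hit.service_code}")
```

Pointed at a pcap, the same function would run over each reassembled TCP stream; a single hit on the link between a store and headquarters is proof that the application sends card data unencrypted, which is the condition the attackers relied on.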

Also involved in the investigation was the U.S. Secret Service.

“This investigation and the resulting indictments should serve as a warning to cybercriminals that law enforcement will continue to pursue them wherever they are,” U.S. Secret Service Director Mark Sullivan said.

Wednesday, May 07, 2008

 

Hackers harpoon US executives with phony email subpoenas by Glenn Chapman

Mon May 5, 10:35 PM ET



US federal court officials have warned that hackers are emailing phony subpoenas embedded with malicious software to high-ranking executives to steal valuable corporate information.

Thousands of powerful US executives have received the bogus emails that contain links which, if clicked on, install software letting hackers take control of computers and swipe passwords or other sensitive data.

Internet security insiders refer to the attacks as "whaling" because they use social-engineering trickery involved in "phishing" but target individual "big phish" instead of casting nets in a sea of Internet users.

"The success rate was incredibly high," Websense Security Labs manager Stephan Chenette told AFP.

"Most likely due to the nature of the content and the real data, the emails had their exact names and legal language in there that made it seem like a serious subpoena."

The emails are crafted with the seal of the US federal court in San Diego, California, and are addressed to executives using their names, addresses and other individual details.

Clicking on a link to see a "subpoena" displays a realistic looking document and stealthily installs malicious computer code in the reader's computer.

"When the recipient tries to view the document, they unwittingly download and install software that secretly records keystrokes and sends the data to a remote computer over the Internet," court officials said in their warning.

"This enables criminals to capture passwords and other personal or financial information and starts software that allows the computer to be controlled remotely."

Subpoenas in the United States are usually served in person to assure judges that the orders from courts have been properly received by those named.

US investigators believe the hackers are not familiar with the court system because the website executives are directed to uses a "uscourts.com" domain name, while actual court web addresses typically end in ".gov."
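The domain slip the investigators noticed is something a mail gateway can test for mechanically. The following is an added example, not tooling from the courts or from Websense: it pulls every link out of an HTML message that claims to come from a federal court and flags any link that resolves outside .gov, or whose displayed text names a different host from the one the link actually goes to. The sample message is constructed for the example; it reproduces the uscourts.com versus uscourts.gov pattern reported above, with the genuine judiciary site being uscourts.gov.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def suspicious_court_links(html: str) -> list:
    """Flag links in a message that claims to come from a US federal court.

    Two heuristics taken from the case above: the real courts live under
    .gov, and the host a link displays should be the host it points at.
    """
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if not host.endswith(".gov"):
            reasons.append(f"court link resolves outside .gov: {host}")
        shown = re.search(r"https?://([^\s/]+)", text)
        if shown and shown.group(1).lower() != host:
            reasons.append(f"link text shows {shown.group(1)} but points at {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample (not one of the actual messages): the lure mimics the
# San Diego court and hides a uscourts.com link behind uscourts.gov text.
SAMPLE_SUBPOENA_EMAIL = """
<p>UNITED STATES DISTRICT COURT, Southern District of California</p>
<p>You are hereby commanded to appear. A copy of the subpoena is available at
<a href="http://www.uscourts.com/subpoena.php?case=7">http://www.uscourts.gov/subpoena</a>.</p>
<p>General information: <a href="https://www.uscourts.gov/">www.uscourts.gov</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_court_links(SAMPLE_SUBPOENA_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The .gov test only applies once the message has been classified as claiming court origin (by its seal, subject line or sender); a general-purpose filter would keep the displayed-host-versus-real-host check and drop the suffix rule.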

Aspects of writing in the messages appear British, according to police.

Among the targets have been executives at banking giant Citibank, Time Warner-owned America Online and Internet auction house eBay, according to the courts.

The hackers likely got confidential information about intended victims stolen or gathered in the Internet's underworld.

"In the malicious community there is a lot of buying and selling of credit card and other information," Chenette said.

"Attackers buy cell phone numbers, home addresses and other specifics about people. In this case they were identifying and going after larger executives."

There is a trend toward more convincing, targeted "whaling" attacks, according to Chenette, who says to be wary of supposed court or tax department emails.

Trick emails with giveaway spelling errors of the kind that gave "phishing" its name are giving way to well-crafted, believable messages honed using confidential information about targets.

"The future of spam is to become more evasive and successful," Chenette said. "It is always a cat and mouse game ... a very real game


Stealing RFID Credit Card Data Is Easy!

Remember when someone actually needed to have your card before they could steal your data? With RFID, or radio frequency identification, all they need to be is near your card, with an $8 RFID reader, to get your information now! If you watch this episode of boing boing TV, you can watch as an $8 reader pulls your card’s details without anyone actually having your card. What can you get? Card number, cardholder’s name and expiration date (probably more, since the tag can carry about 2 kB of data), or essentially everything printed on the face of your card.

If you remember back to physics class, electricity and magnetism are inter-related. A changing magnetic field through a coil of conductive material induces a current in it (Faraday's law of induction). If you want to get really nostalgic, remember the right hand rule? Anyway, RFID works off that principle. The reader emits an oscillating magnetic field that induces a current in the antenna coil of the RFID chip. That current powers the chip and gets it to send back a signal the reader detects. The signal is encrypted; that’s not the problem. The problem is that the reader can decrypt it, and that reader is one you can buy for $8. The security flaw has nothing to do with RFID technology; the failure is in the implementation by the credit card industry.

The technology expert in the clip, Pablos Holman, does point this out by saying the decryption should happen back at a secure location rather than at the point of sale and I suspect this is a cost cutting measure on the credit card industry’s part. By decrypting at the POS, they get to reuse their systems (i.e. use RFID on the cheap) as-is rather than building a mechanism for decrypting the data somewhere down the data stream. I’m 99.9% sure that someone in the entire industry has thought of the scenario in which someone buys an $8 reader and starts stealing data but it’s cheaper to fix the fraud than develop a better system.

As to the concerns that you could walk into a Starbucks and steal everyone’s data with a reader augmented with a powerful antenna, that’s not 100% accurate, because an RFID tag has a read range set by its frequency. Contactless payment cards use high-frequency (13.56 MHz, ISO/IEC 14443) tags, whose nominal read range is about 10 cm and, even with a large antenna, stays under 3′. So while you could activate every card that enters your reader’s field, you’d have to wander within 3′ of everyone (still easy, just not as easy as turning it on and standing there) to grab the data. One caveat: passively eavesdropping on a card that is already talking to a legitimate terminal works from farther away than powering the card yourself, since the terminal supplies the field.


How Identity Theft Happens and How to Protect Yourself

Most Common Ways Your Identity Gets Stolen and How to Fight Back
By ELISABETH LEAMY
May 1, 2008—


The first step to preventing identity theft is to understand how it happens. Here are some of the most common vulnerabilities and strategies for fighting back:

Hacked Shopping Sites

Shopping online has become so routine for many of us that it's easy to forget that some Web sites haven't taken the steps they should to protect us. Sophisticated identity thieves -- often in foreign countries -- spend all day just trying to figure out how to hack into those sites and grab their treasure troves of credit card numbers and other identifying information. What to do?

Make sure that when you move from the informational section of a Web site to the purchasing section, the "HTTP" in the URL changes to "HTTPS." The "S" stands for "secure," and it means the connection between your browser and the site is encrypted. Keep in mind that this only protects your card number while it travels to the retailer; it does nothing if the retailer's own database is later hacked, which is the scenario described above.

Only shop at well-established retailers. If you must buy from an obscure site, check its reputation first with the Better Business Bureau.

Never use a debit card to make online purchases. If the thieves snatch your account information, they will be draining your actual bank account. Better to use a credit card, which limits your liability to $50. Usually the card company covers the entire loss.

Phishing Attacks

When I infiltrated the Internet underworld where identity thieves buy and sell people's information, it was most gut-wrenching to see "full profiles" where the crooks even had the person's Social Security number, mother's maiden name and ATM PIN. Usually, this kind of detail is provided to the crooks by the victims themselves, when they respond to phishing e-mails. A phishing attack is an illegitimate e-mail made to look as if it's from a bank or government agency. They're very convincing. The crooks claim they need to verify your account information "for your own protection." They then ask for every possible financial detail.

Keep in mind that banks and government agencies rarely communicate with their customers/citizens via e-mail. If in doubt, call the entity in question and ask if they sent you an e-mail.

Be on the lookout for poor spelling and grammar. Many identity thieves are foreigners who mangle the English language. On the other hand, in researching this story, I found that some ID thieves actually copy phishing e-mails from consumer protection Web sites that post samples for educational purposes.

Only provide financial information when you have initiated the contact, whether by e-mail or by phone.

If you are phished, you need to know about the Federal Reserve Board's Regulation E. It states that as long as you report a lost or stolen card or PIN within two business days of learning about it, you are only liable for $50 in losses. Report it later than that and your liability jumps to $500. Wait more than 60 days after the statement showing the fraud was sent to you and your liability is unlimited.

Skimming

As we show you in Part 2 of our special report "Stealing You" on "World News With Charles Gibson," clever con artists have learned to attach false fronts to ATM machines and capture people's PINs that way.

Basically, they mount a skimming device over the slot where you insert your card. Then, there are two ways they learn your PIN. Either they mount a hidden camera nearby to record your PIN. Or they rig the machine so your card gets stuck in it. A spotter waits nearby, and when you struggle with the card, he offers assistance, claiming he just had the same problem. Eventually, he asks you to input your PIN, claiming that's what's needed to get your card out.

You should be aware that crooks have even managed to mount skimmers on the increasingly common credit card authorization devices in stores. A ring in Delaware slapped one right on the device at the front counter of a drugstore without employees even noticing.

Try to use mainly one "home base" ATM. And the next time you do, take a few minutes to memorize the look of it.

If the card slot of an ATM looks odd, give it a tug. Some customers have had illegal skimming devices come off in their hands.

Stay on top of your bank balance and bank statements -- a tedious but healthy habit.

Restaurants

Would you hand a stranger your credit card? Sounds risky, but we do it all the time at restaurants. It's one of the few times we are separated from our card. Florida authorities say it's the No. 1 source of credit card cloning cases in that state. Waiters and waitresses can carry tiny skimming devices, the size of a pack of gum, and record all the information on the magnetic stripe of your card. They then sell that information to more serious crooks who use it to clone cards.

Consider paying cash at restaurants.

More and more restaurants now use tableside credit card authorization devices. Encourage this service when you see it.

Use a credit card rather than a debit card at restaurants. Again, better that the crooks tap into your bank's money than your own money.

Data Breaches

It's frustrating to write about this category because consumers have so little control. When companies lose laptops carrying precious personal information or when hackers gain access to their hard drives, there's so little consumers can do. We live in a high-tech world and it's nearly impossible to withdraw from it.

Order your free credit reports faithfully. If you alternate between the big three credit bureaus, you can get one every four months and keep a pretty regular eye on your accounts. Scan them for unfamiliar accounts.

Consider one of the credit check services offered by the credit bureaus and some others. They alert you if anybody tries to open an account in your name or if there is unusual activity in your accounts. Don't go with a no-name company that could just be trying to get your personal information.

Another tip: Carry fewer cards. The more you have, the more that can be breached. Even if you cut up a card long ago, all a crook needs is the account number to activate it. Send a letter to formally cancel those accounts. It's usually better for your credit score anyway.

Dumpster Diving

This is the oldest form of identity theft and it still happens. Garbage can be a rich target for thieves willing to do the legwork.

Shred important documents.

Ask your doctor, dentist, attorney, accountant and others who keep records on you to do the same.



Copyright © 2008 ABC News Internet Ventures
