Archive for Sunday, May 29, 2005

ID thieves strike

Scams more sophisticated, profitable

May 29, 2005


— It is the hot crime of the 21st century - and you are the target.

Sophisticated super hackers are turning identity theft into a multibillion-dollar criminal enterprise, plundering data about ordinary people from alumni directories, ATM machines, credit cards, tax returns and myriad other sources.

The massive scams are costing American businesses and consumers more than $47 billion a year, according to the Federal Trade Commission.

Rings of international terrorists, money launderers and petty street thieves are in the business, according to New York City District Atty. Robert Morgenthau and other law enforcement officials.

"How the information is stolen - high-tech or low-tech - is one thing, but what happens in the end is just as important: how the information is used and the impact on the victim, or credit card companies and other businesses," said Aaron Karczmer, chief of the New York City district attorney's identity theft bureau.

Nearly 10 million American identities are hijacked each year, with more stolen worldwide, according to the FTC.

Theoretically secure databases with personal and credit information on millions of Americans have been penetrated recently, including the Polo Ralph Lauren customer list.

"It's not just the money lost, but the time it takes for a victim to clear their credit and get their identity back," said Dave Foley, of the Identity Theft Resource Center.

Foley and other experts say the nine-digit Social Security number is the single most important key for the ID thief. Date of birth and mother's maiden name are the two other critical elements.

"Once they have your name and Social Security number, they pretty much have your ID and they go to work," said Bruce Helman, supervisor of the FBI's computer hacking squad in the agency's New York office.

Beware, credit card holders

Credit card numbers are the major target, sold and traded on a vast underground international Internet market.

Dealers later sell the card numbers - often manufacturing embossed new cards with the requisite magnetic strips - at a high markup to street thieves.

Electronics, clothing, a wide variety of mail-order merchandise, airline tickets and hotel stays are among the most common illicit charges.

Enterprising thieves also use stolen identities to loot bank and brokerage accounts, take out mortgages and bank loans, set up cell phone service and even pay utility bills, said Richard Staropoli, a Secret Service agent who specializes in ID theft.

Most of the direct cost of ID theft is borne by credit card companies, banks that issue cards and other businesses "whacked" by ID thieves. But those losses are later passed onto consumers with higher fees or insurance premiums.

In some cases, subscribers to commercial databases access information and sell it on the ID theft underground.

In April, it was revealed that a thief posing as a legitimate customer of ChoicePoint - a commercial data broker that serves prospective employers, insurers, banks and credit card companies - downloaded ID information on more than 145,000 people.

The tab, thought to be in the millions of dollars in bank and credit card charges, is still being calculated by various law enforcement agencies.

Hackers keep up

The new underworld is confounding software companies, virus protection companies and law enforcement. That's because every time a new security measure is conceived, the hackers find a new weakness to exploit.

Nothing is sacred or secure, not even encrypted wireless traffic broadcast by individuals or company networks.

The hackers can decipher such traffic by using transmission "sniffer" software tools available at no cost at underground Internet sites. A hacker with his own wireless-equipped computer simply drives or walks around until a wireless signal is detected.

"The software can break the encryption and provide the information for the password," said Alfred Huger, senior director of engineering for the Symantec Corp., a computer and software security company. "Then the hacker can 'listen,' or record transmissions unencrypted and get whatever information is broadcast."

Cellular phones and pocket PCs that have computing or Internet access also can be hacked.

Wired networks and individual computers connected to modems can be "cracked" as well by the illicit impresarios. They use a variety of tools that probe passwords and vulnerabilities in commonly used file sharing and software, including various Microsoft, Unisys and Linux programs.

Once the hacker gets into a computer or network, he typically installs undetectable BOT (short for robot) programs because they can be controlled remotely.

BOTs can be instructed to seek out credit card numbers, bank account information and other identity information.

"The bottom line is once hackers are in they can do whatever they want - take your files, run your computer, erase files, deny your Internet service or use your computer to attack other computers," said A.T. Smith, agent in charge of the Secret Service's New York field office.

Added the FBI's Helman: "Call me paranoid if you want, but I wouldn't do any banking online, not with what I know. Victims only find out when they get the bills or find out that their ID has been used in other ways."

Underground business

Hackers can conceal their computer addresses while they're using the Internet, by using a Web site - - that costs $6.95 a month.

The system, located outside the United States, guarantees anonymity in all chat rooms, E-mail accounts, file sharing and Internet surfing. It operates using servers located in Russia, Malaysia, the Netherlands and Germany.

Meanwhile, for ID thieves who don't want to go to the trouble of advanced hacking, there are numerous Internet sites where thousands of stolen credit cards and other ID information are available.

The traffickers, who also frequently trade lists of numbers, are known as "carders." The lists of numbers are known as "dumps."

On one site, a Russian hacker has offered a wide variety of credit cards. Prices ranged from $20 for large number of "USA Visa Classic" numbers to $170 for "dumps" of Visa Gold cards issued in France, Spain and Turkey.

The price per card typically hovers around $1 but drops as each card's expiration date draws nearer.

The top-dollar underground product is the "full info card," with a victim's name, passport information, Social Security number, credit cards, date of birth and mother's maiden name.

"That costs about a thousand dollars," said Larry Johnson, agent in charge of the Secret Service's criminal investigation unit.

Commenting has been disabled for this item.