This summer, the Department of Justice cracked the biggest case of identity theft in history. While we are thankful to the Justice Department for its hard work in bringing the identity thieves to justice, it does not negate the fact that over 40 million credit card numbers were stolen by some loose outfit of swashbuckling hackers. Identity theft, as this glaring example shows us, has become a serious problem in today’s world. Both at home and abroad, the news is fairly distressing when it comes to our collective vulnerability to crime on the Internet. When we turn to the Identity Theft Resource Center’s latest findings, we learn that the total number of data breaches (or hacks) reached an all-time high in 2008, and over 15 million Americans are victims of identity theft each year.
As the average Internet user has grown increasingly comfortable with doing business on the Web, we have seen a corresponding rise in the amount of private information that changes hands there. And of course, the potential for foul play has increased in conjunction with the rising number of transactions. Many larger companies have the funding and technological capacity to secure the private information exchanged in this process, whereas we have increasingly found that smaller companies – as well as the average consumer – are not as protected as one would like to think.
So I asked Scott Mitic, CEO of TrustedID, a private company dedicated to providing consumers with the strongest identity theft protection solutions available, what we might learn from the latest string of high-profile security breaches and the rise in ID theft.
Scott informed me that most of the research out there today shows that consumers are still most concerned about online shopping as a source of potential vulnerability, even though it has proliferated for over ten years now. Obviously, high-profile crimes like the one the Justice Department dealt with this summer affect the psychology of the average web user and what we think is appropriate to do or buy on the Web. "Clearly it’s a major threat. Anytime a small group of individuals can use off-the-shelf tools and consolidated brain power to compromise the identities of tens of millions of people, it’s a threat that every single person needs to understand and consider," Mitic says.
All of the old rules still apply, the CEO continued. It’s become clear that we need to be wary of any individual, company, website, or communication that asks for our personal information. And most importantly, we need to take proactive steps to protect our information, like placing anti-spyware on our computers and fraud flags on our credit reports, for example. It also wouldn’t hurt to do business with companies who are explicit about their investment in information security and privacy, Mitic explained.
What is important to remember — and certainly unsettling — is that the goal of these new "pharming" attacks is not to spread viruses; they are not perpetrated for fun or for bragging rights, as in the case of "trolls." They are about collecting sensitive personal information and thus financial gain — they are about "exploiting technology for the benefit of their wallets."
Luckily, the government has taken some preliminary steps to respond to the growing number of identity thefts. Last week, President Bush signed into law a bill that will make it easier for prosecutors to go after cyberpunks and will ensure that victims of ID theft are compensated for their stolen property once thieves are convicted.
Todd Feinman, CEO of Identity Finder, LLC, reassured me that the government is increasingly passing regulations to make sure private information is kept secure. And where the government has struggled, companies like Identity Finder are working to close the gap. Of course, it's up to consumers to do their part as well. To help them get started, Mr. Feinman suggested three ways in which people can ramp up their protection against security threats:
(1) Find and identify unprotected forms of your identity. People should go through all of their files and emails to make sure nothing is left vulnerable, like social security numbers, credit and debit card numbers, bank accounts, passwords, dates of birth, and addresses.
(2) Once you find your personally identifiable information (PII), protect it. If you need the document, but not the PII, then redact the PII. And, hey, if you don’t need that personal information anymore, then digitally shred it! Get rid of it. And if you do need it but think it's not safe enough, encrypt the document or email.
(3) Change your behavior. You don't want to give other people or companies the chance to access your PII, so try not to give it to other companies or websites unless it's mandatory. If a cell phone company asks for it, tell them you’d like to provide a small deposit until your history and credit with them are established first.
By doing the little things right, and by encouraging the media to cover web security news, we can stay ahead of the curve: "The media’s continued focus on the topic will help marshal the resources, both private and public, that can mitigate and potentially eliminate many of the most dangerous forms of web-crime we see today," says Mitic. And I think he's onto something.
We could all benefit from being a little more careful of what we share on the Internet and how we do business there.
By Rip Empson