Complain about a product or service

Stopping Identity Theft and Spyware

How to Surf Smart Without Being Scammed or Scared

By Martin H. Bosworth
ConsumerAffairs.com

April 8, 2005
Whether it's yet another big company misplacing people's data records, computers getting hacked or compromised by thieves, or just plain old-fashioned fraud, identity theft has people scared silly.

The fear of fraud and loss is keeping shoppers off the Web and inspiring a clarion call for government to take more action, and businesses to be more responsible.

Orson Swindle

Data Theft • Bank Data Breach Affects 12.5 Million Consumers • Data Breaches Exceed 2007 Record • Thieves Steal AT&T Laptop with Employee Data • Report: Data Breach Disclosure Laws Don't Affect Identity Theft • Patient Information Exposed in Data Breach at Walter Reed • Supermarket Chain Reports Data Breach • Report: Feds Still Not Doing Enough To Secure Data • Data Thieves Hit Georgetown University Students, Faculty • 800,000 Job Seekers At Risk In Gap Data Breach • TJX Data Breach Settlement Has Strings Attached • More ...

Orson Swindle, a former Federal Trade Commission (FTC) commissioner and member of the Center for Information Policy Leadership, sees the growing fears of identity theft and spyware as damaging to what he calls "the currency of information."

"Information has tremendous economic value," said Swindle, who spent six years and four months as a prisoner of war in North Vietnam. "The challenge consists of implementing proper protection of privacy versus maintaining the flow of the information-driven economy to keep it running … There's a big trust deficit on the part of the consumer right now."

What You're Up Against

The continual stream of data breaches, hacks, and fraud reports has filled the public's ears with a lot of scary terms that often get confused or misunderstood. Before knowing what to do about identity fraud and online crimes, you have to know what they are.

Adware consists mostly of those annoying pop-up ads that appear when you visit certain Web sites. Adware is more irritating than directly harmful, but it can be used to infect your computer with spyware if you click on the ad itself, or consent to use its content via the "Terms of Service" agreement.

Spyware and malware are the "catchall" terms for programs or applications that can get inside a user's computer without their knowledge, usually by visiting a Web site or being sent from another machine. These can include viruses, Trojan horses, and keyloggers, which record the user's keystrokes and sends them back as a file to the author, who may use it to break into the user's secure bank accounts or files.

Phishing is the practice of masquerading as a trustworthy person or business in order to gain access to your personal information. E-mails purporting to be from Nigerian ambassadors who need donations are a form of phishing, as are fake Web sites designed to look like legitimate auction or merchant sites, such as eBay or PayPal.

A more advanced form of phishing is pharming, where the address to a Web site can be "hijacked," redirecting visitors to a fake site in the hopes of stealing whatever data they provide.

Identity theft or identity-based fraud is the crime of someone stealing your personal information and using it for their own purposes, such as applying for credit cards in your name, charging items to your own card, or selling it to other criminals. Many forms of online fraud or hacking run the risk of leading to identity theft, but it can happen just as often by criminals diving through dumpsters for credit card offers or by stealing a wallet or purse.

Statistics: How Bad Is It?

You've probably been overwhelmed with figures claiming that spyware is a multibillion dollar industry, and that millions of Americans will fall victim to identity theft each year.

John Bambenek at the Internet Storm Center estimated that spyware could provide "over $24 billion in assets and credit that can be leveraged by 'hostile entities' today. I believe this number is an underestimate."

The makers of the "PC Immunity" anti-spyware program claim that 26.7 million American computer users have some form of spyware on their machine, and that there were 10 million cases of identity theft in 2004 alone. Naturally, each claims its product is the best solution to keeping your computer safe from hackers and fraudsters.

Separating cases of actual identity-based fraud (such as having credit cards opened using your data, or fraudulent charges made to your account) from cases of spyware or virus attacks, or losses of data records that may contribute to identity fraud, allows for a more objective look at just how bad the problem is.

The infamous CardSystems data breach exposed the accounts of 40 million Visa and MasterCard users to a ring of hackers, but of those accounts, roughly 263,000 were actually stolen. The rest may have simply been observed or left untouched, but as is so often the case, there isn't any way to prove damage.

The Internet Crime Complaint Center (IC3), a clearinghouse for law enforcement agencies dealing with cybercrime, received 103,959 complaints of genuine Internet fraud in 2004, according to its "Internet Fraud Report." (pdf file)

Of those complaints, 71.2% involved online auction fraud, while credit or debit card fraud accounted for only 5.4%. Of the actual fraudulent transactions, 63% were performed via e-mail, while 23% were done via Web sites, real or false. The IC3 report noted that many complaints involved multiple types of fraud, including spam e-mails, phishing, and so on, which prevented the crimes from being easily categorized.

Finally, the Javelin Strategy & Research firm reported that the Federal Trade Commission and the Identity Theft Clearinghouse received 246,970 complaints of identity theft in 2004, up by over 50,000 from 2003. However, the vast majority of complaints came from "traditional" forms of theft, such as stealing a wallet or checkbook.

Incidents of online theft or spyware-generated theft came in at only 5.2 percent. The firm claimed that the total numbers of theft victims also decreased slightly from 10 million in 2003, down to roughly 9 million in 2004. Whether this is due to better prevention or less reporting is unknown.

Whatever the statistics say, the perception of rampaging hackers infecting every computer has taken its toll on Web surfers.

The Consumer Reports WebWatch poll found 80 percent of Internet users have changed their online behavior out of fears of identity theft, with 30 percent reducing their usage of the Internet overall.

Another poll found that 20 percent of respondents will stop doing business with any company that has lost customer data or allowed it to be stolen.

What's Being Done: Government

Each new incident of data loss, identity theft, and spam or spyware has provoked more calls for legislation and law enforcement against thieves, spammers, and fraudsters. As of this writing, there are no fewer than five anti-spyware bills making their way through Congress as successors to the "CAN-SPAM" act of 2003.

Sen. Patrick Leahy (D-VT), himself a victim of the data breach caused when Bank of America lost millions of its government customers' records, has co-sponsored legislation designed to restrict data sellers' ability to trade information.

The problem isn't necessarily that Congress is incensed and wants to take action to protect Americans from theft and fraud. The problem is that much of the federal legislation being proposed will explicitly override state laws against identity scams, many of which are stronger than the federal equivalent.

Worse yet, like most legislation passed by the current anti-consumer Congress, the proposed measures block the right of individuals to sue companies that distribute spam and spyware for damages.

The main features of the "I-SPY" Act, for example, are that it prohibits individuals from bringing civil suits against defendants found violating the act's injunctions against spyware, and that the law provides exceptions for "lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency or a U.S. intelligence agency."

The "Enhanced Consumer Protection Against Spyware Act" not only dispenses with the cute acronyms, it also "denies a private right of action in either federal or state court." It also "preempts state and local law remedies," and prevents state attorney generals from initiating enforcement actions if the U.S. Attorney General or the FTC have already done so.

While supporters of stronger national legislation against spyware and Internet fraud claim a unified standard will be more effective than a "crazy quilt" of differing state laws, opponents believe the states are more capable of handling their individual citizens' needs than the government.

It was a state law against deceptive practices that enabled New York's attorney general Elliot Spitzer to successfully sue adware/spyware company Intermix and reach a settlement agreement.

The FTC and the Department of Justice already have plenty of weapons to use against fraudsters and hackers as well. As technology reporter Declan McCullagh recently put it, "A better solution might sound like a radical one: for Congress to do nothing."

What's Being Done: Business

Trading of personal information and online advertising are big moneymakers, with big businesses lining up to get in on the action. Unfortunately, in the zeal to sell your information for targeted marketing or to get you clicking on adware, businesses often forget how important it is to secure the data they gather so greedily.

Major corporations often contract out to advertising firms and their affiliates to get adware onto consumers' computers. The result is a dizzying network of adware sellers, buyers, and marketers with very little accountability and less recourse to stop it.

According to PC World's special report on adware, "The Hidden Money Trail," many adware marketers are tempted by the huge profits and lack of oversight to go "rogue," and start placing ads on your machine without your knowledge or consent.

Even ads claiming to provide spyware cleanups and defenses are often just tools used by advertisers to get adware on users' computers. Mike Healan, author of the Spyware Weekly newsletter, admonishes Web surfers not to be fooled by pop-up ads, no matter what they advertise.

"[A] window popping up on a Web site, screaming that it has detected spyware [on your computer], is just an advertisement," he says. "Installing the program being advertised most likely will lead to a worse malware infection than anything it claimed to detect in the ad."

According to Healan, legitimate anti-spyware companies advertise through word of mouth, good reputations, and good reviews. "They don't need to scare you into using their products."

And when it comes to businesses' protection of the data they collect, the news speaks for itself. Whether it's ChoicePoint allowing multiple exposures of its collected records, major banks giving up security for faster performance, or Blockbuster employees leaving customer membership records on the sidewalk, the message is clear: Until companies take more responsibility for protecting the information they collect, it's up to the consumer to be vigilant in how they share their personal data, and who they choose to do business with, both online and offline.

What You Can Do

Just as there are many aspects to the problems of identity theft and spyware, there are many solutions. There's no cure-all panacea to safer Web surfing and shopping, but there're many preventative remedies.

Alex Eckelberry, president of Florida-based Sunbelt Software, believes in what he calls the "four pillars of Internet security" -- software firewalls and downloading security "patches," plus anti-virus and anti-spyware programs. "With these basics, your Internet experience is dramatically safer," he says.

"Most certainly, anti-virus [programs] and patching are absolutely essential," said Eckelberry. "Most, if not all, of these products can be obtained at no charge on the Internet."

An engineer at Sunbelt was responsible for identifying a keylogger program that was connected to a large identity theft operation. The company's investigation found several thousand computers infected with keyloggers of various types.

"The good news is that we didn't find infestation rates in the tens of thousands," he said. "One thing we found with all of these is that they were infecting users who were on unpatched systems."

Consumers are also demonstrating greater smarts when it comes to responding to credit card and online fraud.

When Visa and MasterCard holders were hit with unauthorized "spam charges" from a still-unidentified source, the Internet was abuzz with sharing information on disputing the charges, canceling the cards, getting help from authorities, and so on.

Orson Swindle believes that though identity theft and online fraud may never be completely stopped, that shouldn't keep Americans from utilizing the Internet's many opportunities.

"Consumers want to feel safe, secure, and have convenience," he says. "They need to use good practices and be responsible" when giving out information online or dealing with dubious Web vendors.

Businesses need to be "just as accountable" when it comes to protecting the information they collect, he said in an interview with ConsumerAffairs.com. "We've got a huge problem ahead of us, and it'll take all of us to solve it."

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |