44.493
Issues in Criminal Justice Technology & Security
Identification (continued)
Arguments against National Identification Card:
- wouldn't avoid terrorist attacks:
terrorists would just find ways to get the cards (and the fact
that they have new features such as biometrics might give us
a false sense of security)
- "unintended consequences:"
once in effect, police and others might begin to use them
in additional ways (ACLU points out that the Social Security
Act included "strict prohibitions against use of Social
Security cards for unrelated purposes")
- would require creating a government
database, continually updated, including every American -- this
data base would be prone to the same kind of errors that the
"no fly" list has, and might really cause serious problems
for people. "Law enforcement and other government agencies
would soon ask to link into it, while employers, landlords, credit
agencies, mortgage brokers, direct mailers, landlords, private
investigators, civil litigants, and a long list of other parties
would begin seeking access, further eroding the privacy that
Americans have always expected in their personal lives."
- Might be seen as "internal
passports" that authorities could use to track innocent
people's movements (VA
was considering an RFID chip in licenses, which would have facilitated
this).
- Could result in new types of
discriminatory action against minorities and others.
My article on the benefits of a "smart"
passport such as those used in Malaysia.
How would smart cards do in light of our
evaluation criteria?
Identity theft
What is it?
According to the FTC,
identity theft is "when
an identity thief obtains some piece of your sensitive information
(your bank and credit card account numbers; your income; your
Social Security number (SSN); or your name, address, and phone
numbers) and uses it without your knowledge to commit fraud or
theft."
What is the current extent
of the problem?
- US Public Interest Group
estimates 500,000-700,000 people are victimized yearly. It takes
the average victim 23 months to resolve their cases, spending
an average of 175 hrs. and $808 in out of pocket fees (not including
lawyers' fees).
- According to the Anti-Phishing
Working Group, incidents of phishing alone increased an average
of 28% a month from July 2004 through March 2005
- 78 brands were hijacked
by phishing in March.
- The average length of time
online for these sites was 5.8 days, with longest being up for
31 days.
- Organized crime is now becoming involved.
There is evidence that the MyDoom virus last year was used by organized
crime rings to steal money from individuals' accounts.
Sites such as www.oemcd.biz, www.mega-oem.biz, http://huge-sales.info
and www.atlantictrustbank.com that might appear legitimate
aren't: "The one thing all of these sites have in common
is that none of them exist. If you buy something from them, you'll
get nothing, and they will never charge your credit card. But
what they will do is steal your identity."
- Several cases in 2005 of data base theft from legitimate retailers, including
Ralph Lauren Polo and DSW Shoes, have included thefts of millions
of credit card numbers, social security numbers, and bank account
numbers.
Colleges
and universities whose student and alumni records have been stolen
in recent months include BC, Tufts, Carnegie Mellon, and Stanford.
- More than 300,000 had their records stolen
from a variety of companies, including Lexis-Nexis, that sell
data bases.
How is it done?
According to the FTC, the current techniques include:
- Getting information from businesses
or other institutions by:
- stealing records from their
employer,
- bribing an employee who has
access to these records, or
- hacking into the organization's computers.
- They rummage through your trash,
or the trash of businesses or dumps in a practice known as "dumpster
diving."
- They obtain credit reports by
abusing their employer's authorized access to credit reports
or by posing as a landlord, employer, or someone else who may
have a legal right to the information.
- They steal credit and debit
card numbers as your card is processed by using a special information
storage device in a practice known as "skimming."
- They steal wallets and purses
containing identification and credit and bank cards.
- They steal mail, including bank
and credit card statements, pre-approved credit offers, new checks,
or tax information.
- They complete a "change
of address form" to divert your mail to another location.
- They steal personal information
from your home.
- They scam information from you
by posing as a legitimate business person or government official.
One of the newest variations is "phishing,"
in which you are sent what
appears to be a legitimate email that directs you to a website
where you are asked to divulge personal information such as social
security numbers or bank accounts. Phishing involves "both
social engineering and technical subterfuge to steal
consumers' personal identity data and financial account credentials.
- Social-engineering schemes
use 'spoofed' e-mails to lead consumers to counterfeit websites
designed to trick recipients into divulging financial data such
as credit card numbers, account user names, passwords and social
security numbers. Hijacking brand names of banks, e-retailers
and credit card companies, phishers often convince recipients
to respond.
- Technical subterfuge schemes
plant crimeware onto PCs to steal credentials directly,
often using Trojan keylogger spyware. Pharming crimeware
misdirects users to fraudulent sites or proxy servers, typically
through DNS hijacking or poisoning"
Another is "DNS
poisoning," which takes over a computer and installs
a range of adware and spyware. "Very sophisticated attack."
It involves fooling domain name system servers into directing
those heading to any .com site to "a malicious Web site that
the attackers control. That Web site then surreptitiously installs
a wide range of adware and spyware on the victim's computer." Results
include:
- complete disruption of Internet
connection for anyone using the affected DNS server. That can
be an entire company in case of small firms.
- later, the company must clean
up adware and spyware.
- "an estimated 3000 DNS
servers at a range of U.S. companies, including at least two
with more than 8000 employees, were compromised over the past
month."
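Because the attack described above sends every .com lookup to one attacker-controlled site, a poisoned server stands out in its own answers: many unrelated domains suddenly share a single address. The following is an added example, not part of the original notes, showing that detection over a constructed resolver log; the log format, the baseline table and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed resolver log: "<resolver> <queried name> <A record returned>"
SAMPLE_LOG = """\
ns1.corp.example www.shop-a.com 198.51.100.10
ns1.corp.example www.news-b.com 198.51.100.20
ns2.corp.example www.shop-a.com 203.0.113.66
ns2.corp.example www.news-b.com 203.0.113.66
ns2.corp.example mail.bank-c.com 203.0.113.66
ns2.corp.example www.travel-d.com 203.0.113.66
"""
# Constructed baseline of known-good answers gathered earlier from a trusted resolver.
BASELINE = {"www.shop-a.com": {"198.51.100.10"}, "www.news-b.com": {"198.51.100.20"}}

def base_domain(name):
    # Simplification: last two labels. Real code should use the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def find_poisoned(log, baseline, min_domains=3, allow_ips=()):
    """Flag resolvers that map >= min_domains unrelated domains to one address.

    allow_ips lists shared-hosting or CDN addresses that legitimately serve
    many domains and should not raise an alert.
    """
    domains_by_answer = defaultdict(set)
    mismatches = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        resolver, name, ip = parts
        domains_by_answer[(resolver, ip)].add(base_domain(name))
        if name in baseline and ip not in baseline[name]:
            mismatches[resolver].add(name)
    alerts = []
    for (resolver, ip), domains in domains_by_answer.items():
        if ip in allow_ips or len(domains) < min_domains:
            continue
        alerts.append({"resolver": resolver, "sink_ip": ip,
                       "domains": sorted(domains),
                       "baseline_mismatches": sorted(mismatches[resolver])})
    return alerts
```

On the sample log only ns2.corp.example is reported, with four unrelated domains answered by the same address and two answers that contradict the baseline.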
Still another is turning home-based
computers with always-on connections (and without current firewall
protection, etc.) into "zombies,"
which are then used to spread up to 80% of all spam. One of the
dangers to individuals is U.S. Code Title 18, which says that
anyone whose computer contains child pornography files, "regardless
of intent, has committed a felony and is subject to five years
in prison. This includes zombie victims, anyone who has had a
pop-up window with illegal content appear on-screen, and so forth."
What are techniques to combat it?
- There are some
simple steps which individuals can take to reduce their risk:
- Sign your credit cards as soon
as they arrive.
- Carry your cards separately
from your wallet, in a zippered compartment, a business card
holder, or another small pouch.
- Keep a record of your account
numbers, their expiration dates, and the phone number and address
of each company in a secure place.
- Keep an eye on your card during
the transaction, and get it back as quickly as possible.
- Void incorrect receipts.
- Destroy carbons.
- Save receipts to compare with
billing statements.
- Open bills promptly and reconcile
accounts monthly, just as you would your checking account.
- Report any questionable charges
promptly and in writing to the card issuer.
- Notify card companies in advance
of a change in address.
- Don't:
- Lend your card(s) to anyone.
- Leave cards or receipts lying
around.
- Sign a blank receipt. When you
sign a receipt, draw a line through any blank spaces above the
total.
- Write your account number on
a postcard or the outside of an envelope.
- Give out your account number
over the phone unless you're making the call to a company you
know is reputable. If you have questions about a company, check
it out with your local consumer protection office or Better Business
Bureau.
- California passed a law in 2003 that
requires companies whose data may have been stolen to notify
their customers -- Congress
is considering a national equivalent.
- Anti-phishing Working Group maintains
a running list of phishing schemes.
- It is highly likely, because of so many incidents
and the level of public and corporate outrage, that Congress will
pass identity-theft legislation this session.
- Biometrics may be the best way to solve
it, perhaps in conjunction with a national ID card.