Who Cares About Identity Theft?

That is the question we ask in our most recent column in the New York Times Magazine. Along the way, we try to clear up some misconceptions about the subject, and get a guided tour of a hacker chat room where credit-card numbers, passwords, and PINs are bought and sold. Below is some of the research cited in the Times piece, along with some extras.

+ Steven Peisner is a veteran of the credit-card industry whose current company, Sell It Safe, helps merchants avoid fraud. Peisner spends a lot of time monitoring hacker chat rooms, and also sussing out fraudulent sites like this fake Bank of America website. A close look at the site reveals that its URL has nothing to do with Bank of America, but in fact reads “www.paypalacustomers.com.” “Even hackers get tired,” Peisner explained, “and sloppy.” The site will accept any keystrokes as a login and password; on the following page, a form asks for a complete array of personal information including – oops! – “Father Maiden Name.” (Warning: unless you really want to hand over your personal information to the hackers who created this site, don’t enter any real data.) [Addendum: a few hours after this blog post, the page described in the previous sentence was disabled; it had been in existence for at least two weeks.]

+ In this paper called “Why Phishing Works,” computer scientists Rachna Dhamija (Harvard) and J.D. Tygar and Marti Hearst (both at Berkeley) found that the best phishing sites were able to fool 9 out of 10 people.

+ In his forthcoming book Stealing Your Life, reformed fraudster Frank Abagnale (famous for Catch Me If You Can) argues that identity theft is extraordinarily easy to commit and very difficult to stop.

+ And yet a new report by Javelin Strategy and Research (which, admittedly, is funded by financial institutions) found that identity theft has actually leveled off. The full report isn’t available to the public, but this consumer version is, along with this summarizing press release; the Federal Trade Commission has also reported a leveling-off of identity theft.

+ Here is a Victim’s Guide for Identity Theft issued by the Los Angeles County Sheriff’s Department, which runs one of the most aggressive identity-theft task forces in the U.S. If you’re curious about your own vulnerability, take this safety quiz from the Better Business Bureau.

+ The TowerGroup, a research firm owned by MasterCard Worldwide, recently found that “banks are not yet ready to dedicate resources to solving any ID theft problem,” which leaves the onus largely on the merchants.

+ In this ingenious credit-card prank, the prankster wonders how crazy he would have to make his signature before someone actually cares.


You can find the post I just promised at: http://www.freshpeel.com/2007/03/security-mascaraed.html or just go to www.FreshPeel.com


Firefox does not recognize it as a Phishing site either (FF and IE7 rely on a registry of known fake sites); also, I think they only worry about https sites. Note that it also does not use https, which should clue most people into a problem (anything asking for a password which does not use https is exposing that password in clear text). The 1st thing any user should know is that the URL bar should go yellow and a lock symbol should be shown if asked to enter sensitive information.
I hope you have separated out the friend/relative ID theft, as that is still the most serious problem.
What is odd about people not recognizing Phishing scams is that there is one very easy way to check. When an email has links to where you should go, just hover over the link. The status bar will show the URL. If it does not match the name of the company (and they never do), that is a good clue. The vast majority of Phishing emails have the link to a numerical URL, and that is an instant clue it is Phishing.
The problem for financial institutions is that they are trying to provide convenience and the costs to them so far have been relatively low. The problem for the customers is that most Phishing mails are designed to scare you into acting quickly ("your account is about to be closed"; "you charged $600 for this item, tell us if this is wrong"; "someone has been trying to access your account, please change password and confirm data"; etc.), and enough people are scared into acting.
If people would at least verify it is an https (secure) page, this would stop a lot of this problem right off.
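The checks pkimelma describes (look at the real link target, whether it is https, whether the host is a bare number, whether the domain matches the company) applied mechanically to a constructed sample message. This is an added example, not code from the original post or its commenters; the sample e-mail body, the expected domain and the two-label domain rule are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the original post): a link whose
# visible text names the bank but whose href goes elsewhere, a link to a bare
# IP address, and one link that really does point at the bank.
SAMPLE_EMAIL = """
<p>Your account is about to be closed. Please confirm your details:</p>
<a href="http://www.paypalacustomers.com/login">www.bankofamerica.com/secure</a>
<a href="http://192.0.2.44/verify.php">Verify now</a>
<a href="https://www.bankofamerica.com/">Bank of America home page</a>
"""

# Matches each <a href="...">text</a>; the href is what hovering would reveal.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def registrable(host):
    """Last two labels of a hostname, e.g. www.example.com -> example.com.
    Good enough for .com-style names; does not handle co.uk-style suffixes."""
    return ".".join(host.lower().split(".")[-2:])

def link_warnings(href, text, expected_domain="bankofamerica.com"):
    """Return the reasons a link looks like phishing (empty list = nothing flagged)."""
    url = urlparse(href)
    host = url.hostname or ""
    warnings = []
    if url.scheme != "https":
        warnings.append("not https")
    try:
        ipaddress.ip_address(host)  # raises ValueError for ordinary hostnames
        warnings.append("numeric host")
    except ValueError:
        pass
    if registrable(host) != expected_domain:
        warnings.append("host %s is not %s" % (host or "(none)", expected_domain))
        # The visible text names the bank while the real target does not.
        if expected_domain in text.lower():
            warnings.append("link text masquerades as %s" % expected_domain)
    return warnings

def scan_email(html, expected_domain="bankofamerica.com"):
    """Return [(href, warnings)] for every link in the message body."""
    return [(href, link_warnings(href, re.sub(r"<[^>]+>", "", text), expected_domain))
            for href, text in LINK_RE.findall(html)]

if __name__ == "__main__":
    for href, flags in scan_email(SAMPLE_EMAIL):
        print(href, "->", ", ".join(flags) or "ok")
```

As a later comment points out, a link passing these checks is not a guarantee of safety; they only catch the sloppy cases.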



pkimelma: People don't check. We take it for granted... that's the problem.

Btw, "...and get a guided tour of a hacker chat room where credit-card numbers, passwords, and PINs are bought and sold"

In IRC there are chat rooms where passwords aren't even sold. You just have to type in some command like !password and a bot will list a set of passwords for known sites et al.


To "pkimelma" ...

The fact that you *do* see 'https://' is NOT .. I repeat, NOT any sort of guarantee that you are on a 'secured' site. The phishers use a small .php file to fully spoof the URL .. *including* the 'https' and have been doing that for about the past 3+ years.

A considerable amount of current 'anti-phishing' literature fails to take that into account and keeps promoting 'https' as 'safe.'

The 'little yellow lock' indicator of a valid security certificate has also been compromised for about the past year or so. Yes, on the spoofed ones there is a warning pop-up box that not all elements of the certificate match the current site you're on, but most end-users will click right on thru.

End-users don't know what the certificate means for starters nor have they ever double clicked one to check. No reason to, right? This site is my banking site, yes? I was told that if I see the lock, I'm safe, yes? The pop-up warning, for most, is meaningless.

I'm puzzled by the Javelin Strategy and Research and FTC reports stating that ID theft has 'leveled off.' I don't see that at all. And how many people actually report to the FTC? Most victims don't know reporting to them is even an option.

There is so much more on this that is part of the overall issue .. including holes in marketing and where marketing *is* part of the problem .. and 'tired hackers.' :)

Looking forward to the article.



The problem is that it is a seemingly victimless crime. My card was double swiped at a restaurant and 3 months later the guy created a new card with my info on it and went on a shopping spree to the tune of over $7k. I notified the bank that my card was being run and it took about 2 weeks to get my banking back in order, but I didn't have to pay anything, I don't think the bank had to, and the one left holding the bag is the retailer (I think).

Nobody suffers enough to change their behavior and it just keeps on going and probably results in higher credit card fees, retailer charges, prices in stores and the consumer is the one that gets screwed - yeah!


"Indeed, but this should be the bank's problem, not the customer's." - the problem is balancing convenience with security. In the old days you had to show up in person for any financial transaction, so fraud was much less common. But, we as consumers want convenience. This means we want it to be easy to buy things, open accounts, etc. How a bank validates information is a tricky problem, given how much confidential information seems to leak out (phishing sites being one way). Of course, a lot of identity theft is still relatives, and that is a problem as they have access to most confidential information.
If banks and others are held fully responsible, then consumers have no impetus to protect their information. As it is, consumers normally only suffer from the pain of fixing broken credit records, not financial costs. So, phishing attacks work in part because people do not see real consequences from filling out information on web pages. If consumers were held more responsible (as they were when dialing 976 and 900 numbers for example - a previous scam), they would learn a lot faster I expect.


Jeff Sovern

You can read more about the disincentives faced by both lenders and credit bureaus to stop identity theft in my article "The Jewel of Their Souls: Preventing Identity Theft Through Loss Allocation Rules," available at 64 University of Pittsburgh Law Review 343 (2003).


Ah... er, I do.


The Canadian government has had to shut down its e-tax system, which was hacked on the weekend, so they must care....


As a marketer I have found this issue as one that is increasingly becoming popular among companies who have access to this information. Many customers are putting this issue at the top of the list when choosing a bank, credit card, or any other process in which confidential information is necessary. A majority of my clients are banks, and at least 3 out of 4 messages to their customers in the past few months have been regarding identity security measures. Maybe this is all talk to make customers feel secure. Really there is no way that they can physically prove to their customers that their information will be safe. Their marketing message may not match what they are actually doing. I think I feel a new topic for my blog coming on. Thanks Stephen. (www.FreshPeel.com)


With respect to the credit card receipt signature issue, from what I understand the purpose of the signature is so that fraudulent charges can be later contested. I.e., you claim a charge isn't yours, and the merchant and credit card company verify the signature as one means of checking out the issue. Note also that you can now purchase things with a credit card and never sign anything -- such as online, at gas pumps, etc.


I just looked at the NY Times this morning online and read an article titled "Violent Crime in Cities Shows Sharp Surge" by KATE ZERNIKE Published: March 9, 2007.

Here is the link:

I could not find an email address for Mr. Dubner and Dr. Levitt so I posted the article here. SORRY!

In Freakonomics it talks about attributing the decrease in crime during the 90's to Roe v. Wade and the legalization of abortion. I was just wondering if anyone had a quirky explanation for why "[v]iolent crime rose by double-digit percentages in cities across the country over the last two years" as Ms. Zernike states in her article. Does anyone have an idea?


Regarding the fake Bank of America site -- I am amused that IE7's vaunted anti-phishing feature fails to flag the site as suspect.


If you hover the cursor over the link in a message in Apple Mail, it will show you the real URL.

I've been fooled by a few phishing attempts but I don't click links in that kind of email but instead go to the website I'm used to and see if that connects to the same info claimed in the email.


A handy thing to keep in mind is that nobody, least of all financial institutions, relies on e-mail to keep customers aware of important goings-on.

Therefore, whenever anybody that you don't know personally appears to be telling you something important in an e-mail, you should ignore it.

That's the beginning and end of phishing defense (and rids us of stupid e-mail forwards, which bother me more than phishing, frankly).


This can be solved very easily. Whatever bank or merchant accepts invalid credentials to issue a new credit card is responsible for all direct and consequential damage to the defrauded individual.


derekweb, the problem is that the Phishers are getting real credentials. People do move and they do apply for new cards, so the question is how does the bank or merchant know it is invalid?
As to the problem of people not checking, the issue is how to make it easier for the users? The difficulty is that the system does not know you think you are going to a Bank or e-commerce site, so it cannot protect you. Otherwise, it would be easy enough to enforce certificates and other controls.
One method proposed in the past was a separate application for entering certain sensitive information. If you do not see that application start, then you know there is something wrong. By making it distinctive, fake popups cannot be created to look like the app, etc. But, this never got going because they could not get all the browsers on board (read MS, who wanted their own method). It is a shame, because it is possible to train people never to enter certain information except into a special dialog/app, but you have to get a common method for this to work.



@pkimelma and derekweb:
Validity of credentials doesn't matter. The simplest formulation of the real problem of identity theft is formulated thusly --
If Lender A lends money to Person B, then Lender A should *not* be able to demand repayment from Person C.

There is no legal or moral reason why A should be able to demand money from C. The fact that A thought B was C at the time is immaterial.


lonewolf13, if people ignore a warning that a certificate is invalid or missing, then there is a real problem. This is about the same as buying a "Rolex" on the street corner. The browsers are pretty clear that this is not good. Since you got this after clicking a link from an email, it should be sounding alarm bells. But, I agree that the browsers could do better. By lock, I meant at the bottom of the window and the URL line being colored. The newer browsers do not allow you to fake this without the warning. Yes, some phishing sites use a lock favicon, but that should not be enough to fool someone.
Mango, the problem is how a bank knows person B is equal to person C or not, if person B has all the confidential information of person C. You are supposed to keep your private information confidential. But, you can contest invalid charges and all, so the risk is rarely actual charges (although many people pay the charges without knowing it). The problem is that your credit report is trashed and it is hard to get repaired.



"the problem is how a bank knows person B is equal to person C or not, if person B has all the confidential information of person C."

Indeed, but this should be the bank's problem, not the customer's. It's easy to blame the customer for not being diligent with personal information, but why should it be the customer's responsibility for preventing banks from giving money to fraudsters? Quite simply, it shouldn't, for the reason stated in my previous post. Whoever holds the money is responsible for keeping it safe.

And insofar as customers are suffering from problems caused by identity theft, we have a real problem. I would suggest that government action may be needed to sort this out. If Person C is the subject of identity theft, there should be a clear way to demonstrate this is the case (typically this part isn't hard), and then there should be legislative onus on the banks to undo any harm to that person's finances and/or reputation.

"This is about the same as buying a “Rolex” on the street corner. The browsers are pretty clear that this is not good."

For some reason the average person has an easy time understanding the security implications of buying a watch out of a briefcase, but not so much the implications of an explanatory warning dialog in a browser.