Online, nobody knows you're a fraud

By David Braue

Sep 19, 2005: Surveys show that as a nation, we've gotten over our fear of shopping online. David Braue wonders whether that might not be such a good thing.

You can't buy a pack of cigarettes without being confronted with a bold warning about its effect on your health. Just a few years ago, e-commerce wasn't in a much better position: media reports about its tremendous growth lauded its ability to change the world, while inevitably warning about the criminals lurking just out of sight, waiting to steal the credit card numbers of online shoppers.

These days, it appears that most Australians have moved on. A recent Visa International survey found that the 4.2 million Australians shopping online spent more than $617 million buying products and services on the Internet in March alone. That's the equivalent of annual sales of $7.4 billion, making us the world's third largest buyers of online goods, and represents an increase of 38 percent on last year. The average purchase was a healthy $142, with 10 percent of orders coming from overseas.

Credit cards are readily used for all sorts of online purchases, and Internet security consultants no longer try to scare up business with surveys pointing out how many people are deathly afraid of their credit card numbers being stolen. Card issuers' adequate indemnification policies and a general dissipation of the online mystique may also take some of the credit for this shift in attitude; plastic has definitely become the accepted currency of the Web.

A matter of identity

Fortunately, most of us have never had any problems with credit cards being stolen or misused. Yet even as consumers increasingly move online for their retail therapy, their newfound confidence could be a liability for other reasons. With most sites facing a continuous barrage of attacks and authors of information-stealing applications finding new ways to worm their way onto remote PCs, a whole new breed of boggards is waiting in the dark of cyberspace.

The most extreme dangers come from the theft and misuse of personal information, enabling identity theft that is usually for financial gain but occasionally for more nefarious purposes. The most comprehensive study of identity theft, released by the US Federal Trade Commission (FTC) in 2003, found that 27.3 million Americans (10 percent of the population) had been victims of identity theft during the previous five years.

Credit card misuse (reported by 67 percent of respondents) was the most common result of identity theft; 19 percent of respondents also said they'd had funds siphoned from bank accounts. Total losses to businesses and financial institutions were estimated at $US48 billion, and an additional $US5 billion was siphoned out of the accounts of innocent consumers. Average individual losses were $US4800 per attack on businesses and financial institutions, while individuals lost an average of $US500.

Immediate financial losses are only the beginning of the problem for both businesses and individual victims, however: damage to credit ratings, business or personal reputation and the exposure of information security vulnerabilities can all have far-reaching implications. In the FTC survey, 1.5 million people said their personal information was misused for non-financial goals, such as obtaining government documents or filing tax forms, during 2002 alone.

The FTC's 2003 survey was updated this year by the US Better Business Bureau (BBB), which conducted a follow-up survey and found that 9.3 million Americans were victims of identity theft during 2004, a finding consistent with the FTC's results. Total losses were $US52.6 billion, a finding that corroborates the results of the initial FTC survey.

Clearly, the Internet has become a valuable weapon for identity thieves, since it provides many methods for would-be bandits to surreptitiously gather all sorts of personal information to help them in their efforts. Credit reports, bank histories, drivers' licences, passports: by building up a false history of transactions, it's possible for a fraudster to substitute their identity with that of an innocent person.

Forget social engineering: they don't even have to be located in the same country to find out where a person lives, their income, email address, physical addresses, and so on. This information can then be combined with traditional identity theft techniques such as intercepting bills, credit cards, and other sensitive information. They typically won't be questioned unless they set off red flags, which are out there but can nonetheless be circumvented with alarming regularity.

Rogue agents

The identity fraud documented by the FTC all happened in the US, where the collection and marketing of personal information has become a multibillion-dollar industry. In Australia, however, recently enacted legislation requires medium and large businesses to take adequate measures to prevent misuse of personal information. By and large, they have behaved well, or at least no worse than they did before the law came in.

Local protections, however, will struggle to protect information online since the Internet transcends national boundaries. Even casual users may access Websites in a half-dozen countries, spread across three continents, during an average session, often without knowing it.

This level of internationalisation is largely responsible for the success of new forms of personal information collection, which range from phishing attacks (in which victims are sent emails purporting to come from a bank or other service organisation and requesting personal details) to keystroke loggers and sneaky Trojan horses that can sniff out credit card numbers, passwords and other information.

Such insidious programs can, we are told, load themselves onto our systems simply by reading infected emails, visiting infected Websites, or sharing music online. Antivirus vendors have stepped up their efforts to quickly deal with new viruses, which continue to appear fast and furious: Sophos, for one, reported analysing and protecting against 1146 new viruses in April alone, adding that 2.2 percent of all emails sent during April were carrying viruses.

The people writing these viruses have usually been written off as electronic vandals. That could be changing, however: an April study by security firm invectionvectors.com found that Bagle, a worm that has emerged in nearly 100 variations since first appearing in January 2004, shows worrying signs that its author is using careful iteration techniques to modify each successive version, testing antivirus defences with a deliberate intent that suggests the author may be working for financial gain. This is a worrying change, as it would suggest that viruses are becoming proactive tools in new forms of theft of personal information.

The best protection

Despite their potentially severe consequences, avoiding such nasties is easy. A daily updated antivirus system is a must, for example, and use of a desktop firewall application will close up most stray security holes. Other necessary practices, however, are not so common: for example, the frequent updating of operating systems to patch recently discovered security holes that are frequently exploited by Net nasties.

Against what would normally be seen as common sense, many users still don't bother to update their antivirus software or to install updates. Others, particularly large companies, find they simply cannot keep up with the flood of patches to their core operating systems and business applications.

The otherwise impossible task of distributing those patches across hundreds or thousands of PCs can be automated thanks to patch management tools from the likes of PatchLink and Computer Associates, but the fact that patches can be automatically applied doesn't mean they should be. Some patches have been known to break otherwise working applications, which can be a nightmare should an affected application be necessary to run the business. Damned if they do and damned if they don't, some companies have chosen to defer applying patches even when they know the patch protects against a potentially gaping vulnerability in their IT armour.

This is an unfortunate but understandable decision, says Chris Thomas, security architect with Computer Associates. "From a vendor standpoint the quality of patching has gotten a lot better, but it's always up to the user to make sure they go through the proper regression testing," he explains. "Even if it is a very critical vulnerability, you've got to make sure it works. There's no point taking the system down by applying a patch."

Fuelled by the FUD over theft of personal information and other Net nasties, security experts may be aghast at the suggestion that companies should not apply patches. In a practical sense, however, it's critical for both consumers and businesses to retain a measure of pragmatism when considering the real extent of their exposure.

After all, most identity theft still happens through offline means such as the theft of a wallet or other non-Internet activities. Just 13 percent of the surveyed victims (3.5 million people, by the FTC's extrapolation) could pinpoint the theft of their personal information to a credit card purchase made online, through the mail or over the phone.

In the BBB's follow-up survey, only 11.6 percent of respondents knew their information was obtained online, compared with 68.2 percent who knew it was obtained offline. This figure corroborates the findings of a 2003 Gartner survey in which 12 percent of respondents said that the identity theft happened when someone stole or improperly obtained a paper or computer record with their personal information on it.

Throughout these discussions, however, it's critical to keep a sense of perspective. Identity theft is certainly real, but the best weapon against it is common sense, and a bit of smart computing.