Thieves Use Many Ways to Obtain Personal Data

ChoicePoint Inc. and LexisNexis may face withering criticism for not keeping identity thieves out of their massive databases, but information brokers are far from the only sources of the Social Security numbers, addresses and other tidbits that fuel the fast-growing brand of fraud.

Just ask Brielle LaCosta, whose personal data was stolen when she responded to a seemingly official e-mail purportedly from online auctioneer EBay Inc. Within a few days of filling out the online forms, a car she had put up for auction had been sold out from under her and someone had run up $12,000 in charges on her credit card.

“I was stupid,” said the 20-year-old college sophomore from Connecticut. “I put it all on there.”

She’s not the only one. Despite high-profile security breaches at big data aggregators like ChoicePoint and LexisNexis, online attacks, inside jobs and old-fashioned burglaries provide crooks the bulk of the personal data they need to open fake credit-card and other accounts.

The rise of online commerce, in particular, has been a boon to thieves. Obtaining sensitive identifying information has become so easy, according to investigators, that the wholesale rate for valid credit-card numbers has fallen to as little as a dollar apiece.

“Consumers are not equipped to defend themselves properly,” said Gartner Inc. data security analyst Avivah Litan. Among thieves’ weapons of choice are so-called “phishing” attacks like the one that snared LaCosta, in which e-mailers pretend to be from a bank or other commerce site and refer people to sites that look official, and the use of spyware that surreptitiously logs account passwords as victims type.

As those tools become more effective, “there’s no lack of supply of stolen credit-card information,” said former Assistant U.S. Atty. Scott Christie, who prosecuted members of Shadowcrew, an accused identity-theft ring. Some thieves try to obtain card numbers issued by banks in specific parts of the country, making fraudulent purchases less likely to stick out on consumers’ bills because they look local.

So worried are people about attacks that the percentage of online shoppers willing to enter a credit-card number has flattened out after several years of sharp growth, sparking concern that electronic commerce may start to slow down.

“It took several years for e-commerce to take off,” said Shawn Eldridge, chairman of the Trusted Electronic Communications Forum. “Now the same problem is creeping up. The underlying trust people have in the Internet is being eroded again.”

To be sure, identity theft is nothing new and plenty of information is swiped through tried-and-true methods that originated long before the rise of the Internet or data miners like ChoicePoint and LexisNexis. In many cases, the original leak of sensitive data comes from an employee inside a merchant or other company. A forthcoming study of 1,037 identity theft arrests found that more than 50% involved corporate insiders, said study co-author Judith Collins, a criminal justice professor at Michigan State University.

“The biggest problem is the workplace, and the biggest problem in the workplace is there’s a lack of personnel security,” Collins said.

In one instance, a contract employee at General Motors Corp. took information on thousands of company executives home from her last day of work. She was caught and convicted, but while still on probation, she was hired elsewhere and did the same thing, Collins said.

Robberies and burglaries trigger some identity thefts, giving criminals enough information to take out a loan in the victim’s name or charge purchases to an existing credit card. Some restaurant and gasoline station workers run credit cards through unauthorized, special machines in order to copy the encoded information that can be used to make counterfeit cards. Big scores come from corporate databases or volume operations like spyware and phishing.

The ChoicePoint and LexisNexis thieves gained regular access to much broader files on ordinary citizens maintained by the two data giants. As is far more common, Shadowcrew got hold of card numbers and other information from hacked databases, prosecutor Christie said.

“Many online merchants have credit-card databases that are accessible online, which makes it very tempting for hackers who can get hundreds of thousands -- or even millions -- of numbers at one fell swoop,” he said.

Thieves have rifled through the databases of such companies as BJ’s Wholesale Club, CD Universe and Data Processors International, a credit-card handler with files on 8 million MasterCards and Visas. In California, the biggest possible breach so far reported under the state’s unique disclosure law came at UC Berkeley, where a researcher had the Social Security numbers, names and dates of birth of more than 1 million people stored on a computer that was hacked.

Trade-group leaders and industry analysts say penalties are slight and enforcement has been weak, in part because many of the crooks are members of organized crime rings based overseas. The problem has been compounded, they say, because no single U.S. agency is in charge of investigating ID theft and related fraud. Cases are divided among local and state authorities, the Secret Service, the FBI and the many multi-agency task forces set up by geographic area.

The Trusted Electronic Communications Forum was founded last year by IBM Corp., Best Buy Co. and others to develop standards for combating phishing attacks with technology. Since then, the number of malicious e-mails has soared, more than doubling in the three months through January.

Even longtime Internet users have been fooled by phishing pitches. Mark Nichols, a consignment store owner in Crosby, N.D., had been planning to update his credit-card information on his EBay account when an e-mail told him his account had been suspended. “I believed it because I knew the credit-card number I used needed to be updated. It took me to a site that looked OK,” Nichols said.

After he entered his user name and password, Nichols wondered why his account page didn’t appear. Returning to the original e-mail message, Nichols studied the link and realized it hadn’t taken him to an official EBay site after all. Nichols quickly changed his password and avoided serious consequences.

As for Brielle LaCosta, she got the same bogus “account suspended” message as Nichols. She thought the information she was entering -- including a bank card and code number and the password for her e-mail account -- seemed excessive. But she really wanted to sell the Volkswagen Jetta she had just put up for bidding on EBay.

Two days later, she couldn’t sign in to her EBay account. A friend checked and told her the Jetta was listed on EBay as sold.

LaCosta figured out that her incoming e-mail was being forwarded to an America Online account, and she struck up an instant-message conversation with the man who had bilked her.

The man said he was working in Italy for a group that paid for his and others’ tuition in exchange for phishing financial information. That information, he said, went into a database that helped get false identities for illegal immigrants in the U.S.

The thief took $200 out of LaCosta’s bank account and ran up $12,000 in credit-card charges. Merchants covered those, leaving as her biggest loss so far the more than $200 in EBay listing fees she was charged for fraudulent auctions held after she lost control of her account.

In later conversations with LaCosta, the con man took pity, warning her to cancel the cards and to disregard future e-mails asking for information. By then, she had come to the same conclusion. “I’m really skeptical of everything,” LaCosta said.

Even if they don’t click on the Web link, users can be infected with spyware that steals data.

“Absent any affirmative conduct on your part, your personal financial information can be sucked out of your computer,” said Christie, who recommends that consumers keep financial information off machines connected to the Internet.

Other experts advise computer users to avoid electronic banking, stick to established online merchants, eschew debit cards online, never click on e-mailed links, and install a firewall and at least one well-reviewed anti-spyware program like Ad-Aware or Spybot Search & Destroy. Users report fewer problems with alternative Web browsers and Apple Computer Inc. operating systems.

Credit-card holders should read their bills carefully and get copies of their credit reports at least annually, and some specialists say consumers should change which cards they use as often as every six months.

While they privately worry about the future of e-commerce, some major banks and credit-card associations continue to assure the public that their information is safe online.

Visa USA, banker Wells Fargo & Co. and online payment firm CheckFree Corp., all of which profit from Internet banking, paid for one report on the topic that was released this year. The most startling finding by the study’s author, Javelin Strategy and Research: “Although there has been much recent public concern over electronic methods of obtaining information, most thieves still obtain personal information through traditional channels rather than through the Internet.”

The report said 72% of ID theft crimes occurred the old-fashioned way, such as via a pinched wallet or pilfered mail. Javelin advised consumers to do more online banking, not less, because those who bank online check their records more frequently and therefore tend to detect improper billing sooner.

The problem with the study’s widely reported conclusions is that they may be misleading. Only 54% of the victims surveyed knew how their information leaked. So only 72% of those cases were believed to be traditional theft -- or 39%.

Javelin founder James Van Dyke argued that the majority of unsolved cases were likely to be physical-world crimes. Federal Trade Commission Associate Director Lois Greisman disagreed with Javelin’s conclusion.

“We have concerns with putting out, frankly, numbers like that,” she said, adding that extrapolating from the 54% who knew what happened to them doesn’t make sense. “I know if I’ve lost my purse. A big problem with phishing is that people have no idea they’ve been phished.”