Posted by: Matt Sarrel on September 28, 2009
One of the reasons it has been difficult for the law enforcement community in the USA to get the problem of identity theft under control is that the problem extends well beyond our borders. The common misperception that Internet malfeasance is perpetrated by 15-year-old boys with nothing better to do after school could not be further from the truth. Identity theft operations are more often than not the purview of highly organized international groups of technology-savvy criminals.
A common scenario involves a multitude of players. First, there is the bot-herder, an Internet criminal who infects hundreds of thousands of PCs (perhaps located in the US or maybe in Brazil) with bots, or remotely controlled malware. The bot-herder rents his botnet to the highest bidder who then sends phishing email to unsuspecting victims. Even if these messages are traced, they merely lead back to someone who is a victim himself and not to the criminals.
These phishing and spam emails usually contain a link to a website that is cleverly designed to mimic a real website. For example, you might get an email “alert” of unauthorized account activity from your “bank”. You click the link and, instead of being taken to your bank’s website, you are taken to a fake website and prompted to log in; by the time you realize what happened, it is too late. That website could be hosted in China and store its records in a database in Ukraine.
Typically, the victims’ personal information is then harvested from the database, but this time maybe by someone in Ghana. He then lists those identities for sale on a message board hosted in Poland where they are bought (usually with a stolen credit card) by a criminal in the US, or perhaps Thailand.
I journeyed into the dark side of the web a few months ago and discovered hundreds of websites, mostly hosted in Eastern Europe or China, which form a lively online trade in stolen identities. Complete identities, which include financial account numbers, billing address, Social Security number, home address, phone number and birth date, sell for $80-$300, with bulk discounts given. Visa, Mastercard and Amex all go for $20-$30 for what’s called a full dump, or a reading of the magnetic strip that can be used to write a new card. Credit card numbers, security codes and PINs are cheaper – usually less than $10 each and sometimes as low as $5 each.
Now the difficult part happens. Our criminal can’t simply use the 10,000 credit cards he bought online. If he has full magnetic strip info and the right equipment he can print new cards and sell them on the street. However, it is much more likely that this stolen information will be used for online transactions, but if he buys lots of stuff then where will he have it shipped? Incidentally, I have seen identity thieves stupid enough to use the stolen credit cards to order tens of thousands of dollars of merchandise shipped to their houses. The good news is that usually makes them easy to catch.
A more common method is to launder the money, once again internationally. Many times this is done through unsuspecting money mules. A typical scenario involves a mass spam campaign advertising to the recipient that he/she can make hundreds or thousands of dollars a week working from home. Or then there’s the “you’ve won the Spanish lottery” spam, or the “you can recover this bank account you forgot you had” spam. In all these cases, the point is to swindle the money mule into sending legitimate funds to the con man. If it’s a straight-on con, then they just keep the money. If they’re laundering money, then they will actually send back some amount of “dirty” money in exchange for your “clean” money. Now you’ve not only been cheated, but you’re part of an international identity theft and money laundering scheme.
I see two actions that are required to combat this international conspiracy.
The first measure is something that I’ve been writing about for about 5 years – better collaboration between international law enforcement agencies and the establishment of an international body to police the Internet. How can a police office in San Francisco work with a fraud department in Texas, let alone an ISP in the Ukraine and an email provider in Brazil? And in those rare cases where such collaboration does take place, it takes so long that by the time they can shut down the servers the bad guys have already moved on.
The second is increased end-user education, which is the primary goal of the IDGuardian.com blog. A more savvy email recipient is less likely to fall for a spam-based scheme or phishing. Remember when your father told you if a deal seems too good to be true then it isn’t? Apply that to every Internet transaction. Never give away information or money before you know exactly who and what you’re dealing with. When in doubt, walk away. If someone you never met before asked for your ATM card and your PIN, would you give it to him? Apply the same heavy skepticism you have in dealing with physical strangers towards dealing with Internet strangers.
Until law enforcement devises a solid methodology to defeat this international specter, it looks like we’ll have to do it ourselves. Reading this blog and learning how to protect yourself online is a good first step.