ID Theft Costs Victims $2.4B in One Year

Nearly two million adults fell prey to identity theft scams over a one-year
period, costing them about $2.4 billion in losses from fraud, according to
new research from Gartner.


The Stamford, Conn.-based research outfit found that perpetrators were
gaining illegal access to checking accounts through such subtle tactics as
“phishing,” the act of e-mailing a user while falsely claiming to be a
legitimate business, in order to dupe the user into providing private
information that will be used for identity theft.


That information, which often includes names, addresses, social security
numbers and — perhaps most damaging — credit card data, cost 1.98 million
online users some $1,200 apiece, said report author Avivah Litan, vice
president and research director at Gartner, in a company statement.


As much as half of the $2.4 billion in fraud came from phishing, Litan said in
an earlier report, which also estimated that 57 million Americans have
received a phished e-mail in the past year.


Litan, who culled her latest data by surveying 5,000 online U.S. adults in
April 2004, said illegal access to checking accounts is proliferating, with
thieves finding a goldmine of victims to scam through online channels.
Unauthorized access to checking accounts grew the fastest in the past year.

Methods rarely involve face-to-face encounters anymore, she said, noting
that passwords were pilfered to help perps access accounts online or through
telephone banking services.


For example, the analyst said that by merely clicking a pop-up ad, Web users
unknowingly download spyware, technology that “spies” on users’ information
without their knowledge. The spyware then traps IDs and passwords for users’
online bank accounts.


In one major 2003 phishing scam, users received
e-mails purporting to be from eBay and/or its subsidiary PayPal claiming
that the user’s account was about to be suspended unless he clicked on the
provided link and updated the credit card information that the genuine eBay
already had.


In another ploy that aped Best Buy’s e-commerce operations, users received
e-mails from supposed employees of the retail giant who warned of possible
fraudulent activity occurring on their account. The e-mail urged users to
enter personal identification, such as social security numbers and
passwords, in order to verify account activity.


Phishing became a hot enough topic for the Federal Bureau of Investigation
to track last year. In April, research group MessageLabs said phishing leaped
1,200 percent in the last six months.


Now, Litan is calling for those in the financial services industry to write
back-end tools that protect consumers from identity theft and other online
crimes. This will take time, but in the interim, “banks must implement
stronger access controls to online and telephone banking systems.”


The analyst endorsed shared-secret authentication as one good remedy to
stave off those with malicious intent. In this method, a consumer might
select a topic, such as “favorite restaurant,” and enter an answer that is
shared with a service provider either when the consumer registers on its
site or when the provider sends an e-mail to the consumer.


Some community sites, such as Yahoo!, already use this shared secret method.
Installing photographs in a consumer’s profile that is stored in a company’s
database may work, too, she said. But these are stop-gap moves.


“In the longer term, banks need more effective tools to detect fraud and
stop checking accounts from being hijacked,” Litan said in a statement.
