• silicon.com
• Technology
• Security

By Will Sturgeon, 16 December 2003 09:25

COMMENT Is the internet responsible for a rise in ID theft and credit card fraud? Will Sturgeon asks whether we should be paying more attention to the contents of our bins than the contents of our hard drives...

ID theft – along with associated crimes such as credit card fraud - is now reaching epidemic proportions aided by the variety of ways in which it can be committed both online and offline, but consumers intent on blaming technology, or those too wary to use it, may still be doing too little to protect themselves.

There is a tendency to think of ID theft in the internet age as a complex sting, but in essence it can be as easy or as difficult as we chose to make it.

Here are some figures to consider. Every day in the UK £10m of cash flow can be attributed to criminals using a stolen ID - and ID theft will this year cost the UK economy £1.3bn. The associated costs to each of us is around £300, because you can be sure banks, merchants and credit card companies don't take it on the chin.

These figures make for alarming reading, but more alarming still is the fact they are merely the tip of the iceberg, because according to security company RSA who compiled them, 80 per cent of ID theft still goes unreported, or goes on without the victim becoming aware.

Much of the blame for such high figures is aimed at technology companies or the catch-all of the 'the internet'. But this is a gross over-simplification.

After all, snatching an unguarded wallet is still about the easiest form of ID theft - or copying a card handed over in a restaurant or left behind a bar.

Bob White, senior fraud investigator at Barclaycard, believes consumers have a very skewed idea about the severity of online fraud.

"Last year card-not-present fraud in the UK accounted for around £100m," he said. "Of that online fraud made up about £28m. In my opinion that's actually quite low. Of course £28m is a lot of money, but in terms of the overall picture - making up a quarter of card-not-present fraud - is actually not very much."

"The biggest fraud we see is with counterfeit cards," said White. "In a restaurant example, you lose sight of your card when you hand it over to the waiter and if he's crooked then he can swipe your card and have all the data stored on it within a second."

So why are consumers so wary of divulging personal information online?

John Holland, senior VP of Trusecure, said: "I think a lot of the fear comes from ignorance. It's a normal human reaction to think something is safer if you can actually see somebody and hand over your card to them."

But Holland believes the threats posed on the high street and offline are if anything far more real than those facing consumers online. He said it's ridiculous that users are wary of the internet and yet will give out card details, passwords and all manner of sensitive information over the phone to an unknown call centre operative within earshot of all and sundry.

"You have to identify what the real threats are and technology is just one," added Holland, blaming the hype and uncertainty "which always comes with any new technology" for creating the impression that the internet is inherently insecure.

The fact is that would-be fraudsters don't even have to know how to turn on a computer - they just need a strong stomach or a poor sense of smell.

Rifling through bins is one of the easiest ways to obtain somebody's ID and yet while many people are sat indoors blaming fraud on 'the internet' there's a bin full of bank statements outside their house which tells another story.

According to credit rating company Experian 75 per cent of local authorities have reported 'bin raiding' in their area. Of course there's a chance that it's tramps or foxes looking for some food - but don't kid yourself, raiding bins is a simple and effective means of stealing your identity.

And what might the bin raiders find? 72 per cent of UK bins contain a full name and address, 40 per cent contain a credit card number and expiry date and 20 per cent contain a bank account number and sort code. So for every 100 houses in a street or town, there are at least 40 who are going to throw away enough data to enable an identity theft.

Barclaycard's White said: "The biggest thing with identity fraud is 'take-over' where somebody assumes your identity and pretends to be you."

This is different to credit card fraud, according to White, but the two are often complementary. Often a bin will provide fraudsters with utility bills, bank statements and personal information such as date of birth and phone number. These are all very useful to somebody set on committing fraud anonymously, as the paper trails will all lead back to the original victim who is being impersonated.

Fraudsters often get enough information to apply for credit cards, mobile phones, video club memberships or even open bank accounts to write fraudulent cheques - all in the victim's name.

They may only get a month's grace period - until the first bills and statements are sent out to the victim's address - "but you can get away with a lot in a month" said White. As such White says Barclaycard is urging all its users to invest in a shredder. The message is simple. "Shred it or burn it," he said.

Similarly, if somebody wants to steal identity on bulk then it is likely there will be a physical element to their crime.

Trusecure's Holland said: "We're really looking at this issue the wrong way. Trying to steal information online is incredibly difficult - in fact I think it's probably never been done. If you want to steal information then it's far easier to steal it from where it's stored than trying to intercept it online"

"We should be far more vigilant about where our data is stored and yet people are more worried about whether a site offers SSL encryption than where the data ends up."

Data warehouses are therefore the likeliest target for large scale operations - but even still it's likely many will shun a subtle digital attack when a quick in and out ram-raid will suffice.

In westerns it was always easier for the men in black hats to steal the safe and empty it at their leisure than it was to crack it on the premises. That's still very much the case, according to Holland.

The truth of the matter is that if you look after your ID online and offline then you should be safe. But how careful can you be? And what should you be doing?

Trusecure's Holland said: "Education has got to be the most important aspect in fighting ID fraud and credit card crime. Criminal activity in this area typically targets the naïve user."

In technology terms, simple tricks such as getting users to open an email or visit a website can be enough to commit identity theft.

Phishing scams - such as emails purporting to be from Barclays, Citibank, eBay and NatWest asking for account information - are a very overt attempt to commit ID fraud, but Holland believes covert devices, such as spyware will pose the biggest technological threat going forward.

Malware placed on a computer during a web session can monitor a user's activity and in the case of key loggers can record information which could easily betray passwords and other sensitive information.

However, it is just as important that consumers don't allow the hype to distract them from the truth.

Holland said shoppers are probably still far safer buying online from the comfort and safety of their own home - as long as they stick to trusted sites - than they are taking their chances on the high street where so many more factors than the fallibility of technology can come into play.