Identity theft is grabbing headlines just about every day. I’ve had my own identity stolen more than once and so I can believe the stats that suggest 8 million Americans a year are being targeted by cybercriminals who steal identities to perpetrate credit card fraud and other scams. Byron Acohido and Jon Swartz, both business reporters at USA Today, have been covering this topic for years. Now they’re written a book on the topic, “Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity,” (Union Square Press, 2008). As the subtitle suggests, these journalists make the controversial case that our banking and credit card system is failing to protect consumers and has little motivation to do anything about it. You can bet there are plenty of start-up opportunities in addressing this problem. Here is a Q&A with Acohido. (The book blog is here).
Q: The book is well-researched. But it’s hard to swallow the thesis. You almost suggest collusion between credit card companies and criminal hackers, as if they are in league together against consumers. That sounds ridiculous. But what convinces you this is the case?
Corporate America is colluding with cyber crooks in this sense: Banks, merchants, media companies and tech companies are completely committed to porting commerce wholesale to the Internet. Yet the Internet was never intended to be a secure transactions network. The deeper Corporate America embraces Web 2.0, the more doors and windows it is opening for very focused, profit-minded crime groups. Lost in this dynamic is any sort of substantive due diligence concerning the risk and exposure that befalls the average consumer.
Here we are in April 2008 writing news stories about how hackers are using fuzzing tools to find zero-day security holes in Microsoft Office, Apple iTunes, JavaScript and other popular applications. We have a story coming out this week about the scaling up of cross-site scripting attacks, taking aim at big-name news, shopping and university web sites. This is the same type of attack described in our book that corrupted the Miami Dolphin Stadium web site and allowed a hacker named Samy to infect 1 million MySpace users.
Q: Can you describe your own backgrounds?
I started in 1977 as a local news reporter; covered city hall, cops and prisons, and in 1985 became a business reporter. I spent 13 years covering aerospace and Boeing for the Seattle Times [Editor's note: Acohido won a Pulitzer Prize for his coverage of Boeing] and then joined USA Today in December 2000, at which point I began covering technology and Microsoft. Jon Swartz covered tech for trade pubs before becoming a tech reporter for the San Francisco Chronicle in 1996. He joined USA Today in May 2000 to cover technology. We both continue to cover tech for USA Today.
Q: When did the two of you start covering hackers and identity theft?
The summer of 2003. The MS Blast worm, which was to open back doors on 25 million PCs, caught my attention. Jon was drilling down at the time on the onslaught of spam. It seemed to make sense that viruses and spam were somehow related. But no one at the time was explicitly connecting the dots. So we teamed up to see if we could document the convergence, if any.
Q: What were some of the bigger stories you worked on?
From 2004 through 2007 we collaborated on something like 150 news and feature stories and a dozen or so investigative cover stories on Internet security. The shorter pieces allowed us to build expertise and cultivate sources, and lay the groundwork for the longer cover stories. We were the first mainstream media reporters to explain botnets; this was back in July 2004. We exposed how banks and tech companies made things easier for cyber crooks. Our cover story on reshipping mules was later done by Dateline’s Chris Hansen. And our cover story about how a cell of Edmonton meth addicts was able to plug into the global cyber crime machinery became the kernel of our book.
Q: The anecdotes about the life of the criminal hackers is very detailed. How much time did you spend with them?
I made three trips to Canada to piece together the activities of the Edmonton cell. Jon traveled to Grass Valley, Sacramento and L.A., as well as North Carolina, Pittsburgh and Miami to report on criminals and victims. In addition, we both communicated extensively via phone, email, IM, ICQ, chat rooms and forums with our various sources. (pictured: hacker named Socrates standing outside a Canadian motel where he had been arrested once).
Q: You draw connections between criminal hackers and meth addicts. Please describe it. The book keeps coming back to the story of some addicts.
One of our goals was to show how the cyber crime economy is driven by capitalist principals and entrepreneurship. Add an accelerant like meth, and things can scale up pretty quickly, and just as quickly spin out of control. We wanted to show that story in microcosm, as a way to convey the bigger picture. We discovered that the kind of quick, anonymous partnerships the Edmonton meth addicts set up so profitably—before flaming out so spectacularly—also were at the core of highly organized, large scale scams. That’s where the TJX data breach of 94 million credit card records—and the quick distribution of that data to street cells in Miami and elsewhere–ties in.
Q: Hacking crimes have always been around. When did identity theft and hacking become an alarming problem?
Two dates come to mind. The first is January 2003, with the release of the SoBig A email virus. That was the first really stunning example of serious R&D effort going into developing a purely for-profit virus. The second is April 2004, with Sven Jaschan’s release of the Sasser worm. We argue in the book that Sven, with his vigilante bent, is the last of the bragging-rights type of hacker. After Sven and Sasser, the for-profit motive becomes paramount.
Q: Do you believe major criminal enterprises are behind identity theft now?
Absolutely. If you think of cyber crime as a fast-flowing $200 billion-a-year river, you basically have script kiddies and novice scammers splashing in the shallows, grabbing law enforcement attention. But out in the deeper running water you have the elite hackers creating zero-day viruses, running massive botnets, like Storm, and operating bullet-proof hosting services, like the Russian Business Network. These heavyweights operate like Al Capone at the height of the Prohibition. But there is no Elliott Ness on the horizon to slow them down.
Q: Clearly, you have shown that credit card companies and others could do more to prevent identity theft. What do you suggest?
One of the credit card companies main initiatives is to push the burden onto merchants to be more diligent about encrypting credit card data. This is called the Payment Card Industry Data Security Standard, or PCI DSS. But PCI DSS has a major shortcoming. Hackers are now planting data stealing programs on internal servers that collect store data on the way to being encrypted. That’s apparently what happened at 300 Hannaford Brothers grocery stores that were PCI-compliant, but still lost 4.5 million customer records. To slow down cyber crime, something more fundamental has to change. It seems to us that the solution has to somehow involve slowing down the speed built into the credit issuing system, which has now been ported to the Internet. But this means a reduction in consumer convenience, and slower growth in banks’ profits. So it’s a tough nut.
Q: What are your predictions about the future of cybercrime?
So much of our sensitive data has already been harvested that it’s mind boggling. Attritition.org, a terrific open-source index of reported data breaches, shows reported data loss cases tripled in 2007, with little sign of slowing so far in 2008. It’s pretty clear that major cyber crime groups are going to continue to expand their operations with impunity for the foreseeable future.
Q: Given that, how should consumers change their own behavior?
Reduce your digital footprint. Make sure your anti-virus subscription is current. Make certain all software updates are current, not just from Microsoft, but from Apple, Adobe, Mozilla, Java, Sun, Oracle, any software vendor whose products reside on your hard drive. Track your credit card statements like a hawk. Never type your Social Security number or your debit card number in an email or at a web site. Be extremely judicious about doing any online banking or online stock trading. Be ultra cautious about clicking on any attachment or web link in an email, IM or text message, or on a web site, even if sent from a trusted sources or posted on a familiar web site.
If and when you do become an identity theft victim, speak out! Don’t just passively accept reimbursement and a new account number from the bank. Realize that if the bad guys have your name and that account number, they likely have other data. Complain loudly to the financial institution for exposing you to that risk. Take you business elsewhere. Report the theft to local police and your state attorney general. Contact your state and federal lawmakers and demand more oversight of how banks and credit bureaus handle your sensitive data.
2 Comments
-
james van dyke said:
Hi, we’re the original source of the data you reference in your second sentence, but you didn’t quite get it right. From our nationally-representative study, it’s true that 8.1mm people were victims of ID fraud in the last year. However, it’s not accurate to say that all these victims were “targeted by cybercriminals”. Unquestionably, there’s a lot of cybercrime. Yet until we acknowledge that identity crime is a multi-channel crime, we give the criminals an advantage. The cyberworld is made of two-way streets, in which the Internet brings both serious security risks and valuable security advantages. Again, until we take the broader view we only give the bad guys the upper hand. The data is our guide to understanding this. See our Feb 11 press release for more on the ID Fraud survey report’s findings.
-
Samiullah said:
I review getting good idea and view that written here about life lock they always protect the people and monitor them full time.
Identity Theft protection lock.
28 Trackbacks
10:20 am
theft book said:
[...] [...]
5:11 pm
writing business email said:
[...] [...]
4:34 pm
» Venture Beat grills author about ZDT said:
[...] I should’ve known that Dean Takahashi, formerly of the San Jose Merc, now blogging at Venture Beat, would pull no punches interviewing me about Zero Day Threat. See Dean’s grilling of me here. [...]
10:47 pm
Q&A: Hard-driving Seagate CEO talks about making money in storage » VentureBeat said:
[...] VB: You have lawsuits with the flash chip makers? BW: Yes, I’m suing them all. I have one interesting patent on flash. Drive guys are legalists. We looked at what patents we needed. We bought a patent from HP. HP didn’t realize what they had. It said that if you put solid state storage in a notebook, desktop or enterprise application, and the format is half an inch to five inches, I own that technology. If you want to sell ice cream with one scoop, I own it. If you want to sell it with two scoops, I own it. If you want to sell it with three scoops, I own it. If you want to put in ten scoops, you can probably do that. If the courts uphold this patent we have, it’s a showstopper if you don’t pay me. Everybody in the enterprise, desktop or notebook, they can’t handle solid state like solid state. When you start making it look like a hard drive, then you violate an application patent that I have. Samsung and Toshiba are probably OK. We have all cross-licensed each other. The SanDisks of the world don’t have licenses. If you liked this interview, please let us know through comments. And here are links to other recent interviews: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
9:33 am
Q&A with Isaac Mao on tech blogging in China: Censorship, and opportunity » VentureBeat said:
[...] Isaac Mao is one of the earliest and most prominent bloggers in China. He’s been covering Chinese technology since 2002. He’s confronted censorship — even writing an open letter beseeching the Google founders to not self-censor search results in China. I met him today in Beijing and got to ask him more questions about his life as a Chinese blogger (while he also blogs in Chinese, you can read his English blog here). VentureBeat: Why’d you start blogging? How long have you been doing it for? Isaac Mao: I wrote a biz column on a famous IT magazine before 2002, but they didn’t keep a digital archive. As a long time reader (then subscriber) to prominent blogger Dave Winer, I started to realize that I needed a personal media to talk about my ideas on technologies in China. So I started my own blog like Dave in 2002 when there were only few similar people in China. Our group blog, cnblog.org, was even one of the most visited blog site in China, then it was diluted as millions of blogs emerged in the next few years. But we are happy to see such changes. There are more and more full time bloggers or independent bloggers now in China. VB: You mentioned you’ve been contacted by the Chinese authorities about things you’ve written. What can or can’t you blog about? What can you get away with in English that you’d get in trouble for in Chinese? IM: My blog site was unplugged by ISP for twice because I blogged about the mechanism of GFW, the national censorship system. I guessed the working model of the system with my experiences and background as a software architect. And then they contacted me to have a cafe talk and ‘discussed’ the dangers that I may face to talk too much about this issue on my blog. [Here's what got Mao shut down.] VB: What sort of dangers? IM: It was a very sutle warning, they never said explicitly, but mentioned family and businesses I was working on. But since then, I’ve come to understand more about the whole censorship system not only from technical view, but political view. The censorship is now more serious than two years ago when my blog was shut down the first time. You can hardly avoid site blockage every day because there are so many possibilities for meeting the criteria of censorship — you can easily see the [censor's] RESET message in your browser even you are accessing some very normal web pages. I realized it’s very harmful to the creativity of this country. VB: Why do you think censorship has gotten more strict? IM: It’s like a cat and mouse game, the mouse is now running faster with more and more new technologies especially 2.0 tools. There are more and more people like to share their real ideas and dare to speak out. And there are more social problems emerged in the passing two years. The ruling party “has to” enforce the voice space from their theory of “keeping stability.” But they are facing challenges from all angles now. People become more savvy about censorship, lawsuits from bloggers on the legitimacy of the censorship, and international pressures on free speech and fair trade (because international businesses also have to comply to their hidden rules in China). VB: What’s the effect on innovation? IM: It’s very harmful to innovation. Many entrepreneurs have to face the daily censorship orders if they provide content hosting service with user generated content. They have to have a specific team to work on the self-censorship problem in 24hr way. It’s really a big burden to startups to deal with this problem the same time competing in the market. Also, since there are many people can’t access those knowledge sites, like Wikipedia, they can’t even get the competency same as their international counterparts from their childhood. VB: Do you think the factors you’ve mentioned are going to force the gov to stop/significantly scale back censorship within the next, say, 5-10 years? IM: I’m not so optimistic to the changes from the government, but I’m so confident to see the force from people (user) side. They will eventually turn the direction to eclipse the whole wall with various ways. VB: Chinese bloggers (example) criticized Western blog coverage of the Chengdu earthquake for a variety of reasons. Broadly, what do outsiders most misunderstand about what’s happening in China today. IM: I think blogging has been a great tool to increase understanding between Chinese people and Western people or simply blurring the distinction between each other. But there are still a lot of people relying on traditional narrow band media at both sides. The biggest misunderstanding about China is many Western people believe that their values can be welcomed by Chinese people in short term — free speech, democracy, etc. — but they always “offend” Chinese people by criticizing the government. Many Chinese people still bundle their feelings with the ruling party. There should be more international collaborations to change for time being by involving both Chinese people and international communities, I strongly believe. There will be new opportunities in the next few years for Chinese people to adopt free thinking and universal values by harnessing the power of vast social media tools. If you liked this interview, please let us know through comments. And here are links to other recent interviews: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
7:56 am
John Antal on making a video game, novel and history book all at once » VentureBeat said:
[...] If you liked this interview, please let us know through comments. And here are links to other recent interviews: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
7:59 am
A Q&A with Mark Jacobs, EA’s chief warrior on Warhammer Online » VentureBeat said:
[...] VB: If you succeed with Warhammer, can you do three or four of these things at once? MJ: Oh my God. When you try to do too many of these, you will always fail. They are so complicated. It’s like the film industry. When you see a great team, or director, you could always tell if the team or the talent was doing a bit too much. The quality would suffer. If you liked this interview, please let us know through comments. And here are links to other recent interviews: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
10:01 am
Cisco’s VP of green engineering on data center efficiency, virtualization, and startup opportunities » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
12:02 pm
An interview with EA Maxis’ Lucy Bradshaw on the making of Spore » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
5:22 am
Interview with Microsoft’s Robbie Bach, part 1, on Zune » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
10:12 pm
Interview with Microsoft’s Robbie Bach, part 2, on Xbox 360 » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
7:00 am
Q&A with Insomniac Games chief Ted Price on cloning the golden goose » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
11:24 pm
Interview with Vinod Dham, father of the Pentium, on a life in technology and venture investing » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
9:18 am
Interview: Gameloft gung ho about iPhone gaming » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
8:23 am
E3 preview: A Q&A with Mike Gallagher, head of the Entertainment Software Association » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
12:21 pm
Nintendo sales chief Cammie Dunaway on the quest for a broader game market » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
8:58 am
Q&A: Sony’s new worldwide game studio chief recalls the humble underdog years » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
12:08 am
Q&A: Microsoft game exec John Schappert talks about Xbox Live, Netflix deal, and Blu-ray » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
9:27 am
Black Hat: An interview with Dan Kaminsky, the DNS dude who saved the Internet » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
11:54 am
Q&A: A chat with Black Hat/Defcon organizer Jeff “The Dark Tangent” Moss » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
7:20 am
A Q&A that is 25 years late: David Scott Lewis, the mystery hacker who inspired the film “War Games” » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
5:00 am
Q&A: an interview with Sega’s Simon Jeffery on monkeying around with iPhone games and the Wii » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
8:17 am
Interview with Epic Games’ Mike Capps, on teaming up with Electronic Arts » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
7:31 am
Q&A with Paul Sams, Blizzard Entertainment’s chief operating officer, on post-merger life » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
10:15 am
An interview with energy expert Chris Nelder on peak oil and cleantech opportunities » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
10:28 am
Q&A with digital arts guru Lorne Lanning: Will we learn to appreciate digital art as a profession and a business? » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
6:48 am
Q&A with Nvidia CEO: Jen-Hsun Huang on visual computing, tension with Intel, and product bugs » VentureBeat said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]
11:28 pm
Business Never End | Business and Technology » Q&A with Paul Sams, Blizzard Entertainment’s chief operating officer, on post-merger life said:
[...] If you liked this Q&A, please check out our others: Byron Acohido, author, “Zero Day Threat”, on who to blame for identity theft [...]