Stolen Identities
Rita Mikusch
Beyond Numbers
Apr 30, 2005 20:00 EDT
Several California-based companies have been in the news recently over thefts of personal and financial information. In one incident, a laptop containing personal data was stolen from an office at the University of California, Berkeley; in another, a food service machine with information on 15,000 students was hacked into at California State University, Chico. But information theft is not a problem isolated to the Golden State. In truth, the only reason California is in the news is that the state has a law requiring companies to own up to any compromises of personal or financial data. You can assume the same crimes are happening elsewhere; the companies involved just aren't required to report them. Information theft is a growing problem for both consumers and businesses everywhere. Fraud is expensive, and so is the attendant negative publicity businesses receive when they fail to protect consumers' information.
How is it done?
Old-fashioned identity theft was easy and straightforward: You signed a credit card slip and handed it over, unsuspecting, to the clerk at the cash register; they, in turn, pocketed the slip and went shopping on your account. But technology has given thieves many more ways to separate you from your money. Here are a few of the more popular or interesting methods of information theft (some of which have been covered in more detail in earlier Web Works articles).
Evil twins
Public WiFi access points (wireless Internet connections) have become commonplace and are offered at many cafés, libraries, schools, hotels, and other public gathering places. An "evil twin" is a fake WiFi access point set up close to a legitimate one; by sending out a strong enough signal, the evil twin can overwhelm the legitimate signal and trick users into using the wrong connection.
Any data the victim then sends to the Internet via the evil twin becomes available to the person running the scam; this data includes user names, passwords, credit card numbers, and PIN numbers. To make matters worse, an evil twin is easy to set up and easy to hide, and a victim might not discover the theft until a much later date.
Google hacking
Google and other search engines get their data by sending automatic programs called "spiders" out to search through the websites on the Internet and record the information they find. This collection of data is what you search through when you use a search engine. Google hackers use search engines to find personal data such as credit card numbers, social security numbers, password information, and the like.
Google and other search engines are not at fault here; all they do is gather information from publicly available websites. The problem is with the owners of these websites, who often lack the security measures needed to ensure that private information remains private and does not become readily available over the Internet.
"Phishing"
Phishing is a scam in which a perpetrator creates a website or sends out an email that appears to be from a legitimate company. By logging into the fraudulent site, victims unsuspectingly give away their user names, passwords, and any other personal or financial information they submit. To make matters worse, many of these fraudulent emails and websites look legitimate.
The problem is severe enough that many respectable businesses have stopped providing website links in the emails they send to customers to get them to sign in and carry out online transactions. If you're going to make a transaction that involves sensitive information, you should always type in the address of the website, or use a bookmark that you created after having typed in the address of the website originally. That'll help ensure that you reach the legitimate site, and not an impostor.
Social engineering
Social engineering is the art of conning a person out of user names, passwords, and other sensitive information. It's an old technique, and still a very successful one. Studies have shown that people are surprisingly nonchalant about giving up their personal information. A case in point: Infosecurity Europe (a European conference on information security) ran an experiment in London's theatre district to see how much personal information people would be willing to provide in exchange for the opportunity to win theatre tickets. Many people "surveyed" offered up their names, dates of birth, mothers' maiden names, and addresses, information that could easily be used to open a bank account.
Viruses and trojans
There are plenty of viruses, trojans, and other malware that can steal your information. If you go on the Internet without having the latest updates for your operating system and an up-to-date virus protection program, you're almost guaranteed to have some kind of malicious program worm its way onto your computer. And the problem isn't just with your own computer: There's no guarantee that somebody hasn't installed a key logger (a program that steals your user name and password) on the computers in the Internet café you use to check your email.
The old-fashioned techniques
New-fangled con artist techniques like evil twins, phishing, trojans, and the like, seem to get a lot of press, but old-fashioned techniques still work just as well. The laptop that was recently stolen from the Berkeley campus, for instance, contained personal information from almost 100,000 alumni, students, and applicants.
Protecting yourself
Bad news sells, so of course identity theft is a popular news item. Some people question, however, how much more likely you are to get your credit card number stolen while paying online, than while paying in person to a store clerk or restaurant server. On the other hand, the going price for a million stolen credit card numbers has apparently dropped sharply. Could that be because they're so readily available?
Whatever you believe, the best thing to do is protect yourself, and your business. After all, you don't want to become the unlucky winner in the identity theft sweepstakes.
Some tips
1. Keep your operating system and virus protection software updated.
2. Don't click on links in an email or on a website to access another website to which you plan on submitting personal or financial information. Instead, type the address into the browser, or use a bookmark that you created from an address you previously typed into the browser.
3. Don't keep important information on a laptop you travel or commute with unless you password protect and encrypt it (one possible source for encryption software is PGP at www.pgp.com).
4. Don't use important passwords on public computers, and don't use those public computers to submit personal or financial information.
5. Be careful with wireless connections, as they're very easily compromised. Use a VPN (virtual private network) if you log into a work account using a wireless connection.
6. Be extremely careful about giving out your personal or financial information.
7. Use an obscure or complex password. Don't use information that somebody can easily get from you, like the name of a child or pet, or a phone number.
8. If it's vital that you use a wireless network at work, have a security expert set it up for you.
9. Check your credit card statements and make sure all the purchases listed were made by you. If you use your credit card over the Internet frequently, consider getting a card specifically for use in online transactions.
10. Do use credit cards instead of debit cards. Credit cards have fraud protection; debit cards don't. You will be held responsible for all charges put through on a debit card... even if they weren't made by you.
The best advice is to talk to somebody with expertise in computer security. The kinds of theft mentioned in this article are just a few of the many ways a thief could "break into" your business or home network.
Resources:
New identity theft kit and checklist
The Consumer Measures Committee launched new identity theft kits and checklists for consumers and businesses in February 2005 as part of Fraud Awareness Month. The kits and checklists were jointly developed by federal, provincial, and territorial consumer ministries in consultation with banks, business associations, privacy commissioners, credit-reporting agencies, credit card companies, law enforcement officials, and consumer groups. Consumers and business owners can link to the kits and checklists at: http://cmcweb.ca/epic/internet/incmc-cmc.nsf/en/fe00084e.html.
Office of the Information and Privacy Commissioner for BC
The Office has made a document available that lists resources for both consumers and businesses. These resources include whom to talk to if you have a problem, as well as advice on how to protect yourself and your business. The document is available at the following link in Adobe Acrobat (PDF) format: www.oipcbc.org/sector_private/public_info/IDtheftresources09Feb05.pdf.
© 2005 Institute of Chartered Accountants of British Columbia Provided by ProQuest LLC. All Rights Reserved.

