Some might accused them of figuring out the obvious, but when the Secret Service talks people listen—and the agency charged with protecting both the President of the United States and American financial institutions came right out and told the RSA Security Conference that it now takes only a few keystrokes to disrupt the U.S. economy.
That was the message Secret Service director Ralph Basham delivered to the conference February 17. “There is no longer any doubt,” he told the gathering, adding that several U.S. and overseas law enforcement agencies recently did a little disruption of their own—against an organized cybercrime ring in eight U.S. states and six foreign countries, involving seven million stolen credit card numbers, thirty arrests thus far, and a reported $4.3 million in losses to consumers and credit companies.
Basham said the potential losses in that case could have hit $1 billion or better.
With spyware becoming more prevalent and sophisticated and phishing attacks—faked e-mails or Web pages made to resemble legitimate companies’ properties and luring the unwitting into giving up sensitive financial information—becoming more widespread, Basham said, more cooperation and information sharing between American and foreign agencies and businesses has helped fight online and other electronic fraud.
But that isn’t stopping the cybercriminals, according to former Bush Administration cyberspace security advisor Howard Schmidt, who told the RSA conference Internet fraudsters are going more after smaller, lesser protected businesses who can’t spend millions to protect themselves.
"We're seeing the bad guys moving down the food-chain," hitting small businesses and credit unions, said Schmidt, now a security chief at eBay.
One piece of evidence: reports this week that a small Georgia-based company, ChoicePoint, an information gathering and sharing company whose clientele includes employers, landlords, marketers, and some government agencies, got hit with an electronic fraud attack—thieves posing as legitimate businessmen accessing thousands of records of U.S. consumers, including Social Security numbers and credit histories.
Various reports have suggested the total haul of stolen identity information in the ChoicePoint hit could have been 145,000 individuals.
The irony in this case: ChoicePoint is sometimes accused of privacy violations. The Electronic Privacy Information Center—which believes the 145,000 stolen records were a case of wrongful disclosure and not identity theft—in December 2004 called on the Federal Trade Commission to investigate the company as to whether their business had violated the Fair Credit Reporting Act by offering database products beyond the FCRA’s prescriptions.
“If ChoicePoint had created AutoTrackXP or its Customer Identification Programs from FCRA sources, the products should be considered ‘consumer reports’ for purposes of the FCRA,” wrote EPIC associate director Chris Hoofnagle and George Washington University Law School professor Daniel Solove in a joint letter to the FTC.
“Consumers could exercise a series of important rights with respect to their ChoicePoint reports that are not currently available,” the letter continued. “Only the FTC can determine the ‘information flows’ or sources of data used by ChoicePoint, and whether the company has leaked data from the FCRA products to AutoTrackXP and Customer Identification Programs…Even if these products are not consumer reports for purposes of the FCRA, it is incumbent on the FTC to analyze them and make recommendations to Congress concerning possible expansion of the FCRA. If these products are found not to be within the FCRA, the FTC should recommend to Congress to expand the scope of the Act.”
ChoicePoint has denied the EPIC allegations, while the FTC has yet to announce whether they will look into the ChoicePoint matter specifically.
