Private Parts: Maintaining Your Identity and Keeping Your Business to Yourself

When the movie The Net was released in 1995, the plot seemed a bit far-fetched: A young, beautiful software engineer finds herself enmeshed in a global scheme involving high-tech gimmickry, a worldwide data network, computer viruses, murder, mayhem (and the other usual trappings of big box office success). Along the way, her identity is erased, along with any evidence of her existence: no driver's license, passport, or credit cards. In short order, computerized records documenting Bennett's life are replaced with those of an international criminal in order to neutralize any effect her subsequent actions might have on the bad guys' plans.

It was intriguingly scary stuff, but in 1995 the threat seemed to be entirely in the fevered imagination of a science-fiction writer, with very little chance of it escaping into the real world.

Fast-forward a few years, and The Net seemed more a harbinger of what would become a terrifying reality for millions of people: identity theft and "cyberstalking" via a medium that rapidly became a ubiquitous and unifying convenience for the forces of both good and evil.

In October 1999, two high-profile events drew national attention to the problem:

A gang of identity bandits hacked into an Internet-enabled database containing the records of U.S. military personnel. They stole personal information about more than 175 generals and admirals and used it to open almost 1,300 credit card, bank, and investment accounts, gaining access to more than $1.4 million in available credit. A joint task force headed by the Secret Service caught the thieves, but not before they ran up a $37,000 tab on 103 accounts. The big question that was left when the dust settled: "If hackers could compromise a U.S. military database - supposedly among the most carefully guarded information in the world - what else could they snatch?"

That same month, 20-year-old Amy Boyer of Nashua, New Hampshire was shot in the head 15 times by an obsessed stranger outside her workplace. Her attacker, Liam Youens, then turned one of his guns on himself. When police investigated Youens' computer, they found two Websites documenting the 21-year-old's infatuation with a woman he'd seen in the hallways at Nashua High School but had never met. Over a period of more than two years, Youens kept diaries on the Websites that detailed his descent into madness as his unrequited "love" for Boyer became hatred, then homicidal rage. Eventually, he spent $45 to purchase information about the object of his desire - including her place of employment - from an online research firm. Three days later, both Boyer and Youens were dead.

The Numbers

Despite federal laws criminalizing cyberstalking and hacking, the problems don't seem to be abating. In part, that's because the Internet is legendary for a kind of anonymity that allows stalkers and hackers to act with impunity. The Net is also the repository of tremendous amounts of information about everyone who uses it. Whether or not a user realizes or consents to it, every time he or she logs on to a Website or responds to e-mail, s/he reveals a little more about himself or herself to the global machine - and creative cyberdetectives, both amateur and professional, can collect and use that data without breaking a virtual sweat. Some companies, in fact, like Docusearch (www.docusearch.com), US Search (www.ussearch.com), and large marketing firms, pursue their bottom lines by profiling Web users and then selling the data they collect to anyone who wants to purchase it.

Recent statistics indicate that more than 1.5 million Americans are stalked each year - four out of five of them women - and stalkers are increasingly using electronic means to track down their victims. Another 500,000 are victims of identity theft, which, while it may not present a threat to life, robs Internet users of millions of dollars every year. In its 2001 Internet Fraud Report, the Internet Fraud Complaint Center (www.ifccfbi.gov), a joint project of the Federal Bureau of Investigation and the National White Collar Crime Center (NW3C) that serves as an informational clearinghouse and a contact point for victims of personal information theft, revealed some alarming trends:

* 49,711 complaints were filed during 2001. Of the 33,940 complaints that were referred to law enforcement and regulatory agencies, 16,775 involved fraudulent activities. (The remainder involved violent crime and child pornography). About 90 percent of the fraud was perpetrated via the Internet.

* Among those individuals (9,864 people) reporting a dollar loss, the second-highest median dollar loss was for identity theft (an average of $3,000 per complainant). Twenty-three percent of identity fraud complainants said they had lost money.

* Although only 11.4 percent of all referred fraud cases in 2001 involved either identity theft, credit card fraud, or check fraud, the center says the trend is growing, and it expects to see a marked increase during the next reporting period, partly because it has changed its data-collecting methods and reporting criteria, and partly because public awareness of the problem is increasing.

* One enforcement action undertaken by federal agencies as the result of cases referred by the center resulted in charges against 90 individuals who had bilked 56,000 victims out of more than $117 million. According to the NW3C, this is just the proverbial tip of the iceberg: NW3C research indicates that although one in three U.S. households are victims of some sort of high-tech white-collar crime, only one in 10 incidents ever makes its way to the attention of law enforcement or regulatory agencies.

* Nearly 75 percent of fraud perpetrators are individuals (as opposed to businesses); 81 percent are male, and more than half reside in California, Florida, New York, Texas, and Illinois. Per capita, Nevada, Florida, New York, California, and the District of Columbia have the highest percentage of perpetrators in the U.S.

* International perpetrators come predominantly from Canada, Nigeria, Romania, and the United Kingdom, and their involvement in Internet-based fraud is growing exponentially. They're also becoming more widespread, with significant populations developing in the former Soviet republics, the Middle East, and South America.

* Victims often are completely unaware of the real identities of those who prey upon them, because it's easy for perpetrators to hide their identities. Only about half of the IFCC's complainants were able to provide any personally identifying information about their attackers.

* E-mail and Web pages are the two primary mechanisms by which fraudulent contact takes place, but database abuse is gaining ground.

User, Protect Thyself

There are many ways for personally identifying information to make its way from your computer into someone else's hands. Anyone who uses e-mail or surfs the Web should be aware that information submitted voluntarily by hitting a "send" button in an e-mail client or on a Web page is up for grabs unless it's encrypted by the sender or being transmitted between secure servers. It doesn't happen all that often, but "packet sniffers" and other spying devices can snag information while it's in transit between non-secure appliances.

Computer malware is a more intrusive information thief. Viruses, worms, and Trojan horses not only can destroy hard drives in a matter of minutes, but it's also becoming more and more common for their authors to design them as surreptitious information gatherers. Recent outbreaks have caused infected machines to e-mail address books and IP addresses to the malware's author (Badtrans) and caused the dissemination of confidential documents as attachments to unplanned mass mailings (Sircam). Trojan horses can open "back doors" on infected machines, allowing their authors free access to information stored thereon. The best way to protect information from malware is to install and regularly update good anti-virus software [see "A Most Deadly Game," July 2002 - Ed.].

In addition, Web browser "cookies" remain a notorious source of information leaks. Cookies are tiny little packages containing information about your machine and how you interact with Websites, and most current-generation browsers are set to accept all of them by default. First-party and "per-session" cookies generally aren't too disruptive: They tend to store things like usernames and passwords so you don't have to re-enter them each time you visit a site. Third-party and "persistent" cookies, on the other hand, generally represent an advertiser's attempt to gather information about you, if only for demographic research. It's very seldom necessary to accept third-party cookies in order to enjoy your online experience: Just say "no." To keep cookies from gossiping about you behind your back, see the sections of your browser's "help" documentation that deal with privacy and security.
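To make the first-party/third-party and per-session/persistent distinction concrete, here is an added example (not part of the original article) that classifies the Set-Cookie headers seen while one page loads. The hostnames, cookie values, and the "last two DNS labels" rule for deciding what counts as the same site are assumptions made for illustration.

```python
# Added example: classify cookies by party and lifetime.
# All hostnames and header values below are constructed sample data.

def site_of(host):
    """Approximate the 'site' as the last two DNS labels (a simplification:
    real browsers consult the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        if key:
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def classify(page_host, responses):
    """responses: list of (host that answered, Set-Cookie header value)."""
    report = []
    for host, header in responses:
        name, attrs = parse_set_cookie(header)
        party = "first-party" if site_of(host) == site_of(page_host) else "third-party"
        # A cookie with no Expires/Max-Age is discarded when the browser closes.
        lifetime = "persistent" if ("expires" in attrs or "max-age" in attrs) else "per-session"
        report.append((name, host, party, lifetime))
    return report

SAMPLE_PAGE = "www.shop.example"
SAMPLE_RESPONSES = [
    ("www.shop.example", "sid=abc123; Path=/; HttpOnly"),
    ("www.shop.example", "prefs=lang-en; Max-Age=2592000; Path=/"),
    ("ads.tracker.example", "uid=9f8e7d; Expires=Wed, 09 Jun 2032 10:18:14 GMT; Path=/"),
]

if __name__ == "__main__":
    for row in classify(SAMPLE_PAGE, SAMPLE_RESPONSES):
        print("%-6s %-22s %-12s %s" % row)
```

The third row is the kind the paragraph above recommends refusing: set by a host other than the site being visited, and kept after the browser closes.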

Other safe surfing habits include:

* Establish two e-mail accounts: a primary one for messages to and from people you know and trust, and a secondary one to use for online shopping, posting to newsgroups, subscribing to e-mail newsletters, and other interactions with the anonymous Web. Attach as little personal information as possible to the secondary address.

* Select chat and e-mail usernames that are gender-neutral and not descriptive of you, your residence, your profession, or other personal details. Don't use your real name unless it's unavoidable.

* Never, ever, fill out profiles for free e-mail accounts, chat rooms, message boards, or instant messaging programs unless you're certain the information you provide is stored securely and can't be accessed by the general public. Even then, think twice about it.

* Block contact from all users in chat and IM clients except for those on your buddy list.

* Never respond to unsolicited e-mail, and never use the "unsubscribe" link at the bottom (if there is one). Those actions only validate that your e-mail address is a viable one and ensure you'll receive even more "spam." In addition, they virtually guarantee that your e-mail address will end up on a widely disseminated list, as most spammers also sell their lists of valid e-mails to other spammers.

* Consider investing in encryption software if you frequently send e-mail containing sensitive information.

* If you're worried about your online movements being tracked, cloak your identity with the aid of a service like that available from Anonymizer.com (www.anonymizer.com). Be aware, though, that if you threaten violence or otherwise break the law, providers of anonymization services are required to reveal your identity to law enforcement.

* If you participate in discussion groups or chat boards, remember that your posts can live on for years after you've forgotten about them - and they're usually easily searched. Be careful how much personal information you include in those things: One message's contents might not give you away, but a collection of them, each containing a different bit of personally identifiable information, can paint a pretty complete picture.

* While shopping online is safer than shopping by phone - especially if you use a cellular phone for the purpose - only dispense credit card and other financial or personal information when interacting with a secure server. Most Web browsers announce when you're about to load a secure page, and secure Web page addresses always begin with "https" instead of "http" (the "s" stands for "secure").

* When you shop online, make sure you only make purchases from reputable, legitimate sources. Don't buy from e-tailers that won't reveal their physical address, phone number, and a working e-mail address for contact.

* Ensure any Web browser you use to conduct online transactions incorporates the most stringent encryption available.

* Be extremely wary of sharing any information over a wireless network. Best estimates are that only about 25 percent of them have installed the proper safeguards to ensure they can't be breached with little more than a Pringles potato chip can and a coat hanger. Seriously [see "TechBits," last issue - Ed.].

* The only information a thief needs to wreak havoc with your life is your name, social security number, address, and birthday. Guard that information fiercely. Never supply your social security number on an insecure Web form or in unencrypted e-mail, and if your bank, brokerage firm, insurance company, or other supplier of financial services uses it to identify you via the Web, insist they change the identifier to something else immediately.

* Research yourself occasionally. The average victim of identity theft doesn't realize he or she has been targeted until 14 months after irreversible damage has been done. To stay on top of what's publicly available about you, once a month or so type your name into Internet search engines just to see what, if anything, pops up. If you're listed in the phone book, chances are good that you'll find the same listing at sites like Yahoo! (www.yahoo.com) and Switchboard.com (www.switchboard.com) that offer "people search" functions. You can have your information removed by contacting the engine on which it is listed. If you find references to you - or worse, to someone else pretending to be you - at other sites, contact the sites' owners about having the information removed. You can obtain a copy of your credit report once a year for a nominal fee from the credit reporting agencies. Check it to see if any activity you don't recognize appears.

Fighting Back

If you become the victim of a cyberstalker or identity thief, there are several things you can do to minimize the ill effects and protect yourself:

* Don't engage in any kind of communication with the harasser or thief, especially if you think you are being stalked. Even negative communication can be seen as encouragement by someone bent on doing physical or financial harm.

* Save all communication as evidence. Print out the communication and save it electronically. Make sure that copies of e-mail contain complete "headers," as this information is invaluable when authorities attempt to track the bad guys.

* File a complaint with the Internet service provider and e-mail provider of the person causing the problem. In most cases, this can be done by sending an e-mail to postmaster@[nameofprovider.com] or abuse@[nameofprovider.com]. Forward any messages you receive from the troublemaker as evidence of the problem.

* Contact the authorities and provide them with as much detail as you can. If you think you're being stalked and the local police can't or won't help, try the state police, the district attorney's office, or the state attorney general's office. Do not contact the FBI unless you receive a death threat or have been physically harmed. If the problem is a financial one, contact the IFCC (www.ifccfbi.gov).

* Contact the major credit reporting agencies if you believe your identity has been stolen or your financial information has been compromised. By law, they must red-flag your record with a "suspected fraud" tag:

Equifax: www.equifax.com

Experian: www.experian.com

Trans Union: www.transunion.com

* Seek help from victims' rights groups like Working to Halt Online Abuse (www.haltabuse.org), the National Center for Victims of Crime (www.ncvc.org), or CyberAngels (www.cyberangels.org).

* The following Websites also provide excellent information and resources about cybercrime and victims' rights:

U.S. Federal Trade Commission: www.ftc.gov

Privacy Rights Clearinghouse: www.privacyrights.org

Public Interest Research Groups: www.pirg.org

Identity Theft Prevention and Survival: www.identitytheft.org

Future Crime Prevention Association: www.futurecrime.com
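The advice above to save e-mail with complete "headers" can be checked before a copy is filed as evidence. The following added example (not part of the original article) reports whether a saved message still carries its routing headers and lists the relay hops from origin to recipient. The list of required headers is an assumed checklist, and both messages are constructed samples using documentation-only addresses.

```python
import email
import re

# Assumed checklist of headers an investigator needs; not an official standard.
REQUIRED = ("Received", "Message-ID", "Date", "From")

def header_report(raw_message):
    """Report missing headers and the relay chain of a saved message."""
    msg = email.message_from_string(raw_message)
    missing = [h for h in REQUIRED if msg.get(h) is None]
    hops = []
    # Each mail server prepends its own Received line, so the last one in the
    # file is the earliest hop. Lines below the first server you trust can be
    # forged by the sender, so treat them as leads rather than proof.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header line folding
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", flat)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
        hops.append({
            "from": m.group(1) if m else None,
            "by": m.group(2) if m else None,
            "ip": ip.group(1) if ip else None,
        })
    return {"complete": not missing, "missing": missing, "hops": hops}

# Constructed sample: a copy saved with full headers.
FULL_COPY = """\
Received: from smtp.isp.example (smtp.isp.example [203.0.113.5])
\tby mx.recipient.example with ESMTP id B2; Tue, 6 Aug 2002 10:15:04 -0400
Received: from dialup-44.isp.example (dialup-44.isp.example [198.51.100.44])
\tby smtp.isp.example with SMTP id A1; Tue, 6 Aug 2002 10:15:01 -0400
Message-ID: <constructed-0001@isp.example>
Date: Tue, 6 Aug 2002 10:15:00 -0400
From: sender@isp.example
To: victim@recipient.example
Subject: constructed sample

body text
"""

# Constructed sample: what a mail client shows (or prints) by default.
PRINTED_COPY = """\
Date: Tue, 6 Aug 2002 10:15:00 -0400
From: sender@isp.example
To: victim@recipient.example
Subject: constructed sample

body text
"""

if __name__ == "__main__":
    for label, raw in (("full", FULL_COPY), ("printed", PRINTED_COPY)):
        print(label, header_report(raw))
```

A copy that reports missing Received or Message-ID headers should be saved again from the mail client's "view source" or "show full headers" option before it is forwarded to a provider's abuse desk or to the authorities.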