Good piece today by my WSJ colleague Cassell Bryan-Low on the Douglas Havard case which I mentioned a week or so back: As Identity Theft Moves Online, Crime Rings Mimic Big Business (subscription only, I suspect):
Most identity theft still occurs offline, through stolen cards or rings of rogue waiters and shop clerks in cahoots with credit-card forgers. But as Carderplanet shows, the Web offers criminals more efficient tools to harvest personal data and to communicate easily with large groups on multiple continents. The big change behind the expansion of identity theft, law-enforcement agencies say, is the growth of online scams.
Police are finding well-run, hierarchical groups that are structured like businesses. With names such as Carderplanet, Darkprofits and Shadowcrew, these sites act as online bazaars for stolen personal information. The sites are often password-protected and ask new members to prove their criminal credentials by offering samples of stolen data.
Shadowcrew members stole more than $4 million between August 2002 and October 2004, according to an indictment of 19 of the site’s members returned last October by a federal grand jury in Newark, N.J. The organization comprised some 4,000 members who traded at least 1.5 million stolen credit-card numbers, the indictment says.
The organizations often are dominated by Eastern European and Russian members. With their abundance of technical skills and dearth of jobs, police say, those countries provide a rich breeding ground for identity thieves. One of Carderplanet’s founders was an accomplished Ukrainian hacker who went by the online alias “Script,” a law-enforcement official says. As with many of its peers, the Carderplanet site was mainly in Russian but had a dedicated forum for English speakers.
Well worth a read as it details how Havard’s UK operation worked.
Could RFID tags be used by shoplifters?
Robert Lemos of CNET’s News.com writes from Las Vegas that a German technology consultant believes the Radio Frequency Identification tags “could be abused by hackers and tech-savvy shoplifters”. He quotes Lukas Grunwald, a senior consultant with DN-Systems Enterprise Internet Solutions GmbH, as telling a discussion at the Black Hat Security Briefings that thieves could fool merchants by changing the identity of goods, he said.In time-honored fashion, Grunwald had the tools to prove it, unveiling during the session “a new software tool that he helped create that can be used to read and reprogram radio tags”.
The basic idea, it seems, is that such software — called RFDump, or sometimes RF-Dump — could be used on a PDA or laptop to mark expensive goods as cheaper items, allow underage folk to bypass age restrictions on alcoholic drinks and adult movies or create confusion in shops by randomly swapping tags.
How much of a threat is this to RFID? On first flush it sounds major. But I suspect that if it is going to be an issue it’s going to be more closely related to security than shoplifting. How many doors are already being opened by RFID? How many security passes are RFID? Luggage tags in airports? Of course these are probably encrypted but could these be reprogrammed?
Well, actually the article, from research and advisory firm Gartner, Inc., doesn’t say that. But it does say Identity Theft Is Up Nearly 80 Percent, and that 7 Million U.S. Adults Were Identity Theft Victims in the Past 12 Months. Which seems to be a lot. That’s 3.4 percent of U.S. consumers, I can’t help feeling.
With identity theft, a thief takes over a consumer’s entire identity by stealing critical private information, such as the Social Security number, driver’s license number, address, credit card number or bank account number. The thief can then use the stolen information to obtain illegal loans or credit lines to buy goods and services under the stolen name. Identity thieves typically change the consumer’s mailing address to hide their activities.
The sick bit is this: “More than half of all identity theft – where the method of theft is documented – is committed by criminals that have established relationships with their victims, such as family members, roommates, neighbors, or co-workers,” said Avivah Litan, vice president and research director for Gartner. I can’t believe my own mother might do this kind of thing.