Sunday, June 03, 2007

CNN "In the Money" report updates consumer protection issues

On May 26, 2007 CNN “On the Money” presented an hour-long update on the difficulties of consumer identity protection. The show started with some advice from Betsy Broder from the Federal Trade Commission, reminding consumers that banks and brokerages do not send emails (or make phone calls) requesting personal information. These are the notorious phishing attacks that are getting more and more clever. They often use the bank’s trademark (itself illegal) but direct the visitor to a website that does not match the description in the text of the email (check this by passing the mouse over the hyperlink in the email). I’ve tested some of these (using WHOIS on the IP address), and usually found them to be overseas servers (often in China). (I like for this, but the visitor can just use the WHOIS link at ). A common ruse is to claim that the bank is testing a “system change”, and once I got that phish from several “banks” in succession in the early AM of a Sunday morning.

Visitors should report all of these as spam. Larger ISPs (like AOL) send these to CERT for investigation and sometimes prosecution.

The program recommended longer passwords (as long as 12 characters) with at least one special character, at least one number, at least one upper case letter and one lower case letter, and nonsense strings. There are tools coming into the market to assist home users with password management, such as

One of the worst problems that may occur is that an identity may be stolen and someone may be accused of the other person’s crimes. It isn’t hard to imagine how this could be attempted on the Internet in chat rooms, instant messages, and the like. The risk is much greater for a home user who is not the only user of a computer (which is one reason why experts often recommend that computers be kept in a visible area of a house and not in kids’ rooms). Generally, any transmission from a computer can be traced to the specific IP address for that computer (which may be dynamic with some dialup services like AOL but which is static with high-speed cable Internet). In the case of dialup, I’m not sure how the forensics work in mapping the temporary AOL-assigned IP address to a particular computer or network in a particular home. But the possibility of computer crime under someone else’s ID has existed for years. In the 1980s, at Chilton Corp in Dallas (a credit reporting company that is now Experian), employees were advised to always sign out before leaving their workstations (and in those days we had a “tube city”) as the employee was responsible if his logon were misused. The Lifetime film “The Michelle Brown Story” (2004) dramatized the problems.

The practice of credit reporting companies of “auto capture” – dynamically updating the address information of a consumer with a request – confounds the problem. This was common in the 1980s when I worked for Chilton, because the company wanted to use the “latest” consumer address information for bulk mailing promotional lists, a major source of revenue (and our job stability).

The concept of checking any address change against a preferred address on a secured (non public) NCOA database would confound techniques like auto capture.