Interesting Facts
  Is your financial data really safe?
By Liz Pulliam Weston
http://moneycentral.msn.com/content/Banking/FinancialPrivacy/P50924.asp

The threat is remote but real. With a world of hackers, hijackers and spoofers out there waiting to steal your stuff, a little caution is in order -- online and off.

When you’re paying bills, making investments, viewing your bank balance, checking your credit card statements, preparing your taxes and buying stuff online, are you taking a big risk?

The answer, unfortunately, is that no one really knows.
The reality is that you’re vulnerable to identity theft even if you don't own a computer. Some of the biggest hacking and identity theft cases have targeted business or government databases over which individuals have little control:

  • Thieves posing as Ford Motor Credit Co. personnel accessed a credit bureau database and stole credit reports of more than 30,000 consumers. The U.S. Attorney’s Office in New York said its investigation uncovered more than $2.7 million in financial losses.
  • A hacker broke into the California state controller’s computer system and gained access to the names and Social Security numbers of 265,000 state employees -- including the governor and all 120 state legislators.
  • A clerk of New York state’s Insurance Fund was arrested for using personal financial information from applications and other paper documents to set up credit accounts and purchase more than $100,000 worth of goods, including $70,000 in computers.
  • In February, a hacker accessed 8 million credit card numbers by breaking into the database of a company that processes transactions for Visa, MasterCard, American Express and Discover. The credit card companies said there was no evidence the numbers had been used for fraudulent purchases.
Certain online transactions may increase the chances that you'll be a victim. As several recent incidents have shown, letting a Web site store your credit card number could put you at risk. Hackers have stolen credit card numbers from online databases, including one at Amazon.com subsidiary Bibliofind.com. Incredibly, many companies still don’t encrypt these databases, said attorney and computer fraud expert Nick Akerman, making them relatively easy targets for thieves.

Theoretically, just establishing a user ID and a password for a financial account could make you more vulnerable, because a hacker could conceivably break into your computer, plant a keystroke-tracking program, retrieve the data and use it to access your account. But most hackers wouldn't bother with all that work for one account, security experts said.

The reality is that it’s pretty tough to quantify your risk of losing valuable personal information to a computer hacker, and even harder to determine how vulnerable you are to a financial loss because of that crime. Why?
  • Most companies keep hacking incidents under wraps. Only 30% of companies surveyed by the FBI and the Computer Security Institute said they reported such incursions to law enforcement. (Although that could soon change, thanks to a new California law; more below.) Some companies have such lax security, Akerman said, that they don't even know when they've been hacked or what information, if any, has been stolen.
  • Identity-theft complaints are rising, but the source of the theft is usually unknown. Of the 161,000 identity-theft complaints reported to the Federal Trade Commission last year, 80% of the victims had no idea how their information was stolen. Most of the rest "could only guess" at how they were compromised, said FTC spokeswoman Claudia Bourne Farrell.
  • Offline threats still seem to outnumber online threats. Sixty-eight percent of the law enforcement officials interviewed by the California Public Interest Research Group identified theft of snail mail as the leading threat. Thieves use purloined account statements, convenience checks, pre-approved credit card offers and even bills to take over existing accounts or establish new ones. Other offline threats include dumpster diving, stolen wallets and unscrupulous employees of banks and other lenders.
Just handing your credit or debit card to a waiter at a restaurant, says security expert Pradeep K. Khosla, is a transaction fraught with danger. The waiter could run multiple transactions, or glean enough information from the card’s magnetic strip -- thanks to a pocket-sized device called a skimmer -- to create a duplicate card.
"Somehow we don’t worry about that risk," said Khosla, director of Carnegie Mellon University’s Center for Computer and Communications Security. "We’re kind of used to it."

Spoofing is no joke
Khosla, who also heads the university’s electrical and computer engineering department, knows well the dangers that may lurk online. He’s particularly spooked by "spoofing" -- a hacking technique that redirects customers of a financial or shopping Web site to a look-alike, so thieves can glean IDs and passwords or credit card numbers. If well done, there’s little to tip off an unsuspecting user.

The real Web sites usually detect and swiftly shut down these incursions, "but in the 30 seconds or two minutes that can take," Khosla said, "something bad can happen."
Yet the dangers don’t keep Khosla from banking, shopping, investing and paying bills on the Internet. The risks he perceives don’t outweigh the convenience.
"I do everything (online)," he said.

So do I -- and have for years. I pay bills, rebalance my investment portfolio and shop for clothes and books. Every day, I download our bank, investment and credit card transactions into my personal finance software -- an exercise that simultaneously helps me stay in control of my finances and allows me to spot any problems immediately. So far, so good: the only unauthorized transactions have turned out to be of the "oh, sweetheart, I forgot to tell you" variety.

Don't ignore the risks
There’s nothing like a long history of good experiences to make you comfortable transacting business on the Web. But understanding where the biggest risks lie might help you decide how much of your financial life you want to conduct online.
Computer security experts say the databases at either end of the Internet transaction -- the one at the financial institution and the one in your computer -- are usually the most vulnerable. The information that flies between these databases is typically encrypted (you can tell by the little yellow padlock in the lower right-hand side of your browser) and difficult to hack.

One expert likens an Internet financial transaction to driving an armored car between two cardboard boxes -- the car could be targeted, but it’s far more likely hackers will go after the more vulnerable boxes.

Where are you stored?
That’s why many security experts who use credit cards to buy stuff on the Web are nervous about storing their credit card numbers on the same site. It's also why you may be fine e-filing your taxes, but reluctant to actually prepare them online if they’re stored at a Web site.

Of course, you can’t always tell when a Web site is hanging on to the information you give it. Many reputable sites offer to "remember" your card number for you, but others may simply snatch and keep the information without consulting you, said online financial services analyst Chris Musto, of research firm Gomez Advisors. That’s why it’s important to deal with reputable sites and to review privacy policies.

We may soon get a better idea of the risks we’re actually taking, thanks to a California law that takes effect July 1. The law requires companies to alert their California customers if hackers or employees steal information that could be used for identity theft.

(The bill was undoubtedly helped by the fact that the lawmakers had just gotten a dose of what it feels like to have their information stolen, thanks to the hacking incident noted above. "It made the issue real and immediate for the 120 lawmakers who were obliged to vote on the issue," is the way sponsoring Assemblyman Joe Simitian, D-Palo Alto, put it.)

Law could force action
Because companies are required to comply regardless of where they’re headquartered, computer security experts believe the California law will lead to a nationwide increase in firms reporting hacking incidents. They also hope it will inspire companies to take additional security measures to avoid the hassle and publicity of such disclosures.

"It’s forcing companies to take the medicine that they should have been taking a long time ago," said Akerman.

Consumers should be taking that medicine as well. Firewalls, anti-virus software and the simple act of changing passwords once in a while can help reduce your vulnerability. Also:
  • Hunt for spyware. This nasty software tracks where you go and what you do and reports it back -- sometimes to companies that sell the information to marketers, sometimes to crooks. Wall Street Journal columnist Jeremy Wagstaff recommends Ad-aware from Lavasoft or Spybot Search and Destroy.
  • Be careful with wi-fi. Wireless Internet is hot, it’s cool -- and it’s about as secure as a cell phone conversation. If you’re worried about security, don’t conduct your financial transactions online while at your corner Starbucks.