Entries in Business Identity Theft (5)
Insiders still pose a major ID theft threat
A Michigan software engineer was just sentenced to five years in prison after being convicted of stealing and trying to sell the personal records of more than 100,000 people.
He stole the information while working as a software consultant for a Wisconsin insurance firm and then tried to sell the records on the internet under an assumed name. Too bad one of his customers turned out to be an undercover Secret Service agent.
The stolen information included everything needed to launch a massive identity theft, including names, addresses, and social security numbers. So how much was each stolen identity worth to this thief? Less than 70 cents.
The thief was convicted of identity theft, wire fraud and other charges, and also required to repay the breach notification costs of the insurance company, more than half a million dollars.
What I'd like to know is how he was caught. Did the insurance company detect the breach and report it to police, or did the Secret Service come across this thief as he tried to sell the information?
What can businesses do to prevent identity theft?
It’s very easy to find someone to blame when it comes to identity theft (apart from the thieves).
We can blame the credit bureaus for buying and selling our personal information without permission. Or we can blame the government and our legislators who refused to regulate the lucrative trade in our financial information.
We can even blame ourselves, as consumers, for not taking enough responsibility for our own security and protection against identity theft.
But much of the blame has to fall upon the businesses, both large and small, that are failing to protect the confidential customer and employee identity information in their care.
ETrade and Ameritrade hit by the hacker trade
Stock brokers ETrade and Ameritrade recently announced that over the last three months hackers managed to steal more than $22 million by hacking into user accounts and conducting numerous unauthorized stock trades.
What makes the crime a little unusual is that the hackers didn't use the attack to directly steal information or money, but instead hijacked legitimate customer accounts to conduct multiple "pump and dump" trades - trading in a little-known stock in order to push up the price and then sell previously-held stock for an inflated profit.
And the hackers were able to bypass the extensive security measures of both brokerages by targeting the weakest link - installing password-stealing keyloggers on the PCs of brokerage customers. The best security measures can always be undone by careless computer users. And when hackers break into your computer it doesn't really matter whether your computer is the target or simply used as a tool in another scam; someone's always going to pay.
Fancy some spyware with your Mac and fries?
Consumers could be forgiven for feeling they're fighting identity theft with one arm tied behind their back. Fast fooders McDonalds just announced the recall of thousands of MP3 players from the Japanese market when it was discovered that as many as 10,000 customer computers were infected with a password-grabbing spyware Trojan pre-loaded on the player.
Turns out the spyware probably made its way onto the players because of sloppy security at the manufacturers. And it also turns out that McDonalds is not alone. In 2005 hard drive maker I-O systems had to recall hard drives contaminated with the Tompai-A worm, and as far back as 2001 HP was accused of distributing multiple viruses packaged with its printer drivers. And just a couple of months ago a security expert I work with discovered that the recovery CD he received from Gateway Computers to help recover his virus-infected computer was itself contaminated with multiple viruses.
Surprised? You shouldn't be. Sloppy security practices by big companies continue to create some of the biggest security incidents, yet most of these companies skate through unscathed while we all lose a little more confidence in the brands we're expected to trust.
The HP pretexting scandal has a great lesson to teach us about identity theft and the importance of awareness
If you have yet to hear about the “pretexting” scandal that has had computer giant HP in the media spotlight for nearly a month, then welcome to Planet Earth and sorry about all the mess. But you’re probably at least a little aware of the allegations that a number of private investigation firms hired by HP to get to the bottom of boardroom business leaks used deceptive and possibly illegal tactics to trick phone companies into providing them with the private phone records of journalists, HP employees, and even other board members.
So what does this have to do with identity theft? Well, besides the fact that some of the tactics used in pretexting are technically considered identity theft under recent California laws, the whole concept of pretexting is based on something called social engineering, which is also the key ingredient in phishing, one of the most potent and effective forms of identity theft.
Social engineering is essentially about using some form of deception or coercion to trick others into believing that you are somebody you’re not, so that these people will do something they shouldn’t – in the case of identity theft it’s to hand over personal information to the wrong people. Famed former hacker Kevin Mitnick is regarded as the king of social engineering and claims that he used charm and deception far more often than his computer in the legion of computer hacks that finally earned him a five-year prison sentence.
Apart from the legal and ethical issues, the HP case demonstrated how easy it can be to trick otherwise wary people – in this case employees of the telephone companies – into handing over private personal information to somebody just because they claim to be the rightful owner.
Identity theft by phishing uses exactly the same principles, using emails or even phone calls pretending to be from a bank, credit card company, or other trusted brand in order to trick you into offering up your most sensitive financial information. The irony is that phishing is one of the few known crimes that requires the willing, albeit unwitting, participation of the victim in order to succeed. If you don’t respond to a phisher’s request for your information, the phish won’t work and the crime can’t occur.
Which reminds us that the best defense against identity theft is our own vigilance, and not just the ability but the urge to simply say no. If the employees at the telephone companies had just said no, or at least asked for greater verification from the private investigator at the other end of the line, then pretexting might still be HP’s dirty little secret.
Maybe the telephone companies need to send their employees to one of Kevin Mitnick’s courses on how to spot and avoid social engineering. But like most of us you probably can’t afford that luxury, so you’ll just have to rely instead on your ability to just say no the next time someone you don’t know asks you for information your instincts say you shouldn’t provide. That way you won’t make it into the headlines and the next call won’t come from your bank or credit card company wanting to know who spent all your hard-earned money.