Entries from October 1, 2006 - November 1, 2006

ETrade and Ameritrade hit by the hacker trade

Stock brokers ETrade and Ameritrade recently announced that over the last three months hackers managed to steal more than $22 million by hacking into user accounts and conducting numerous unauthorized stock trades.

What makes the crime a little unusual is that the hackers didn't use the attack to directly steal information or money, but instead hijacked legitimate customer accounts to conduct multiple "pump and dump" trades - trading in a little-known stock in order to push up the price and then sell previously-held stock for an inflated profit.

And the hackers were able to bypass the extensive security measures of both brokerages by targeting the weakest link - installing password-stealing keyloggers on the PCs of brokerage customers. The best security measures can always be undone by careless computer users. And when hackers break into your computer it doesn't really matter if your computer is the target or simply used as a tool in another scam, someone's always going to pay.

Posted on Monday, October 30, 2006 at 10:54AM by Neal O'Farrell

Your friend the identity thief

Just down the road from where I live a research firm called Javelin Strategy and Research produces some great insights into identity theft and who commits it. For example, according to a 2005 study by the company the vast majority of identity thefts are not internet-based and the thief is much more likely to be much closer to home.

For example, 35% of reported identity thefts were committed by a family member or friend, 18% by a neighbor, and 23% by dishonest employees or co-workers. This doesn't eliminate the threat of online attacks, whether it's a hacker using spyware or keyloggers to grab your personal information from your computer or an organized crime gang stealing your information from an online database. But it should be yet another reminder that technology alone won't defeat identity theft, and that personal vigilance and planning are still the best free security defenses available.

Posted on Thursday, October 26, 2006 at 10:53AM by Neal O'Farrell

Phishers cosying up to social networking

While online predators were quick to recognize the power and reach of social networking to commit their crimes, phishers and identity thieves have not been far behind. In the last few months there's been a surge in things like toxic blogs (fake blogs that try to trick you into visiting a bogus web site), poisoned banners (banner ads loaded with spyware), and phishing schemes masquerading as photos from friends on your network.

One recent report found that when it comes to social networking web sites, 1 in every 600 pages is infected with some kind of malware.

It shouldn't come as a surprise that identity thieves have begun targeting sites like MySpace and Facebook. Just like the real-life communities they imitate, targeting members of social networking sites is all a numbers game. Create a variety of attack strategies (they call them intrusion vectors), socially engineer your way into member comfort zones, and hope that if only one or two percent of targets actually fall for the scam, it's still a good day's work.

Posted on Wednesday, October 25, 2006 at 10:48AM by Neal O'Farrell

Virus Versus Virus

A new type of Trojan has emerged that appears very territorial about what other malware it shares your computer with. Dubbed SpamThru, one of the first things this Trojan does when it sneaks onto your computer is to install a real and functioning copy of Kaspersky Labs' anti-virus software. The goal is to search for and remove any other viruses or Trojans that may already be on your computer and competing for space.

I guess it takes one to know one, but not the best way to do a virus scan. So far SpamThru focuses on turning infected computers into spam engines that will combine with other infected computers to send millions of spam emails. Safe to assume that identity theft is not far behind.

Maybe you should do a thorough virus scan, before someone else does.

Posted on Monday, October 23, 2006 at 10:47AM by Neal O'Farrell

It's all about choice

I happen to believe that most identity thefts are a matter of choice, by the victim, and not just some random criminal act. One thing we've learned about this crime spree is that most identity thefts can be thwarted by choices made by consumers, and that most consumers make poor or no choices.

Part of the problem is the wealth of inaccurate advice being offered. It seems like every web site offers the same advice on identity theft - follow these ten simple tips, from checking your credit report annually to protecting your mail - yet if identity theft could be defeated by just a handful of well-known security precautions then why is it still a global epidemic?

If you're really serious about avoiding identity theft you have to take a more hands-on approach, and just like your health you need to think about it more than once a year, or just when something goes wrong. I'm a big advocate for personal security planning, which I'll talk more about later. But at its most fundamental it means (1) taking the time to learn a little more about identity theft than you already do, (2) creating a checklist of good security choices that you refer to constantly, and (3) creating a response plan so that if you do fall victim, recovery will be much quicker and far less painful.

Or you could continue to cross your fingers until cramp sets in. It's your choice.

Posted on Sunday, October 22, 2006 at 10:46AM by Neal O'Farrell