Device keeps passwords from online thieves

For $50, consumers can prevent what was on average a $5,720 crime last year.

The overall cost of identity theft has fallen 12 percent, from $55.7 billion in 2005 to $49.3 billion last year, but the percentage of fraud committed over the Internet has doubled in that time, according to data compiled by Javelin Strategy and Research.

“The criminals are so far ahead right now that it’s a little bit ridiculous,” said Jerry Thompson, chief executive officer and co-founder of GuardID Systems, based in San Mateo, Calif.

Mr. Thompson said his company’s hardware security device can protect consumers against all kinds of online identity theft and financial fraud, especially “phishing” and “pharming,” which are routinely cited as the most common forms of online identity theft.

“Phishers” send out hundreds, thousands or even millions of spam e-mails purporting to come from a trusted company, asking recipients to enter confidential information.

Losses from phishing attacks have skyrocketed. In 2006, phishing-related losses were $2.8 billion — compared with just $137 million in 2004, according to a 2006 Gartner Research study.

Lately, phishing attacks have become more insidious with the inclusion of a link to a bogus Web site that secretly installs spyware or a Trojan horse onto a victim’s computer. The victim’s information can then be captured the next time he visits the legitimate Web site of his bank or other financial institution.

Pharming is similar to phishing but harder to detect because criminals don’t need victims to respond to a fake e-mail. Through what is known as DNS cache poisoning, “pharmers” hijack servers so that victims are redirected to a bogus site even if they type the correct Web address. Thieves use a “keylogging” program that captures confidential information and then close the fake site to avoid detection.

“There’s a lot that’s happening out there that people aren’t aware of,” said Paul Bresson, a spokesman for the FBI, which tackles Internet fraud through its Cyber Investigations division. “It’s become sophisticated. A victim would have no idea how they pulled it off.”

Many financial companies have great security and anti-spyware programs, but Mr. Thompson said there’s a problem: Neither will protect consumers from all phishing and pharming attacks.

“Those kinds of programs protect your PC; they don’t protect you when you’re out on the Internet,” Mr. Thompson said. “The security at the bank is fantastic — the peril is getting from your PC to the bank’s server.”

ID Vault is a small device that connects to a user’s USB port. It comes with software that instructs users to load passwords to bank accounts and then encrypts the information on a smart-card chip inside the device. When users stick the ID Vault into their computer, they enter a personal identification (PIN) number and are automatically signed in to any of their favorite sites, which can include e-commerce sites or even social-networking hubs like MySpace.

Because a user’s sensitive data is contained in the device and not on the computer, it is immune from PC attacks, Mr. Thompson said.

“There’s no known successful attack or hack against a smart card,” he said.

GuardID Systems appears to be the first company to embed a smart card in a USB device for online security.

Story Continues →