The Washington Times - Monday, May 28, 2007

For $50, consumers can prevent what was on average a $5,720 crime last year.

The overall cost of identity theft has fallen 12 percent, from $55.7 billion in 2005 to $49.3 billion last year, but the percentage of fraud committed over the Internet has doubled in that time, according to data compiled by Javelin Strategy and Research.

“The criminals are so far ahead right now that it’s a little bit ridiculous,” said Jerry Thompson, chief executive officer and co-founder of GuardID Systems, based in San Mateo, Calif.

Mr. Thompson said his company’s hardware security device can protect consumers against all kinds of online identity theft and financial fraud, especially “phishing” and “pharming,” which are routinely cited as the most common forms of online identity theft.

“Phishers” send out hundreds, thousands or even millions of spam e-mails purporting to come from a trusted company, asking recipients to enter confidential information.

Losses from phishing attacks have skyrocketed. In 2006, phishing-related losses were $2.8 billion — compared with just $137 million in 2004, according to a 2006 Gartner Research study.

Lately, phishing attacks have become more insidious with the inclusion of a link to a bogus Web site that secretly installs spyware or a Trojan horse onto a victim’s computer. The victim’s information can then be captured the next time he visits the legitimate Web site of his bank or other financial institution.

Pharming is similar to phishing but harder to detect because criminals don’t need victims to respond to a fake e-mail. Through what is known as DNS cache poisoning, “pharmers” hijack servers so that victims are redirected to a bogus site even if they type the correct Web address. Thieves use a “keylogging” program that captures confidential information and then close the fake site to avoid detection.

“There’s a lot that’s happening out there that people aren’t aware of,” said Paul Bresson, a spokesman for the FBI, which tackles Internet fraud through its Cyber Investigations division. “It’s become sophisticated. A victim would have no idea how they pulled it off.”

Many financial companies have great security and anti-spyware programs, but Mr. Thompson said there’s a problem: Neither will protect consumers from all phishing and pharming attacks.

“Those kinds of programs protect your PC; they don’t protect you when you’re out on the Internet,” Mr. Thompson said. “The security at the bank is fantastic — the peril is getting from your PC to the bank’s server.”

ID Vault is a small device that connects to a user’s USB port. It comes with software that instructs users to load passwords to bank accounts and then encrypts the information on a smart-card chip inside the device. When users stick the ID Vault into their computer, they enter a personal identification number (PIN) and are automatically signed in to any of their favorite sites, which can include e-commerce sites or even social-networking hubs like MySpace.

Because a user’s sensitive data is contained in the device and not on the computer, it is immune from PC attacks, Mr. Thompson said.

“There’s no known successful attack or hack against a smart card,” he said.

GuardID Systems appears to be the first company to embed a smart card in a USB device for online security.

The product rolled out nationwide in major retail stores in July.

In addition to the purchase price of $49.95, the company charges an annual subscription fee of $19.95 for monitoring financial sites.

So far about 140,000 ID Vaults have been sold, Mr. Thompson said.

Anti-spyware programs, even when updated regularly, are not an effective safeguard, Mr. Thompson said, because by the time a look-alike Web site is identified, chances are the thieves have shut it down and started another one.

GuardID Systems continuously monitors a network of 7,700 financial institutions, storing each Internet Protocol address and server address in a database.

Each day, institutions’ addresses and sign-in protocols are validated in case a bank changes them.

“You’re not typing any kind of URL or password, so you can’t be keylogged,” Mr. Thompson said.

If a DNS server has been hacked, ID Vault will recognize that the end address is different and will not pass a user’s credentials to the site.
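The address check described above can be sketched as follows. This is an added example, not GuardID's code: the database layout, the function names, the host `bank.example` and the documentation-range addresses are all assumptions made for illustration.

```python
import ipaddress
import socket
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=1)  # the article says records are revalidated daily

# Constructed sample database. "bank.example" and the RFC 5737 documentation
# range 192.0.2.0/28 are placeholders, not real institution data.
PINNED = {
    "bank.example": {
        "networks": [ipaddress.ip_network("192.0.2.0/28")],
        "validated": datetime(2007, 5, 28, tzinfo=timezone.utc),
    }
}


def system_resolve(host):
    """Ask the local resolver, which is the component pharming corrupts."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def may_release_credentials(host, resolve, now, pinned=PINNED):
    """Return (allowed, reason); `resolve` maps a hostname to IP strings."""
    record = pinned.get(host.lower().rstrip("."))
    if record is None:
        return False, "host not in pinned database"
    if now - record["validated"] > MAX_AGE:
        return False, "pinned record is stale"
    try:
        answers = [ipaddress.ip_address(a) for a in resolve(host)]
    except (OSError, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    if not answers:
        return False, "no addresses returned"
    # Fail closed: a poisoned cache may mix genuine and forged records, so
    # every returned address must fall inside a pinned network.
    for addr in answers:
        if not any(addr in net for net in record["networks"]):
            return False, f"unexpected address {addr}"
    return True, "all addresses match pinned record"


if __name__ == "__main__":
    now = datetime(2007, 5, 28, 12, tzinfo=timezone.utc)
    clean = lambda host: ["192.0.2.5"]                    # constructed answer
    poisoned = lambda host: ["192.0.2.5", "203.0.113.9"]  # constructed answer
    print(may_release_credentials("bank.example", clean, now))
    print(may_release_credentials("bank.example", poisoned, now))
```

A check like this complements TLS certificate verification rather than replacing it, and the pinned set has to be refreshed whenever an institution moves its servers.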

Like a debit card, if a user loses his or her ID Vault, a thief will be unable to access it without a PIN and the software.

As for GuardID Systems, the company keeps no records of user names and PINs, just serial numbers of the devices, so it is not subject to attack, Mr. Thompson said.

A review of ID Vault in March’s Laptop Magazine gave the device three out of five stars.

The magazine praised the product overall, but advised buyers to make sure that it is compatible with their financial institutions — the authors said the device did not properly log one of the banking sites they tested.

Likewise, PC World described the annual fee as expensive and noted that the device does not yet work with the Firefox Web browser, although the company plans to roll out a compatible version soon.

GuardID Systems has so much confidence in ID Vault that it guarantees each user up to $1 million in lost funds for as many as 10 accounts if its product fails to protect him or her against online fraud.
