- The Washington Times - Saturday, February 2, 2002

The Internet has made it easier for scam artists to trick consumers into giving out personal information such as Social Security and credit-card numbers.
"Scams like that are unfortunately prevalent on the Internet," said Nicholas Graham, spokesman for America Online.
Recently, a scam artist sent e-mail messages to AOL users claiming to be the AOL billing department and asking for credit card information.
"Our records indicate that the credit card information on file for your AOL account is not up-to-date. Therefore, you will need to replace it with another or newer credit card information," it said. "Outdated information on your AOL account may cause bill processing problems which in some cases could lead to service interruptions and termination of your account."
Those who gave it out found thousands of dollars billed to their credit cards.
Mr. Graham said the world's largest Internet-service provider, with 33 million members, frequently encounters such scams. When such an incident occurs, it asks the Web host to shut down the scam artist's access.
AOL urges customers to never give out passwords or account numbers. Yet customers often fall into traps and there's little AOL can do, as Internet-savvy scammers find ways to steal personal information online.
This is particularly true with financial institutions, which store billions of Americans' dollars.
Financial institutions "understand if a person walks in through the door with a gun and says 'Hand me your money,' but they don't understand how an attacker from the Internet could hurt them," said Tim Bates, managing director of Web security firm Advanced Computing Technologies Inc.
Security breaches have happened to companies of all sizes, resulting in the exposure of the personal data of thousands of consumers and numerous cases of fraud and identity theft. Incidents like these increase as more people use the Internet for shopping and personal finance, observers say.
"Security and privacy are major concerns online," said Tena Friery, research director for the Privacy Rights Clearinghouse. "People just do not feel secure in entering personal information online."
More than 70 percent of companies have sites that are vulnerable to breaches, and little can be done to ensure security, analysts say.
"Caution is always the buzzword," Miss Friery said. "Because no Web site is immune from hacking or being intercepted, generally we give the same advice we'd give someone who is doing business over the phone, which is deal with a known entity."
Consumers should read a company's privacy policy if it is posted on the site, she said. They also should look for endorsements by regulatory agencies or consumer groups. A seal of approval from the Better Business Bureau, for example, is recommended.
Setting up a privacy policy is the first step a company should take to secure its site, Mr. Bates said. Then come technological issues, such as encryption, which scrambles customer information so nobody else can view it, or firewalls, which keep intruders out of a secure site with passwords.
Financial institutions say they have sound security practices.
"We've put in place a pretty elaborate security system that can basically detect if any customer names are trying to get out of our firewall or if someone is trying to get into our system," said Marc Loewenthal, chief privacy officer at Providian Financial.
The company also hires consultants to try to hack into its network, seeking potential holes; it's a practice employed by most financial institutions.
Bank of America's network has not been broken into, said spokesman Brad Russell.
Occasional viruses have invaded the system, but that is typical for all computer systems, he added.
Mr. Russell said he would be surprised if most larger financial institutions did not have the proper security in place.
Citibank and American Express both said they have state-of-the-art security systems.
"Safeguarding consumers' privacy is part of our brand," said Tony Mitchell, spokesman for American Express.
But even as Citibank, for instance, says it has the necessary security, the credit-card issuer has had problems over the years: The most high-profile case was in 1994, when a group of Russian hackers broke into the bank's network and transferred some $10 million to bank accounts around the world. The criminals were caught and jailed, but the bank still lost about $400,000.
Ben Venzke, chief executive of Tempest Publishing and its intelligence group, IntelCenter, which specializes in terrorism, national security and cyber-threats, listed several problems that result in poor Web site security.
The main flaw is that often companies design their site and think of security afterward, rather than thinking of the two together. In cases in which security is eventually installed, it is not good and tends to be a "feel-good-marketing component," Mr. Venzke said.
Even with larger companies "you'd be surprised" by the lack of security, he added. "There are still new systems being deployed by big corporations that have holes big enough to drive a truck through them."
Another problem is the high cost of updating security. Mr. Venzke said he has worked with security directors at large companies who are constantly fighting to get funding.
Another problem is that often smaller companies don't create privacy policies while larger companies often don't enforce their policies, Mr. Bates said.
Security becomes a Catch-22: "If you do everything right and nothing goes wrong, then they say, 'We're spending too much money on security.' Or nothing happens and they say, 'We don't need to spend that much.' You can't win either way," Mr. Venzke said.
To prove how easily a banking institution's Web site could be penetrated, for instance, a Texas man broke into his own bank's network in December. The man, a software company employee from Texas, penetrated security on the site mycard.fleet.com, allowing visitors to view the personal information of hundreds of cardholders at FleetBoston Financial.
The bank corrected the problem in less than 12 hours and did not file charges against the man because he was trying to make a point about the site's security.
In November, the Web site of Playboy magazine, Playboy.com, was broken into by a hacker who stole customer details, including credit-card numbers. And just last week, Sherman Honeycutt, of Burke, became the latest victim of the AOL scam.
Thinking that he was updating his credit-card information for AOL's billing services, Mr. Honeycutt gave his information to a scam artist in South Florida, who promptly charged some $2,200 on his credit card.
"I had given out [credit-card information] many times and this is the first time I got hurt," Mr. Honeycutt said. "I would still do it, but next time I'll be a little more careful."

Copyright © 2018 The Washington Times, LLC.