More than one in ten U.S. computers are infected by difficult-to-detect “bots” or “zombies,” which “botmasters” can use for anything from sending spam, to eavesdropping on network traffic, to stealing user passwords.
The Online Trust Alliance (OTA) joined a unanimous vote at the Federal Communications Commission’s (FCC) Communications Security, Reliability and Interoperability Council (CSRIC) meeting today, approving the voluntary U.S. Anti-Bot Code of Conduct for Internet Service Providers (ISPs), also known as the ABCs for ISPs. As a member of the CSRIC appointed by FCC Chairman Julius Genachowski, the OTA has been working with the FCC and leading ISPs to develop this voluntary Code. Under the Chairman’s leadership, this example of private and public sector collaboration is an important step forward to help protect our nation’s critical infrastructure and consumer data.
“Today is an example of the importance of self-regulatory efforts to help improve the safety and performance of the internet,” said Craig Spiezle, executive director and president, Online Trust Alliance. “Sustainable solutions to contain bots must include all stakeholders in efforts to detect, prevent, and remediate these threats.”
Chairman Genachowski said, “The recommendations approved today identify smart, practical, voluntary solutions that will materially improve the cyber security of commercial networks and bolster the broader endeavors of our federal partners.”
The development of the ABCs for ISPs was a multi-stakeholder effort over the past 12 months, with the participation of ISPs, trade associations and companies, including OTA members PayPal, Microsoft, Symantec, and Internet Identity, and leading ISPs, including AT&T, Comcast and CenturyLink. Focusing on residential users, the Code includes five areas of focus for ISPs: education, detection, notification, remediation, and collaboration.
Based on OTA analysis and initial ISP self-reporting, approximately 51 percent (or 41.2 million) of the 81 million U.S. households who have broadband service are realizing added protection from ISPs who have adopted the Anti-Bot Code of Conduct. The CSRIC report cites research that ISPs also benefited – from reduced upstream traffic, spam, and helpdesk calls – when they took a proactive approach to bot remediation.
OTA, as an independent organization committed to enhancing online trust and confidence, encourages ISPs to self-report to OTA. Future reports will include the adoption of similar efforts by other stakeholders and industry segments. More information including the Code and summary of ecosystem support.
“The ABCs for ISPs is a significant step forward and we applaud those ISPs who have already stepped up to the plate,” said Neal O’Farrell, executive director, Identity Theft Council. “We have a shared responsibility to help protect consumers from abuse and identity theft. Consumers should encourage their ISPs and telecommunications carriers to adopt these and other best practices.”
Summary of Public Support
Voluntary Code of Conduct Participation Requirements – To participate in this Code, an ISP is required to engage in at least one activity (i.e., take meaningful action) in each of the following general areas:
Education – an activity intended to help increase end-user education and awareness of botnet issues and how to help prevent bot infections;
Detection – an activity intended to identify botnet activity in the ISP’s network, obtain information on botnet activity in the ISP’s network, or enable end-users to self-determine potential bot infections on their end-user devices;
Notification – an activity intended to notify customers of suspected bot infections or enable customers to determine if they may be infected by a bot;
Remediation – an activity intended to provide information to end-users about how they can remediate bot infections, or to assist end-users in remediating bot infections;
Collaboration – an activity to share with other ISPs feedback and experience learned from the participating ISP’s Code activities.
About The Online Trust Alliance (OTA) https://otalliance.org
OTA’s mission is to develop and advocate best practices, public policy and self-regulation to mitigate emerging privacy, identity and security threats to online services, brands, government, organizations and consumers. By enhancing online trust and confidence, we can realize the potential of the internet, promote innovation and the vitality of commerce.
One of the biggest surprises for many victims of identity theft is the realization that many things they assumed about the crime and its aftermath were actually wrong. And by the time they realize the truth about identity theft, it’s too late.
So with that in mind, I thought I’d clear up some of the assumptions you may be making and which may be completely wrong. Let me know if any of these sound familiar:
Zero liability is a promise, not a law
It’s a mistake victims often make: assuming that if they fall victim to credit card fraud, the credit card company is obliged by law to make them whole. Only it’s not. There’s no zero liability law, just a promise by credit card companies not to hold victims liable for fraudulent charges. It’s self-preservation really, and the cost of calming consumers and making sure they don’t worry unnecessarily about using their credit cards.
If your Social Security number is being used by 100 other people, don’t expect the Social Security Administration to do much
You’d think that given the Social Security number is the crown jewel for identity thieves, and loss of your number could lead to a lifelong fight for your identity, the Social Security Administration would be leading the fight against identity theft. Sadly no. Even on their own web site they don’t hesitate to explain that they don’t investigate identity theft and instead will refer you to other sites, like the FTC and Internet Crime Complaint Center, who also won’t investigate your case.
If you’re a victim of identity theft, you could be blacklisted by your bank
This is a growing trend, where victims of identity theft are not held liable for any losses but instead suffer the humiliation of being told by their bank or credit union that they must close their accounts and take their business elsewhere.
Talk about insensitivity, but I can only assume that banks regard victims as an ongoing liability likely to be victimized again and again. So rather than carry that risk they’d prefer to push it on to their competitors.
Don’t expect the thief to be caught or prosecuted
One of the many facts that set identity theft apart from most crimes is the lack of any real satisfactory resolution. If you’re ever a victim, don’t expect to get your day in court to watch your thief face justice and head to prison for the next decade. Identity theft is not a priority for law enforcement, and most police departments investigate less than 1% of identity theft cases. Of those investigated, only a tiny minority is ever prosecuted, and in those very few cases the thief is often allowed to strike a deal that results in little real punishment.
Why zero liability could be meaningless
I’m pretty sure that you’ve heard of zero liability by now – that promise by your credit card company that in the event of a fraud using your credit card, you won’t be liable for any losses. It was a concept introduced years ago by the credit card industry to allay fears consumers had about using their credit cards and shopping online.
Banks were just as quick to jump on the bank wagon and start throwing about similar promises, which unfortunately led consumers to believe that their ATM/debit cards and their bank accounts were covered by zero liability too.
Victims of fraud, however, are finding out the hard way that they were wrong. The truth is, most banks don’t offer zero liability in the case of ATM or debit card fraud, or unauthorized transfers from your bank account. Instead, they’re covered by something known as the Electronic Fund Transfer Act, which has much looser rules when it comes to reimbursing defrauded customers.
For starters, even if you report the theft or scam within 48 hours of discovering it, you’re still on the hook for $50. If you report the fraud outside the 48-hour window, you’re on the hook for the first $500 in losses. And for many victims that’s a month’s rent or a month’s worth of groceries.
And as banks face a tough economy and limits on the fees they can charge their customers, they’re getting tougher on victims of fraud and identity theft. As head of the Identity Theft Council, I’m seeing an increasing number of victims being told by their bank that for a variety of reasons their claim for fraud has been denied and they will not be reimbursed their losses.
Some of the banks rely on outdated security advice that doesn’t seem to take into consideration threats like skimming. Banks will often deny a claim for fraud if both the victim’s card and PIN were used in the transaction and if the victim did not previously report the card as missing. The banks are assuming that if the card and PIN were used, and the victim did not report the card missing, then the transaction could not have been conducted by anyone other than the victim.
But in skimming cases, especially those using compromised card readers, the thieves are able to steal the victim’s card and PIN to make new cards, and start withdrawing money on the other side of the country. So fraud help desks are either not aware of frauds that can capture both the card and PIN, or are simply using that as an excuse to avoid liability.
And as if that were not bad enough, I’m also hearing from victims who, after they’ve notified their bank that they have been a victim of identity theft, are told to close their accounts and take their business elsewhere. It’s as though the banks regard victims of identity theft as a greater liability and would rather push that liability to a competitor.
If you’re still looking for a reason to get more serious about protecting against identity theft, then do it for your country. In a series of recent hacks on customers of AT&T, attackers were apparently able to steal more than $2 million by making fake calls to premium call services.
It now appears that the money made from the attack was funneled to a Saudi-based militant group that is also believed to have helped fund the deadly 2008 terror attacks in Mumbai, India, where the coordinated series of attacks claimed more than 160 lives.
Identity theft for terrorism is nothing new. According to a report by MSNBC as far back as 2004, the 9/11 Commission raised the troubling reality that stolen identities are aiding terrorists. The Millennium Plot, which consisted of a number of planned attacks around the world back in 2000, was organized by a terror cell that used credit card fraud to fund its activities, and there are even claims the terrorists planned to invest in a gas station to make it easier to steal multiple identities.
The MSNBC report also claimed that Ali Saleh Kahlah al-Marri, suspected of being connected to the 9/11 attacks, had a laptop in his possession that contained 1,000 stolen credit cards when he was arrested.
And an expert on identity theft at the University of Michigan claims that al Qaida manuals she has seen include instructions on how to commit fraud and steal identities, to live off stolen identities when in hiding, and even requires students to leave their training camps with at least five fake identities.
Yet another reason to take identity more seriously. It’s about much more than zero liability, and the impact the crime can have on you personally. If you’re careless with your identity and it makes it into the wrong hands, who knows what horrors could be committed in your good name.
In light of an increase in the number and sophistication of skimming scams around the country, the Identity Theft Council (www.identitytheftcouncil.org) is warning consumers and business owners to be especially careful and selective when using an ATM or debit card to make purchases.
While a credit card fraud can be an inconvenience, consumers should realize that it’s the bank’s money that is being stolen, and it should not affect the funds the consumer has in their bank or credit union account.
If an ATM or debit card is stolen, however, the funds will be taken directly from the victim’s bank account. And while victims should get their money back eventually, it may not be in time to pay important bills like rent, mortgage, and even groceries. In the case of the recent skimming breach that affected 24 Lucky Supermarkets in Northern California, some victims are reporting that they’re unable to buy groceries because of delays with their bank either in replacing compromised debit cards or in accessing their accounts.
And the nation’s 27 million small businesses are also vulnerable because many are not aware that zero liability does not apply to business accounts. Which means that a small business owner’s cash reserves could be wiped out by a single card theft, and the money will not be reimbursed by their financial institution.
The Identity Theft Council recommends the following precautions:
- The easiest way to avoid skimming is to use cash, especially in places where it’s easy for thieves to tamper with a device.
- Be vigilant and do a cursory inspection of the card reader, ATM, or gas pump for anything that looks unusual. However, don’t rely on a visual inspection because many skimmers are hidden inside the card reader or gas pump where a consumer will never spot them.
- Use a credit card instead of a debit card. A debit or ATM card takes money directly from your bank account, and while you should get it all back, it may not be in time to pay important bills like rent. If you use a credit card (and pay it off fully each month) it’s the bank’s money that’s at risk.
- Resist offers by merchants, especially gas stations, to give a discount for using a debit card instead of a credit card. The small savings at the pump may not be worth the price of an emptied bank account.
- If you’re a small business owner, don’t use an ATM or debit card at all because if thieves do manage to steal from your account, you don’t have zero liability and will not be compensated.
- Always check your bank and credit card statements carefully each month for any unusual charges, and challenge them immediately.
- If account alerts are an option, use them. Many financial institutions offer free alerts by email or text if there are any transactions on your account, allowing you to challenge or dispute them quickly.
- If you do fall victim and money is removed from your account, contact your financial institution immediately, cancel the card, and have a new one issued with a new PIN. It shouldn’t be necessary to close your account completely, which can be a big inconvenience, but you should ask your bank for their advice on this.
- If you’re notified or suspect that your card has been compromised in a breach, and you don’t close the account, monitor your accounts closely for the next few months. Thieves often wait until media coverage of an incident blows over and guards are down before using stolen information.
- Don’t share ATM or debit cards with other family members or employees because it only increases the chances that someone will ignore your rules and expose you to theft.
- Be on the alert for bogus calls pretending to be from your bank, credit union, or credit card company, claiming to be in connection with a recent breach, and asking you to confirm account or personal information. If in doubt, contact your financial institution through the customer service or fraud number provided on the card or their web site.
Thieves are more determined than ever to attack point-of-sale systems because of the financial returns. In early December the Department of Justice announced the indictment of four Romanian nationals accused of compromising point-of-sale devices at more than 200 different businesses and stealing the card information of more than 80,000 customers. The losses are believed to be in the millions of dollars and the scam may have gone undetected for nearly three years.
In one of the most bizarre and creative identity thefts I’ve come across recently, a Florida car salesman was recently arrested and charged with a multi-million dollar identity theft scheme that helped fund his car business.
The alleged thief had somehow managed to steal the identities of hundreds and perhaps thousands of victims. According to authorities, the Florida man used information stolen from the State Department of Children and Families and Department of Juvenile Justice. How he got that information is unclear, although assistance from insiders in cases like this is not unusual.
Armed with the new identities, the alleged thief then filed more than 1,500 tax returns in the names of his victims, and had the money deposited in a network of bank accounts he had set up. But here’s the twist. Rather than pocket the money like most thieves, instead the suspect used the money to purchase cars which he then sold on his car lot.
Apart from being a very creative way to fund a business and buy stock, it’s also a great way to launder money and make the money look like it legitimately came through car sales. The scheme may have netted the thief more than $5 million, which has yet to be recovered. And once again, the scam was discovered only by the vigilance of a postal worker who reported an unusual amount of IRS-related mail going to the one address.
And it’s not the first time thieves in Florida have exploited huge holes in the tax refund system to make money. A few weeks ago I wrote about Operation Rainmaker, a Florida-wide law enforcement operation that took down a massive identity theft scam that netted local drug dealers an estimated $130 million by filing bogus tax refunds using stolen identities.