Internet and online security professionals deal with hacking and cracking activity on a daily basis. With new technologies emerging every day, new security challenges arise and new vulnerabilities appear that allow black hat hackers to create and execute new scripts that can cause serious problems for entire networks. Our mission is to let you know about the latest scams and to warn you about new exploits that can have a severe impact on your online business.
26th September 2007

Identity Theft Prevention, Junk Credit Card Mail Lists and Credit Freezing

According to the 2007 study conducted by Javelin Strategy & Research, the average loss of a victim through spyware installs, viruses, different hacks, etc. increased from $5,981 last year to $7,561 this year.

So we’d better learn all possible ways to protect our bank accounts…

In the previous article about anti-identity theft measures I mentioned that you can employ credit card monitoring services that will alert you when a fraudster tries to steal money from your credit card.

Today let’s explore 2 more methods that can help you protect your money from identity thieves.

Those measures are specific to the USA, but I’m sure there are similar services in other countries too.

Method 1: Opt-Out from Pre-Approved Credit Card Offers

Ok, so what can you do to sleep better at night? Well, you can get rid of all those pre-approved offers that pile up in your mailbox. If you need a new credit card, it’s better to apply for a specific credit card, and not the random one you found in your mailbox. Keep in mind that the credit cards that are sent to you have the advertisement and mailing cost included in the rate they are offering, so you might be better off doing your own research first and applying for a card with a good APR. (Don’t pay too much attention to the initial offer, look at the real rate. When the initial offer is over, you’ll still have to live with that credit card.)

If you want a new credit card with low rates, etc, here is a good place to start your credit card research:
http://www.1ezhost.biz/creditcards.html

If you don’t plan to apply for a new credit card in the near future, then the mounds of pre-approved offers in your mailbox are not only unnecessary, they could be quite dangerous. A substantial percentage of identity theft fraud is possible because of stolen paper mail.

You can stop vendors from sending you all those offers by calling 888-5OPTOUT (in the USA). I’m sure there are similar services in other countries too, just look on the Internet for the “opt-out option for pre-approved credit cards” (or similar) and add the name of your country to the search string.

Method 2: Freeze Your Credit

When identity theft became a massive phenomenon, banks and government tried to work out a solution that would help people whose identity was already stolen.

One of the worst things with identity theft is not when somebody gets access to the victim’s credit card number and makes several purchases with this card. After all, credit card balances are usually rather limited.

The worst thing is when fraudsters gather enough information about the victim to be able to apply for new credit cards in this person’s name and provide a different mailing address. So it could be a long time until the victim realizes that he has many more open credit cards than he actually applied for. Quite often it happens when the person tries to apply for a loan, and the bank declines his request, states that the victim’s credit score is way below the acceptable minimum and shows him the outstanding balances for all the credit cards he “used”.

To help victims, credit agencies suggested implementing a credit freeze. Basically, this means that no one with the credentials of an identity theft victim would be able to apply for any credit card or loan until the credit freeze is lifted.

Of course, the worst-case scenario wouldn’t happen if a person used the credit monitoring services I mentioned earlier, but many people still don’t use them.

A credit freeze is convenient: it can be lifted for a small fee for a limited time, and then applied again. The only problem is that in most states it was unavailable to the general public; this law was only applied to identity theft victims.

Kudos to California. It was the first state that implemented credit freeze (in 2003). And double kudos to California for allowing the general public to also use this law to their advantage.

Other states agreed to apply this law for identity theft victims, but were not so quick to
apply it to the rest of consumers. Many states implemented this law in 2007.

At the beginning of 2008, several more states (Arkansas, Massachusetts, Maryland, Tennessee and Utah) will join the group. The latest will be Washington, which will allow credit freeze on September 1, 2008. Overall, by 2008 credit freeze will be implemented in 40 states.

Here is how you can find out whether credit freeze is available in your state or not, and if it’s available, how to apply.

Go to http://consumersunion.org/securityfreeze.htm

I’m not sure whether credit freeze is available in other countries or not. If it’s not available, then contact your politicians. It’s one of the most efficient measures to prevent identity theft. Hackers will always be several steps ahead of any online security system that could be invented. So it’s better to pay a few bucks to lift a credit freeze when you actually need a credit card or loan, and then apply it again, than to leave your credit unprotected.


11th September 2007

Website Security, job seekers and ransomware as a new form of web hacking

The old school of hacking websites pretty much concentrates on finding security vulnerabilities in the code of the website (e.g. dynamic URLs are not properly validated, or functions/procedures used in the web application contain a possibility for buffer overflow, or a form’s data entries allow SQL injections to be executed, etc).

There are 3 main purposes for such attacks:

1) steal products/ services offered on a website,

2) steal information stored in the databases (both personal information and credit card details)

3) proceed further and use the initial vulnerability to gain additional privileges on a server and ultimately, to obtain root access to the server.

Let’s talk today about the second purpose: obtaining both physical mailing addresses and credit card records that could be used for identity theft or simply re-sold on the Internet.

When a hacker tests different methods to get unauthorized access to a website or web application, he most likely uses slave computers for this purpose (also called slave bots), or proxy servers, or a combination of the two.

Granted, it might be difficult for investigators to establish the real source of the attack, such as the IP that was used to execute it, but it could still be potentially risky for hackers.

So the easiest way to get their foot in the door of the target system would be for hackers to obtain the login details of a legitimate user, and use those details to perform their further operations.

And it looks like this approach, combined with advanced phishing scams, became very popular lately. In addition to malware, spyware, viruses and worms we now have a rather new phenomenon called ransomware.

Ransomware is what the name implies: a type of malware that is used to take hostages and demand a ransom from a victim.

Only in this case “a hostage” is not a person, it’s a computer. Ransomware encrypts all the files on a victim’s machine, so the average computer user is not able to decrypt them, and has to pay a ransom to get access to his/her own files again.

Of course if a person performs regular backups of his machine, this scheme won’t work.

The computer user would be able to easily restore all the files from a backup. But this scheme is very successful, which just goes to show that only a few people regularly back up their computer files.

This exact scheme was used in a Monster.com ransom scam that became well-known lately.

Intruders first obtained access to the employer accounts on Monster. How they did it is not important now. Maybe they tricked the account holders into opening emails with malicious attachments and installed Trojans on their computers, and then sniffed all the information that was exchanged between that machine and the other ones. Maybe they sniffed out the packets (note that Monster uses http for login screens, not https, hence login data are passed as plain text), or they might have used any other of the numerous hacking methods. The point is, they obtained unauthorized access to the employers’ accounts.

And the people who contacted those employers were looking for a job, so they readily provided all their contact details to those employers, including phone numbers, mailing addresses, etc.

After collecting approximately 1.6 million records of job applicants, attackers crafted very well written personalized emails to those applicants and tricked victims into opening those emails. When the email was opened, a Trojan was installed on the victim’s machine. Financial information was stolen or files were encrypted and a ransom demanded to “free up” the files.

And there is evidence that a similar scheme is now used at another website for job seekers, CareerBuilder.com.

What is the point of this story? It looks like pure hacking has been slowly replaced by a wholesale approach that doesn’t require much skill: it’s enough to find a way to get millions of records, trick the recipients, install malware or ransomware, steal credit card or bank account data or just encrypt the files on the victim’s computer, and voila, the attackers have some serious cash in their bank accounts.

Be aware of this new wave of data stealing, which I would call “web hacking without hacking”, and be extremely careful when opening emails from an “employer”, or any email from an unknown sender, for that matter.
