Ubiquitous Technology, Bad Practices Drive Up Data Theft

Some critics say companies don't have enough financial incentive to safeguard sensitive data. (By Mark Lennihan -- Associated Press)

At the same time, some hackers who used to get their kicks merely being disruptive are pooling efforts with organized criminals, said Jonathan J. Rusch, a special counsel in the fraud section of the Justice Department.

"The motivation now is money," Rusch said. In addition to using stolen data for credit card or other financial fraud, a thriving black market for the stolen data itself exists online, run in large part from Eastern Europe.

Among the most extreme examples of data for sale are offerings known in the online underground as "fulls." These reports include not only Social Security and credit card numbers, but also account passwords for Web sites that a consumer might use, such as eBay or a bank.

"There's so much information that has been leaked out over the years, it may be that there are, outside of the country, criminal elements with huge databases on American consumers," Wade said.

With more and more people getting high-speed Internet connections, and participating in online commerce and banking, the targets of opportunity for criminals only grow.

Wade and others argue that many industry players have not responded aggressively enough because they are insulated from the financial consequences of breaches.

Banks and credit card companies, for example, pay nothing when a criminal uses someone's credit card for a fraudulent charge. The same is true for credit card processing companies such as CardSystems Solutions Inc., which announced last week that it housed the 40 million credit card numbers that hackers may have obtained.

Payment processors and banks collect fees for charges that are reversed.

"They are making money on fraudulent transactions," said Brian Mortensen, head of a New Jersey company that sells telecommunications equipment. "They should not be allowed to do that."

Mortensen said that as a result of fraudulent purchases, his firm has lost $12,000 to $15,000 on equipment that will never be recovered and owes several thousand dollars more in various fees.

Although consumers generally don't have to pay for fraudulent charges on their credit cards, if their identity has been compromised it can take years and thousands of dollars to restore good credit.

Some security experts say many financial companies have been slow to adopt multiple layers of customer verification, such as requiring a password and a second identification number. Many companies also are not encrypting stored data.

© 2005 The Washington Post Company