Online identity theft has become a constant concern in a world of online shopping and bill paying. In the rush to move to the internet age, many companies simply neglected security concerns, and the result has luckily not been as bad as it could have been.
In 2005, I did an estimate of the amount of money that was compromised because of online identity theft and came up with $24 billion in the United States alone. With the help of Agnieszka Klus, I redid the study recently with more realistic numbers and found over $55 billion was compromised. That amount is enough to pay off the entire state debt of Illinois.
Despite this large amount of money being at risk, very little of it actually gets stolen. Investigators have found that although it is relatively easy to steal money online, current fraud protections make it hard to steal a great deal of money; “The straw is only so big,” according to one government source. The running assumption is that online identity theft would be used for theft, and that there is a finite limit on the amount of theft that can actually take place. This has allowed financial institutions to build this amount into their business models and simply write the cost of fraud and fraud protection into the price of their services.
The idea that we, as a society, should rely on only one layer of protection (the limitation on how much can be stolen) is absurd and violates defense in depth. Eventually someone will figure out a way around the straw. More importantly, however, events earlier this month proved false the assumption that identity theft would be used solely for stealing money.
On December 1st, the Department of Homeland Security warned of an “aspirational threat” to United States banking interests by Al Qaeda. A website claiming to be affiliated with Al Qaeda encouraged a cyberattack against US financial interests using denial of service attacks and viruses. While the specific methods of attack are “low tech” and easy to prevent, it shows that terrorist groups are moving to expand their tactics to include economic warfare.
If the goal of identity theft is to make money, the incentive is to keep taking as much as you can. If the goal is economic warfare, the behavior changes dramatically. As a concrete example, Al Qaeda could use run-of-the-mill hacker techniques to build a large botnet to steal identities. It could then use the machines it has taken over to process fake transactions in the name of each consumer.
For instance, they could use a consumer’s home PC and process transactions at amazon.com to buy a bunch of books using the credit card information and home address of the consumer. It is not clearly a case of fraud because the hacker is not getting any personal gain. Does Amazon or the credit card company believe that the consumer really didn’t make the order when the product is going to their home address?
Now repeat this attack for a thousand consumers, ten thousand consumers, or one hundred thousand consumers. With the ensuing media coverage, consumers would think twice about shopping online if their assets can’t be protected. They would think twice about paying bills online or banking online if their bank accounts can’t be protected. If done correctly and on a large enough scale, it would lead to a dramatic loss of confidence in electronic commerce and could push the United States economy back ten years.
The fundamental problem with electronic commerce is that transactions are not effectively authenticated. If someone knows all the right information, they can place a transaction in your name. We’ve learned that in the digital age, stealing information from consumer PCs is remarkably easy. However, there exists technology today to fix this problem.
Two-factor authentication (something you “have” and something you “know”) would mitigate the risk of stolen information. Some banks use key chains that generate random numbers to authenticate users to their bank accounts. This must be widely applied to not only bank accounts but general financial transactions online. As another example, instead of entering credit card information with a keyboard, a user could insert a credit card with an embedded smart card into a card reader attached to their computer. The reader could have a keypad to enter a PIN to make the transaction secure and the card reader would happily give the online merchant all the information it needed to complete the transaction.
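To make the key-chain idea concrete, here is an added sketch (not part of the original column) of an issuer that approves a transaction only when the card details are accompanied by a valid one-time code. It assumes the token implements the counter-based HOTP algorithm from RFC 4226; the `CardAccount` class, the card number, ZIP code and secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _same(a: str, b: str) -> bool:
    # Constant-time comparison so response timing does not leak how much matched.
    return hmac.compare_digest(a.encode(), b.encode())

class CardAccount:
    """Hypothetical issuer-side record for one cardholder."""
    LOOK_AHEAD = 3  # tolerate a few token presses that never reached the issuer

    def __init__(self, card_number: str, billing_zip: str, token_secret: bytes):
        self.card_number = card_number
        self.billing_zip = billing_zip
        self.token_secret = token_secret
        self.counter = 0  # next unused token counter

    def authorize(self, card_number: str, billing_zip: str, code=None) -> bool:
        # Factor 1, something you know: exactly the data that can be stolen from a PC.
        knows = _same(card_number, self.card_number) and _same(billing_zip, self.billing_zip)
        if not knows or code is None:
            return False
        # Factor 2, something you have: the code must match an unused counter value.
        for c in range(self.counter, self.counter + self.LOOK_AHEAD):
            if _same(hotp(self.token_secret, c), code):
                self.counter = c + 1  # burn the code so a captured value cannot be reused
                return True
        return False

def demo():
    secret = b"12345678901234567890"  # RFC 4226 test secret (constructed sample)
    acct = CardAccount("4111111111111111", "61801", secret)  # test card number, made-up ZIP
    card_data_only = acct.authorize("4111111111111111", "61801")
    code = hotp(secret, 0)  # what the key-chain token would display
    with_token = acct.authorize("4111111111111111", "61801", code)
    same_code_again = acct.authorize("4111111111111111", "61801", code)
    return card_data_only, with_token, same_code_again
```

A one-time code proves possession of the token at the moment of entry; it does not by itself tie the approval to a particular merchant or amount, which is what the smart card and PIN reader described above adds.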
There are a variety of technologies to properly authenticate users to make purchases and these should be adopted. Al Qaeda and other groups are already on the lookout to undermine our economy. The question is whether we will stop them before it’s too late.
John Bambenek is the Assistant Politics Editor for Blogcritics and is an academic professional for the University of Illinois. He is a syndicated columnist who blogs at Part-Time Pundit and the executive director of The Tumaini Foundation which helps AIDS orphans and other children in Tanzania to get an education. He is the current owner of BlogSoldiers, a blog-only traffic exchange.