
I based the story in part on a cache of stolen data I found online (more on how I obtained it in a bit). The data was being compiled by a password-stealing virus that had infected many thousands of computers worldwide; the particular text file that I found included personal information on 3,221 victims scattered across all 50 U.S. states.

He didn’t have to look up the locations of the victims to map them; the virus had already done that for him, sometimes accurately, sometimes not. The virus cared because banks flag transactions that are from unexpected geographical locations.

— Tracking the Password Thieves, Brian Krebs, Security Fix,
He says:
The victims ranged from Myspace-browsing youngsters to credentialed “security experts” who claimed to be doing everything they should to keep a Windows PC healthy and virus-free.

He’s also got a nice graph of which ISPs these victims were using. Comcast leads the list, followed by SBC, Roadrunner, Verizon, and ten others. He says those 14 account for 80% of the victims. Hm, this is almost like a reputation system.
My favorite bit is this:
My analysis also turned up login information for Accurint.com, a consumer database company used by many police departments and investigators to track down individuals. Imagine the damage an identity thief could do from looking up the Social Security numbers and other sensitive data on as many Americans as he wants. Fortunately, I was able to get in touch with the gentleman who owned the Accurint credentials, an investigator with an Alabama district attorney’s office, who changed his password before the thieves had a chance to use the account.

Yeah, but who else’s Accurint.com password has been compromised and who didn’t change it in time? This is the risk of massive centralized databases: they’re great targets for massive centralized identity theft.
Krebs points out that many of the victims claimed to be using every recommended anti-virus and security measure. And that he tried several virus detectors on the mail message that carries the virus, and none of them detected it.
Clearly traditional security isn’t working. Running something other than Microsoft products will help, but the first commenter on Krebs’s post points out:
I take a lot of precautions to keep my machine safe, including running Mac OS X instead of Windows, but how do I keep idiots at my bank from getting their computers infected and revealing my information to key loggers?

How, indeed!
One answer is obvious: software vendor liability. Short of that, as many people have pointed out, don’t run anything as Windows Administrator. Of course, Windows makes it hard to do much of anything without that. So back to my first suggestion.
-jsq
I think the reason we don’t want vendor liability is that it is too brutal a tool. If we blame Microsoft, and heaven knows, that’s easy to do, how can we blame them fairly without shifting some of the blame to the bank that only provided Microsoft access tools, and the user who chose Microsoft in the first place?
Got a formula that can cope with that? In contrast, there are two approaches I like:
1. In (continental) Europe banks discussed this and settled on co-liability. They pick up 2/3 and stick the consumer for 1/3. It helps that the ECB said quietly that they had better think about this question seriously! But on the whole, this is a reasonable solution.
2. Class action suits. If you can create some sense of law that sticks it to Microsoft, then by rights you should be able to craft a class action suit. After all, the victims are the users, they bought the product, and Microsoft is right there as the most experienced class action player in the world. (Of course this also trickles over to other companies that are involved.)
The first has already happened, and the second still seems far away. But at least these methods involve a sense of feedback, a sense of judgement, instead of the blunt tool of the law. After all, if they can’t get Sarbanes-Oxley right with an entire industry to tell them how to do it, how are they going to get a security liability law right?
I think identity theft has become too widespread, and the authorities should do something to stop this problem because there are too many victims.