27 July 2003

SA joins identity fraud ‘crime wave’

It may be little consolation to the victims of the online identity thefts whose Absa accounts were defrauded but they are in illustrious company. Similar things have happened to Steven Spielberg, Oprah Winfrey and George Soros, whose “identities” were stolen in what was described two years ago as “America’s fastest-growing crime wave”.

According to a survey from research house Gartner, released this week, seven million United States adults, or 3,4% of US consumers, were victims of identity theft in the 12 months ending in June this year. This is a 79% increase over the 1,9% Gartner reported in a consumer survey in February 2002. The US’s Federal Trade Commission’s (FTC) own figures show that identity theft doubled between 2001 and 2002.

“Identity theft is not necessarily a high-tech crime, and can just as easily damage the credit reputations of low-tech adults who don’t spend any time on the Internet,” says Avivah Litan, vice-president and research director of Gartner. More than half of the US crimes are committed by someone who knows the victim, Litan said, quoting FTC statistics.

In May, US Attorney General John Ashcroft said 135 people had been charged and more than $17-million seized in a crackdown on investment scams, identity theft and other forms of Internet fraud and abuse. Most of these involved the classic con tricks of selling shares in non-existent schemes or products that are never delivered.

The three Absa account holders in the Western Cape, from whom R530 000 was stolen, were victims of what is called “spyware”, or key-stroke logging software that keeps a record of all the keys pressed on the keyboard and e-mails these details back to its originator. These can then be interpreted and used to log on to a banking website, pretending to be the account holder.

The bank’s security was not compromised, says Richard Peasey, Absa’s information security officer. He told the Mail & Guardian the victims’ computers had been checked by one of the top four audit firms and found to have been compromised.

It is much like someone stealing an ATM card and obtaining its PIN number and then using these to withdraw money from the victim’s bank account.

Most of South Africa’s banks have rushed to inform their clients that their accounts are safe and that Internet banking is still secure. Many industry observers, however, feel that more security could be implemented.

One method is a challenge-response mechanism, which would not require any additional investment, says Arthur Goldstuck, managing director of leading independent IT research organisation World Wide Worx.

This presents visual information or cues, or an onscreen virtual keypad, that can’t be interpreted by a keystroke logger.
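A sketch of the onscreen virtual keypad idea described above, added here as an illustration and not taken from the article or from any bank's system: the server shuffles the digits for every login, so all that is recorded on the customer's machine is a list of button positions that means nothing against the next layout. The account data, function names and in-memory store are assumptions made for the example, and it assumes the logger records input only and cannot see the screen.

```python
import hmac
import secrets

# Constructed demo data; a real service would not hold PINs in plaintext.
ACCOUNTS = {"demo-user": "4921"}
_pending = {}  # challenge id -> (username, layout); each entry is single-use


def new_challenge(username):
    """Return (challenge_id, layout); layout[i] is the digit drawn on button i."""
    layout = list("0123456789")
    secrets.SystemRandom().shuffle(layout)  # fresh random layout per login
    challenge_id = secrets.token_hex(16)
    _pending[challenge_id] = (username, layout)
    return challenge_id, layout


def clicks_for(pin, layout):
    """What the customer does: click the button that shows each PIN digit."""
    return [layout.index(digit) for digit in pin]


def verify(challenge_id, clicked_positions):
    """Map clicked button positions back to digits and check the PIN."""
    entry = _pending.pop(challenge_id, None)  # pop: a challenge cannot be reused
    if entry is None:
        return False
    username, layout = entry
    expected = ACCOUNTS.get(username)
    if expected is None:
        return False
    if any(not isinstance(p, int) or not 0 <= p < len(layout)
           for p in clicked_positions):
        return False
    entered = "".join(layout[p] for p in clicked_positions)
    # Constant-time comparison of the reconstructed PIN with the stored one.
    return hmac.compare_digest(entered.encode(), expected.encode())
```
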

Goldstuck says the banks have failed to educate their customers and have been “rather arrogant in believing their fairly rudimentary user security to be adequate”.

However, he notes that the standard security measures — a username, PIN code and password — are the global norm and that South Africa is following these practices.

Individual users also need to educate themselves and invest in anti-virus and firewall software that will protect their own computer’s security, and ensure that these are regularly updated, as has been stressed this week by the computer and banking industries.