Talking trash: Chatting up identity theft

Chat rooms have always had a lot of appeal for Web surfers. They provide anonymity and allow people to share hobbies and other special interests.

So what are hackers doing in chat rooms these days? Computer experts tell us they're also sharing their special interests. And for some hackers, that means swapping and selling personal information -- information that may have been stolen from you.

Renay San Miguel discussed the problem with Chad Harrington of Entercept Security Technology.

Q: OK, we're talking about identity theft and we're particularly talking about how people's information, their identity, is bought or traded in chat rooms on the Web. What are we talking about here?

A: First of all, people have to, hackers have to obtain the identity and those can be obtained by taking advantage of weak passwords or security vulnerabilities, either by watching transactions go as they go across the Web or by attacking servers directly.

Q: OK, then they're traded. Once hackers have the information how does that happen?

A: Once the hacker or someone in the underworld has personal information, credit card numbers, social security numbers, address, whatever it may be ... often they'll go to a hacker chat room. A place on the Web using an Internet Relay Chat, which provides them some anonymity and allows them to mention that they have this personal information and they want to trade them.

Q: Let's talk a little more about how this is facilitated. What venues on the Web allow this sort of thing to happen?

A: Hackers obviously want anonymity when they're looking to trade personal information that they've obtained via identity theft, so Internet Relay Chat is a commonly-used mechanism. Also, just social networks, people that they know, people that they know use those networks in order to transact these things. Other venues might be just e-mail or other Web forms.

Q: How prevalent is this?

A: Unfortunately, identity theft is very prevalent. The government (has) documented tens of thousands of cases of identity theft in the last year and it actually strikes close to home. I've had personal information compromised as well as other people that I know. I've been touched by this.

Q: How long has it been going on?

A: Identity theft has become more popular as the value of your identity has become more important with credit cards and doing online transactions, so it's kind of something that's been tracked by the government over the last 10 years.

Q: What is the motivation behind this?

A: Well, hackers are probably motivated by two things when they do identity theft. One, is obviously profit, the opportunity to make a buck, and the other is just to show that they can do it.

Q: Is this a fairly isolated kind of thing?

A: The market for dealing in stolen identities isn't gigantic, but it's not small either. Certainly, we've seen ... prosecutions levied against people trying to sell hundreds of thousands of dollars worth of personal information. So, that figure may reach into the billions each year as far as nefarious trading of identities.

Q: Let's talk about the kinds of information that's being traded.

A: Well, when we talk about someone's identity being stolen, typically you're talking about credit card number, address and personally identifiable information which might be your mother's maiden name, any passwords related to you, things that would allow someone to open a line of credit under your name or to make a transaction online under your name, to charge something to your credit card or maybe to charge something to your phone bill, that type of information.

Q: What is the obstacle in terms of enforcement cracking down on this?

A: Unfortunately, identity theft is all too easy today. Between all the security vulnerabilities that exist in the servers that store data and the fact that many users don't choose strong passwords or don't sufficiently protect themselves, it's all too easy for hackers to obtain this information. And the forms that they're doing this identity theft on are not easily policed by the law enforcement community.

Q: Which leads me to my next question. What makes it so tough to crack for law enforcement?

A: In the electronic world of the Internet, it's such a vast landscape and there's no way that the FBI or the CIA or any law enforcement agency can be involved in watching over the shoulder of every Internet user. Unfortunately that's probably what it would have to take to prevent this sort of fraud.

Q: Why do you think this has become the private sector's as opposed to the government's responsibility?

A: Well, the amount that the government can do to prevent identity theft is not large. Companies themselves and individuals themselves have to take it upon themselves to protect themselves and the way they do that is typically through using security software or good security practices. The government can enforce things, but they can't protect you in the first place.