ID Theft and Phishing Converge to Pose New Threat

By Cameron
May 16, 2005 has a rather troubling article today about how ID theft and phishing are converging to create a new, very active threat to electronic commerce. Here is the key excerpt:

According to Cyota, the phishing e-mails arrive at bank customers’ in-boxes featuring accurate account information, including the customer’s name, e-mail address and full account number. The messages are crafted to appear as if they have been sent by the banks in order to verify other account information, such as an ATM personal-identification number or a credit card CVD code, a series of digits printed on the back of most cards as an extra form of identification.

While we normally post policy-related stories and this one isn’t policy per se, it struck us as particularly troubling for a couple of reasons. First, both identity theft and phishing seem to be growing threats to consumers. While Congress has held numerous hearings on the deluge of identity theft incidents since the start of the year (here is one we covered on ChoicePoint), it has yet to move any of the various pieces of legislation to regulate data brokers or increase privacy protection. Further, little attention has been paid to phishing. We doubt that Congress is looking into how the issues may be converging. In fairness, Congress does move rather slowly, particularly on issues such as this one that overlap so many different committees.

Second, Congress just passed, and the President signed, the Real ID Act as part of the emergency supplemental appropriations bill. In USACM’s view, this act will significantly increase the risk of identity theft by linking each state’s driver’s license databases to one another without any security mandates and without clearly identifying who has access to what data.

Since Congress is generally a strong supporter of fostering electronic commerce, it would seem it should balk at things that can directly undermine this goal. This article would also seem to strengthen security expert Bruce Schneier’s arguments that new threats can undermine two-factor security strategies.