Sunday, March 11, 2007

Who Pays When Your Identity Is Stolen Online?

By STEPHEN J. DUBNER and STEVEN D. LEVITT

Counting the Cost of a ‘Chargeback’

Steven Peisner stabbed excitedly at his computer keyboard, trolling through a chat room where identity fraudsters buy and sell names, addresses, Social Security numbers and PINs. Some of the hustlers are American, but others are from Russia, India, the Philippines, Nigeria, Vietnam, Iran — any place, really, where young men and computers cohabit.

How does this market work? If someone has just hacked a hospital database and come away with 10,000 “fulls” (a full set of personal information, down to your mother’s maiden name), he’ll post his asking price (typically $10 to $30 per full, depending on the freshness), along with a sampling of the data to prove its legitimacy. Fraudsters also post specific queries. “Here’s one,” Peisner said, reading from his screen: “ ‘Need female WU confirmer. Your share: 40 percent.’ That means they need someone to go to the Western Union office in some coffee shop in Romania to pick up the cash — because Vlad can do a lot of things, but he can’t be Amy Weiss from Manhattan Beach, Calif.”

There are as many varieties of identity theft today as there are varieties of, say, mushrooms. And there are nearly as many misconceptions — about the scope of the problem, the incentives to stop it and how its costs are borne. For starters, there are indications that identity theft has peaked. A recent study by Javelin Strategy and Research claimed that 8.4 million U.S. adults suffered some form of identity fraud in 2006, down from 10.1 million in 2002. Bear in mind that the Javelin study was paid for in part by three financial-services institutions, which certainly have an incentive to alleviate customer fears. But the Federal Trade Commission also reports a leveling off, as does the Los Angeles County Sheriff’s Department, which runs one of the most aggressive identity-theft task forces in the country.

Still, for those so inclined, identity theft remains an extraordinarily appealing crime. In his new book, “Stealing Your Life,” the reformed fraudster Frank Abagnale calls identity theft an “elementary” crime with “enormous” upside and a “minuscule” chance of being caught. Most police departments don’t have the staffing or know-how to even pursue the perpetrators; the F.B.I., meanwhile, usually won’t get involved unless the fraud reaches $100,000.

Which raises an obvious question: If law enforcement doesn’t care about identity theft, who does?

The answer would also seem obvious: You, the potential victim. But according to the Javelin data, people probably worry way too much about identity theft. Seventy-three percent of victims incur no out-of-pocket expenses whatsoever; the unlucky minority loses, on average, $2,000 — hardly chump change but far less than the scare stories would have us believe. And in more than half the cases of identity theft, the thief is not a stranger at all but rather a relative, friend or co-worker.

So while you were being frightened into never again using a credit card, and perhaps shredding your child’s report card, most of the cost of identity theft was actually being paid by someone else.

Surely, then, it is the banks and credit-card companies that are desperate to stop the problem? Sgt. Robert Berardi, who runs the Los Angeles County Sheriff Department’s ID Theft Task Force, has found otherwise. “The banks are in conflict between security and making a profit,” he says. In an industry that is reluctant to add even an ounce of friction to a customer’s purchase, Berardi says identity theft is seen as simply the cost of doing business. Indeed, a recent report by TowerGroup, a research firm owned by MasterCard Worldwide, noted that “banks are not yet ready to dedicate resources to solving any ID theft problem.”

So if the banks, the consumer and the police aren’t sufficiently incentivized to stop identity theft, who is?

The merchant. That is what Peisner, a 44-year-old veteran of the credit-card business, has discovered. “Let’s say one of these hackers takes the information they find in a chat room,” he says. “He goes to the Sony Web site, buys a laptop computer for $1,000, and a month later the actual cardholder gets the billing statement. He calls up his bank and says, ‘I didn’t order a computer from Sony.’ At that point, the credit-card issuer, let’s say Citibank, sends a ‘chargeback’ through the interchange system to the acquiring bank, and that $1,000 is taken right out of Sony’s bank account, and they also get hit with a $25 chargeback fee.” So the merchant has lost the money from the sale (as well as the laptop) while paying the chargeback fee, other bank fees and processing and shipping costs. “If you’re a merchant,” Peisner says, “you have all the liability.”

And, therefore, all the incentive to stop the crime. That is why Peisner recently started a company, Sell It Safe, which aims to help merchants and banks screen their customers in online and telephone transactions. His main weapon is a massive live database of stolen personal information, which a merchant can instantaneously check to learn whether Amy Weiss is really Amy Weiss or if perhaps she is really Vlad. In an era when information flows like water, Peisner is hoping to add a filter onto a few million faucets.

Along the way, he has become a good Samaritan. When he comes upon stolen data in a hacker chat room, Social Security numbers and passwords strewn about like underwear after a burglary, he often personally calls the victims. He reads off enough information to convince them of their misfortune and advises them to notify the police and the bank. Usually, they assume at first that he is a hustler himself, or at least a nut. But ultimately they are grateful. Peisner is helping them out, after all, and he doesn’t gloat.

This may be because Peisner himself recently responded to a phony e-mail message, commonly known as a phish, that supposedly came from eBay. He was in the throes of bidding on a Jack Nicklaus personal credit card — Peisner collects credit-card memorabilia with a passion bordering on mania — when he received the eBay phish telling him that his account would be suspended if he didn’t update his personal information. “I thought, It expires in 10 minutes — I better go in and turn my account back on,” he recalls.

If it could happen to Peisner, it could happen to anyone. In a recent academic paper called “Why Phishing Works,” three computer scientists (one from Harvard and two from Berkeley) ran a study and found that “the best phishing site was able to fool more than 90 percent of participants.”

Fortunately, most phishing sites are not designed by top-tier computer scientists with good English skills. One day recently, Peisner discovered a fake Bank of America Web site that asked for a customer’s account number, online ID, PIN, Social Security number and address. Only at the end of the form was the site’s illegitimacy — and the creator’s foreign origin — revealed, when it asked for information that should have baffled any American customer: “Father Maiden Name.”

NYTimes.Com
