Those who get caught stealing personal identity information to committheft or fraud — whether by sifting through trash or posting bogus Websites on the Internet to trick users into divulging data — will befacing more time in jail thanks to a new federal law.
The Identity Theft Penalty Enhancement Act (ITPEA), signed by President Bush this week, adds two to five years in prison onto the punishment for identity theft convictions, lengthening the sentence most for perpetrators who use identity theft in committing terrorist acts. It also prevents judges from sentencing perpetrators to probation, adding another layer of penalty for such crimes that are already illegal under many state laws.
“When a person takes out an insurance policy, or makes an onlinepurchase, or opens a savings account, he or she must have confidencethat personal financial information will be protected and treated with care,”President Bush said while signing the bill into law. “Identity theftharms not only its direct victims, but also many businesses and customerswhose confidence is shaken,” Bush said.
Technology industry analysts said the law, as well as innovativetechnology, will be required to battle the growing threat of online andoffline identity theft crimes that are being fueled by a hot market forcredit card numbers and similar information, and the reach of theInternet, which is being used increasingly and is viewed as less risky byfraudsters.
“People are turning to the Internet as an easy way to get a lot backand not get arrested,” iDefense director of malicious code intelligence KenDunham told TechNewsWorld. “There is very little accountability, it iseasy to do, and it doesn’t take much effort.”
Dunham said there has been a dramatic increase in the last 18 monthsof identity theft cases that involve online hacking, phishing — the use offake sites to fool users into entering data — and the use of maliciouscode, such as viruses and worms.
Market for Malice
Dunham said while some of the increase in ID scams can be attributedto more comprehensive and central reporting of such activity, it also comeswith a motivational shift in the underground hacking community fromnotoriety and fun to profit. Dunham reported that credit card numberscan be sold for between US$1 and $3 each in an identity market that is beingcommodotized and grown. In addition to social engineering tricks, IDthieves are also benefiting from more tools and collaboration, Dunham said.
Gartner Vice President Richard Stiennon said financialmotivation was the reason that new computer threats are developing soquickly, and he compared the growing criminal activity to the Gold Rush.
“Phishing attacks are the low-hanging fruit for hackers,” Stiennontold TechNewsWorld, adding that brute force and other attacks can alsodisclose passwords on the Internet. “Once again, they are attacks that needusers’ participation, but there’s a sucker born every minute,” he said.
International Cooperation Needed
Dunham praised the federal legislation, indicating it will put someteeth behind accountability laws and that attackers are aware of and sometimesdeterred by legal consequences. However, Dunham said that withlegislation comes the need for proper training, real-life testing and prosecution.
“It’s a step in the right direction, but it’s a long-term process,”he said of the ITPEA.
Stiennon, who said technology and security will soon catch up toperpetrators, argued that legislation cannot keep up with attackerinnovation, particularly when it is limited by jurisdiction. He saidwith the involvement now of worldwide, organized crime groups andprofessional identity criminals, it will take international cooperation — as ishappening against spam — to truly deter identity crimes.