In-Depth

Hackers Using Time-Tested Methods, Not Fancy Technology

ID theft usually involves time-tested methods such as telephone fraud than blockbuster data breaches

• By Stephen Swoyer
• 02/19/2008

In hacking, as in economics, efficiency is king. If the cumulative cost of an activity -- such as the time and effort involved in probing, testing, and circumventing the information security perimeter -- proves to be prohibitively expensive, crackers will employ other cheats to obtain the results they're after.

The upshot for enterprise IT organizations, says Javelin Strategy & Research, is that ID theft is more likely to involve time-tested methods -- such as telephone fraud -- than blockbuster data breaches.

Every year, Javelin -- which specializes in research geared toward the financial services industry -- conducts what it claims is the industry's most comprehensive study of identity theft or identity-related fraud, annually surveying 5,000 or more respondents to assess the overall state of severity.

Surprisingly, the researcher says, ID theft continues to decline in the United States -- even as the cost to consumers (on a per-incident basis) rises. In 2006, for example, identity fraud was down by 12 percent over its year-ago total -- representative of a total fraud reduction of $6 billion. The per-incident cost to consumers, however, was $691 -- a 25 percent increase over the previous year.

While information security breaches dominate the headlines -- thanks to a number of high-profile data breaches or cases in which sensitive data has quite simply been lost -- most fraudsters are using lower-tech methods to pull off their exploits.

In fact, Javelin Research says, a startling number of ID thieves are turning to telephone fraud: access through mail and telephone transactions grew from just 3 percent of all ID theft incidences in 2006 to 40 percent last year.

This is part of a technique that researchers dub "vishing" -- using telecommunications, voice over Internet protocol (VoIP), and other technologies to obtain information from consumers. What's driving the vishing shift? To a degree, the success enterprises have had in locking down their information security assets. As consumers shift more financial transactions to secure online arenas, fraudsters have become more creative in utilizing telecommunications (both traditional landlines and wireless) to access information.

The typical scheme involves a phone call to an unsuspecting consumer from fraudulent non-profit organizations, billing institutions, or other financial institutions. While telephone fraud itself is nothing new, the increasing use of wireless communications to perpetrate vishing exploits is noteworthy, according to Javelin Research. Last year, wireless phone accounts accounted for 32 percent of new account fraud last year -- up from 19 percent the year before.