How safe is your financial information?

By Liz Pulliam Weston

When you're paying bills, making investments, viewing your bank balance, checking your credit card statements, preparing your taxes and buying stuff online, are you taking a big risk with your confidential financial information?

The answer, unfortunately, is that no one really knows.

The reality is that your financial information is vulnerable to identity theft even if you don't own a computer. Some of the biggest hacking and identity theft cases have targeted business or government databases over which individuals have little control:

• Thieves posing as Ford Motor Credit Co. personnel accessed a credit bureau database and stole credit reports of more than 30,000 consumers. The U.S. Attorney's Office in New York said its investigation uncovered more than $2.7 million in financial losses.
• A hacker broke into the California state controller's computer system and gained access to the names and Social Security numbers of 265,000 state employees -- including the governor and all 120 state legislators.
• A clerk of New York state's Insurance Fund was arrested for using personal financial information from applications and other paper documents to set up credit accounts and purchase more than $100,000 worth of goods, including $70,000 in computers.
• A hacker accessed 8 million credit card numbers by breaking into the database of a company that processes transactions for Visa, MasterCard, American Express and Discover. The credit card companies said there was no evidence the numbers had been used for fraudulent purchases.

Certain online transactions may increase the chances that you'll be a victim. As several recent incidents have shown, letting a Web site store your credit card number could put you at risk. Hackers have stolen credit card numbers from online databases, including one at Amazon.com subsidiary Bibliofind.com. Incredibly, many companies still don't encrypt these databases, said attorney and computer fraud expert Nick Akerman, making them relatively easy targets for thieves.

Theoretically, just establishing a user ID and a password for a financial account could make you more vulnerable, because a hacker could conceivably break into your computer, plant a keystroke-tracking program, retrieve the data and use it to access your account. But most hackers wouldn't bother with all that work for one account, security experts said.

The reality is that it's pretty tough to quantify your risk of losing valuable personal information to a computer hacker, and even less possible to determine how vulnerable you are to a financial loss because of that crime. Why?

• Most companies keep hacking incidents under wraps. Only 30% of companies surveyed by the FBI and the Computer Security Institute said they reported such incursions to law enforcement. (Although that could soon change, thanks to a new California law; more below.) Some companies have such lax security, Akerman said, that they don't even know when they've been hacked or what information, if any, has been stolen.
• Identity-theft complaints are rising, but the source of the theft is usually unknown. Of the 161,000 identity-theft complaints reported to the Federal Trade Commission last year, 80% of the victims had no idea how their information was stolen. Most of the rest "could only guess" at how they were compromised, said FTC spokeswoman Claudia Bourne Farrell.
• Offline threats still seem to outnumber online threats. Sixty-eight percent of the law enforcement officials interviewed by the California Public Interest Research Group identified theft of snail mail as the leading threat. Thieves use purloined account statements, convenience checks, pre-approved credit card offers and even bills to take over existing accounts or establish new ones. Other offline threats include dumpster diving, stolen wallets and unscrupulous employees of banks and other lenders.

Just handing your credit or debit card to a waiter at a restaurant, says security expert Pradeep K. Khosla, is a transaction fraught with danger.

The waiter could run multiple transactions, or glean enough information from the card's magnetic strip -- thanks to a pocket-sized device called a skimmer -- to create a duplicate card.

“Somehow we don't worry about that risk,” said Khosla, director of Carnegie Mellon University's Center for Computer and Communications Security. “We're kind of used to it.”

Spoofing is no joke

Khosla, who also heads the university's electrical and computer engineering department, knows well the dangers that may lurk online. He's particularly spooked by “spoofing” -- a hacking technique that redirects customers of a financial or shopping Web site to a look-alike, so thieves can glean IDs and passwords or credit card numbers. If well done, there's little to tip off an unsuspecting user.

The real Web sites usually detect and swiftly shut down these incursions, “but in the 30 seconds or two minutes that can take,” Khosla said, “something bad can happen.”

Yet the dangers don't keep Khosla from banking, shopping, investing and paying bills on the Internet. The risks he perceives don't outweigh the convenience.

“I do everything (online),” he said.

 1 | 2 | next >