New Law Boosts Prison Time for ID Theft

Those who get caught stealing personal identity information to commit theft or fraud -- whether by sifting through trash or posting bogus Web sites on the Internet to trick users into divulging data -- will be facing more time in jail thanks to a new federal law.

The Identity Theft Penalty Enhancement Act (ITPEA), signed by President Bush this week, adds two to five years in prison onto the punishment for identity theft convictions, lengthening the sentence most for perpetrators who use identity theft in committing terrorist acts. It also prevents judges from sentencing perpetrators to probation, adding another layer of penalty for such crimes that are already illegal under many state laws.

"When a person takes out an insurance policy, or makes an online purchase, or opens a savings account, he or she must have confidence that personal financial information will be protected and treated with care," President Bush said while signing the bill into law. "Identity theft harms not only its direct victims, but also many businesses and customers whose confidence is shaken," Bush said.

Easy Pickings

Technology industry analysts said the law, as well as innovative technology, will be required to battle the growing threat of online and offline identity theft crimes that are being fueled by a hot market for credit card numbers and similar information, and the reach of the Internet, which is being used increasingly and is viewed as less risky by fraudsters.

"People are turning to the Internet as an easy way to get a lot back and not get arrested," iDefense director of malicious code intelligence Ken Dunham told TechNewsWorld. "There is very little accountability, it is easy to do, and it doesn't take much effort."

Dunham said there has been a dramatic increase in the last 18 months of identity theft cases that involve online hacking, phishing -- the use of fake sites to fool users into entering data -- and the use of malicious code, such as viruses and worms.

Market for Malice

Dunham said while some of the increase in ID scams can be attributed to more comprehensive and central reporting of such activity, it also comes with a motivational shift in the underground hacking community from notoriety and fun to profit. Dunham reported that credit card numbers can be sold for between US$1 and $3 each in an identity market that is being commodotized and grown. In addition to social engineering tricks, ID thieves are also benefiting from more tools and collaboration, Dunham said.

Gartner (NYSE: IT) Vice President Richard Stiennon said financial motivation was the reason that new computer threats are developing so quickly, and he compared the growing criminal activity to the Gold Rush.

"Phishing attacks are the low-hanging fruit for hackers," Stiennon told TechNewsWorld, adding that brute force and other attacks can also disclose passwords on the Internet. "Once again, they are attacks that need users' participation, but there's a sucker born every minute," he said.

International Cooperation Needed

Dunham praised the federal legislation, indicating it will put some teeth behind accountability laws and that attackers are aware of and sometimes deterred by legal consequences. However, Dunham said that with legislation comes the need for proper training, real-life testing and prosecution.

"It's a step in the right direction, but it's a long-term process," he said of the ITPEA.

Stiennon, who said technology and security will soon catch up to perpetrators, argued that legislation cannot keep up with attacker innovation, particularly when it is limited by jurisdiction. He said with the involvement now of worldwide, organized crime groups and professional identity criminals, it will take international cooperation -- as is happening against spam -- to truly deter identity crimes.