Friday, February 13, 2009

Javeline Spins an Identity Theft Survey

Kevin Poulsen at Wired Debunked Javeline's Identity Theft Report already, but I can't help myself from lending an outraged voice to the matter.

I'm not sure if I've ever seen such a blatant spinning of the facts to meet the desires of a research sponsor. Read this statement from Javelin's report, which was funded by Wells Fargo and Intersections, Inc., an online identity protection company:

Despite the hefty blame - largely perpetuated by the media - placed on the Internet and cyber-crime, online identity theft methods (phishing, hacking and malware) only accounted for 11% of fraud cases in 2008.

How did they reach that absolutely amazing and so absolutely inaccurate statement?

Let's look at the methodology. First, they did a survey of 4,784 people. Among them they found roughly 10% who called themselves a victim of identity fraud. 487 people.

Next they asked those 487 people if they knew where their fraud originated? 157 people said they did, and the other 330 people said they did not. Then they asked those 157 people how it occurred, and 11% of them said it had occurred "online" while another 11% said it had occurred via a "data breach".

According to the Pie Chart javeline then presents 43% of identity fraud victims had their wallet stolen while 19% had their data stolen during a transaction, and 13% of them had their data stolen through "friendly" identity theft - such as a family member using their knowledge of you to take out a loan using your credit.

What is their recommendation then?

Preventing theft of your information doesn't require spending money on security products or even a whole lot of effort. Practicing safe habits in your day-to-day activities can go far in reducing your risk of becoming a victim. Covering the keypad as you enter your PIN at the ATM, keeping sensitive documents in a locked drawer at home, or shredding old financial statements -- these are all considered basic precautionary measures that are easy and work to your benefit.

Really? Didn't you just say my three highest risks are having my wallet stolen, a transaction (which I would think of as a clerk or waiter stealing my credit card data) or a family member stealing my data? How does covering the ATM, and shredding old financial statements help with that? In fact NONE of the methods reported involved stealing my trash!

But let's get back to the big fallacy of the report -- the elephant in the room that Javelin chooses not to talk about.


I can answer that one for you. It was stolen through Data breaches, Malware, Phishing, and Online. It was stolen by the waitress with the skimmer in her apron pocket, and it was stolen by the gas pump that silently reads your credit card data and sends it to the criminal. It was stolen by the website that you bought your kids Christmas present from, that used an insecure shopping cart and gave all its credit card and order data to criminals. It was stolen in the TJX Breach where more than 90 million credit cards were picked up, and it was stolen by the keylogger that is STILL on your computer that you can't find because no antivirus product can detect it.

According to Microsoft's Security Intelligence Report 5, which we coverend in this blog November 11th -- more than 11 million American computers had malicious trojans, backdoors, spyware, or password stealers on them in the first half of 2008!

Some security researchers are reporting that just ONE banking trojan -- Torpig -- stole the bank accounts of More than 300,000 people!. Since Torpig is almost impossible for the average computer user to detect and remove thanks to the "Mebroot" root kit, those people would all be examples of the folks who had no idea how their data was stolen.

WAKE UP, Javelin! Just because people notice their wallet is missing and don't notice the keylogger on their computer does not mean that there is not a risk online!

Although I'm sure your online identity protection survey sponsor had a big smile on their face as they handed you the check for your unbiased report.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.