Building an Online Bulwark to Fend Off Identity Fraud

Riva Richmond|The New York Times

A clotheshorse racked up thousands of dollars in mystery charges on a friend’s credit card. Phantoms emptied your uncle’s bank account. Someone took out a car loan in your colleague’s name and stuck her with the bill.

Why,Terry | Getty Images

Identity fraud has been on the rise, as criminal cunning may be mixing with desperation during the downturn. Schemes seem to multiply daily, as scammers often half a world away dream up new ways to steal data to enrich themselves. According to Javelin Strategy and Research, 9.9 million Americans were victims of identity theft in 2008, up from 8.1 million in 2007.

With all kinds of private information residing in all kinds of places, vigilance can be difficult. Using caution when surfing the Internet and keeping antivirus software up to date are vital steps, experts say, but they are not enough. And most tools for fighting identity fraud — credit-monitoring services, fraud alerts and credit freezes — are reactive, not proactive, and they primarily address abuse of financial accounts, not other types of identity fraud.

But a new breed of products is tackling the trickier matter of preventing identity theft. New approaches include scouring the Internet in search of signs that criminals have your information, so you can move to block them. Others focus on keeping your data away from criminals in the first place, locking it down while you bank, shop or do other personal tasks online. Here are some ways to keep your information yours.

ASSESSING RISK The Internet is awash in personal data, which means yours may never be found. Several services look for signs of sticky fingers, to know when data reaches the hands of criminals so people can act quickly.

With the help of partners like the United States Postal Service, Discover Card and companies that perform background checks, LifeLock monitors change-of-address filings and applications for credit cards and jobs made in the names of its customers, so it can alert them. TrustedID, a LifeLock competitor, recently introduced a service that analyzes both public and proprietary data to assess a person’s risk of identity theft — for example, the risk would increase if a person’s Social Security number was found to be associated with a different address — and recommends actions to lower your risk score.

LifeLock and CardCops, among others, scour the Internet and hacker chat rooms and warn customers if their data is spotted. LifeLock, for one, also tries to infiltrate hacker communities.

Perhaps the most interesting new arrival in this space is, a site operated by TrustedID, which uses a database created by Colin Holder, a 30-year veteran of Scotland Yard, that contains stolen records gathered from longtime, trusted informants.

The database holds about 138 million records tied to an estimated 54 million people, about 98 percent of whom live in the United States, and searching it is free. “It shows you who the bad guys are looking for: the rich Americans,” said Scott Mitic, TrustedID’s chief.

If any personal information — e-mail address and password, credit card number, Social Security number, bank account login details — is there, the site will describe, generically, what it has. It costs $15 to see the records, which Mr. Holder says covers administrative costs and helps ensure that only people entitled to the information receive it. (He also provides the data to banks and law enforcement agencies.)

SIDESTEPPING MALWARE Other products focus on outmaneuvering malicious programs that infiltrate PCs. Such malware has mushroomed recently, and antivirus companies have struggled to catch every new attack. SafeCentral ($40 for up to three computers; Windows only), a product from the security software company Authentium, protects users even if there’s malware on the computer. It includes a stripped-down and secure browser to use when banking, trading stocks, viewing health information or shopping online.

When a user visits such a site, SafeCentral asks if the user wants to proceed securely. If the answer is yes, a background resembling armor plating appears. In this safe room of sorts, certain Windows features regularly abused by attackers have been disabled.

Computer programming interfaces known as A.P.I.’s, which game makers can use to turn keyboards into controllers, for example, are turned off because “keylogger” programs use them to capture information. SafeCentral also turns screenshots of Web pages blank to defeat these programs. Also off are A.P.I.’s that programmers use for browser plug-ins. This stops malicious plug-ins that monitor encrypted Web sessions — the ones where the URL changes from “http” to “https” — in case credit card numbers are transmitted.

And because so-called phishing scams use fake Web sites to collect username and password information, SafeCentral takes an extra step to verify the authenticity of the sites it visits.

GIVE OUT NOTHING Another alternative is to avoid sharing information online in the first place. Kemesa, a software company, has created a shopping-safety product called Shop Shield that starts with a familiar browser-based tool for managing passwords and auto-filling Web forms — which helps defend against keyloggers (which can record every keystroke made on a keyboard). In addition, Shop Shield users can give online merchants anonymous personal data, like single-use credit card numbers and specialized e-mail addresses.

Of course, you have to trust Kemesa with your personal information. “They become a target. They’re very tempting now,” Mr. Vamosi of Javelin said.

Kemesa says it has created a “digital fortress.” To start, the product (which uses an add-on for the Internet Explorer and Firefox browsers and a Web site), puts an encrypted token on the computer, which makes it extremely difficult for a remote attacker to gain access to personal records. This also means the user must authorize each computer to run the program.

At Kemesa, customer information is not just encrypted, it’s broken up into tiny pieces that are then stored in different databases on different networks, making reassembly by an attacker grueling. It also monitors for intrusions, regularly tests its defenses, keeps its physical location in lockdown and otherwise sticks to Defense Department security standards.

Shop Shield offers three pricing plans: a scaled-back service that’s free if payments to merchants are tied to a checking account; one that charges $2 each time you use a credit card and small fees for other features; and an unlimited, full-service plan for $10 a month or $99 a year. Kemesa also profits from interchange fees that credit card companies collect on purchases.

Shop Shield is “a phenomenal concept,” said Jay Foley, co-founder of the Identity Theft Resource Center, a nonprofit consumer advocacy group. He brought up the case of theft involving a DSW Shoe Warehouse database in 2005, in which hackers obtained 1.4 million credit card numbers and the names on those accounts. “Imagine if with DSW, all the data that they had was from Shop Shield: one-time-use credit card numbers, no home addresses, no phone numbers.”

The chief executive of Kemesa, Steve Bachenheimer, would agree. “Thieves can’t steal what isn’t there,” he said.