Microsoft opens center for reports of identity and data theft

By Byron Acohido, USA TODAY

In a major step to slow cybercrime, Microsoft on Thursday launched a coalition that will serve as a clearinghouse for reports about caches of stolen data stashed all across the Internet.

Malicious programs crafted to swipe your financial and personal data have come to saturate the Internet — so much so that security researchers routinely ferret out computer servers used by cybercrooks to hoard stolen data. Until now, there was no specific process for reporting such discoveries.

The Internet Fraud Alert center — spearheaded by Microsoft and managed by the National Cyber-Forensics & Training Alliance (NCFTA) — will serve as a reporting hub. Stolen payment card numbers and online banking account logons will be routed to the issuing banks. The institutions will then decide whether to alert customers, suspend the accounts or pursue legal remedies.

Stolen Social Security numbers, birthdates and other personal data will be archived offline by the NCFTA and made available, as needed, to law enforcement.

"This fills a big gap in the arsenal of weapons we need to fight online fraud," says Nancy Anderson, Microsoft's deputy general counsel.

The stakes are high. Phishing scams, just one method of cyberthievery, revolve around tricking Web users into divulging sensitive data. Last year, phishing gangs duped 1 million U.S. households into losses of some $650 million, according to Anti-Phishing Working Group, a consortium of banks, retailers, Internet host providers, tech-security companies and law enforcement agencies.

Data thieves routinely access compromised PCs they have set up as storage servers. They typically store small caches of stolen data on one server, then move on to the next, says James Brooks, product-management director at security firm Cyveillance. Stashing data in this way helps thieves stay ahead of anti-virus filters.

One such server recently discovered by Cyveillance contained 6,000 logons to active accounts in six social networks and 1,200 logons to financial accounts at nearly 30 banks. "We've found caches storing sensitive data for hundreds of thousands individuals," Brooks says. "Most often it's a few hundred to a few thousand."

Inaugural members of the Internet Fraud Alert group include the American Bankers Association, Anti-Phishing Working Group, Citizens Bank, eBay, the Federal Trade Commission, the National Consumers League and PayPal.

The eventual participation of Google, Yahoo and Facebook could be a key to long-run success, says Dan Clements, spokesman for Affinion Security Center's CardCops division. That's because those tech giants each day collect mountains of Internet traffic data that could be sifted to track down the major wellsprings of criminal activity.

"We've long thought private industry has to step forward with a creative solution to solve global cybercrime," Clements says.

http://www.usatoday.com/tech/news/compu ... 8_ST_N.htm