• TJX hack: More of the same

    As details continue to emerge about the massive data hack at TJX, this much has become clear: Hackers had the run of the place for quite some time while company officials tripped over each other trying to secure customers' personal information. The image of the "Keystone Cops" comes to mind.

    Before you chuckle, know that TJX -- the parent company of T.J. Maxx, Marshall's and other stores in North America and the United Kingdom -- is hardly alone. A soon-to-be-released survey shows that fully 61 percent of company techs don't think the sensitive information in the control of their firms is safe from hackers.


    TJX's SEC filing on Thursday created as many questions as it answered, but it does offer telling glimpses of how things worked inside the company.

Some files were encrypted, some weren't. Some transmissions were encrypted, some weren't. Worst of all, the encryption didn't really work, the firm admits, because "the intruder had access to the decryption tool for the encryption software." That probably occurred because the tool was stored on the same computer as the encrypted file -- a common flaw, according to Gartner security researcher Avivah Litan.

Then there's this: Company officials deleted files after they were stolen, meaning the company doesn't really know how much data was taken. The files were not deleted in response to the crime, mind you, just as part of normal business operations.

    For example, hackers managed to steal data from transactions that occurred between November 2003 and April 2004. Since the intrusions occurred from 2005-2006, that means the company kept the data hanging around for about two years. But those files were subsequently deleted, so there's no way to know exactly how many consumers had their data compromised.

    That's ironic. Had the company just deleted the data in the first place, there'd be no hacking.

    TJX deserves harsh criticism for keeping data hanging around its servers so long, particularly data such as driver's licenses produced by 455,000 consumers who sought refunds from the company. Consumers don't expect companies to hoard their credit card numbers, driver's licenses and other data infinitely.

    Perhaps the only thing worse than keeping the data for years is deleting the data after it's been stolen, making a mess out of forensics efforts. What chaos! All this means we still don't really know what was taken and may never know. We also have no idea who stole the data, but we know this much. "They hit the jackpot," says Litan.

    One theory: Wireless hacking

    She has a theory about how the data was stolen. She believes hackers managed to penetrate TJX's computers through an exposed wireless network used to run retail operations. Hackers outside a store managed to break into the "controller" computer that manages the store's cash registers.

    From there, criminals were able to connect to computers all around TJX's global network, simply by guessing their Internet addresses. "Once you get into a controller, you can get into headquarters," she said.

    TJX said it had no additional details about how the hack occurred. But privacy consultant Larry Ponemon said Litan's scenario is certainly a possibility; he's consulted with other retailers who had exposed wireless networks.

    Meanwhile, the notion that hacking such critical data is easy is pervasive among security professionals. Ponemon is about to publish survey results that indicate 61 percent of computer security workers say their companies are not safe from hackers. The study also offers a clue as to why.

    CEOs, techies disagree

    Half of all executives told Ponemon that compliance with computer security regulations, such as Visa's Payment Card Industry standards, is a critical priority for their companies. But only 10 percent of the hands-on tech workers agree. In other words, while CEOs say they take security seriously, the techies know the truth. And the truth is, your data is there for the taking.

    "That's quite a gap," Ponemon said. "The average person who does … (security) day and day out knows that if you are smart enough you can hack your way into sensitive data." Why is that? "When faced with something that generates revenue, or spending on security, companies always go with the revenue generation," Ponemon said. "No one wants to spend money on security."

    TJX may find it has to spend the money anyway. Until recently, companies that leaked data got off lightly because the cost of resulting credit card fraud was often borne by banks and other merchants.

    Not any more. Visa USA now has a policy called Account Data Compromise Recovery that allows merchants and banks to seek compensation from the data leaker. In addition to fraud recovery, the plan allows banks to recover $1 per stolen card as reimbursement for operational costs.

    If the pool of leaked cards obtained from TJX ends up at more than 45 million, as the company has stated, that would be a pretty big bill -- and a pot of money that could have funded a pretty sizable computer security effort.

  • A portal on credit card crime

    Dan Clements, CEO of CardCops.com. (Photo: Jae C. Hong / AP file)

When you think of the Internet underground, you probably don't think about Burbank or Ventura, Calif. But if you want to see what's going on in the Web's darkest corners, the Ventura Freeway is where you need to go.

About halfway between Burbank and Ventura, get off Highway 101 at Calabasas and look for a low-rise office complex. Inside is perhaps the best portal into the world of identity thieves and credit card criminals you'll ever find: CardCops.com.


Hidden behind office cubicles and small piles of computer servers sits Dan Clements, 51, who manages a small army of researchers who spend their days masquerading as Web criminals, gathering intelligence from online chats where fraud is the only topic of conversation. Clements and his team of 10 pretend hackers (called "NetSeals") scour the Internet for stolen identity information, like credit cards, Social Security numbers and other personal information.

    Thieves openly trade stolen data in secret chat rooms, where the numbers and names fly by as fast as an old-fashioned stock ticker. The NetSeals slurp the information up using automated programs and enter it into a database, which now contains millions of entries.

    CardCops also has deputized thousands of hackers, who anonymously send in databases of compromised information. Clements calls it the CardCops "amnesty program," but all it means is that he promises not to snitch on the informants. The data they provide is shared with all major credit card companies and federal authorities. CardCops also sells the data to banks and identity theft prevention firms like TrustedID.

    CardCops has been at it for seven years, and Clements is often the first to know when identity thieves take a new tack in their craft. That's why he's been a key source for my identity theft stories since we met in 2001.

    The ideal person for an on-camera sting

When "Dateline NBC" approached me last year looking for help with its planned piece titled "To Catch an ID Thief," I knew exactly where to send them. Clements has been running the kinds of sting they were envisioning -- using something known as a "honeypot" -- for years. He knows just how to draw in swarms of credit card criminals, as you'll see in the Dateline piece. Here's a hint: All it takes is money.

CardCops has an interesting philosophy, born out of necessity when the firm began as an online advertising sales business named AdCops.

    "Our job is not putting handcuffs on script kiddies (young hackers), but rather to learn from them," Clements said. "So we engage them."

    In 1999, Clements was selling online ads and suffering from affiliate and click-through fraud, where hackers set up computers to automatically generate fake clicks and collect bogus commissions. He threatened a gang of hackers one weekend. When he arrived at work the next morning, the hackers had "wiped clean" the company's servers.

    "We thought, 'Wow, it isn't too smart to threaten them. So let's treat them with respect and see how far we get,'" Clements said. "That's when we really turned it around."

    Another event in 1999 persuaded Clements to focus his company on fraud detection. At the time, Clements said, his firm was directing traffic to America Online for commissions. A number of affiliates helped his company, then known as AdCops, attract traffic, but AOL suspected they also were engaged in click fraud. So the Internet giant sent subpoenas to Clements and instructed him to serve all his affiliates. One day, after he dutifully sent them out, a tech expert with a habit of lurking in Internet Relay Chat rooms devoted to advertising fraud, urgently called Clements over to his computer.

    "One kid was saying to another, 'Hey, I just got a subpoena today.' The other one answered, 'Me too. My mom's going to kill me,'" Clements recalled.

    The young hackers were AdCops affiliates.

    Invitation to brag bears fruit

    Instead of running to authorities with the chat room log, Clements had another idea. He asked the hackers how they had done it. One of the hackers took him up on the offer and the idea of the amnesty program was born.

    "We wanted them to tell us how they do things," he said. He offered only bragging rights, playing on hackers' vanity, but that was often enough. Soon, CardCops was getting all kinds of tips along with invitations into the most secretive credit card fraud chat rooms.

    There were fits and starts while Clements created a new kind of business. His first idea was to create a "fraud museum" of scams and tactics. The museum could be viewed by Internet merchants so they could learn about their enemy.

    "Everyone talks about Net fraud, but do you actually know how online thieves work?" Clements wrote in an announcement of the fraud museum sent to MSNBC in March 2001. "Are you curious about the tools they use? Or how they think? Now you can actually see it with your own eyes. Inside you will see zipped programs that steal, crack, encrypt and generate credit card data. You will also see actual e-mails from thieves. … The fraud museum gives you a chance to see fraud from the thief's perspective."

    The fraud museum backfired, however, as some merchants maintained that criminals were using it to research fraud methods. So Clements quickly removed the site and began devoting his time to gathering "human intelligence."

    Direct-to-consumer service

    For a while, Clements automatically forwarded the compromised data to credit card firms. But increasingly, he had the sense that the card companies weren't acting quickly on the information. So he set up a direct-to-consumer offering called IDProtect, which allows consumers to see if their information has been shared in a chat room observed by CardCops employees. The data also is resold through a number of partner firms.

Critics point out that CardCops' data contains only a tiny fraction of the data stolen by hackers, and contend that a clean bill of health from CardCops' service doesn't mean much.

Still, the knowledge CardCops has about the nature of the credit card criminals and identity thieves is invaluable. We're lucky CardCops agreed to take Chris Hansen, Dateline camera crews and the public on a journey through the Internet underground Tuesday night.

    Also by Bob Sullivan: Is your computer a criminal?

  • Is your computer a criminal?

    PART 1 OF A 3-PART SERIES

    Your home computer may be committing a crime at this very moment. It might be sending out spam. It might be buying stock as part of a pump-and-dump scheme. Or it might be helping attack the Internet itself, silently and invisibly, as you read this story. And the odds your computer is a criminal are quickly rising.

The Web, some say, has been turned into an operating system for criminals. Computer viruses that hijack PCs and turn them into electronic robots, or "bots," have become the killer app. The operation of networks of hijacked computers is so lucrative that hackers are actually fighting electronic wars over them, a story we will explore next week in part two of this series.


    New hacker techniques make these virus attacks so subtle that there is no way you would know your computer is a criminal. And there is a growing sense among security experts that hackers have gained the upper hand in what was once a neck-and-neck arms race.

    Bots can squirm their way onto home computers in myriad ways: a virus-laden e-mail or a booby-trapped Web site are the most common. But some viruses can attack your computer in the background, silently worming their way through networks via unprotected ports and porous firewalls, using vulnerabilities that software companies don't know about.

    Earlier this year, Internet founding father Vint Cerf dramatically suggested that 150 million computers worldwide may have been hijacked by criminals. Most experts think that his estimate is high, but they still count infected computers in the millions, or tens of millions. And there is general consensus that the Internet is under assault from virus writers like never before.

    Listen carefully to the words of those who are trying to help us keep our computers safe from Net criminals and you'll get a creeping sense that the boat is leaking faster than they can bail out the water. There were two-and-a-half times as many viruses released in 2006 as in 2005, and the growth rate has continued through the first quarter of 2007, said Eugene Kaspersky, chief researcher for Kaspersky Labs.

    Antivirus firms "may not be able to withstand the onslaught," he said at a recent computer security conference. "This is a competition where the antivirus companies, I fear, are not in a good position."

    Another antivirus executive put it more bluntly in a private conversation. "I think we've failed," said the official, speaking on condition of anonymity. Computer security firms often use hyperbole to help get attention for their products, but expressing helplessness is something new.

    Serious crimes for serious money

    The security firms' helplessness means more home computers than ever are being hijacked by organized criminals. Those who control the computers, known as "bot herders," have little interest in the kinds of pranks that hackers typically played with their viruses five or 10 years ago. They commit serious crimes for serious money.

    How serious? Earlier this year, a bot army sent a torrent of Internet traffic at two of the Web's 13 critical domain name servers, directing the equivalent of millions of e-mails at them within a few minutes. The mysterious onslaught would have rendered the Web useless if it had succeeded in taking the domain name servers down, but after a few hours it stopped as quickly as it started.

    Why would an attacker perform such a show of strength? It might have been a marketing ploy.

    The Internet Corporation for Assigned Names and Numbers, or ICANN, which helps run the domain name servers, speculated in a recent report that the attack was the work of a bot herder trying to close a sale by demonstrating the size and power of his army of hijacked computers.

These bot armies -- often between 50,000 and 70,000 PCs strong -- are leased out for around $5,000 a day to spammers, said Howard Schmidt, former White House cyberczar. An attacker who might want to threaten a bank with denial of service and demand an extortion payment would probably have to pay more.

    "These things are insidious," he said.

And sometimes they are overwhelming. Ben Mayrides, a security guru for America Online, says the firm regularly sees bot armies -- or "botnets" -- of 200,000 infected computers. In 2005, Dutch authorities announced they had arrested three youths who controlled a botnet of 1.5 million computers that they assembled using a single Trojan horse program.

    Big money is stock scams

    Individual bots operate in complete silence, but we all see their handiwork. At this point, almost every spam e-mail is sent from a hijacked computer, according to Uriel Maimon, a researcher at security firm RSA. That means every time you receive a spam, a hijacked computer is at the other end. For evidence of a bot epidemic, researchers point to the recent resurgence of spam, which has doubled in the past 12 months.

    Forget Viagra sales: Spammers have largely graduated to manipulating stock markets. Most spam is image spam now, designed to pump up stock prices in thinly traded companies so someone can make a quick profit. In a recent e-mail apparently written by a stock spammer and examined by MSNBC.com, the author brags he can more than double a stock price within two to three weeks.

    "We can increase the cost of your share and we can increase average day trading," the e-mail says. "We can increase price up to 200-260 percent in 2-3 weeks and also increase range by 10 times each trading day. … Our payment for that is 10 percent."

    With increasing sophistication and deliberation, computer hackers are getting the most out of hacked computers, too. The computer crime du jour is a simple but effective stock pump-and-dump scheme that goes like this: Hackers buy a stock, then use hijacked computers and stolen brokerage accounts to buy the stock at inflated prices using other people's money. When the hackers sell their original shares, they make a killing.

In March, three Indian nationals were sued by the SEC for allegedly pocketing $121,000 after manipulating stocks and options on 14 firms, including Google and Sun Microsystems. The group managed to spend nearly $2 million in other people's money, the U.S. Securities and Exchange Commission said. One victim had $180,000 in his brokerage account, left for a vacation, and returned to find his account had a negative $200,000 balance.

    The SEC is aggressively pursuing stock spam criminals, said John Reed Stark, head of Internet enforcement for the agency. But the dangerous combination of hijacked computers and global securities trading offers riches far beyond the legitimate dreams of computer experts in developing economies. As a result, cybercrime has become wonderfully profitable, and fantastically popular.

    How do you count the bots?

    No one knows how many infected bots there are, but there is little argument that millions of computers have been herded. If your computer isn't infected, security experts say, certainly someone on your block is part of a bot army.

No government agency counts bots; even law enforcement officials rely on private industry for estimates. Here are a few:

MessageLabs, a company that counts spam, recently stopped counting bot-infected computers because it literally could not keep up. It says it quit when the figure passed about 10 million a year ago. Symantec Corp. recently said it counted 6.7 million active bots during an Internet scan. Since not all bots are active at any given time, the number of infected computers is likely much higher. And Dave Dagon, who recently left Georgia Tech University to start a bot-fighting company named Damballa, pegs the number at closer to 30 million. The firm uses a "capture, mark, and release" strategy borrowed from environmental science to study the movement of bot armies and estimate their size.

"It's like asking how many people are on the planet, you are wrong the second you give the answer. … But the number is in the tens of millions," Dagon said. "Had you told me five years ago that organized crime would control 1 out of every 10 home machines on the Internet, I would not have believed that. And yet we are in an era where this is something that is happening."

    That means the Internet is becoming a very rough neighborhood. So rough that many of those who fight computer crime think, in some ways, they are fighting to save cyberspace.

"This is not just a battle between manufacturers of security software and some Internet criminals. It is a war between good and evil," F-Secure researcher Mikko Hypponen said at a recent European security conference.

    Why now? 1. More sophisticated viruses

    It used to be that infected computers would eventually stall from the hard work of crime, stumbling over an e-mail blast involving thousands of messages and tipping off the rightful owners. Now, the organized criminals who do this work have remote-control crime down to a science. Instead of using your computer to send 5,000 spam messages in an evening, it might only be instructed to send out five. The bot herders reach the volume they need by repeating that technique with the tens of thousands of computers at their disposal.

    AOL's Mayrides says he's seen bots instructed to send out only one e-mail per day.

    This puts security firms at a distinct disadvantage. A few years ago, Internet service providers would notice tens of thousands of e-mails being sent from a home computer, and could easily remove it from their network. But how can an Internet provider spot five rogue e-mails sent from your machine while you sleep?

    "We have a very difficult needle-haystack problem here," Dagon said.

The Storm worm, which infected more than 1 million computers in January by promising information about the deadly winter weather hitting Europe, used a variation of this tactic. A Storm-infected PC observed by Symantec researchers sent out 1,800 e-mails in a five-minute span, then simply went to sleep.
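To make concrete why the per-host volume check described above catches a Storm-style burst but not a bot sending five messages a night, here is an added Python illustration (not code from the article, the ISPs or the firms it quotes). It runs two detectors over a constructed mail-relay log: a classic per-host burst threshold, and a cross-host correlation that flags one message fingerprint relayed by many different hosts. Host addresses, fingerprints, thresholds and the log itself are assumptions constructed for the example.

```python
"""Two detectors for bot spam in a mail-relay log (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class MailEvent:
    ts: datetime       # time the relay accepted the message
    host: str          # customer host that submitted it
    fingerprint: str   # stands in for a digest of the normalised subject/body


def make_sample_events():
    """Constructed log mixing three kinds of sender (all values are made up)."""
    t0 = datetime(2007, 3, 22, 1, 0, 0)
    events = []
    # 1. Storm-style burst: one host, 1,800 messages in five minutes, then silence.
    for i in range(1800):
        events.append(MailEvent(t0 + timedelta(seconds=i / 6), "10.0.0.7", f"storm-{i % 50}"))
    # 2. Forty "low and slow" bots: five messages each, spread over about 14 hours,
    #    all relaying the same pump-and-dump template.
    for b in range(40):
        for k in range(5):
            events.append(MailEvent(t0 + timedelta(minutes=12 * b + 96 * k),
                                    f"10.0.1.{b}", "pump-template"))
    # 3. One legitimate user: twenty distinct messages over the same night.
    for k in range(20):
        events.append(MailEvent(t0 + timedelta(minutes=25 * k), "10.0.0.2", f"personal-{k}"))
    return sorted(events, key=lambda e: e.ts)


def per_host_burst_alerts(events, threshold=100, window=timedelta(minutes=5)):
    """Classic ISP rule: flag any host that relays more than `threshold`
    messages inside a sliding `window`. Returns the set of flagged hosts."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e.ts)
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(host)
                break
    return flagged


def shared_template_alerts(events, min_hosts=10):
    """Cross-host correlation: a fingerprint submitted by at least `min_hosts`
    distinct hosts is suspicious even if each host sent only a few messages.
    Returns {fingerprint: set_of_hosts}."""
    hosts_by_fp = defaultdict(set)
    for e in events:
        hosts_by_fp[e.fingerprint].add(e.host)
    return {fp: hosts for fp, hosts in hosts_by_fp.items() if len(hosts) >= min_hosts}


def missed_by_volume_rule(events):
    """Hosts the correlation detector flags that the volume rule never sees."""
    loud = per_host_burst_alerts(events)
    quiet = set().union(*shared_template_alerts(events).values())
    return quiet - loud


if __name__ == "__main__":
    sample = make_sample_events()
    print("burst rule flags:", sorted(per_host_burst_alerts(sample)))
    print("shared templates:", {fp: len(h) for fp, h in shared_template_alerts(sample).items()})
    print("low-and-slow hosts missed by the burst rule:", len(missed_by_volume_rule(sample)))
```

The burst rule fires only on the Storm-style host; the forty bots sending five messages each never cross a per-host threshold and show up only when their shared template is correlated across hosts.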

    Consumers are unlikely to know their computer has been hijacked because there usually are no symptoms.

    "People are not going to find out about the bot because it slows down their systems," said Hypponen. "(Hackers) take great care in making sure it doesn't do anything that the users might notice. Especially with new machines with 2 gigs of RAM, people will not notice they are sending out spam while playing World of Warcraft. The computers are just powerful enough to handle that."

    Why now? 2. China

But improved software is only one reason criminals appear to have gained the upper hand. Another is the sheer size of their armies. Part of the deluge of new viruses can be attributed to a new generation of hackers from Asia, where broadband has proliferated, and particularly China, where hackers are learning fast, Hypponen said.

    Asia is also a grand playground for hackers worldwide, because many home users run pirated copies of Windows and can't load security patches, according to a January report by Florida-based security firm Prolexic. Since China now boasts more Internet users than any other country, it also has more infected computers.

    Why now? 3. Volume

The sheer volume of new viruses has become overwhelming. Hypponen says there is so much new malware -- malicious software -- submitted every day to his firm that it has abandoned its long-standing practice of having each one analyzed by its researchers. The viruses are processed by computers now and ranked by severity.

"It's getting harder and harder for us just to keep up with the amount of new malware coming in," he said. "Right now on a typical day we receive more than two (possible new viruses) a minute. There are thousands every day. The increase in three years has been tenfold. So our lab and all the other labs are rebuilding the way we handle them. You can't do it with human power."

    Why now? 4. Perpetual 'zero day'

    The onslaught isn't just about volume, however. Hacker techniques have improved markedly, says Dagon. It used to be that exploiting vulnerable software usually took weeks, as hackers probed software for security flaws. When they published their results, software makers would race to fix the flaws. Simultaneously, criminals would take those flaws and turn them into attacks, often by attaching them to specially crafted e-mails.

    On rare occasions, criminals had both the security hole, or exploit, and the delivery tool before the software maker had any notion a flaw existed. Called a "zero-day" attack, these circumstances gave criminals a small window to mercilessly hack defenseless computers.

    But this entire cycle of finding and exploiting flaws has been reduced to a few hours, Dagon said. Hackers find flaws, use them to attack, and erase all evidence so fast that software firms never even know there's a flaw. Dagon has a chilling name for this: "A perpetual zero day window."

    Hackers also have learned to write viruses that mutate on their own. Because antivirus software usually catches only known viruses, mutating versions pose a major challenge for security firms. The Storm worm, for example, had 5,000 different variants within a few days of being launched.

    Why now? 5. Better command and control

Hackers have more sophisticated tactics to command and control their massive bot armies -- another sign that true professionals are in charge. Not long ago, remote-controlled bots used old-fashioned Internet Relay Chat to communicate. Internet filters could pick out that traffic and disrupt their networks, at times even identifying the controlling computer and cutting off the "head" bot by removing it from the network.

    Now, bot networks are increasingly peer-to-peer systems, designed to look like file and music swapping systems like eDonkey. This prevents Internet service providers from picking out bot communications from regular Web traffic. And it also means there is no head bot to cut off, so networks can only be dismantled one infected computer at a time.

    Why now? 6. Competition for labor with crime rings

    Adding to the challenge antivirus companies face in trying to keep up with cybercriminals is the intense competition for skilled labor. There is so much money being made in the underworld that legitimate firms have trouble recruiting.

    "We are dealing more and more with a worldwide industry that employs thousands of people," Kaspersky, the researcher, told the Bangkok Post earlier this month. Said another executive with the firm, "These people are paying programmers the kind of salary that I could never afford."

    What now?

For years, security experts have been repeating the same formula to consumers -- update antivirus software frequently and use a firewall. But experts say that consumers can no longer trust a single antivirus product to protect them. Dagon points to a Web site named VirusTotal.com that scans potential viruses using 30 top antivirus products. The results are sobering.

    On March 22, 9,408 virus-laden files were submitted. Only 28 were detected by all 30 antivirus products. Every other virus was capable of slipping past at least one of the antivirus products undetected, which means that even consumers who keep their security software up to date are at risk.

    America Online deals with the problem by swarming its files and e-mail with antivirus products. Everything that's sent through AOL is scanned by 13 or 14 different products, said Mayrides, the AOL security expert.

    And still, viruses get through.

    "It's rough out there," he said. "One (antivirus product) is not good enough. … There are too many attack vectors these days."

    So should consumers stop trusting the Internet? Yes, to a point, said F-Secure's Hypponen.

    "I don't think end users should lose their trust, but they are trusting too much," he said. For example, consumers still fall for phishing e-mails and hand over passwords to brokerage accounts despite years of warning. "We should make people lose their trust, break that trust."

    Experts advise computer users to scan their system with multiple antivirus products. It's not necessary to pay for all the products. A number of free Web-based security services are available to consumers. No single scan is perfect, but doing one is a worthwhile check-up.

    Users also can take the energy-saving step of shutting down their computers when they aren't in use. That way, even if your machine is infected, the computer's resources won't be available to criminals all night and all day while you're at work.

    COMING NEXT WEEK: BOT WARS. ONLINE CROOKS ENGAGE IN TURF BATTLES

  • Amateur hour for politics ads

    The nuclear mushroom cloud reflected in Daisy's eyes during the 1964 campaign. The revolving doors, with men casually walking in and out of prison in 1988. Enduring images from political campaigns are sometimes credited with changing the course of an election.

    Some political consultants believe each campaign produces such a video moment. But this time around, what if the image isn't produced by either campaign?


    Do-it-yourself political advertisements made by amateurs are now flooding the Internet thanks to cheap digital video production equipment and free video sharing sites like YouTube. And last week, the first genuinely viral video of the 2008 campaign made the rounds: Its target was Hillary Clinton.

    The one-minute spot -- posted earlier this month, it's already been seen by 170,000 viewers -- is a rip-off of Apple's famous Orwellian 1984 Macintosh commercial. But instead of showing Big Brother addressing the crowd, it places Clinton in the role of the establishment. It ends with the simple message, "Vote Different," echoing Apple's "Think Different" mantra, then promotes rival Barack Obama's Web site.

    An Obama spokesman said the senator's presidential campaign had nothing to do with the ad.

So far, little is known about the ad's creator. Messages left for the person who posted the ad on YouTube, who goes by the name "ParkRidge," were not returned. Joshua Marshall, among the first to take note of the ad on his Talking Points Memo blog, said he was assured by someone who knew the ad's creators that it was an independent effort before he linked to the video.

    The Clinton 1984 ad is a "mash-up," or mixing of multiple videos into one piece. Amateur political mash-ups aren't new, and neither is their creators' taste for irony. Ned Lamont, who gave Sen. Joe Lieberman a run for his money in last year's Connecticut Senate race, was spoofed by a mash-up that mixed a real campaign ad showing a crowd of eager volunteers gathering outside the candidate's house with the jingle from the Mentos mints advertising campaign, poking fun at the toothy smiles from Lamont's supporters.

    Another homemade ad married the now-infamous video of John Edwards primping before a television interview with the song "I Feel Pretty" from "West Side Story."

    Homemade ads made their public debut in the last presidential election, when MoveOn.org sponsored a do-it-yourself contest. The winner, Child's Play, was a somber ad featuring children working at low-paying jobs that called attention to federal deficit spending.

    Funny, but are they effective?

    Homemade ads were part of the discussion Thursday at a conference for geek political practitioners at George Washington University in Washington, D.C. The keynote speaker of the "Politics Online 2007" gathering was a Google executive, an obvious sign that the union between campaigning and technology will be a strong one during the upcoming campaign.

    In his address, Elliot Schrage, Google's vice president of global communications, showed the Edwards "I Feel Pretty" video and predicted that the firm's YouTube site will be a hot spot for campaigning leading up to the November 2008 election.

    "Parodies can be as informative as the original video … and we're committed to making them available," he said.

    But while the homemade ads are good for laughs, campaign professionals are wondering whether they could actually influence election results.

    Bill Hillsman, who made the "real" Ned Lamont ad that was parodied in the mash-up, isn't so sure. "I've seen a lot of things that are funny, but it's hard to say what's effective," he said, admitting he got a kick out of the Mentos mash-up. "These people don't necessarily know who they are trying to talk to. They are generally talking to people in their own age group and of their own mind-set. In other words, people who ... are already in the choir."

    Cameras, cameras everywhere

    But amateur video is sure to have some impact on campaigns, said Julie Germany, deputy director of the Institute for Politics, Democracy & the Internet at George Washington University.

    In a sense, it already has, she said, citing Sen. George Allen's failed re-election bid in November after he was filmed describing an audience member as "macaca" during a campaign stop. It wasn't strictly speaking a homemade advertisement -- the video was shot by a campaign worker for opponent James Webb -- but it showed the role a single, grainy video shot with a cell phone and made available on the Web can play in a campaign, she said.

    With the seemingly endless number of cell phone cameras following each candidate's every move, someone is sure to say something questionable before November 2008. Even in an amateur's hands, video of that moment could make for a powerful ad, Germany said.

    In such a wired world, the distinction between professional and amateur ads and incriminating video snippets is increasingly becoming irrelevant, Hillsman said. "There are enough cameras out there that the image tagged to a candidate could come from anywhere," he said. "People don't distinguish between campaign-made ads on YouTube or homemade ads or a blogger following a candidate with a camera."

    No regulation

    There is a troubling aspect to the blurring of that line, however. The Federal Election Commission regulates formal political advertisements, but has so far declined to regulate blogs or homemade ads. Germany thinks some campaigns might take advantage of that loophole in election regulations. For example, she said, a campaign donor could give an amateur video-creator free editing equipment to create ads targeting an opponent or campaigns could use bloggers or YouTube to post negative advertisements anonymously.

    "We haven't seen it yet, but we anticipate that," she said.

    Schrage, the Google official, said the lack of regulation wouldn't necessarily turn Web ads into a free-for-all, however. He stressed the Internet's "self-policing" qualities and suggested that misleading ads could quickly be beaten back by an army of fact-checking bloggers. And of course, candidates can quickly post their own responses on YouTube, as Mitt Romney did recently after a blogger dug up a video of the former Massachusetts governor suggesting in a 1994 debate that he supported abortion rights.

    Such balancing acts might blunt the impact of homemade ads. But even if an amateur ad doesn't manage to tag a candidate like the nuclear bomb or revolving door ads of other campaigns, Germany thinks they will have a more-subtle impact during the 2008 election cycle by offering a creative outlet for fully engaged campaign volunteers.

    "When was the last time you heard of someone doing something creative for a campaign?" she said, referring to mundane tasks like door-to-door canvassing or manning phone banks that campaign volunteers have traditionally been given. "(Now) people are getting involved outside the campaign sphere."


  • The penalty: a digital scarlet letter

    We've become a nation of digital scarlet letters.

    Nearly every crime is now entered into massive databases that track transgressions nationwide. Increasingly, these databases are available to almost anyone for the asking -- law enforcement, border agents, foreign governments, future employers, even nosy neighbors.

    Because of these perpetually available records, there is sometimes no way to put a crime behind you, even after you've paid your debt to society. A short prison sentence for a felony assault -- or for throwing a cup of soda at a passing car -- can become a lifetime criminal record, complete with public disgrace in our era's town square, the Internet.


    Computers know no gray areas. In the digital world, bits are either on or off. So it is with digital justice. To a database, if you've ever been a criminal, you are a criminal.

    Last month, Jessica Hall was freed after serving one month in a Virginia jail for throwing a cup of McDonald's soda at a driver who cut her off on the highway. The crime was throwing a "missile" from a moving vehicle, a felony in Virginia. Hall, a 25-year-old mother of three, is caring for the children by herself while her husband serves his third tour of duty in Iraq.

    She won a legal victory in February when a judge reduced her sentence -- originally slated for two to five years -- to time served and freed her from jail. Activists cried victory. But Hall, who aspires to attend nursing school, knows her fight is long from over. She has been tagged with a digital scarlet letter, and faces potentially perpetual challenges getting jobs, licenses, and applying to any school.

    "Now people are going to see me as an angry, road-rage convicted felon," she told the Washington Post.

    Trouble for the 'Clean Slate Clinic'

    Margaret Richardson sees this problem every day. As director of the "Clean Slate Clinic" at the East Bay Community Law Center near San Francisco, Richardson helps former criminals clear their records so they can rejoin the work force and become productive members of society. She said the center has helped 2,500 people clear their records in the past 18 months.

    Getting criminal records expunged from court records is often easy. Multiple programs allow convicts to clear their names after proving they've cleaned up their act. But clearing the digital mess left behind can be much harder, she said. Commercial background database vendors gobble up criminal records, but many are not nearly as efficient at deleting records that have been expunged by the court system, she said.

    "These databases take a snapshot of someone's record, then put it out in perpetuity," she said. "There's little oversight of the databases, and even less interest in updating people's information in them."

    Richardson spends most of her time helping "wobblers." In California, some crimes can be charged either as felonies or misdemeanors. On that list: possession of firearms, driving while intoxicated, domestic violence, even petty theft with prior convictions. Those convicted of such "wobbler" felonies can appeal to have their record reduced to a misdemeanor after completing probation.

    The reduction is hardly trivial. Many firms won't hire a person with a felony record. Richardson, who represents 30 to 40 clients a week, says judges often find room for mercy when her clients show they've cleaned up their act. Databases are far less forgiving.

    "There is no requirement in the law that databases be updated in a certain amount of time," she said. "The person has to follow through and make sure the database is updated."

    Richardson's clients are reluctant to discuss their cases, as a story about their situation would also create a permanent electronic record of their felony conviction on the Internet. But she relayed the story of a client named Rachel who was convicted of a sex offense for public exposure years ago. Rachel was a drug addict at the time, and working as a prostitute to pay for her drug habit. Rachel, now clean, is stuck with minimum-wage jobs while trying to clear her sex offense record.

    'Information can never be bad'

    Firms that provide background checks say they have a duty to provide the maximum amount of information in their reports. Naveen Jain, who co-founded the information broker Intelius.com, says simply that "information can never be bad." Clients who order background reports deserve the maximum amount of information available, he argues.

    Ed Peterson, also an Intelius co-founder, rejects the idea that, in this database era, it's harder for reformed criminals to escape their past and begin a new life.

    "When we lived in smaller communities, 100 years ago, the whole community knew about (crimes)," he said. "Now we live in a transient society. ... It's easier to get away from your record now."

    Intelius updates its records constantly, he said, removing felony convictions when notified by courts to do so. But he admits keeping the data up to date is a challenge because "every jurisdiction does things differently."

    Consumers with erroneous records can appeal to the firm for corrections, he said. Generally, such errors originate with the jurisdiction that sells the data to his company, he said, and those seeking corrections must appeal to the original provider.

    Firms like Intelius provide a critical tool that prevents criminals from simply moving around and getting away with the same crimes again and again, he said. Even after criminals serve their sentences, employers should know if prospective employees have a record.

    "Employers have a right to ask those questions," he said.

    No second chance

    But others worry that electronic criminal records are making America a society that has abandoned the notion of forgiveness. Daniel Solove, a law professor at George Washington University and privacy expert, says "online shaming" cuts at the very heart of a founding principle of America.

    "The original settlers of America were people who wanted a second chance, to start anew," he said. "That is evaporating because of all the transfer of information."

    Congress planned for this very problem long ago, Solove said, and in the 1970s enacted limitations on reporting of criminal records for employment background purposes. The Fair Credit Reporting Act forbids listing of most felonies on employment background reports after seven years from the end of the sentence.

    Most states also recognize the problem of perpetual felony records, and offer various processes to give reformed criminals a chance at a clean slate, he said. But crime databases can make that largely impossible. While federal law limits the time criminal records can be revealed to future employers, no law limits the access members of the general public can have. Your new neighbor can pay $50 to Intelius and see your criminal past at any time, reaching as far back as your teen-age years.

    "Increasingly convictions are really becoming these permanent anchors preventing people from basically starting anew … data forever affixed to someone's identity like a digital scarlet letter," Solove said.

    The Web of scarlet letters may be wider than you think.

    Smoked pot? You could be barred from Canada

    Legal experts believe the sharing of crime data will pop up in more places as time passes and create unexpected problems. Those with long-ago crime records have always been legally prohibited from entering Canada, for example. Our northern neighbor, however, had few tools for enforcing the rule. Until recently, that is. The San Francisco Chronicle last month revealed that tourists are now frequently stopped at the border and turned back for convictions dating back to the 1970s -- for crimes as trivial as marijuana possession.

    "With a (criminal) record, you have no right of entry (into Canada). They do not have to give you a reason for rejecting you or tell you the source of the information," said Chris Hoofnagle, a research fellow at Stanford University's Center for Internet and Society. "When you look at the percentage of Americans who have interaction with law enforcement, it's a huge percentage of the population and the problem is getting bigger and bigger."

    If Nathaniel Hawthorne were alive today, perhaps the author of the novel "The Scarlet Letter" would be writing about companies like Intelius rather than Puritan New England. His heroine, Hester Prynne, managed to win a reprieve after being found guilty of adultery by impressing her community through consistent works of charity. One wonders if she would be able to repair her reputation as effectively today.

    "The legal apparatus has systems in place that were set up centuries ago ... part of those processes is that somebody's status can change," Richardson said. "But the way these (databases) were set up, the opportunity for people to change status is not accommodated."

  • Credit card companies' change of heart

    America's credit card companies: Champions of the poor? Apologizing to indebted consumers? Someone check the thermostat in hell.

    What to make of this sudden, very public about-face by America's credit card companies since January, in which they seem to be abandoning many of the outrageous penalty fees that have confused consumers and fattened bank bottom lines for years? Why the sudden change of heart? Were they visited by the ghost of Christmas past during the holidays, or at least, the ghost of Democratic-controlled Congress future?

    Or are they just playing possum?


    In recent months, Chase and CitiGroup both have announced they will abandon what were clearly among the most egregious fee practices by credit card issuers. But look closely, and you'll see a pattern.

    In January, Sen. Chris Dodd, D-Conn., hosted a banking committee hearing on credit card fees. On the eve of that hearing, Chase announced it would discontinue two-cycle billing. That practice is so diabolical and complicated I can't really explain it here. But suffice to say that the moment you don't pay your bill in full, the card issuer will not only assess high interest rate charges on new purchases, it will actually reach one month into the past and charge interest on past purchases too. Instead of being embarrassed during the hearing by this practice, Chase was able to piously say, "We don't do that any more."

    This week, card issuers were again hauled before the Senate, this time in front of an investigative subcommittee. Critics were licking their chops, ready to dig into a government report from last year that found heartbreaking stories of indebtedness -- such as that of an Ohio man who charged $3,200 on his cards and then saw the debt mushroom to $10,700 because of fees, penalties and interest.

    But just as critics began to sharpen their verbal knives, Citigroup announced it would abandon "universal default," a means of raising credit card interest rates that has universally been decried as unfair. Card companies often pull your credit report every month. Under universal default, they reserve the right to raise your rate if you are late paying any monthly bill. Being late on your car payment shouldn't have anything to do with your credit standing with your credit card issuer, but universal default drew that connection anyway.

    Credit goes to the fee-creation team

    In truth, universal default was simply another excuse dreamed up by card issuers' fee-creation teams to trip consumers into the lucrative, high-interest-rate bin.

    But late last week, Citigroup announced it had seen the light and was abandoning the practice.

    Chase also offered another giveback before the hearing. It said it would stop charging over-limit fees. What are those? Remember when your card would be declined if you didn't have enough credit balance remaining to make a purchase? Fee-creation teams realized the firms weren't making any money doing that, so they quietly changed policies to allow consumers to exceed their credit limit and began tacking on a $40 fee for each month the limit was exceeded.

    After that Ohio man mentioned that he was charged 47 over-limit fees on his $3,200 balance, Chase now says it will stop levying the fees after 90 days.

    Of course, consumers should welcome such changes. It's good to have the big boys abandon these outrageous fees. Perhaps they have seen the light.

    Or perhaps something else is going on.

    Notice the timing of the announcements -- each one right before a potentially embarrassing congressional hearing. Having sat at such hearings, I can tell you that nothing blunts a good verbal bloodbath more effectively than a witness telling Congress, "Yep, we did that; we were wrong, and we don't do that any more."

    Pre-hearing spin muddies story line

    News stories following both hearings also were blunted. Instead of stories focused solely on egregious lending practices, journalists had to spend precious paragraphs (as I just did) explaining the card company fee policies and the recent largesse.

    The message was now effectively muddied. The original message of these Senate hearings was: Half of American consumers are entangled in terrible loan arrangements with credit card firms that charge usurious interest rates, bury contractual agreements in incomprehensible small print and change those agreements at any time. The message instead became: Card companies might be coming around. Maybe they're not so bad!

    Reaction to all this was mixed. Elizabeth Warren, a Harvard Law School professor, author of "The Two-Income Trap" and a perpetual thorn in the industry's side, was decidedly optimistic about the developments.

    "This small change is important," Warren wrote on her blog on TPMCafe.com. She congratulated Congress on winning immediate concessions from the industry. "It is a powerful reminder that leadership in Congress makes a real difference."

    But Robert Manning, author of Credit Card Nation, took the contrary view.

    "It's a pre-emptive strike," he said. He thinks the industry has a plan: Make small concessions now to avoid big new regulations later. "They sacrificed the least-defensible policies to demonstrate that they don't need regulatory oversight. But it will be business as usual."

    'Good without negative consequences'

    Greg McBride, a senior analyst with Bankrate.com, offered a more down-the-middle assessment.

    "I think it's a bold step but not one they are taking blindly," he said. "Lost in the shuffle is how competitive the credit card business is. ... (The new policies) could foster good will without negative consequences for the issuer."

    Also lost in the shuffle is Citigroup's rejection of its long-standing policy allowing it to raise interest rates or penalty fees "any time for any reason."

    Any time for any reason? Could they really do that? They can. In fact, it's standard credit card issuer policy. You can read about that in Citigroup's release.

    I find this the most promising piece of news. The most egregious aspect of the credit card industry's behavior is the arbitrary nature of fees and interest rates. One-sided contracts with consumers essentially gave these firms a license to change the terms at any time, which was effectively a license to print money. Citigroup says it will no longer do that. Terms will only change when a new card is issued, the firm said.

    One can only hope other credit card issuers will also decide to honor their original contracts with consumers and abide by their agreements. But if past behavior is any indication of future behavior, I wouldn't count on it. What I would count on is this: War rooms full of hidden fee visionaries are right now dreaming up new ways to hit cardholders with new and even more creative tack-on charges that don't run afoul of these recent concessions.

    Will those fees make it out of the war room and harm consumers? Only time will tell.
    But I would bet my credit card balance on this: If Congress stops here, if consumer outrage over abusive credit card practice simmers down, these hidden fees will be back soon. And they will be bigger than ever. Credit card companies don't deserve the privilege of voluntary compliance any more. They've shown reckless disregard for consumers and should face the consequences of that. Congress must pass meaningful reforms for the industry that commit this newfound fairness to law. Congress must also consider caps on interest rates and fees, strict rules on marketing to younger Americans and the deeply indebted, and mandatory transparency for penalty charge structures. Anything less will land us right back where we are today.


  • Text message snagging: child's play or cloak and dagger?

    Lost in the intriguing story of a Wal-Mart employee who allegedly spied on a New York Times reporter was this tidbit: The "technician" managed to pluck text messages out of the air and read them, according to the company. And these messages weren't just communications between Wal-Mart employees and a professional journalist covering the firm; innocent bystanders and their messages also were swept up in the spying, it said.

    Wal-Mart spokeswoman Mona Williams offered scant details of the spying activities by the fired employee on Monday, but she stated that the text messages were intercepted by the employee using a radio device, then scanned for certain keywords. She declined to elaborate on the technology used to pluck the messages out of thin air, other than to say the radio device pulled down messages within "a mile or so" of the company's headquarters.


    She also wouldn't say how many innocent people had their messages read, other than to say there were only "a handful" of other victims.

    On Tuesday, Wal-Mart spokesman David Tovar confirmed that the text-message prying occurred, but said the company couldn't reveal any additional details about the incident.

    Wal-Mart said on Monday that it believed the employee's recording of telephone conversations between the New York Times reporter and members of the company's media relations department broke no laws because it's legal in Arkansas for telephone conversations to be recorded as long as one of the parties involved is aware of the recording.

    It is illegal to surreptitiously intercept electronic communications without a warrant under the federal wiretap statutes enacted in 1968. In 1986, the Electronic Communications Privacy Act clarified wiretap laws to extend to interception of signals from modern radio-based devices, explicitly prohibiting the monitoring of cellular phone transmissions by third parties without a court order.

    The U.S. Attorney's Office for the Western District of Arkansas is investigating the incident.

    The company's description of the privacy breach raises the question of whether it is possible to intercept and read text messages flying around a certain area. The experts that MSNBC.com spoke with Tuesday agreed that it would be possible. The only point of contention was how much it would cost.

    Cellular interceptor technology that could pluck text messages from the sky is readily available on the Internet -- for those who have $500,000 or more to burn and can prove they work for a law enforcement agency.

    Companies like Global Security Solutions and Home Land Security Strategies Inc. offer such text-message-sniffing products for sale.

    Reserved for G-men and -women

    Home Land brags on its site -- CellularIntercept.com -- about the powers of the "G-Com 2066," saying it will "capture SMS (short message service) data. It is a passive system -- no signal is transmitted from the system and the cell phone network receives no electromagnetic interference." The site says that all devices sold there are "restricted and reserved for authorized agents of Government."

    (Photo: The G-Com 2066 comes in its own silver suitcase. Credit: Global-Security-Solutions.com)

    Global Security Solutions offers a similar product called the "GSS ProA - GSM Interceptor." It costs close to $1 million, says owner John Demeter. He said the U.S. Defense Department is among the company's clients.

    But he also stated that a determined hacker who wanted to grab all the text messages floating around in a certain area wouldn't have to spend that kind of coin to do so. A teenager could build a radio kit to do it from parts purchased at an electronics store, he said.

    "There are many different ways to do it," he said. "Whatever is in the air can be intercepted and listened to."

    Former White House cybersecurity adviser Howard Schmidt echoed Demeter's claim. He was even more specific, saying a few parts purchased for about $100 at a local Radio Shack would do the trick. In fact, he said, he helped build such a kit as part of a security assessment for a company only a few years ago.

    "Text messages are transmitting over radio frequencies ... unencrypted. You can intercept them and pull the pieces back together," Schmidt said. "There are schematics all over to do this."

    Cue up the James Bond track

    But Joe Farren, a spokesman for mobile phone industry group CTIA, rejected the idea that amateurs with inexpensive equipment could intercept text messages, saying that would be limited to the realm of highly specialized hackers and government spooks.

    "I'm waiting for the James Bond theme to start playing here," he said. "Minus the James Bond, NSA-type capability, that kind of thing doesn't happen. If messages are sent on a modern, digital network, they are encrypted. You need serious NSA-type capability to do that."

    Even that might not be an impossible barrier at a large company like Wal-Mart. Like most Fortune 500 firms, Wal-Mart employs former FBI and CIA agents to work in its corporate security department.


    Text messages are sent using SMS (short message service) protocols, and are available with nearly all digital cell phones. There are many ways for a spy to surreptitiously peek at them.

    In 2002, a Gartner Group report warned companies not to trust SMS, saying that clever hackers could simply befriend cell phone company employees and get them to obtain copies of text messages. The report followed the conviction of a student in the U.K. who persuaded two mobile phone company employees to release text messages sent by his ex-girlfriend.

    Some companies sell what are effectively Trojan horse programs for cell phones, which cause them to forward messages received by the phone to a third party. Implanting such programs requires physical access to the phone that's being spied on, however, said one maker of the tools who asked not to be identified.

    Cell phones and pagers also can be "cloned," meaning the clone will receive a copy of every text message sent to the original device. In the most famous case of pager cloning, alleged Israeli organized crime figure Assaf Waknine obtained a clone of the pager carried by a Los Angeles police detective who was investigating him.

    But intercepting all text messages sent within a one-mile area -- which is what Williams alleged the Wal-Mart employee did -- would require a much more sophisticated surveillance system. And it would constitute a more outrageous violation of privacy.

    "It makes you wonder how big can this problem really be," said privacy auditor Larry Ponemon, who runs The Ponemon Institute. "Does it touch every large company?"

  • How far has 'Vladuz' hacked into eBay?

    There is no disputing that a hacker who goes by the name Vladuz has at the very least become a public nuisance to eBay. But some observers think the hacks Vladuz has pulled off reveal a much deeper problem at the auction giant.

    Vladuz claims to have broken into eBay's computers, imperiling the integrity of the auction site's entire system of buying and selling. And the hacker has provided some evidence, last week posting messages to eBay's Web site while posing as employees of the site.


    Vladuz demonstrated the hack by posting notes on the customer service bulletin board using the same bold pink background used by actual eBay employees.

    Vladuz, who is believed to be Romanian, taunted the company in one of the notes. In response to a post where eBay spokesman Hani Durzy said that Vladuz didn't have access to eBay's internal systems, the hacker wrote: "Durzy … lies all the time." Later, responding to a complaint that Vladuz had been tardy with a reply, the hacker wrote "I was very busy. Being hunted by eBay doesn't leave you much free time."

    The Vladuz incident comes amid what some longtime eBay observers say is a sharp spike in account hijacking on the site. In "hijacking," a trusted seller's account is taken over and buyers are tricked into handing over money for nonexistent auction wins. EBay denies account takeovers have increased recently.

    Adding to the intrigue: The reported spike occurred shortly after eBay instituted broad new anti-counterfeit measures. The new rules, which sharply limit cross-border selling, are aimed largely at Asian- and Eastern European-based con artists who sell fake jewelry and other high-ticket items. EBay observers say the rule changes have forced those con artists to find more creative ways to sell their knock-offs on the site, such as impersonating U.S. sellers.

    'Tracking him very closely'
    EBay officials deny Vladuz has infiltrated any of its critical systems, and say fraud remains a tiny fraction of the million or so transactions the firm facilitates each day. But they acknowledge Vladuz is on their radar.

    "We are tracking him very closely," said company spokeswoman Catherine England. "We are working closely with Romanian law enforcement. ... He's a well-known fraudster there."

    EBay concedes that Vladuz's attacks are noteworthy. The company confirms, for example, that Vladuz was able to pose as a customer service agent on site bulletin boards during late February after stealing agent login codes. But England said Vladuz's hacking stopped there.

    "Vladuz did not get into our site, or into customer accounts," she said. "Our corporate e-mail system operates on an entirely different system. ... At no point did he have access to any of our corporate tools, and no user information has been exposed."

    Attempts to contact Vladuz at the many e-mail addresses the hacker has left around the Internet were unsuccessful.

    The bulletin board incident is not the first time Vladuz has taunted eBay. Earlier this year, he posted on a hacker Web site a screen shot that he said was from eBay's internal computer systems. The image appeared to show about 30 names, email accounts, and passwords for eBay employees, displayed in what looked like an employee database tool. The e-mail addresses listed on the image all ended in "eBay.com," as do regular eBay employee e-mails.

    Atop the screen shot, Vladuz scrawled his name in big letters, using the computer equivalent of a purple crayon.

    Just a stolen e-mail attachment, eBay says
    England confirmed that eBay was aware of that incident, but said it did not indicate that Vladuz had gained access to any employee database. Rather, she said, it was a screen shot stolen from an employee's customer support e-mail account. She said that the e-mail account that had been accessed was not part of eBay's internal, corporate e-mail system.

    England said she did not know how Vladuz obtained access on either occasion, but said the hacker is a skilled identity thief and long-time eBay "phisher" -- a crook who sends out fake e-mail to eBay users intending to trick them into divulging personal information. Customer service agents might have fallen for such phishing, too, and responded with information for their e-mail accounts, she theorized.

    England said she believed the recent taunting episodes were a function of Vladuz's frustration after many of his "most profitable" schemes were foiled by stepped-up security. Vladuz "took it personally" and set about to embarrass the company, she said.

    Online auction activist Rosalinda Baldwin doesn't believe Vladuz's hacking is just a prank, however. She thinks Vladuz has provided plenty of proof that the hacker -- or the organization behind the name -- has managed to penetrate deep into eBay's computer systems.

    "What level of access does this guy need to convince someone that he has a free hand?" she said.

    Baldwin, who closely tracks fraudulent activity on the site, said she's seen a sharp rise in fake auctions in recent months. Scammers seem to be able to post fraudulent listings, impersonating legitimate sellers, faster than eBay can remove them, she said.

    "Even if eBay ends them, they are re-listed within an hour or so," she said. The only logical answer, she argued, is that someone can raid eBay identities at will.

    In some cases, hijacked accounts observed by MSNBC.com appeared to follow a sequential order, as if plucked from an ordered database.

    England disputed Baldwin's assertion that a hacker or hackers gained access to the company's computers, saying that phishing schemes remain very successful and provide criminals with a ready supply of eBay logins. She also said automated phishing tools have become so sophisticated that they appear to be capable of stealing accounts in sequential order.

    'Something changed'
    Baldwin and others who follow eBay fraud closely find that explanation hard to believe. Genie Livingstone, who runs Internet host Dotyou.Com, said there has been a recent spike in fraud on eBay so large that something else must be going on.

    "The scammers seem to have an unlimited supply of eBay user IDs and passwords ... but in February the numbers of hijacked sellers increased exponentially," she said. "Something changed. There seems to be an unusual availability of stolen eBay user IDs and passwords."

    Baldwin and others say the crackdown on the sale of counterfeit goods provides the most likely explanation for the surge.

    Counterfeiting -- of coins, purses, jewelry, stamps and many other items -- has long been a problem on the site. Two years ago, Tiffany & Co. sued eBay over the prevalence of counterfeit Tiffany items for sale on eBay.


    Recently, eBay took a serious swipe at the trade in fake goods -- at least trade from overseas to U.S. sellers. In late December, England said, the Web site began limiting cross-border auctions on certain items where incidence of counterfeiting is high. The firm has not published a list of these items, so as to not tip off the con artists, she said, but sellers in China or Romania can no longer trade certain items with buyers in the U.S.

    England denied there is any connection between the anti-counterfeiting steps and Vladuz's incursion or account takeovers, and said that eBay fraud fighters have spotted no increase in the latter.

    But Baldwin insisted the connection is obvious. Beginning in late December, for example, she began chronicling thousands of daily fake auctions involving counterfeit clothing under the popular brand name BAPE. She has shown MSNBC hundreds of DVD movie auctions that were obvious fakes.

    "Can anyone believe that counterfeiters using phished accounts could list this many items, using all new accounts each time, three or four times a day? Day after day?" she said. "There are thousands of them ... EBay is completely at the mercy of the scammers."