• Tech: What will go wrong in 2009

    At 12:30 a.m. on Dec. 2, hackers pulled off what might have been the perfect computer crime. You can expect a host of imitators during 2009.

    Beginning early that morning and continuing for nine hours, customers who visited MyCheckFree.com to pay bills made an unexpected visit to computer servers in the Ukraine. The customers did nothing wrong; many followed a bookmark or even typed in the Web address manually, as security experts advise. And Checkfree didn't do anything wrong either. The company's computers weren't hacked.

    Instead, criminals hijacked all traffic headed for the bill-paying service by tricking the Internet's domain name server system, which links common Web site names like msnbc.com to their numeric equivalents.

    Checkfree had to send out notices to 5 million customers indicating they might have been victims of identity theft, though the number of visitors actually affected by the scam was probably closer to 160,000, according to the Wisconsin Office of Privacy Protection.
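    A defender-side check for the kind of redirection described above, added here as an example and not part of the original report: it compares the addresses that several resolvers return for a site against the prefixes the operator actually uses, and reports both out-of-range answers and resolvers that disagree with one another. The domain name, prefixes and resolver answers are constructed for the example.

```python
"""Detect DNS redirection of the kind described in the article.

Added example, not from the original report. Compares the A records that
several resolvers return for a site against the address prefixes the
operator is known to use, and reports (a) answers outside those prefixes
and (b) resolvers that disagree with each other, the classic symptom of a
poisoned cache as opposed to a legitimate, site-wide address change.
All names, prefixes and resolver answers below are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical allowlist: prefixes the site operator is known to announce.
EXPECTED_PREFIXES = {
    "billpay.example": ("203.0.113.0/24", "198.51.100.0/25"),
}


@dataclass(frozen=True)
class Observation:
    """A records one resolver returned for one name at one point in time."""
    resolver: str
    name: str
    answers: tuple  # dotted-quad strings


def out_of_range_answers(obs, expected=EXPECTED_PREFIXES):
    """Return the answers in `obs` that fall outside the expected prefixes."""
    nets = [ipaddress.ip_network(p) for p in expected.get(obs.name, ())]
    return [a for a in obs.answers
            if not any(ipaddress.ip_address(a) in n for n in nets)]


def resolver_disagreement(observations):
    """Group resolvers by the answer set they returned for each name.

    Returns {name: {frozenset(answers): [resolvers...]}}. More than one
    key for a name means the resolvers do not agree on where the site is.
    """
    groups = defaultdict(lambda: defaultdict(list))
    for obs in observations:
        groups[obs.name][frozenset(obs.answers)].append(obs.resolver)
    return {name: dict(g) for name, g in groups.items()}


def hijack_alerts(observations, expected=EXPECTED_PREFIXES):
    """Produce one alert string per suspicious finding.

    Out-of-range answers are always reported. A minority answer set is
    reported even when it is in range, because a poisoned cache may point
    at an address the operator legitimately owns somewhere else.
    """
    alerts = []
    for obs in observations:
        for a in out_of_range_answers(obs, expected):
            alerts.append(f"{obs.resolver}: {obs.name} -> {a} "
                          "is outside expected prefixes")
    for name, groups in resolver_disagreement(observations).items():
        if len(groups) < 2:
            continue
        majority = max(groups, key=lambda k: len(groups[k]))
        for answers, resolvers in groups.items():
            if answers == majority:
                continue
            alerts.append(f"{','.join(resolvers)}: {name} -> {sorted(answers)} "
                          f"disagrees with {len(groups[majority])} other resolver(s)")
    return alerts


# Constructed sample: three resolvers agree on the operator's address; the
# fourth has been fed an answer pointing at an unrelated network.
SAMPLE = [
    Observation("resolver-a", "billpay.example", ("203.0.113.10",)),
    Observation("resolver-b", "billpay.example", ("203.0.113.10",)),
    Observation("resolver-c", "billpay.example", ("203.0.113.10",)),
    Observation("isp-resolver", "billpay.example", ("192.0.2.77",)),
]

if __name__ == "__main__":
    for line in hijack_alerts(SAMPLE):
        print("ALERT", line)
```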

    If you're wondering what computer headaches you should expect in 2009, the Checkfree attack should be high on your list, says Amit Klein, a domain name system expert at The Trusteer Security Research Group. He compared the attack to a phishing attack on steroids, and said it will probably keep security professionals up late at night. None of their fancy security tools can ward off complete interception of traffic headed to a Web site.

    "(This attack) can bypass sophisticated network, authentication and end point security mechanisms," Klein said. "It is likely to become more common (next year)."

    Once again, 2008 failed to bring a virus that brought the computer world to its knees. In fact, it's hard to imagine a worldwide attack on software that would have the impact of the notorious Melissa or LoveBug viruses, which stopped so many PCs that they created the equivalent of a snow day for office workers.

    Targeted attacks and cell phones
    The Checkfree attack serves as a reminder that computer criminals favor small, targeted, profitable attacks over loud, obnoxious ones. You don't hear much anymore about "bot networks," those armies of hijacked home computers that made headlines two years ago. But experts still believe millions of home PCs are enslaved by criminal software. As evidence, they point to the continued nuisance of spam, which represents about 81 percent of all e-mail and mostly originates on hijacked PCs, according to spam-fighting firm MessageLabs.

    Even the latest hacker fad -- attacks on social networking sites like Facebook -- is designed to quietly gather personal information rather than noisily destroy Web sites.

    Don't get me wrong: I'm not saying we'll never have another computer virus epidemic. The next big nemesis, many security experts say, will not be a virus that slays personal computers, but one that wreaks havoc with your cell phone.

    For years, technology writers have penned stories predicting that the coming year will be the one in which an ominous mobile worm destroys handsets, calls all your friends and hacks into e-wallets to purchase thousands of cans of Coke from e-pay enabled vending machines in Japan.

    All these things will happen. Smartphones will one day meet their match in the virus writing community. But I'm going to side with security researcher Vincent Weafer of Symantec, who proved to have a clear crystal ball a year ago when predicting the rise of Facebook-style attacks, and say that a mobile virus epidemic this year is unlikely.

    Weafer thinks a killer smartphone virus is still a ways off, particularly because smartphones still account for just 11 percent of the cellular phone market, according to research firm Gartner. He reasons that virus writers won't focus their attention on cell phones until they believe they can knock a significant portion of them offline with a single worm.

    More to the point, Weafer said, mobile phone attacks won't really take off until mobile banking takes off. Criminals go where the money is. And in countries like Brazil and China, where many viruses now originate, mobile banking is still several years off.

    Other mobile phone features are ripe for attack, however. Weafer warned that authentication tools like password reminders are vulnerable. Many firms now send password resets or PIN codes through text messaging to telephones. It's generally considered safe for a Web site to send a password reminder to a cell phone number stored when customers sign up, a technique that's called "out of band" authentication. But criminals have caught on to that vulnerability and are hard at work looking to intercept such messages.

    COMING NEXT YEAR
    In addition to flying PINs, what should you watch out for next year to stay cybersafe? The Checkfree incident points to a larger problem:

    There are new reasons not to trust the Web sites you visit. Getting a virus by clicking on an infected attachment is now passé; if your computer gets sick next year, it will probably be because you visited a booby-trapped Web site.

    The Checkfree attack is just one way that criminals can take advantage of well-known brand names to attack your computer. Thanks to the proliferation of Web 2.0 services, which increasingly rely on third-party content that is "sucked" into traditional sites, there are new ways for criminals to place corrupt code on otherwise trustworthy pages. Attackers have spent the better part of this year finding vulnerabilities in Web software so viruses can be injected onto Web servers, so that you'll download them even if you only visit sites you trust.

    Right before Christmas, Microsoft had to rush out a patch for a vulnerability in Internet Explorer that allowed just such an attack. The firm said that 1 in 500 Net users were exposed to the flaw during its first week of exploitation.

    Mary Landesman, a virus expert at the ScanSafe security firm, said Web-delivered malicious software exploded at the end of 2008 -- in fact, more viruses were delivered this way in October than in the entire year of 2007. As in the heyday of e-mail worms, she thinks Web-delivered viruses may get "out of control" during 2009 before companies rein them in. Unfortunately, in some cases the cure may be worse than the disease.

    Most Web sites rely on third-party firms to place ads on their sites, and Landesman expects frustrated software designers will begin blocking all third-party connections or scripting to stop viruses.

    To stay safe, Internet users must know that Web sites -- even trusted ones -- have the potential to infect their computers under certain circumstances. That means it is more important than ever to run up-to-date security software and to download the necessary patches. It's also important to know which sites the kids are visiting, as Web site attacks are more common on less popular sites like music download haunts and second-tier game sites. Users might consider turning off scripting capabilities in their Web browsers, but that means many popular Web sites won't work properly.

    Criminals are becoming much more precise with identity theft-related scams. By now, it seems absurd that anyone would fall for a traditional Nigerian scam promising riches from a recently-deposed royal family. But Weafer, the Symantec expert, said con artists are compiling databases of information that allow them to personalize attacks in believable ways. New Nigerian scams come bearing the recipient's first name, perhaps their hometown and, in some cases, allude to other personal information such as family members.

    Where does this information come from? It's easily gleaned from social networking sites like Facebook.

    "What we're talking about is much more like data mining," Weafer said. In the underground data trade, criminals now pay much more for data sets that include geographic location or employment information, Weafer said.

    Criminals are using social networking sites to trick "Forgot your password?" features on many Web sites. By gleaning information such as victims' pet names, school affiliations and middle names, criminals can sometimes pass the "question" challenges provided by sites to authorize password retrievals. Then, they get their hands on login information for private e-mail, corporate networks and even online banking.

    Cybercriminals will continue to hit people where they are most vulnerable, targeting the recently unemployed. Security firm McAfee warned in November that work-at-home scams have skyrocketed. Scams that offer to help victims file for unemployment benefits -- tricking them into paying for something that should be free -- also have risen.

    Finally, expect more lost and stolen data next year. The year 2008 brought remarkable data breaches and thefts, including 4 million credit cards exposed to hackers by grocery chain Hannaford Brothers, announced in March; 12 million customer identities lost on a backup tape by Bank of New York Mellon in March; 3.4 million motor vehicle records transmitted online by the Colorado motor vehicle department; millions of birthdays inadvertently exposed by Facebook; and 2 million identities stolen by a former Countrywide Financial employee. There's no reason to believe that depressing trend won't continue.

  • Feds: Banks must stop misbehaving ... in 2010

    Calling many credit card company tactics "unfair," "unreasonable," and "deceptive," federal regulators on Thursday unveiled sweeping new rules aimed at protecting consumers. They then invited card issuers to continue those unfair tactics for the next 18 months.

    A 300-page report by the Office of Thrift Supervision described bank misbehavior in great detail, at times using stinging language. It then laid out updated federal regulations that will bar many such practices.

    The new rules, for example, limit card issuers' ability to raise interest rates in the first year after they issue a card. They also severely curtail banks' ability to retroactively raise interest rates on consumers' existing balances, including penalties levied when a payment arrives a few days late.

    And card issuers won't be able to toy with "grace periods," as they have in the past. Instead, banks must give consumers at least 21 days to pay their bills, and they are prohibited from double-cycle billing, which retroactively applies interest charges to purchases made after a consumer fails to pay their bill on time.

    The Office of Thrift Supervision report uses the term "deceptive" more than 100 times in describing the banks' practices and "unfair" more than 200 times.

    But the three agencies cooperating on the rules -- the Office of Thrift Supervision, the Federal Reserve, and the National Credit Union Administration -- also gave the banks a generous grace period. The new rules will not take effect until July 1, 2010.

    Linda Sherry, director of national priorities for advocacy group Consumer Action, hailed the rules as "great" for consumers, but sharply criticized the delay in their implementation.

    "The fact that they are waiting 18 months in this economy is a disaster," she said. "That will give the credit card companies time to reprice their consumers and do all kinds of tricks. (Regulators) should have made it much shorter."

    No ruling on overdrafts, over-the-limit fees
    The regulators also decided not to make rules inhibiting banks' ability to hit card users with over-the-limit fees -- an issue of recent concern as many issuers lower consumers' credit limits. And the agencies removed provisions in their initial proposal in May, which would have restricted banks' ability to levy overdraft fees, another thorn in the side of consumers. Both issues can be reconsidered at a later time.

    Despite such omissions, many of the most unpopular credit card tactics will be outlawed by the new rules. For example:
    • Banks will have to send bills at least 21 days before payments are due, and midday payment-due cutoff times will no longer be allowed. When due dates fall on weekends, consumers also will be granted extra days to pay.
    • When multiple interest rates apply to different types of balances on the same card, banks will be prohibited from applying payments in a way that maximizes interest charges. This is a common problem for those who utilize balance transfers. Transferred balances usually incur interest at very low teaser rates, but new charges are hit with a much higher rate. Traditionally, banks apply payments to the low-rate transferred balance first, maximizing their return and effectively making a consumer swap out low-priced credit for high-priced credit. The thrift supervisors said banks make an extra $930 million each year by applying payments this way. When the new rules go into effect, payments must be applied evenly across all types of balances, or in a way that's more advantageous to consumers.
    • Many banks now go back to the previous billing cycle when computing interest rates, a practice called double-cycle billing. For example, a consumer who fails to pay a bill due Jan. 5 will see interest charges levied on items purchased during December, even if that was a grace period. Once the new rules are in place, interest charges on average daily balances must be computed using only a single month's transactions.
    • There are also many provisions for making credit card statements and terms easier to understand.

    But the main gain for consumers is a prohibition on many kinds of retroactive interest charges that are routinely charged by credit card companies. Currently, consumers who have their interest rates hiked have their entire outstanding balance subjected to the new rate. For instance, a consumer who borrowed $2,000 for auto repairs 12 months ago, and is paying that back at 9 percent, could see the interest rate on that balance rise to 29 percent "at any time for any reason," according to most card issuers' terms of service. Regulators said banks make $11 billion each year through such retroactive interest charges.

    Under the new rules, interest rate increases will only apply to purchases made after the rate hike takes effect for most consumers.

    "So people who just kind of miss a payment by a few days will no longer get caught in this," Sherry said.

    Consumers who are 30 days late, however, are not exempt from retroactive charges, making the penalty for letting accounts become delinquent quite severe.

    The provision might lead to confusion, however. Already, many consumers have three different interest rates on a single credit card -- one for purchases, one for cash advances and one for balance transfers. This provision would add a fourth rate, by creating a rate for "new" purchases and a rate for "old" balances.

    While consumers cheered regulators through the process -- a record 65,000 comments were filed, most of them positive -- banks resisted the changes, saying the limitations would increase interest rates on good consumers and reduce the availability of credit. Edward L. Yingling, CEO of the American Bankers Association, warned that Congress should expect unintended consequences as the new rules take effect.

    "While the new rules are designed to increase protections for consumers, the Fed itself has recognized that they may result in increased costs for most card users and reduced credit availability, particularly for consumers with lower credit scores or limited credit history," he said. "With the uncertainty facing our financial system, it's absolutely vital for policymakers to understand the full impact of these regulations on consumers and the economy before judging their success or further restricting the marketplace."

    'Monetary harm constitutes injury'
    In its report, the Office of Thrift Supervision rejected many of the arguments put forth by the credit card issuers to try and fend off the new rules, including the suggestion that cardholders can avoid all interest and fees by simply paying their bills on time. Credit cards are designed as borrowing instruments, the agency reasoned, and consumers shouldn't be expected to avoid mistreatment only "by paying their balances in full each month."

    It also rebutted one bank argument that provides some insight into credit card issuer strategies: that the agency does not have jurisdiction because no harm could be proven against consumers "merely because other, less costly allocation methods exist."

    The Office of Thrift Supervision replied that "it is well established ... that monetary harm constitutes an injury."

    Rep. Carolyn Maloney, D-N.Y., who has led the charge in Congress to enact similar protections through federal legislation, applauded the new rules. But she said there was still a need for her law, called the "Credit Card Users Bill of Rights." The bill passed the House of Representatives earlier this year, but a companion bill stalled in the Senate.

    "As one who's been working for years to bring consumers the protections they need, I'm delighted to see the regulators take substantive action," she said. "Finally, these practices have been declared what they are: 'unfair' and 'deceptive.' But while these new rules are a strong first step, I'll be working with (Congress) to fill any gaps in protections for cardholders. These new rules aren't scheduled to take effect until 2010; Congress should act sooner to protect American consumers."

  • Why does Yahoo host 'get high' recipes?

    The questions are unsettling.

    "What are some household items that you can get high off of?" "What household seasonings can you smoke to get high?" "How to make a household bomb?"

    But many parents of young teens will find the answers downright disturbing.

    "YES...If you take the right size dose, about 2 tablespoons," reads one. "It starts very slow, but after a while you feel warm, kinda jittery/wired, also kinda disoriented and a mild high. I like it. But, the effects last for about 24 hours, and you will probably continue to feel a little "funny" for another couple days. If you have a weekend alone, it's worth trying. The price is right, so why not?"

    The appearance of dangerous information on the Web is hardly new, and teens have always swapped tips about getting high. But the appearance of such unsavory recipes on sites like Yahoo Answers raises fresh questions about what's appropriate on a mainstream Web site.

    Question and answer sites have quietly become a successful category on the Web. Since their inception about two years ago, traffic has grown steadily: Yahoo's Answers site attracts more than 34 million U.S. visitors each month, according to ComScore/Media Metrix. WikiAnswers, the nearest competitor, gets about half that.

    The sites have a simple formula: a curious user poses a simple, short question, like "How can I buy a GPS with free traffic reports," and the community of users attempts to answer it.

    Not all the questions are so innocent, however. On Yahoo! Answers there are dozens of questions from kids looking for recipes to get high. Answers are easy to come by.

    For example, there are detailed instructions on various forms of "huffing," a way of concentrating the power of typical inhalants that can be found in household products.

    Inhalant use is a serious problem among younger teenagers. According to the Substance Abuse and Mental Health Services Administration, the federal agency that monitors drug use, about 1 in 20 13-year-old kids has tried inhalants in the past year -- by far the most common illicit drug used by that age group. Inhalant use, which is highly dangerous and can kill with a single use, tends to taper off as kids hit 16. By then, they have easier access to other drugs, according to Dr. H. Westley Clark, director of the federal Center for Substance Abuse Treatment.

    Yahoo officials refused repeated requests for an interview in connection with this story and provided only an e-mail statement.

    "Yahoo! Answers strives to make the community a safe and enriching place by encouraging our members to conduct themselves with a high degree of integrity, decency and respect," it said. "Yahoo! Answers also deploys a customer care team to address, identify and remove inappropriate content, and on a daily basis, thousands of entries are flagged and nearly half of them are fully deleted after careful review."

    A review of Yahoo's site reveals that some questions are indeed off-limits. Many requests for information on illegal activity -- "How do I steal credit card numbers?" for example -- unearth only warnings from other users that such behavior is illegal.

    In some cases, questions about illicit drug use have been removed from the site. Yahoo also deletes user accounts that engage in some drug-related dialog. One month ago, in an answer to the question "What household items can get you high," a user with the screen name Rum Stem replied, "I know lots of ways but last time I answered this question my account was deleted."

    Still, there are hundreds of drug recipes available on Yahoo! Answers. And many have been on the site for more than one year.

    At WikiAnswers, owned by New York-based Answers Corp., questionable content is handled differently.

    There, a set of 500 volunteers create a list of "Catch All" questions which aren't allowed on the site. When a user asks such a question, a generic reply developed by the company is shown. The question "How do I build a bomb?" elicits the response: "WikiAnswers does not provide information that will aid or support criminal activity."

    The question "How do I get high from household items" redirects the asker to the question "What household items can kill you?"

    The site also publishes its list of forbidden questions.

    Bruce Smith, chief strategy officer at Answers.com, says the firm is constantly adding to the list.

    "There is no hard and fast rule. We have a lot of debates," he said. Certain questions, however, are unambiguous, he said.

    In addition to the volunteer supervisors, individual users can also flag material as inappropriate, an option that also is available to Yahoo users.

    "Nothing is perfect. But the bigger the community, the more effective the monitoring," Smith said.

    Clark, who studies child drug abuse for the government, was hesitant to criticize Yahoo's more liberal policy regarding publication of drug recipes. He said that the information is widely accessible online, so suppressing it does little good. Clark also pointed out that many of the replies on Yahoo Answers warned questioners not to try drugs.

    "The discussion isn't as pro drug as it might appear," Clark said, noting that some former users testify to the terrible side effects, for example. "Much of the debate is well-placed."

    The site also serves family members who are looking for information on indicators of drug abuse among children, he said, pointing to a number of questions posed by writers identifying themselves as concerned parents.

    Some "concerned parents," however, appear to be curious teens faking their identities in a quest for elusive information.

    Still, Clark says the information cat-and-mouse game is unavoidable. Every drug education program finds itself in a similar dilemma -- at risk of providing too much information to kids who might otherwise not know about illicit drugs. But he said he generally believes agencies and educators should "err on the side of allowing the message to be clarified," rather than stifling dialogue.

  • eBay users: holiday giveaway hacked

    eBay.com users are complaining that a holiday contest offered by the auction Web site has been overrun by Scrooge-like computer hackers, and that eBay's poor design for the contest is to blame.

    As part of its "Holiday Doorbusters" promotion, eBay is giving away about 1,000 items -- everything from jet skis to iPods to a Corvette -- for $1. The first buyer to find and bid $1 on the specially-marked items wins. But users say the contest has been overrun by "cheaters" who are implementing automated scripts to game the contest, winning hundreds of auctions before the items are even available to the public.

    As evidence, the disgruntled point to a number of closed auctions where the visitor counter shows "0000," meaning no Web users visited the item's page before it was won. On Saturday, for example, a "Green Life" brand electric scooter worth $1,000 was won by a bidder before anyone visited the page, according to the counter on it. The next day, a vintage Oscar de la Renta evening gown was also won with the counter reading zero.

    Forums devoted to eBay users are ablaze in complaints about the contest from disappointed would-be bidders who haven't won.

    "This should have been advertised as a programming contest because those are the only people who can win," complained contestant Rich Coloyan in a note to msnbc.com. "eBay can stop this if they want to by requiring a verification screen or something, they just don't care."

    The contest rules on eBay's Web site seem to suggest automation is prohibited. They say:

    "Sponsor reserves the right, in its sole discretion, to cancel or suspend part or all of this Promotion at any time without notice, if in the Sponsor's opinion there is any suspected or actual evidence of electronic or non-electronic tampering with any portion of the Promotion, or if virus, bugs, non-authorized human intervention or other causes corrupt or impair the administration, security, fairness or integrity of the Promotion."

    During a series of brief interviews, however, eBay representatives were unable to provide a clear explanation of what kind of automation is allowed and what is prohibited.

    In one interview, a spokesman said the use of automated tools to find Doorbusters items as they come up for sale is not prohibited. He said the rules quoted above were designed to prohibit the creation of multiple fake eBay user accounts that could be used to gain an advantage in the contest.

    But later, the spokesman -- who asked not to be named -- said the rules might prohibit automation of Doorbuster prize purchases.

    When asked for clarification, eBay could not provide it, and instead offered only an e-mail statement from spokesman Usher Lieberman.

    "We can not discuss the specifics of how we are monitoring this promotion as it speaks to how we prevent fraud across the site. Rest assured that we are doing everything in our power to ensure that all eBay users have an equal opportunity to search for and win these hot holiday items," he said.

    'eBay will not do anything'
    Many eBay users don't think the firm is doing nearly enough to make the contest fair.

    "Since the beginning of this promotion I have been trying to win something, but it seems to be impossible with all the so-called fake accounts out there that have scripts and bots doing automatic bidding for them," said Melissa Henlsey. "This is terrible and it seems as if eBay will not do anything to prevent this from happening."

    Programmers have long used automated scripts as part of both bidding and listing items on eBay. But the widespread script application in the Doorbusters contest has frustrated many contestants who now feel they have no chance to win.

    "Unfortunately, scripters have taken over and almost 100 percent of the prize auctions are 'won' with 0000 on the counter, meaning that the auction page was never even seen by mortals and the scripter stole the auction by jumping straight to a 'buy' with a hacking program," said eBay user Victor Ireland. "eBay has done nothing to mitigate the fraud even though it's within their means to do so."

    eBay did not provide an explanation for how a contestant could win an auction without registering even a single hit on the item's auction page. Ireland suggested that programmers may have found a way to access listings before they are posted to the eBay site, but an eBay spokesman said that was impossible.

    All items are listed on the site by an outside firm, New York-based Strobe Promotions, which is helping eBay administer the contest. Soon after it began on Sept. 24, programmers figured out they could gain an advantage over manual bidders and began using automated tools to search for and win the special $1 auctions. In fact, one eBay user actually posted a solicitation on the RentACoder.com Web site asking to hire a professional free-lance programmer to create such an automated tool.

    Bids placed by scripting tools are now so widespread that some eBay auction sellers pulled pranks in recent days and began inserting the word "Holiday Doorbusters" into their descriptions so automated tools would be tricked into purchasing them. In one case, a member sold several $1 pictures of his pet with this warning:

    "This is a picture I took of my cat with my Canon PowerShot camera after she overheard that people were using scripting to purchase HOLIDAY DOORBUSTERS items on eBay. Not responsible for poor scripting techniques."

    Rosalinda Baldwin, who runs eBay watchdog group The Auction Guild, said she didn't believe that programmers who were winning auctions had done anything illegal.

    "eBay made it so a decent programmer could monopolize the searches, that does not make such a programmer a scammer, just someone with the skills to take legal advantage of eBay's system," she said. "eBay is responsible for the way they set this promotion up, and it is up to them to decide if it is equitable or not, and change the code and rules accordingly."