• ‘Forgot your password?’ may be weakest link

    Almost everyone forgets a Web site password once in a while. When you do, you click on the familiar "Forgot your password?" link and, after entering your pet's name, identifying your high school mascot or answering some other seemingly obscure questions, you can get back into your account.

    But there's a problem: A criminal can do that, too. With the help of social networking sites like Facebook and MySpace, personal trivia is getting less obscure all the time. You'd be surprised how easily someone can uncover Fido's name or your alma mater with a little creative searching.

    Some security researchers are beginning to sound the alarm about "password resetting" tools, suggesting they could be the weakest link in Web security.


    As an experiment, Herbert Thompson, chief security strategist of People Security, recently asked a few friends for permission to "hack" into their bank accounts. Using only information gathered from Web sites, Thompson found his way in within minutes.

    "This is a serious problem. It kind of blew me away," Thompson said.

    Here's what Thompson did. Using only one friend's name and place of employment, he found her blog and résumé. That provided a font of information on her grandparents, pets, hometown and more. He then visited her bank's Web site, where her user name was simply her first initial and last name. He asked for a password reset. The bank sent an e-mail with that information to her Web mail account. Thompson then asked for a password reset there, which sent a link to her old college e-mail account. There, Thompson needed only to supply the woman's address, zip code, and birth date. Once successfully in the college account, Thompson hacked his way into the Web mail account -- supplying her birthplace and father's middle name -- and ultimately entered her bank account by supplying her pet's name.
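    The chain above is a dependency graph: each account's recovery path leans on another account or on facts that turn out to be public. The following is an added example (not code from the column or from People Security) that models such a chain and computes which accounts an outsider can reach from harvested facts, which single facts the chain hinges on, and what happens when the first hop requires something that is not public knowledge. All account names, question types and "public facts" are constructed to mirror the story.

```python
"""Recovery-chain model (added example). Each account lists alternative
recovery paths; a path is a conjunction of requirements:
  ("account", name) - control of another account where the reset link lands
  ("fact", name)    - a knowledge-based answer
All names and facts below are constructed for illustration."""

RECOVERY_RULES = {
    # bank reset: link e-mailed to webmail, then the pet's name as a challenge
    "bank": [[("account", "webmail"), ("fact", "pet_name")]],
    # webmail reset: link to the old college account plus two personal facts
    "webmail": [[("account", "college_mail"),
                 ("fact", "birthplace"), ("fact", "father_middle_name")]],
    # college account reset: address, zip code and birth date only
    "college_mail": [[("fact", "address"), ("fact", "zip_code"), ("fact", "birth_date")]],
}

# Facts an outsider could plausibly harvest from a blog and resume (constructed).
PUBLIC_FACTS = {"address", "zip_code", "birth_date", "birthplace",
                "father_middle_name", "pet_name"}


def path_satisfied(path, known_facts, owned):
    """A path is usable only if every requirement on it is met; a requirement
    of any other kind (e.g. a hypothetical 'token') is never met here."""
    return all((kind == "fact" and name in known_facts) or
               (kind == "account" and name in owned)
               for kind, name in path)


def reachable_accounts(rules, known_facts, controlled=frozenset()):
    """Accounts recoverable from the given facts and already-controlled accounts.
    Iterates to a fixed point, since recovering one account can unlock the next."""
    owned = set(controlled)
    changed = True
    while changed:
        changed = False
        for account, paths in rules.items():
            if account not in owned and any(path_satisfied(p, known_facts, owned) for p in paths):
                owned.add(account)
                changed = True
    return owned


def critical_facts(rules, known_facts, target="bank"):
    """Facts whose removal from public view, on its own, breaks the chain to `target`."""
    return sorted(f for f in known_facts
                  if target not in reachable_accounts(rules, known_facts - {f}))


def require_out_of_band(rules, account, requirement=("token", "registered_phone")):
    """Copy of the rules where every recovery path for `account` additionally
    needs a non-public factor (the 'token' kind is hypothetical)."""
    hardened = {a: [list(p) for p in paths] for a, paths in rules.items()}
    for path in hardened[account]:
        path.append(requirement)
    return hardened


if __name__ == "__main__":
    print("reachable from public facts:", reachable_accounts(RECOVERY_RULES, PUBLIC_FACTS))
    print("single facts the chain hinges on:", critical_facts(RECOVERY_RULES, PUBLIC_FACTS))
    hardened = require_out_of_band(RECOVERY_RULES, "college_mail")
    print("after hardening the first hop:", reachable_accounts(hardened, PUBLIC_FACTS))
```

    In this model every one of the six facts is critical, because each hop is a conjunction with a single path; the same audit run on real recovery settings shows which account (here the forgotten college mailbox) is the cheapest place to add a factor that cannot be scraped.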

    "I did this a couple of times. But the scariest thing would be someone doing this with some scale," Thompson said. A more detailed description of his romp through someone else's identity can be read on the Scientific American Web site.

    There are no known cases in which hackers have widely exploited "forgot your password" links, but there are indications that both researchers and criminals are training their eyes in this direction. Markus Jakobsson, principal scientist at the famed Palo Alto Research Center in California, said answers to password reset questions have become so valuable that a black market has developed for personal information like dog's names. Criminals buy buckets of personal information, obviously with an eye towards foiling security systems, for about $15 per set, he said.

    In most cases, such information sets are probably the result of successful phishing attempts, Jakobsson said, where a victim unwittingly supplied personal information in response to an e-mail. But he's seen demonstrations of far more sophisticated tools designed to "scrape" information off blogs and social networking pages for later use by hackers.

    "It's an automatic dossier building tool," he said.

    Like Paris Hilton
    Questions about hacking through password resets have been raised before. When Paris Hilton's cell phone was famously hacked in 2005, some tech sites reported that criminals simply used her dog's name, easily found online, to break in. That theory was later discredited, but it likely sent criminals scurrying to find famous people's dog's names.

    It also prompted researchers to study the issue, which is also known as "fallback authentication." Ariel Rabkin, a researcher at the University of California at Berkeley, is probably the first to attempt to quantify the problem. He recently published a research paper (PDF) titled in part, "Security Questions in the Era of Facebook." It examined password reset questions at 20 banks. Of the 215 questions used by the banks, he classified only 75 as secure and usable. The others were either easy for hackers to guess or obtain, or simply too hard for consumers to remember.

    "Security questions are getting weaker over time," he said. Mother's maiden name, for example, continues to be asked even though it's often now available from various online sources. "We can't seem to get rid of that question. … If we do nothing this will get steadily worse."

    In some situations, statistics give the criminal an advantage. For example, data published by some U.S. cities indicated about 1 percent of the nation's dogs are named "Max," making that a pretty good guess for a criminal trying to break into thousands of bank accounts. When a bank asks consumers who their favorite president was, it rarely takes more than two guesses, Rabkin said.

    Even if the questions are more personal, and even if the subject doesn't have their own blog, others might blog about their dog, car or high school. And search engines can easily unearth such minutiae.

    "There is an arms race here between people who are trying to ask obscure questions about (us) and people who are trying to answer obscure questions about (us)," Rabkin said.

    Not a bad idea
    Thompson, the People Security expert, said that asking "challenge" questions with so-called "out of wallet" answers – questions that even a criminal who stole your wallet couldn't answer – once was a secure way to confirm someone's identity.

    "If you think about it, 10 years ago this didn't seem like a horrible idea, to ask for someone's personal information," he said. "You could say, 'It's probably unlikely that someone will know all of this information about me, or spent the time necessary to gather it.' But now it's really easy for someone who's never met you to know all this about you."

    Coming up with secure challenge questions is no easy task. There are two problems to consider: The question must be difficult for a stranger to answer but it also must be easy enough so the customer doesn't forget. Quick: What's your kindergarten teacher's name? Was it McFadden or MacFadden or Mcfadden?

    "In some cases, it's easier for an attacker with good data mining skills than the real person to answer these questions," Jakobsson said. He is hard at work developing a new solution, one which relies on the answers to "preference" questions rather than fact-based personal questions. A consumer who requests a password reset might be confronted with questions like, "Do you like antique stores?" or "Do you like opera?"

    Asking 16 questions like these would provide positive identification in better than 99 percent of cases, he said. "And preferences are rarely stored in databases." (More on this idea can be found at I-Forgot-My-Password.com.)
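    Two claims above rest on simple probability: the "Max" statistic (a skewed answer distribution lets a criminal guess well across many accounts) and the 16-question preference quiz (many independent yes/no answers separate the owner from a stranger). This added example, not code from the column, Rabkin or Jakobsson, works both out. Only the 1 percent "Max" figure comes from the column; the rest of the pet-name table, the owner recall rate and the stranger guess rate are constructed assumptions.

```python
"""Security-question arithmetic (added example, constructed numbers)."""

import math

# Constructed frequency table for "What is your pet's name?". Only the "max"
# entry reflects the figure quoted in the column; the rest is made up.
PET_NAME_FREQ = {"max": 0.010, "buddy": 0.008, "bella": 0.007,
                 "lucy": 0.006, "charlie": 0.006}


def guessing_success(freq, guesses_allowed):
    """Probability that trying the `guesses_allowed` most common answers (up to a
    lockout limit) hits the right one for a randomly chosen account."""
    return sum(sorted(freq.values(), reverse=True)[:guesses_allowed])


def expected_breaches(freq, guesses_allowed, accounts):
    """Expected accounts opened by spraying the top guesses over `accounts` users."""
    return guessing_success(freq, guesses_allowed) * accounts


def min_entropy_bits(freq):
    """Min-entropy: the security a question offers against the single best guess."""
    return -math.log2(max(freq.values()))


def pass_probability(n_questions, per_question_accuracy, required_correct):
    """P(at least `required_correct` of n independent questions answered right)
    when each is answered correctly with probability `per_question_accuracy`."""
    p = per_question_accuracy
    return sum(math.comb(n_questions, k) * p ** k * (1 - p) ** (n_questions - k)
               for k in range(required_correct, n_questions + 1))


def preference_quiz_outcome(n_questions=16, threshold=14,
                            owner_recall=0.95, stranger_guess=0.60):
    """Owner acceptance vs. stranger acceptance for a yes/no preference quiz.
    The recall and guess rates are assumptions chosen for illustration."""
    return {"owner_pass": pass_probability(n_questions, owner_recall, threshold),
            "stranger_pass": pass_probability(n_questions, stranger_guess, threshold)}


if __name__ == "__main__":
    print("top-2 guess success per account: %.3f" % guessing_success(PET_NAME_FREQ, 2))
    print("expected breaches over 100,000 accounts: %.0f"
          % expected_breaches(PET_NAME_FREQ, 2, 100_000))
    print("min-entropy of pet name: %.2f bits" % min_entropy_bits(PET_NAME_FREQ))
    print(preference_quiz_outcome())
```

    The point of the first half is that a 1.8 percent per-account hit rate is useless against one victim but yields roughly 1,800 accounts when sprayed across 100,000, which is why lockout limits and per-account guess counting matter more than the question's apparent obscurity. The second half shows the binomial effect: with these assumed rates a 14-of-16 threshold admits the owner about 96 percent of the time while a stranger who guesses 60 percent of preferences correctly gets in under 2 percent of the time.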

    Rabkin is all for addressing the problem of forgotten passwords, but he is careful not to exaggerate the problem. In addition to the lack of proof that any widespread forgotten password hacking has occurred, he says banks have multiple systems in place to prevent thefts from online services. When a password reset is initiated, for example, banks automatically set a red flag on an account and watch it for suspicious behavior. Any large transactions following soon after would surely be stopped, he said.

    "The problem is not as bad as you think," he said. "It's not so easy to match up a pet name from Facebook with another database of login names and another database of Social Security numbers," and use that to withdraw cash, he said.

    Still, there is another problem associated with the importance of personal questions in security. A consumer who falls for an extensive phishing e-mail or has their blog copied by a hacker may find it nearly impossible to navigate the digital world in the future. How would such a person ever reclaim a password or otherwise authenticate their identity?

    "It would be incredibly difficult to recover from something like that," Thompson said. "You can't really change your mother's maiden name or these other things."

    RED TAPE WRESTLING TIPS
    Researchers like Jakobsson are looking for new ways to authenticate consumers. One obvious area of potential is biometrics. The chief criticism of this technology, which uses people's eyes, fingerprints, etc., to verify their identity, is the "doomsday" possibility that once such information is compromised, it could never be trusted again. You can't change irises, for example. But Thompson points out that the same is true for personal information such as your first pet's name or your mother's middle name. While biometrics has potential flaws, new systems will soon be necessary, Thompson said.

    Of course, these security enhancements are still in the future, so for now, consumers must fend for themselves. When answering password recovery questions while registering for online banking and other Web sites, don't always pick the most obvious question. Consider what someone might be able to find about you on your blog. Better yet, consider not disclosing any personal information on your blog.

    Alfred Huger, a security researcher at Symantec Corp., offers this suggestion: Some sites now allow consumers to make up their own question. While that might be a hassle, it's probably much more secure. Again, think of a question only you can answer, and something that's unlikely to be in any database. That probably means the name of your first girlfriend or boyfriend won't cut it.

  • Make 'Dear John' data letters meaningful

    I like to call them "Dear John" data letters. And just like those sad, cold notes from a lover announcing a breakup, those "We've lost your data" letters are almost always frustratingly vague.

    A new study from identity theft research firm ID Analytics suggests that's both unfair and risky. The study shows that consumers victimized by insider data theft -- theft by an employee -- are 12 times more likely to be ultimately hit by fraud than victims of an accidental data loss, like a lost laptop computer.

    Yet many Dear John data letters announcing security breaches offer precious few details about the circumstances of the loss. That leaves consumers completely in the dark about what to do.


    While data leaks rarely make headlines now, as they've become frighteningly commonplace, the rate of leaks has steadily increased since 2005, when disclosure laws began forcing companies to fess up to them. About half of U.S. adults have received at least one such letter, according to the Ponemon Institute. And since 2005, more than 236 million pieces of data have been lost or stolen, according to the Privacy Rights Clearinghouse.

    But data loss letters are often short on critical details, such as how the data was leaked or why. Such information provides important context to consumers and would help them determine how they should respond, said Mike Cook, co-founder of ID Analytics.

    "Some of the letters I have seen have not been as informative as they could have been, which is a disservice to both consumers and businesses," Cook said.

    Here's why the details matter. ID Analytics analyzed 5 million pieces of identity data stolen in 12 separate insider thefts. More than one-third of consumers exposed by those incidents -- 36 percent -- were ultimately hit by identity fraud. Contrast that with ID Analytics data on lost laptops and hard drives, where victims were hit with fraud only about 3 percent of the time.

    "All data breaches are not created equal," Cook said. "It's important for consumers to understand that."

    Make it a doozy
    Other circumstances surrounding the breach also help predict the likelihood of fraud, Cook said. This might sound counterintuitive, but the findings suggest that the larger the data leak, the less likely a victim will be hit by fraud. Consumers who have their data stolen as part of a small, targeted incident -- say 10 identities copied by an insider -- are at greater risk than consumers who are exposed through a theft of 10 million credit cards.

    "If I am a consumer, and I learn that I am part of the largest breach in history, I should be happy because the likelihood of my name being used at random is very low," Cook said. "But if I am part of an internal breach of 10 identities, I should be very concerned."

    The three questions that should be answered
    Consumers who are victims of data breaches should always get the answers to three critical questions, Cook said: the size of the breach, the precise data involved and the reason it was stolen or lost.

    Those answers, however, are rarely forthcoming, said Gartner security researcher Avivah Litan. Many companies reveal almost nothing about a data leak, which prevents consumers from making common-sense decisions about how to react.

    "The disclosure laws should be refined to give consumers this type of information," she said. "Right now these letters don't mean anything if there are no details. Consumers don't have enough information to make an educated decision about what to do."

    The ID Analytics study comes at a time when Congress continues to debate a national data loss disclosure law. Currently most states require data loss disclosure, but a national law would likely supersede state laws.

    Federal legislation favored by the credit industry and the Federal Trade Commission would limit disclosure to leaks when there is a great likelihood of actual fraud. That means lost laptop computers and hard drives might not trigger notices. But so far there has been little discussion of making companies offer more specifics to consumers when such disclosures are required.

    It's about the intent, not the source
    Alfred Huger, a researcher at security firm Symantec, said he suspects there isn't much difference between data stolen by an insider and data stolen by an outside hacker who is part of an organized crime gang. What matters most is the intent of the thief, he said.

    "There are some collections of hackers who are quite precise about what they are going to steal and what they will do with the data," he said. Data stolen by such hackers is probably equally likely to result in fraud as data taken by determined insiders, he said.

    But the ID Analytics study unearthed a few additional details about insider theft. In every case, the stolen data was used locally -- within 20 miles from the place of the theft, Cook said. That suggests the criminals were not part of complex international crime rings, he said.

    "People are stealing the data and using it themselves, or giving it to someone they know," he said.

    The report also revealed a sharp rise in mobile phone theft, with 69 percent of the fraudulent applications being used to obtain a cell phone. That result follows a study earlier this year by ID Analytics that showed mobile phone theft now makes up 32 percent of all new account fraud, up from 19 percent just last year.

    In the past, ID criminals routinely applied for cell phones so they'd have phone numbers to put on fraudulent applications for credit. But today, Cook said, given the rising cost of multi-function phones, criminals simply obtain discounted smart phones with two-year contracts and then sell them at high profits.

    "Attacking mobile phones is a growing phenomenon," he said.

    It's also a huge pain for consumers, who rarely find out about cell phones opened in their name unless they check their credit reports.

    RED TAPE WRESTLING TIPS
    Given the continued avalanche of data breaches and data loss letters, it is understandable that legislators might want to limit the notices to those that matter most -- those incidents where the risk of ID theft is high. This would mean companies that lose laptops and hard drives accidentally would probably get a free pass. That's an undesirable result, as the public shaming of poor security practices has helped bring focus to the twin issues of privacy and data security.

    If consumers are to lose the right to know every time a company loses track of their data, they should get something in return. Firms should be forced to offer far more explicit detail about data thefts and losses when they occur. Victims are entitled to know how it happened, what was taken, whether the data was used, and so on. That should be standard procedure and ultimately, would be worth much more than the pittance that is usually offered today in these Dear John data letters -- free trials to credit monitoring services. Next time you receive a letter, look for the answers to Mike Cook's three questions. If you don't get them, complain to your congressional representative.

  • Want to come upstairs and see my credit score?

    When should you do it? On the third date? After meeting her parents? Half-way through the first date? When it just feels right? One thing is certain: you shouldn't wait until you get married.

    The idea of asking a new significant other about his or her credit score probably makes you squeamish, but it's a subject that's ultimately unavoidable. Just as you inherit in-laws when you tie the knot, you inherit credit history too. But unlike family ties, it can be nearly impossible to sever yourself from bad credit.


    This column could quickly begin to sound like an overbearing parent. (Did you ask about his grandparents? You want to make sure you're marrying into good genes!) Or the meddlesome advice of a nosy friend. (You know she has emotional baggage, right?)

    To avoid that, I will offer no specific advice about the exact timing for this uncomfortable conversation. Instead, I'll separate some myth from fact and discuss the consequences of blindly going into a relationship with someone who has a spotty past with credit.

    We'll start with the obvious observation that the time to find out about your lover's splotchy credit report is not during the honeymoon. Having the conversation about money and debt is just as important as the conversation about having children, or any of those other tricky topics.

    Helen Popkin's Ode to FreeCreditReport.com last week set off a firestorm of discussion on the topic, inspired by the TV ad where the heroic male character blames his dismal basement dwelling on his girlfriend's bad credit -- or rather their failure to use FreeCreditReport.com before they shacked up. While it is a great idea to talk about credit scores, it's a terrible idea to do what the ad hints at: to invade your significant other's privacy by ogling their credit score online. Let's be clear about this: It's illegal to look at anyone's credit report without their permission. The best place to look up your own is AnnualCreditReport.com, the only place where you can get credit reports for free.

    'The least romantic date'

    The message you should be getting from those FreeCreditReport.com ads is this: At a certain point in a relationship, you should have the credit conversation. Or as personal finance author Liz Weston calls it, "the least romantic date."

    "You both print out your credit reports, bring them to dinner and share them," says Weston, not a hint of sarcasm in her voice. Author of numerous books on personal finance, including "Your Credit Score," Weston fields questions every day on her Web site AskLizWeston.com. It's uncanny how many questions she gets from couples who never had the credit conversation while dating.

    "I regularly hear from readers that they married someone they found out afterwards had tens of thousands of dollars in debt," she said.

    It's human nature to root for things to work out, particularly in the early stages of a relationship. So it's also human nature to want to avoid the "credit score" conversation, which really can throw a monkey wrench into an otherwise happy pairing. Let me ease that burden for you. According to John Ulzheimer of Credit.Com, one of the nation's leading experts on credit scores, the FreeCreditReport.com advertisements are a bit of an exaggeration. Marrying a man with a bad credit score doesn't automatically doom you to a dark basement apartment, he says. In fact, even after marriage, the two of you will maintain separate credit reports and credit scores, he says.

    "Your credit reports never co-mingle. You always maintain your own credit report. Your scores will never bleed over," Ulzheimer said.

    Only co-signed loans and joint credit cards will appear on both credit reports, meaning it's perfectly possible to maintain a good credit score while living with or marrying someone with a lot of bad debt.

    Notice I didn't say that it wouldn't impact your life; only that it won't impact your credit score if there is no mingling of debt. That's a big if, however. In most cases, couples apply for large loans together, because they need both incomes to qualify for the loan. In that situation, the bank will pull both spouses' credit scores and the low-score partner could severely impact the couple's ability to get a good home loan.

    "Technically, you can keep your finances separate and your scores separate, but if you are dealing with a bad credit score it will affect your life," Weston said. "You'll be getting the collections calls, too."

    Often, couples will open joint credit cards so the low-score partner can get a better interest rate and terms. That sounds sensible, but it can lead to a disaster because late payments on joint cards bring down both parties' credit scores. In fact, a spouse with a perfect payment history can take a 100-point hit from a single late joint credit card payment by the other spouse.

    Divorce easier than a financial separation

    Things get even more sticky if the marriage goes sour. Joint debt remains the responsibility of both spouses even after the divorce, and even after a judge assigns it to a single party. Many divorce lawyers miss this important fact, Weston says: Contractual agreements with lenders supersede divorce decrees. So if an ex stops making payments on a credit card, the other spouse is legally responsible. Even after the debt is paid, the late payments can impact both spouses for years.

    One victim I've spoken to had $3,000 in credit card debt on a joint card at the time of divorce, but several years later, the debt had ballooned to $18,000. He was responsible for paying it all, even though he hadn't spent any of it.

    "It's harder to get out of a co-signed loan than it is to get out of a marriage," observed his new girlfriend. They requested anonymity for obvious reasons.

    Believe it or not, there really is no way out of a co-signed debt arrangement. Divorcing parties can ask their bank for release from joint credit cards, but banks are under no obligation to grant such release, and why would they? They'd be less likely to be repaid. Co-signing means what it says: You are responsible for the other party's debt -- no matter what.

    The only way out of this divorce quagmire is to close all joint accounts and have the debt -- all credit card debt, car loans, home loans, etc. -- moved to individual accounts before the divorce is final, says Weston. That can be costly (for a home loan, a refinance is usually required; for credit card debt, pay off balances with balance transfer checks from new cards). But it's the only sure way to truly straighten out all debt obligations.

    "The stunning part is the horrible advice some people get," said Steve Bucci, author of "Credit Repair Kit for Dummies." "For someone to go through a divorce and leave an account open is amazing. … You're paying a lawyer a lot for advice, and they should know better."

    I hope I've convinced you of the importance of that boring date involving credit report disclosure. But if I haven't, Ulzheimer offers another incentive. People almost always follow the same spending and debt habits before and after marriage. Rare is the undisciplined spender who suddenly acquires good money habits during the wedding ceremony. So a credit report peek will be a pretty good predictor of how money issues will go during the marriage. Disputes over money are among the leading causes of divorce, so it's best to get spending and payment styles out on the table as early as possible.

    Opposites attract, and this often holds true for money issues. Spenders and savers frequently end up together, notes Weston, an arrangement which inevitably means the fiscally conservative partner learns more than they ever wanted to about collection letters and finance charges.

    Predictably, it's usually the partner with good credit who is more anxious to have the debt talk. It is also true, says Weston, that the indebted partner often sugarcoats their financial situation.

    That's why it's best to have that boring date, Weston says. Just talking about debt in vague ways might not unearth the real issues.

    "And actually, pulling a credit report is really a neutral thing, in black and white," she said. "It's not like you can fudge the stuff."

    How to bring it up

    Obviously, inviting someone to share the most intimate details of their financial life will not be the easiest conversation in the world to start. Ulzheimer suggests a light-hearted tone, to avoid giving the conversation a flavor that might make it sound like a discussion of a pre-nuptial agreement.

    "Say, 'hey, how funny would it be to compare our credit scores,' " he said. And since regular credit checkups are highly recommended anyway, the credit report swap is a great learning opportunity.

    Weston also says it's important for the financially stronger partner to avoid using a 'holier-than-thou' tone.

    "You've got to get off your high horse a little bit. ... Keep in mind that the goal is not to make the other person feel bad, it's to make sure your financial life is as harmonious as possible," she said. "You don't want any surprises that could threaten the relationship later."

    Many couples in their 20s and even their 30s will find they have common ground, anyway, when the subject of student loans arises.

    RED TAPE WRESTLING TIPS

    As for the original question of when to ask about your beau's credit history, there is no rule of thumb. Weston suggests it should come immediately after any conversation that will lead to a financial commitment to each other -- marriage or cohabitation, for example.

    "First discuss commitment, then this should be your next discussion," she said.

    Of course, having the talk even earlier wouldn't hurt. If you are the less-indebted partner and you find yourself really dreading the debt talk, that's important information right there. Maybe you aren't good at confrontation, or maybe the relationship just isn't strong enough to handle serious discussions.

    If you are the indebted partner, you'll demonstrate sincerity by devising a plan for dealing with the debt before your partner even asks about it. For example, have a spreadsheet showing how you'll be debt free in three, four or five years. Now would be a good time to come up with that plan to rebuild your financial life and show you are ready for other commitments.

  • Spam campaigns target msnbc.com, CNN

    Spammers have upped the ante in their efforts to trick news consumers, switching from e-mails with tabloid-style headlines to impersonating major online news services. On Wednesday, e-mails that appeared to be from msnbc.com landed in inboxes worldwide, promising breaking news and confusing some recipients.

    The spam unleashed Wednesday follows a massive campaign last week in which spammers impersonated CNN.com. That campaign saw 250 million spam messages sent in one intense 24-hour period, according to spam-fighting firm MX Logic Inc. Those e-mails appeared to include links to CNN's top 10 stories, but Internet users who were tricked into clicking on those links were sent instead to Web sites overseas that were booby-trapped with malicious software.


    Recipients should immediately delete any unexpected e-mails purportedly from CNN, msnbc.com or any other firm that they haven't done business with and authorized to contact them.

    Users who open the fake CNN or msnbc.com e-mails and click on a link are in for a bad day if they fall for the ruse. Those who do are sent to Web sites that attempt to trick them into downloading what is described as a video player plug-in. Instead, the malicious software will infect the user's computer, ultimately giving hackers complete control over the machine. Infected computers are then used to send out even more spam.

    "This new tactic is likely to be more successful than recent 'single-line spam' campaigns because it looks like a legitimate e-mail news update," said Sam Masiello, director of threat management at MX Logic.

    After the initial top 10 headline spam, the campaign morphed into more focused e-mails purporting to come from "CNN Alerts," which included links to what appeared to be a single news story -- with an actual headline lifted from the news site -- but was actually a booby-trapped link. In one such e-mail reviewed by msnbc.com, the e-mail was sent from a domain in Australia, and the links took clickers back to Australian Web sites.

    MX Logic says it captured 850 million CNN spam messages since Aug. 4, and that the volume has steadily increased, suggesting that recipients have fallen for the ploy and their infected computers have been used to send out even more spam.

    So far, MX Logic says, it's catching about 2 million msnbc.com spam messages per hour, but the rate is steadily increasing. Security firm Sophos said the msnbc.com spam spiked at one point on Wednesday morning and equaled the total amount of all other spam the firm was trapping.

    The first msnbc.com spam was sent around 4 a.m. ET, MX Logic said.

    Masiello said he believes the same criminal gang is responsible for both the CNN and the msnbc.com spam campaigns.

    One of the msnbc.com spam messages, with the subject line "BREAKING NEWS: Americans love law suits for breakfast," appeared to come from a computer in Spain. The realistic-looking e-mail includes some actual links to msnbc.com in an attempt to confuse the recipient.

    Spammers have impersonated major Internet sites -- including news sites -- for years. In 2006, a widespread spam campaign impersonated the BBC Web site, promising news about Russian president Vladimir Putin.

    It's unclear why there's a sudden surge of fake news spam, but security firm Message Labs speculates that it's related to a cat-and-mouse game currently being played out between spammers and security companies. Most spam is sent out from hijacked computers known as "bots" that are connected in large networks called "botnets."

    The largest is called the "Storm" botnet, created by a virus known as the Storm worm. Recently, researchers enjoyed a small victory against the worm, and shrunk the size of the botnet by about two-thirds, said Message Labs' Paul Wood. The aggressive news headline campaign is an attempt to reconstitute the network, he said.

    "They are trying to do something to regain their power," Wood said.

    RED TAPE WRESTLING TIPS
    Spam campaigns like these are a real headache for companies that want to maintain e-mail relationships with their customers, as there are no foolproof tools for helping consumers tell real corporate e-mails from fake messages. Msnbc.com, CNN, and most news outlets maintain newsletters that readers use to receive timely bulletins. Such services are threatened by the widespread spam campaigns, which inevitably prompt IT departments to advise users to aggressively delete all e-mails that aren't personal.

    The best advice: Think before you click. If you have any doubts at all about an e-mail, simply delete it. Also, keep track of your e-mail subscriptions and know when messages are expected to arrive.

    Persistent Internet users can check e-mail headers for signs that a message is suspicious, but that can require moderately advanced computer skills. Microsoft Outlook users can do this by right-clicking on an e-mail in inbox view, and then selecting "Message Options."

    E-mail readers can also, in most cases, hover over a link before they click and see a pop-up showing where they will be directed if they click. If the link doesn't match the written link, that's a good reason to question its legitimacy, but it's not foolproof. Also, if you try this method, be careful not to accidentally click your mouse.
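    The hover check above can be automated: compare the address a link displays with the host it actually points to. This is an added example, not code from msnbc.com or any mail client; the e-mail fragment inside it is constructed, and plain "click here" links are deliberately left unjudged because the method cannot assess them.

```python
"""Flag links in an HTML e-mail whose visible text names a different host than
the real destination (the "hover before you click" check, automated).
Added example; the sample message below is constructed, not a real spam."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_host(url: str) -> str:
    """Lowercase host of a URL, or '' if it has none.

    A bare 'www.example.com' in link text is given a scheme so it parses.
    """
    candidate = url.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """Visible text that itself looks like an address: no spaces, has a dot."""
    text = text.strip()
    return bool(text) and " " not in text and "." in text


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def mismatched_links(html: str) -> list[tuple[str, str]]:
    """(href, text) pairs where the displayed address and the real host differ.

    Link text that is not itself an address ("click here") cannot be judged
    this way and is skipped; that is the blind spot of the hover check.
    """
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    suspicious = []
    for href, text in parser.links:
        if looks_like_url(text) and registrable_host(text) != registrable_host(href):
            suspicious.append((href, text))
    return suspicious


# Constructed sample: two genuine-looking news links mixed with one whose
# visible address lies about its destination (the "some actual links" tactic).
SAMPLE_EMAIL = """
<p>BREAKING NEWS: <a href="http://www.msnbc.com/">www.msnbc.com</a></p>
<p>Read more: <a href="http://www.msnbc.com/id/12345">http://www.msnbc.com/id/12345</a></p>
<p>Watch: <a href="http://msnbc-breaking.example/video">www.msnbc.com/video</a></p>
<p><a href="http://msnbc-breaking.example/unsub">click here</a> to unsubscribe</p>
"""

if __name__ == "__main__":
    for href, text in mismatched_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: text shows {text!r} but the link goes to {href!r}")
```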

    "Of course we all know that spam exists, but we certainly don't like it to invoke the brand name that is so meaningful to us and our readers," said Catherine Captain, vice president of marketing for msnbc.com. "We send out hundreds of thousands of legitimate email newsletters requested by our consumers every week. The key is not falling for the trickery of spammers and being able to discern what is real and what is fake."

    CNN.com spokeswoman Jennifer Martin said that the company received phone calls and e-mails from viewers and users who received the fake e-mails and posted a notice on its Web site on Friday warning customers not to be fooled.

  • Did PIN thieves grab hacking's Holy Grail?

    Could a hacker steal enough information from a store you've shopped at to print up fake debit cards in your name and withdraw cash from your checking account at an ATM? Even if you've never told a soul your PIN code?

    In fact, said the Justice Department last week, it's already happened, possibly to millions of people.

    Buried in last week's indictments of 11 alleged international computer hackers accused of stealing 40 million credit and debit account numbers from U.S. retailers was something far more unsettling: At one retail chain at least, the indictments accuse the group of swiping encrypted versions of debit card PINs, decrypting them, then using the information to print debit cards and get cash from ATMs.

    If proven true, that could mean criminals have crossed a new threshold in the pursuit of plastic card fraud -- PIN hacking.

    For decades, the only security layer standing between criminals and cash from stolen debit cards has been the secret PIN code, which has proven surprisingly robust. When hackers steal a large set of debit card numbers, there is generally no way to obtain their corresponding PINs, limiting the value of the stolen data.

    Criminals have stolen small numbers of PINs in old-fashioned ways, such as installing tiny cameras on ATMs that record PINs while they are entered.

    But uncovering a way to obtain PINs from a stolen batch of debit card account data would give hackers the ability to withdraw thousands of dollars at a time from any ATM in the world – a holy grail of sorts for card thieves. That's precisely what the U.S. government says some of the suspects did as part of their five-year scheme, detailed last week.

    In the indictment of alleged ringleader Albert Gonzalez, the Department of Justice accuses him of:
    • Downloading "tens of millions of credit and debit cards and PIN blocks associated with millions of debit cards."
    • Obtaining "technical assistance from criminal associates in decrypting encrypted PIN numbers."
    • Cashing out "by encoding the data on magnetic stripes of blank credit/debit cards and using these cards to obtain tens of thousands of dollars at a time from ATMs."

    The Justice Department would not comment on the indictments or on the specific methods that might have been used to perform the decryption. A spokeswoman would only confirm that the agency is indeed accusing some of the suspects of decrypting PINs.

    Speculation for years
    Encrypted PIN codes are supposed to be impenetrable. After a consumer enters their code into a PIN pad at a store, or at an ATM, the data is immediately converted into an unintelligible string of text called a "PIN block." That block of text is then sent along the payment processing network, ultimately back to the cardholder's bank, where the PIN is verified.
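    What that "unintelligible string" actually contains, as an added example that is not from the article or any payment vendor: the article does not say which PIN block format was involved, so the common ISO 9564 format 0 layout is assumed, in which the PIN is combined with part of the card number before encryption. The encryption step itself is omitted (the Python standard library has no block cipher); what the code shows is that the clear block is fully reversible with the card number, so the encryption key is the only real secret, which is the point made later about stolen keys.

```python
"""ISO 9564 format 0 PIN block construction and reversal.

Added example; format 0 is an assumption, since the article does not name a
format. In a real PIN pad the clear block built here is encrypted under a PIN
encryption key before it leaves the device; that cipher step is not shown.
All PIN and card-number (PAN) values in this file are constructed test values.
"""


def _pan_field(pan: str) -> str:
    """Right-most 12 PAN digits, check digit excluded, left-padded with zeros."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 decimal digits")
    return "0000" + pan[:-1][-12:]


def _pin_field(pin: str) -> str:
    """Control nibble 0, one hex digit of PIN length, the PIN, then 'F' fill."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return f"0{len(pin):X}{pin}".ljust(16, "F")


def _xor_hex(a: str, b: str) -> str:
    """Nibble-wise XOR of two 16-digit hex strings."""
    return f"{int(a, 16) ^ int(b, 16):016X}"


def encode_pin_block_iso0(pin: str, pan: str) -> str:
    """Clear format 0 PIN block (16 hex digits) binding this PIN to this PAN."""
    return _xor_hex(_pin_field(pin), _pan_field(pan))


def decode_pin_block_iso0(block: str, pan: str) -> str:
    """Recover the PIN from a clear format 0 block, given the PAN it was bound to.

    Raises ValueError when the result is not a well-formed PIN field, which is
    what happens if the wrong PAN is supplied: the block is PAN-specific.
    """
    block = block.upper()
    if len(block) != 16 or any(c not in "0123456789ABCDEF" for c in block):
        raise ValueError("block must be 16 hex digits")
    field = _xor_hex(block, _pan_field(pan))
    if field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("implausible PIN length")
    pin, fill = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or fill != "F" * len(fill):
        raise ValueError("PIN field malformed: wrong PAN or corrupted block")
    return pin


def block_belongs_to_pan(block: str, pan: str) -> bool:
    """True if the clear block decodes to a valid PIN under this PAN."""
    try:
        decode_pin_block_iso0(block, pan)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    pin, pan = "1234", "4321987654321098"          # constructed values
    block = encode_pin_block_iso0(pin, pan)
    print(f"clear PIN block for PIN {pin} on PAN ...{pan[-4:]}: {block}")
    print("recovered with the right PAN:", decode_pin_block_iso0(block, pan))
    print("decodes under a different PAN?",
          block_belongs_to_pan(block, "4000123456789010"))
```

With the PAN (which travels in the same transaction) the PIN falls straight out of a clear block, so everything rests on the block never being seen unencrypted and the key never leaking.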

    There has been speculation for years that criminals had found some way around the PIN encryption. In 2006, after a spate of fraudulent ATM withdrawals, Citibank began cutting off ATM cash access to some overseas travelers. Consumers around the country reported phantom withdrawals from their checking accounts of $1,500 or more from far-flung places like Bulgaria.

    At the time Citibank, Bank of America, Wells Fargo, and Washington Mutual all reissued some debit cards. There was conjecture that criminals might have stolen PIN information that was accidentally left "in the clear," or unencrypted, by a retailer.

    Earlier this year, Wired News reported that a Citibank server that processes transactions initiated at 7-11 store ATMs had been "breached," according to an affidavit filed by an FBI investigator. The affidavit claims a single suspect, who has now been arrested and charged with theft, stole $750,000 from ATMs in a single month during early 2008.

    But last week's indictment accuses the criminals of taking everything they need to print fake debit cards and steal money directly from retailers. The specific case outlined in the indictments involved downloading PIN blocks from a Florida OfficeMax store in 2004 through a vulnerable wireless network, then later decrypting them. The indictments also accuse the group of downloading "PIN blocks associated with millions of debit cards," hinting that the PIN problem might be even wider.

    The scheme was apparently so successful that at several times the suspects allegedly sent boxes full of cash through express mail services to make payments to one another.

    How it might have happened
    PIN blocks are transmitted from retailers to credit card processors and are sometimes stored on computers along the way, where they would be available for the taking by criminals who knew how to decrypt the secret codes. This is sometimes called stealing data "at rest." Retailers have no need to keep PIN blocks in the stores, but poorly configured systems sometimes store this information anyway.

    The hacking gang indicted last week also was capable of stealing data on the move, according to the indictments. The group is accused of using various methods to install "sniffer" programs that grabbed account numbers and PIN blocks as they flew by on computer networks. Initially the suspects sat in parking lots and used insecure wireless networks to gain unauthorized access, the government charges. For example, in July 2005, while sitting in a Miami TJ Maxx parking lot, the criminals are accused of worming their way into the firm's central credit card server in Framingham, Mass.

    Later, some of the suspects brazenly walked into stores and physically installed sniffer software onto computers in other stores, the indictments say.

    In May 2007, for example, they entered a Dave & Buster's restaurant in Islandia, N.Y., and installed sniffer software. Afterward they re-entered the store every month to empty the catch from their virtual net, eventually stealing 5,000 account numbers from that store alone and using those numbers to steal $600,000. In that case, they are accused of stealing only debit and credit card numbers.

    Still, even with data stolen using such hands-on methods, stolen PIN blocks should be useless to criminals -- unless they can be unscrambled.

    Encryption expert Ross Anderson, a professor at Cambridge University in England, has testified before about the possibility of "phantom withdrawals" involving PIN codes stolen from British banks. He says potential vulnerabilities in bank encryption software have been known by researchers for years. In 2003, a British court imposed a gag order on Anderson, preventing him from revealing some elements of his research.

    He called this week's indictment "the first documented recent case" of PIN hacking, but added that it was "not surprising."

    "The banks have encryption boxes that are claimed to be 'secure' but the claim is of course untrue," he said.

    Not so alarming
    Mike Urban, who runs a debit card fraud-fighting service called CardAlert at Fair Isaac Corp., counters such talk by saying the most likely explanation for the crime is also the least alarming: Hackers didn't reverse engineer PINs; they simply managed to steal encryption keys from the same retailers where they stole the data, he said.

    "I'm speculating here, but more than likely, to compromise that many PIN blocks they would have to have gotten the encryption keys somehow," he said. "More than likely there was a breakdown in management of keys wherever the keys were compromised." Armed with the keys and a little know-how, he said, criminals could readily discern PIN codes from PIN blocks.

    Urban said it would not be terribly alarming if the hackers obtained PINs that way, noting that retailers routinely secure keys carefully and that PIN compromises are "extremely rare." He also said that while the government's case against the hackers mentions theft of PIN blocks from several retailers, evidence of actual PIN-block decryption is offered in only one case – the one involving OfficeMax. He said he believed that could be an isolated incident.

    "Fraud on PIN-based transactions is much lower than signature-based debit or credit transactions," he said.

    Gonzalez, the alleged ringleader of the hacking ring, who also went by the moniker soupnazi -- apparently a reference to the "Seinfeld" character -- is being held in New York while awaiting trial. He faces life in prison if he is convicted of all charges. Only two other suspects out of the 11 indicted are in custody. Ukrainian national Maksym Yastremskiy is being held in Turkey, and Aleksandr Suvorov is in Germany. Both are facing extradition.

    RED TAPE WRESTLING TIPS
    There's no need to panic over the possibility that hackers could steal PINs from places you shop. Consumers who are hit with fraud related to debit cards have strong legal protections. Losses reported within two days of discovery are limited to $50, and most banks give full refunds to consumers. Still, debit fraud can be a huge hassle, because consumers who are victims may find their bank accounts emptied and their ability to access cash severely limited until the money is replaced. The hassle factor is much higher than with standard credit card fraud.

    But possible PIN theft is another incentive to use debit cards only to withdraw cash at ATMs – not for purchasing. There are already plenty of other good arguments for keeping your debit card in your wallet. We've written about the case for credit here; so has Consumer Reports.

    If you really want to buy things with your debit card, perhaps as part of a monthly budgeting plan, consider signing the sales slip instead of entering your PIN, to keep your PIN a secret. And if you really want to enter your PIN, consider setting up a separate checking account, isolated from your standard account, for your purchases. That way, if your account is hacked, the criminals won't have access to all your money. But be sure to keep that fully stocked with cash; overdrawing your debit account can lead to costly overdraft fees.
    Also, resist the urge to use the same PIN code for all your accounts.

  • JetBlue, welcome to the Gotcha Hall of Shame


    Feeling fleeced by hidden fees, surcharges, fine print and other "Gotchas"? That's because you are getting fleeced. Sneaky pricing has become the American way of doing business in the past decade. But don't look now -- things are going to get much worse before they get better. Tough times and shrinking profits will spur on cash grabs the likes of which we've never seen. Like a wounded animal, I expect many a desperate corporate boardroom to authorize unconscionably tricky tactics, aiming to stave off a bad report to shareholders for one more quarter by sucking more quarters out of your wallet.

    In this spirit, today we open up a new institution to memorialize all this chicanery: The Gotcha Hall of Shame. The first inductee is so deserving that it actually inspired creation of the award: JetBlue Airlines and its $7 pillow.

    I know, I know, it's not just a pillow, it's a blanket, too. And both, apparently, have super-powers that block micro-toxins, whatever those are. But if the blanket works so well, why hasn't my doctor given me one?

    Even with reduced visibility and a low cloud ceiling, we can all see through JetBlue's pillow ploy. On a plane, you're a captive consumer. There is no shopping around for good pillow prices. You're sleepy, and you will fork over $7 for a chance to take a nap.

    Of course, you could bring your pillow on board, but that would take up your precious carry-on baggage allotment, which could push you to check more baggage. And JetBlue now charges extra for that, too.

    You should know that JetBlue had stiff competition for the inaugural Gotcha award -- from within its own industry. US Airways [changed from US Air], which is said to be considering its own pay-to-sleep fee, gets honorable mention for deciding to charge passengers $2 each time they ask for water. Curiously, coffee is only $1 per cup. C'mon US Air! That's going to hurt pillow sales.

    As for circumnavigating the water fee, don't bother. The Transportation Security Administration is in on this, too. Bring water to the airport and you'll lose that at the security checkpoints.

    Meanwhile, it feels like all the airlines have been involved in a perverse kind of auction to see who can squeeze consumers the most for checked bags. ($15 for a second bag. Do I hear $25? OK, $25 to Delta Airlines. Do I hear $50? OK, $50 to Delta Airlines!)

    The death of pricing
    What's going on here? Analysts are politely calling this a move to a la carte pricing. I have another name for it (I'll bet you have a few too). I call it the death of pricing.

    These "after charges" make it nearly impossible for consumers to buy airline tickets intelligently. The normal method of searching for flights and sorting by price has been murdered by $10 meals and $50 baggage fees. A $245 flight can be cheaper -- much cheaper -- than a $189 flight. A Delta $100 baggage fee (remember, checked bag fees are one way) can turn a good deal into a bad deal very quickly.

    Now, the critical question: How are consumers supposed to do the math when shopping for airline tickets? Can you predict how many bags you'll pack when you're buying a ticket?

    This isn't just annoying. It's an assault on capitalism. Companies with the best prices and the best products are supposed to win in our Darwinian economic system. Instead, sneaky charges and tack-on fees prop up poorly performing companies. Instead of rewarding the best performers, we are rewarding the members of the Gotcha Hall of Shame.

    Already last year, flying became a textbook example of what economist Caroline Baum calls inflation by degradation. When people pay the same for a product, but get less from it, that's a form of inflation, Baum says. For example, when people pay to get from New York to Chicago in two hours, but the actual travel time is four hours, they've been hit with a hidden form of inflation.

    Last year, airline schedules turned into fiction novels, with some planes on some routes arriving on time as infrequently as 10 percent of the time. Yet prices didn't fall, they rose. And now, they are rising again, through the layering of fees so fantastic you'd think Franz Kafka owned an airline.

    Come to think of it, even Kafka wouldn't make one of his characters pay for a pillow. No one would buy it.
    Congrats, JetBlue Airlines, for earning the first spot in the Gotcha Hall of Shame.

    Red Tape readers, feel free to file nominations for the next inductee below.

    (While I'm at it, here's a pretty good reference on baggage fees)

  • Credit Card 'Bill of Rights' inches forward

    Legislation that would ban many unpopular credit card company tactics has been passed by a congressional committee, opening a path for the so-called "Credit Card Holders Bill of Rights" to be considered by the full House of Representatives.

    The bill, which was approved by the House Financial Services Committee last week, would prohibit many triggers that cause consumers to pay fees and higher interest rates. For example, it would stop card issuers from imposing higher rates retroactively on outstanding balances in some situations. The legislation was approved by a healthy 39-27 majority despite spirited lobbying against it by the banking industry.

    The legislation is nearly identical to a set of new rules proposed in May by banking regulators, including the Federal Reserve. Those rules are still under review, with the public comment period ending Monday. The regulations face several additional hurdles, including a public hearing, though the Fed could wrap up the process by the end of this year.

    If passed, the House bill might offer quicker relief to consumers, as some of its provisions would take effect immediately.

    But the legislation faces an uphill climb on Capitol Hill. There's only about a three-week window for new business when the House reconvenes in September. Should the credit card bill find its way to the top of the House legislative agenda, and win approval, a similar bill sponsored by Sen. Christopher Dodd, D-Conn., would have to be passed and then aligned with the House bill. Finally, the legislation would either have to be signed into law by President Bush in the waning days of his administration -- highly unlikely -- or his veto overridden by Congress, also unlikely.

    'Will help level the playing field'
    Still, passage of the bill was heralded as a major victory for consumers by the bill's sponsor, Rep. Carolyn Maloney, D-N.Y. Her office said it was the first legislation with consumer credit card protections ever approved by a congressional committee.

    "This landmark legislation will help level the playing field between card holders and card companies, and give consumers the tools they need to responsibly manage their own credit," she said in a statement. "The substantive reforms in this bill are needed now more than ever. ... If unfair credit card industry practices continue to go unchecked -- just as subprime mortgages were -- it will have far-reaching and detrimental effects on families and the economy."

    The American Bankers Association, which opposed the legislation, urged House members to let the bill die, saying regulators should be allowed to continue their review process.

    "By incorporating into statute the 'initial' proposal on credit cards put forth by regulators ... the committee has denied itself the benefit of valuable public input and agency expertise on the potential consequences of such proposals," the ABA said in a statement. "A deliberative agency rule-making process would provide this benefit and would avoid bad policy results that harm consumers."

    But Maloney said that legislating credit card rights is the only way to ensure that consumers are protected.

    "Legislation is the only lasting solution to this problem," she said. "The Fed's work doesn't diminish Congress' responsibility to act in the best interest of our constituents and pass meaningful reforms that bear the force of law." She also said that the Fed's new rules could be watered down by the time they are finalized.

    Lauren Zeichner Bowne, a lawyer for Consumer Reports and advocate of the Fed's rule change, said the credit card legislation serves as an important backup and encourages regulators to stick with their rule-making process.

    "It encourages the Fed not to back down and make the rules any less strict," she said. "That's why we're pushing both." There's also a risk that regulators might go through several rounds of revisions, each requiring lengthy public comment periods, which could bog down the rules changes, she said.

    Key provisions in the Fed rules and the legislation are:
    • Credit card companies are required to give cardholders 45 days notice of any interest rate increases.
    • Retroactive rate increases are prohibited, unless the card holder is more than 30 days late.
    • Billing statements must be sent 25 calendar days before the due date under the legislation; the new Fed rule varies slightly, requiring 21 days.

    The banking industry argues that any restrictions on the way it prices credit will increase costs for all consumers, including those who always pay their bills on time.

    "Things that appear attractive on the surface often come with too high a price tag," the ABA's statement said. "If lenders are limited in their ability to adjust interest for customers whose risk levels may have changed, they will have to account for the increased risk by raising prices for everyone. That's unfair."

    Consumers have taken an active interest in the debate. The Fed has received 15,600 comments on its proposed rules, and another 27,000 comments that appear to be form letters.

    Credit card protections have also played a minor role in the presidential campaign. Sen. Barack Obama has proposed his own Credit Card Bill of Rights that would offer additional protections to consumers, including elimination of interest charges on fees. He has also proposed a five-star rating system for credit cards that would direct the Federal Trade Commission to evaluate credit cards and rate them on their consumer-friendliness. The McCain campaign has issued no specific credit card rules.

  • Why would Nigerian scammers steal books?

    Sue Brown was excited when an order for 60 books came in a few weeks ago. Brown works for The National Center on Addiction and Substance Abuse at Columbia University in New York, one of the nation's largest agencies devoted to drug addiction research. The e-mail order from "Dr. Scott Smith" was for copies of the book "High Society: How Substance Abuse Ravages America and What to Do About It."

    Brown often receives bulk orders when a professor is teaching a new class or a new support group is starting. Each one represents a small victory in the agency's effort to spread understanding about addiction.

    But this order was different. For starters, the writer insisted on very speedy delivery. He wanted the books delivered to him overseas within three to five days. And the destination for the books -- Lagos, Nigeria -- gave her pause. Still, this was nothing like the Nigerian scams she'd heard about, involving e-mails promising millions of dollars in inheritances, so she began filling the order.

    "Dr. Smith" insisted on paying with his credit card. Brown resisted, instead asking for a money order up front. The good doctor ignored her and sent the credit card number anyway. So she ran the number and the charge was approved.

    "The cards were in his name," she said. "I thought, 'It could be plausible.'"

    Still, Brown had a queasy feeling. Dr. Smith was being awfully insistent that the order be shipped with all haste.

    "He kept saying, 'Today. I want them shipped today.' I knew that meant something," she said.

    Fortunately, Brown is working on a separate project with Visa and called her contact there. Officials from the company told her the order was most likely a scam, and advised her not to ship the books. Then, she did a Google search on her customer's e-mail address and found another Web site that accused him of being involved in a scam. Finally, she called and asked Dr. Smith to name the bank his credit cards were issued by -- and he couldn't. She canned his order.

    'Would have been on the hook'
    "I'm glad I didn't get taken to the cleaners," she said. "Visa said that had I shipped the books, (while they were) in mid-air we would have found out the cards were fraudulent and we would have been on the hook."

    Internet users have become accustomed to the creativity of Nigerian scams, but Brown had difficulty imagining how a Nigerian con artist could profit from stealing 60 substance abuse books. The oddity of that order almost led her into the trap.

    "I knew to be suspicious (of a Nigerian order), but then I said, 'This is not the same thing.' He went to the trouble of going to our Web site, and finding we had a book for sale, then asking to buy it," Brown said. "I started to believe him."

    James Perry, a scam expert at the National Consumers League, said that while Brown's story may sound exotic, it is typical.

    "These people will try to purchase anything they can get their hands on," he said. "They figure if you can ship it to them they can figure out how to sell it ... and even if they can't sell them, since they are using other people's money they haven't lost anything."

    While attempted purchase of drug abuse books might be a new twist, bookstores have been targeted by Nigerian scammers in the past. Four years ago, there were multiple stories of small Christian bookstores being scammed into sending Bibles to Nigeria-based scammers. The scammers were able to sell the Bibles and make a modest profit.

    It's not surprising that scam artists would target small enterprises, Perry said.

    "Small organizations are not as seasoned," he said. "They can fall for things larger organizations might not. I know a small business that's about to be shut down because they got taken for $20,000."

    RED TAPE WRESTLING TIPS
    • Don't send money or things to Nigeria. It sounds obvious, but if you are a small nonprofit group trying to spread your message, an order for 60 books can sure sound tempting. Just don't do it.
    • When haste is urged in any Internet business transaction, take a step back. Criminals often try to force victims to act before they have time to think. Anyone who doesn't want to give you time to think is probably trying to trick you.
    • Visa refused to discuss the details of Brown's attempted scam, but the company offered some generic advice to avoid falling for a similar ruse:
    "In transactions in which a card is not physically present, Visa encourages merchants to be alert for potential fraud indicators, including orders that include several of the same item, rush orders and shipping to an international address," the company said in a statement.