Online Identity Theft and Business
By Chula G. King and W. Timothy O’Keefe
Identity theft is one of the fastest-growing crimes in the United States. It occurs when personal information such as a Social Security number or a credit card number is stolen and used to perpetrate fraud or other crimes. With this personal information, an identity thief can go on spending sprees using existing credit card accounts, open new credit card or bank accounts in the victim’s name, establish telephone or wireless service in the victim’s name, and even give the victim’s name to police during an arrest.
Identity thieves also target businesses, stealing bank account and credit card numbers, employee and client information, and supplier account numbers. In today’s electronic environment, one of the easiest ways for an identity thief to operate is to masquerade as a business by stealing its online identity. This is done through a technique known as web spoofing. With web spoofing, a company’s website is reproduced under a similar domain name that is controlled by the identity thief.
Web Spoofing
Web spoofing can occur because a thief can manipulate the three basic components needed to publish a website. One of the components is the domain name, which is a unique Internet identity (e.g., www.amazon.com or www.cnn.com). Domain names can be purchased from a number of online sources for as little as $4.95 and can contain any combination of letters, dashes, and numbers. If a particular domain name is already in use, a close variation can likely be found by including a dash, making a singular word plural, making a plural word singular, or adding some type of qualifier such as “cpa.” The second ingredient needed to publish a website is the actual content. It includes text in hypertext markup language (HTML) or other acceptable language, as well as scripts, images, forms, links, and streaming media.
The content of a website needs to reside on a server that has a direct connection to the Internet, and must be configured to be accessible on the World Wide Web. Web hosting can be done in-house or through companies known as web presence providers. Oftentimes, the web hosting includes customized e-mail addresses with the form your.name@companyname.com.
The easiest way for a web spoofer to mimic a real domain name is to use one that is deceptively similar to the real domain name. For example, a user looking for President Bush’s latest State of the Union Address might try whitehouse.com. However, this site actually contains sexually oriented adult material; whitehouse.gov is the authentic site.
Unless steps are taken to protect the content, parts or all of a website can be easily downloaded with a few clicks. To download a logo or other image, one merely right-clicks on the image and chooses “save image as.” To download an entire page and all of the underlying code, one merely chooses “file” and then “save as.” An entire website can be downloaded by using the import web wizard in Microsoft FrontPage.
Once the content is downloaded, the web spoofer can package it in any way desired. For example, the web spoofer could start with the exact homepage that appears in the legitimate website, and add bogus content behind that homepage. When the unsuspecting visitor clicks on a link, she could be taken to a page that contains misinformation about the real company, a page that asks for confidential log-in information, a page with pornographic content, or any number of other pages designed with a malicious intent.
With the domain name and content in hand, the web spoofer’s final task is securing a web hosting service. If the web hosting includes customizable e-mail addresses, the web spoofer can assume not only the company’s online identity, but also the online identity of the company’s principals and employees.
Online Identity-Theft Vulnerabilities
If a deceptively similar domain name can be purchased, and if part or all of the content of a legitimate website can be downloaded, then the website is vulnerable to online identity theft.
To assess the potential vulnerability of CPA firms to online identity theft, the authors randomly selected 100 CPA firms listed on CPAFirms.com, which claims to be the most complete directory of CPA firms available on the Internet.
During the week of August 25, 2003, the authors visited the websites of each of the 100 firms chosen, to determine domain name characteristics. In general, the first part of the domain name tended to include some variation of the firm name or initials, and some variation of cpa.
The authors then used NetworkSolutions, a domain name registration company, to determine if a domain name similar to the legitimate one could be purchased. If the domain name included the firm’s name, variations on that name were checked for availability. For example, if the domain name was smithjones.com, could smith-jones.com be purchased? Other variations were checked. For example, if the domain name was sjcpa.com, could sjcpas.com, sj-cpa.com, or sj-cpas.com be purchased? When one of these basic variations was available for purchase, the domain name was deemed vulnerable.
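The variation rules the authors applied (insert a dash, pluralize or singularize the “cpa” qualifier, append the qualifier where it is absent) can be enumerated mechanically, which is how a firm would decide which look-alike names to register or watch. The following Python is an added example, not code from the article or its authors: the function names, the split of a domain label into its name parts (supplied by the caller, since the firm knows its own name), and the set of already-owned domains are assumptions, and no registrar or WHOIS lookup is performed.

```python
# Added example (not from the article): enumerate the look-alike domain
# variants the authors' vulnerability test checks, and report which of them
# the firm does not already own. Availability is modelled by a caller-supplied
# set of owned names; a real check would query a registrar, which is not done here.

QUALIFIER = "cpa"  # the generic qualifier the article uses in its examples


def lookalike_variants(parts, tld="com", qualifier=QUALIFIER):
    """Return look-alike domains built from the firm-name parts using the
    article's rules: insert a dash between parts, toggle the qualifier between
    singular and plural (sjcpa -> sjcpas), and append the qualifier when absent.

    parts: components of the registered domain label, in order, e.g.
           ["smith", "jones"] for smithjones.com or ["sj", "cpa"] for sjcpa.com.
    The original name itself is never included in the result.
    """
    parts = [p.lower() for p in parts]
    original = "".join(parts)
    plural = qualifier + "s"
    names = set()
    for joiner in ("", "-"):
        names.add(joiner.join(parts))
        last = parts[-1]
        if last in (qualifier, plural):
            # qualifier present: swap singular <-> plural
            toggled = plural if last == qualifier else qualifier
            names.add(joiner.join(parts[:-1] + [toggled]))
        else:
            # qualifier absent: append it in singular and plural form
            for q in (qualifier, plural):
                names.add(joiner.join(parts + [q]))
    names.discard(original)
    return sorted(f"{n}.{tld}" for n in names)


def unowned_variants(parts, owned, tld="com"):
    """Variants the firm has not registered. Under the article's test a
    non-empty result means the domain name is vulnerable to spoofing."""
    owned = {d.lower() for d in owned}
    return [d for d in lookalike_variants(parts, tld) if d not in owned]


def is_vulnerable(parts, owned, tld="com"):
    """True when at least one look-alike variant is outside the firm's control."""
    return bool(unowned_variants(parts, owned, tld))


if __name__ == "__main__":
    # Constructed sample: the firm owns its main name and one defensive registration.
    owned = {"sjcpa.com", "sj-cpa.com"}
    print("vulnerable:", is_vulnerable(["sj", "cpa"], owned))
    for d in unowned_variants(["sj", "cpa"], owned):
        print("register or monitor:", d)
```

For sjcpa.com the generator yields exactly the three names the authors tested (sj-cpa.com, sj-cpas.com, sjcpas.com); for smithjones.com it yields smith-jones.com plus the qualifier forms, which is the same rule set extended one step beyond the article's single example. The list is also the natural input for a periodic check of which variants have been registered by someone else.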
Exhibit 1 contains the characteristics of domain names of the 100 CPA firms used in the analysis. Fifty-four of the domain names included some variation of the firm’s name and 58 included some variation of cpa. Of the 54 domain names containing components of the firm name, 24 also included some variation of cpa. Forty of the domain names contained the firm’s initials. For example, with a firm name of Smith and Jones, the domain name would include sj, sjcpa, etc. Because 98 out of 100 of the domain names used the .com top-level domain, variations (e.g., .net) were not checked. Of the 100 CPA firms used in the analysis, 71 were found to have domain names that could have been spoofed with a variation of the real name. This vulnerability appeared most often when the domain name included some variation of cpa.
In visiting the 100 websites, the authors were also interested in how vulnerable the content was to web spoofing and how easy it would be to assume the online identity of one of the firm’s principals or employees. The three things important here were: 1) whether the homepage could be downloaded in its entirety; 2) whether the entire website could be downloaded using the import wizard in Microsoft FrontPage; and 3) whether the principals’ or employees’ names and e-mail addresses were listed. The results of the content analysis are shown in Exhibit 2.
What is particularly sobering is that 83 out of the 100 homepages and 90 out of 100 websites could be downloaded in their entirety. The reason that the 17 homepages could not be completely downloaded was that they contained either Flash components or rollover images. The 10 websites that could not be downloaded in their entirety all used either Active Server Pages or JavaScript. The 64 firms whose websites listed both names and e-mail addresses for principals and employees created the potential for someone else to assume those individuals’ online identity.
Exhibit 3 combines the domain name and content characteristics to show that 63 out of the 100 firms analyzed have both unprotected domain names and unprotected content. These firms are therefore vulnerable to online identity theft. Included among these 63 firms are 40 whose site listed both names and e-mail addresses of the principals or employees.
Protecting an Online Identity
The same electronic network that allows for the online publication of company information also exposes the company to online identity theft. Exhibit 4 lists a number of steps that can be taken to protect the company’s online identity.
A well-thought-out domain name helps current and potential clients locate a firm’s website instead of its competitors’ websites. To protect that domain name, the firm should ensure that it also owns variations of that name. In addition, the firm should consider multiple-year domain name registration contracts; if annual registration fees are not paid in a timely manner, then the domain name becomes available for someone else to purchase.
When it comes to both domain name registration and web presence providers, you get what you pay for. Some low-cost domain name registrars include a clause in their fine print that states that the domain name belongs to them, not the company paying the registration fee. The same is true for web presence providers with regard to the content that resides on their servers. In addition, one cannot assume that either the domain name registrar or the web presence provider is a U.S.-based company. If not, U.S. laws designed to thwart online identity theft may not apply.
One can build a spoofed website or modify a legitimate website with very little training. If the website is built with a more sophisticated technology such as Active Server Pages or JavaScript, then web spoofing becomes more complicated.
Even if simple HTML is used to build the website, the content can still be protected with encryption. HTML encryption software such as HTML Guardian can protect HTML code, JavaScript, Active Server Pages, style sheets, images, etc., by making it impossible to reuse them if they are downloaded.
CPA firms that publicize the e-mail addresses of their principals or employees expose these individuals to not only online personal identity theft, but also a spammer technique known as harvesting. Harvesting is a process that uses software to scan websites for any text containing the “@” symbol used in e-mail addresses and aggregate them in a database for use by spammers or resale.
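The exposure the paragraph describes can be measured on a firm’s own pages before deciding what to publish: the same “@” pattern a harvester matches is what an audit looks for. The following Python is an added example, not code from the article; the sample HTML is constructed, and the function and class names are assumptions. It reports addresses that appear as visible text separately from those placed only in mailto: links, since both are harvestable but a firm may treat them differently.

```python
# Added example (not from the article): audit a page of the firm's own site for
# e-mail addresses that a harvester scanning for "@" would collect.
import re
from html.parser import HTMLParser

# Simple address pattern: local part, "@", dotted domain with a 2+ letter TLD.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _EmailExposureParser(HTMLParser):
    """Collects addresses seen in text nodes and in mailto: hrefs."""

    def __init__(self):
        super().__init__()
        self.text_hits = []
        self.mailto_hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("mailto:"):
                # strip the scheme and any ?subject=... query
                self.mailto_hits.append(value[len("mailto:"):].split("?", 1)[0])

    def handle_data(self, data):
        self.text_hits.extend(EMAIL_RE.findall(data))


def exposed_addresses(html):
    """Return {'text': [...], 'mailto': [...]} of distinct addresses found."""
    parser = _EmailExposureParser()
    parser.feed(html)
    parser.close()
    return {
        "text": sorted(set(parser.text_hits)),
        "mailto": sorted(set(parser.mailto_hits)),
    }


def exposure_count(html):
    """Number of distinct addresses a harvester could collect from the page."""
    found = exposed_addresses(html)
    return len(set(found["text"]) | set(found["mailto"]))


# Constructed sample staff page (not a real firm); names and addresses are invented.
SAMPLE_STAFF_PAGE = """
<html><body>
<h1>Our People</h1>
<p>Jane Smith, CPA - <a href="mailto:jane.smith@examplefirm.test?subject=Hello">e-mail Jane</a></p>
<p>John Jones, CPA - john.jones@examplefirm.test</p>
<p>General inquiries: <a href="mailto:info@examplefirm.test">info@examplefirm.test</a></p>
</body></html>
"""

if __name__ == "__main__":
    report = exposed_addresses(SAMPLE_STAFF_PAGE)
    print("in visible text:", report["text"])
    print("in mailto links:", report["mailto"])
    print("distinct addresses exposed:", exposure_count(SAMPLE_STAFF_PAGE))
```

Running this over each published page gives the firm the count it needs to weigh, as the next paragraph suggests, against the benefit of making its people easy to reach; a contact form or a generic mailbox keeps the count at zero for individual staff.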
A CPA firm’s most valuable asset is its people. Therefore, a natural tendency is for a firm to advertise the expertise of its principals and employees, and to make it easy for current and potential clients to contact them via e-mail. Firms should weigh the benefits of making this information available online with the potential costs that could result if a web spoofer assumed the online identity of one or more of these individuals.
Of the 100 websites visited by the authors, 11 contained client log-in pages. If a web spoofer included a bogus client log-in page, then he or she could obtain both the user ID and password entered by an unsuspecting client. With the user ID and password, the web spoofer could access confidential client information from the legitimate website. Therefore, firms should assess whether the benefits of allowing client log-in outweigh the potential threats.
Chula G. King, PhD, CPA, and W. Timothy O’Keefe, ABD, CPA, are both professors in the department of accounting and finance at the University of West Florida, Pensacola, Fla.