Online Identity Theft and Business
By Chula G. King and W. Timothy O’Keefe
Identity theft is one of the fastest-growing crimes in the United States. It occurs when personal information such as a Social Security number or a credit card number is stolen and used to perpetrate fraud or other crimes. With this personal information, an identity thief can go on spending sprees using existing credit card accounts, open new credit card or bank accounts in the victim’s name, establish telephone or wireless service in the victim’s name, and even give the victim’s name to police during an arrest.
Identity thieves also target businesses, stealing bank account and credit card numbers, employee and client information, and supplier account numbers. In today’s electronic environment, one of the easiest ways for an identity thief to operate is to masquerade as a business by stealing its online identity. This is done through a technique known as web spoofing. With web spoofing, a company’s website is reproduced under a similar domain name that is controlled by the identity thief.
Web spoofing can occur because a thief can manipulate the three basic components needed to publish a website. One of the components is the domain name, which is a unique Internet identity (e.g., www.amazon.com or www.cnn.com). Domain names can be purchased from a number of online sources for as little as $4.95 and can contain any combination of letters, dashes, and numbers. If a particular domain name is already in use, a close variation can likely be found by including a dash, making a singular word plural, making a plural word singular, or adding some type of qualifier such as “cpa.” The second ingredient needed to publish a website is the actual content. It includes text in hypertext markup language (HTML) or other acceptable language, as well as scripts, images, forms, links, and streaming media.
The third component is web hosting. The content of a website needs to reside on a server that has a direct connection to the Internet and is configured to be accessible on the World Wide Web. Web hosting can be done in-house or through companies known as web presence providers. Oftentimes, the web hosting includes customized e-mail addresses with the form firstname.lastname@example.org.
The easiest way for a web spoofer to mimic a real domain name is to use one that is deceptively similar to the real domain name. For example, a user looking for President Bush’s latest State of the Union Address might try whitehouse.com. However, this site actually contains sexually oriented adult material; whitehouse.gov is the authentic site.
Unless steps are taken to protect the content, parts or all of a website can be easily downloaded with a few clicks. To download a logo or other image, one merely right-clicks on the image and chooses “save image as.” To download an entire page and all of the underlying code, one merely chooses “file” and then “save as.” An entire website can be downloaded by using the import web wizard in Microsoft FrontPage.
Once the content is downloaded, the web spoofer can package it in any way desired. For example, the web spoofer could start with the exact homepage that appears in the legitimate website, and add bogus content behind that homepage. When the unsuspecting visitor clicks on a link, she could be taken to a page that contains misinformation about the real company, a page that asks for confidential log-in information, a page with pornographic content, or any number of other pages designed with a malicious intent.
With the domain name and content in hand, the web spoofer’s final task is securing a web hosting service. If the web hosting includes customizable e-mail addresses, the web spoofer can assume not only the company’s online identity, but also the online identity of the company’s principals and employees.
Online Identity-Theft Vulnerabilities
If a deceptively similar domain name can be purchased, and if part or all of the content of a legitimate website can be downloaded, then the website is vulnerable to online identity theft.
To assess the potential vulnerability of CPA firms to online identity theft, the authors randomly selected 100 CPA firms listed on CPAFirms.com, which claims to be the most complete directory of CPA firms available on the Internet.
During the week of August 25, 2003, the authors visited the websites of each of the 100 firms chosen, to determine domain name characteristics. In general, the first part of the domain name tended to include some variation of the firm name or initials, and some variation of cpa.
The authors then used NetworkSolutions, a domain name registration company, to determine if a domain name similar to the legitimate one could be purchased. If the domain name included the firm’s name, variations on that name were checked for availability. For example, if the domain name was smithjones.com, could smith-jones.com be purchased? Other variations were checked. For example, if the domain name was sjcpa.com, could sjcpas.com, sj-cpa.com, or sj-cpas.com be purchased? When one of these basic variations was available for purchase, the domain name was deemed vulnerable.
Exhibit 1 contains the characteristics of domain names of the 100 CPA firms used in the analysis. Fifty-four of the domain names included some variation of the firm’s name and 58 included some variation of cpa. Of the 54 domain names containing components of the firm name, 24 also included some variation of cpa. Forty of the domain names contained the firm’s initials. For example, with a firm name of Smith and Jones, the domain name would include sj, sjcpa, etc. Because 98 out of 100 of the domain names used the .com top-level domain, variations (e.g., .net) were not checked. Of the 100 CPA firms used in the analysis, 71 were found to have domain names that could have been spoofed with a variation of the real name. This vulnerability appeared most often when the domain name included some variation of cpa.
In visiting the 100 websites, the authors were also interested in how vulnerable the content was to web spoofing and how easy it would be to assume the online identity of one of the firm’s principals or employees. Three things were of interest: 1) whether the homepage could be downloaded in its entirety; 2) whether the entire website could be downloaded using the import wizard in Microsoft FrontPage; and 3) whether the principals’ or employees’ names and e-mail addresses were listed. The results of the content analysis are shown in Exhibit 2.
What is particularly sobering is that 83 out of the 100 homepages and 90 out of 100 websites could be downloaded in their entirety. The reason that the 17 homepages could not be completely downloaded was that they contained either Flash components or rollover images. The 10 websites that could not be downloaded in their entirety all used either Active Server Pages or JavaScript. The 64 firms whose websites listed both names and e-mail addresses for principals and employees created the potential for someone else to assume those individuals’ online identity.
Exhibit 3 combines the domain name and content characteristics to show that 63 out of the 100 firms analyzed have both unprotected domain names and unprotected content. These firms are therefore vulnerable to online identity theft. Included among these 63 firms are 40 whose site listed both names and e-mail addresses of the principals or employees.
Protecting an Online Identity
The same electronic network that allows for the online publication of company information also exposes the company to online identity theft. Exhibit 4 lists a number of steps that can be taken to protect the company’s online identity.
A well-thought-out domain name helps current and potential clients locate a firm’s website instead of its competitors’ websites. To protect that domain name, the firm should ensure that it also owns variations of that name. In addition, the firm should consider multiple-year domain name registration contracts; if annual registration fees are not paid in a timely manner, then the domain name becomes available for someone else to purchase.
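An added example, not part of the original article: a firm can enumerate the variations of its own domain name that the authors checked (a dash, singular/plural, an added "cpa" qualifier) and sort them into names it holds, names someone else already has live, and names to look up with a registrar. The function names, the caller-supplied split of the name into parts, and the DNS lookup used as a rough stand-in for a registrar availability search are assumptions of this sketch.

```python
import itertools
import socket

QUALIFIERS = ("cpa", "cpas")  # the qualifier the article names; extend as needed

def toggle_plural(token):
    """Naive singular/plural swap: strip or add a trailing 's'."""
    return token[:-1] if token.endswith("s") else token + "s"

def lookalikes(tokens, tld="com"):
    """Lookalike domains for a name given as its parts, e.g. ["sj", "cpa"].
    Applies the variations the article checked; the original is excluded."""
    original = "".join(tokens) + "." + tld
    stems = [list(tokens)]
    if tokens[-1] not in QUALIFIERS:  # no qualifier yet: try adding one
        stems += [list(tokens) + [q] for q in QUALIFIERS]
    found = set()
    for stem in stems:
        for last in (stem[-1], toggle_plural(stem[-1])):
            parts = stem[:-1] + [last]
            # every choice of "" or "-" between adjacent parts
            for seps in itertools.product(("", "-"), repeat=len(parts) - 1):
                label = parts[0] + "".join(s + p for s, p in zip(seps, parts[1:]))
                found.add(label + "." + tld)
    found.discard(original)
    return sorted(found)

def resolves(domain):
    """True if the name has an address record (needs network access).
    A registered name may still not resolve, so this is only a first pass."""
    try:
        socket.gethostbyname(domain)
        return True
    except OSError:
        return False

def triage(candidates, owned, lookup=resolves):
    """Group lookalikes: held by the firm, live under someone else's
    control, or not resolving and worth checking with a registrar."""
    report = {"owned": [], "live_not_ours": [], "check_registrar": []}
    for d in candidates:
        key = "owned" if d in owned else "live_not_ours" if lookup(d) else "check_registrar"
        report[key].append(d)
    return report

if __name__ == "__main__":
    # Constructed scenario: the firm at sjcpa.com already holds sjcpas.com,
    # and a constructed set stands in for live DNS so this runs offline.
    fake_dns = {"sj-cpas.com"}
    print(triage(lookalikes(["sj", "cpa"]), {"sjcpas.com"}, fake_dns.__contains__))
```

For `["sj", "cpa"]` the generator returns exactly the three variations the article uses as its example; pass `lookup=resolves` (the default) to query real DNS.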
When it comes to both domain name registration and web presence providers, you get what you pay for. Some low-cost domain name registrars include a clause in their fine print that states that the domain name belongs to them, not the company paying the registration fee. The same is true for web presence providers with regard to the content that resides on their servers. In addition, one cannot assume that either the domain name registrar or the web presence provider is a U.S.-based company. If not, U.S. laws designed to thwart online identity theft may not apply.
One can build a spoofed website or modify a legitimate website with very little training. If the website is built with a more sophisticated technology such as Active Server Pages or JavaScript, then web spoofing becomes more complicated.
Even if simple HTML is used to build the website, the content can still be protected with encryption. HTML encryption software such as HTML Guardian can protect HTML code, JavaScript, Active Server Pages, style sheets, images, etc., by making it impossible to reuse them if they are downloaded.
CPA firms that publicize the e-mail addresses of their principals or employees expose these individuals to not only online personal identity theft, but also a spammer technique known as harvesting. Harvesting is a process that uses software to scan websites for any text containing the “@” symbol used in e-mail addresses and aggregate them in a database for use by spammers or resale.
A CPA firm’s most valuable asset is its people. Therefore, a natural tendency is for a firm to advertise the expertise of its principals and employees, and to make it easy for current and potential clients to contact them via e-mail. Firms should weigh the benefits of making this information available online with the potential costs that could result if a web spoofer assumed the online identity of one or more of these individuals.
Of the 100 websites visited by the authors, 11 contained client log-in pages. If a web spoofer included a bogus client log-in page, then he or she could obtain both the user ID and password entered by an unsuspecting client. With the user ID and password, the web spoofer could access confidential client information from the legitimate website. Therefore, firms should assess whether the benefits of allowing client log-in outweigh the potential threats.
Chula G. King, PhD, CPA, and W. Timothy O’Keefe, ABD, CPA, are both professors in the department of accounting and finance at the University of West Florida, Pensacola, Fla.