Federal Trade Commission's Online ID Theft Complaint Form is Vulnerable to Keylogger Attacks

    Authentium a developer of security software-as-a-service (SAAS) technologies and systems issued a warning that personal information submitted via the Federal Trade Commission's online ID Theft Complaint Form could be vulnerable to keylogger attacks

    The ID Theft Complaint Form, available at http://www.ftc.gov, was developed to provide the FTC with information on attacks, and requests complainants disclose their name, address, date of birth, social security number, driver's license state, and a host of other personal data. Users are also encouraged by the FTC to enter bank account information, if they feel that account may have been compromised.

    John Sharp, CEO of Authentium, stated: "This form is a keylogger's paradise. According to the FTC's own identity theft research, during 2006, fully 60% of consumer identity-related crime was perpetrated online via email or the web. Yet the FTC suggests that these victims should use those same potentially-compromised browsers and computers to fill out a form detailing all the potential information that was stolen. This is a broken process - asking consumers to do this on a compromised computer simply presents criminals with a chance to double-check their stolen information."    

    The tests were done on using the two most well-known web browsers and a commercially-available keylogger fit to mimic the advanced technologies developed and used by online criminals, showed that 100% of the information requested by the FTC as part of the complaint submission process, including sensitive information such as social security numbers and data of birth information, could be intercepted, either as text or in the form of screen shots, potentially subjecting consumers to a "second attack" on their personal data.

    The data submitted via the FTC's ID theft complaint form is distributed via the Consumer Sentinel database to almost two thousand law enforcement agencies across the United States, and in some cases, to law enforcement partner agencies overseas. Secure Socket Layer encryption, designed to protect session information during a web browser session, does not protect web form data from being copied by a keylogger installed on a consumer's PC.

    Corey O'Donnell, Authentium's VP Marketing, added: "With tens of millions of banking, tax filing, bill pay and stock trading customers already online, collection of personal data via a web form is obviously here to stay. "However, what our tests show is that collecting personal information via online web forms presents real problems, especially when these problems are compounded by using a compromised device to report the crime. We believe the FTC should be pressing web site designers to adopt "best practices" by leading the way with respect to security data gathered by web forms. The current method of data capture compounds the issue of consumer identity theft by giving criminals a "second chance" to steal valuable information"

Ten Ways to Avoid Identity Theft Online, posted by Authentium:

1.   Block or filter email from people you don't know.
2.   If an emailed offer sounds too good to be true, delete it.
3.   Don't open email attachments from people you don't know.
4.   Don't download video, audio, or other file types from people you don't know.
5.   Don't click on web site banners, pop-ups, or advertisements - ever.
6.   Keep your antivirus, antispyware and antiphishing software up to date.
7.   Run free virus and spyware scans from different vendors on your PC periodically.
8.   Never use an online form to report ID theft -especially if you suspect it may have been perpetrated via email or as a result of spyware.
9.   Report the crime using a less-distributable method, such as a fax - then shred the document or store it in a locked, secure place after it has been submitted.
10.   Use personal information protection software, such as Authentium VirtualATM