Authentium: FTC Complaint Form a "Keylogger's Paradise"

Authentium tests show FTC ID Theft Complaint Form is vulnerable to keylogger attacks; form requests "too much personal information", including social security number, date of birth, bank account details; filling out form could leave consumers vulnerable to "second attack".

Authentium, the leading developer of security software-as-a-service technologies, issued a warning today that personal information submitted via the Federal Trade Commission's online ID Theft Complaint Form could be vulnerable to keylogger attacks.

The ID Theft Complaint Form, accessible at http://www.ftc.gov, was created to provide the FTC with information on attacks, and requests complainants disclose their name, address, date of birth, social security number, driver's license state, and a host of other personal data. Consumers are also encouraged by the FTC to enter bank account information, if they feel that account may have been compromised.

"This form is a keylogger's paradise," says John Sharp, CEO of Authentium. "According to the FTC's own identity theft research, during 2006, fully 60% of consumer identity-related crime was perpetrated online via email or the web. Yet the FTC suggests that these victims should use those same potentially-compromised browsers and computers to fill out a form detailing all the potential information that was stolen. This is a broken process - asking consumers to do this on a compromised computer simply presents criminals with a chance to double-check their stolen information."    

Authentium said that its tests, conducted using the two most popular web browsers and a commercially-available keylogger designed to mimic the advanced technologies developed and used by online criminals, showed that 100% of the information requested by the FTC as part of the complaint submission process, including sensitive information such as social security numbers and date of birth information, could be intercepted, either as text or in the form of screen shots, potentially subjecting consumers to a "second attack" on their personal data.

The information submitted via the FTC's ID theft complaint form is distributed via the Consumer Sentinel database to almost two thousand law enforcement agencies across the United States, and in some cases, to law enforcement partner agencies overseas. Secure Sockets Layer encryption, designed to protect session information during a web browser session, does not protect web form data from being copied by a keylogger installed on a consumer's PC.

"With tens of millions of banking, tax filing, bill pay and stock trading customers already online, collection of personal data via a web form is obviously here to stay," said Corey O'Donnell, Authentium's VP Marketing. "However, what our tests show is that collecting personal information via online web forms presents real problems, especially when these problems are compounded by using a compromised device to report the crime. We believe the FTC should be pressing web site designers to adopt "best practices" by leading the way with respect to security data gathered by web forms."

"The current method of data capture compounds the issue of consumer identity theft by giving criminals a "second chance" to steal valuable information," added O'Donnell. "But what people may not realize is that filing a report on the basis of a suspected crime may actually create the conditions that lead to the crime occurring - for real.

"The possibility that the act of creating an identity theft report of a suspected crime might lead to a case of real identity theft creates a "no win" conundrum for consumers, and puts them in an extremely difficult position. Clearly, this issue warrants urgent attention."

Authentium's Top Ten Ways to Avoid Identity Theft Online:

1.    Block or filter email from people you don't know.
2.    If an emailed offer sounds too good to be true, delete it.
3.    Don't open email attachments from people you don't know.
4.    Don't download video, audio, or other file types from people you don't know.
5.    Don't click on web site banners, pop-ups, or advertisements - ever.
6.    Keep your antivirus, antispyware and antiphishing software up to date.
7.    Run free virus and spyware scans from different vendors on your PC periodically.
8.    Never use an online form to report ID theft - especially if you suspect it may have been perpetrated via email or as a result of spyware.
9.    Report the crime using a less-distributable method, such as a fax - then shred the document or store it in a locked, secure place after it has been submitted.
10.    Use personal information protection software, such as Authentium VirtualATM.

About Authentium
Based in West Palm Beach, Florida, Authentium develops application defense, data interception and data protection technologies for inclusion in its flagship Extensible Security Platform (ESP) solutions. Authentium's patent-pending VirtualATM personal information protection technology enables network operators to secure consumer data, including banking, financial and personal data, from browser to database. For more information about Authentium, please visit http://www.authentium.com.

###

Contact Author

Corey O'Donnell