Digital risk trends 2008: hacking. Cyberwarfare. Identity theft. Ten years ago these risks were barely on the radar of most organizations. Today they are ubiquitous. With new threats appearing every day, Risk Management takes a look at some of the most frightening digital risks that have made headlines this past year

Risk Management, Oct, 2008

--Bill Coffin

Stolen Identity

History's largest and most complex identity theft case shines a light on data vulnerability.

In August, after, a three-year investigation that tied together a host of seemingly unrelated, high-profile hacking incidents, federal authorities announced the arrest and indictment of what is believed to be the largest identity theft ring in U.S. history. The group, which consisted of 11 hackers from the United States, China, Ukraine, Estonia and Belarus, was charged with hacking into the wireless computer networks of several major companies and stealing and selling more than 40 million credit and debit card numbers.

The alleged thieves used a simple but effective technique called "wardriving," in which hackers cruised arbitrary streets with a laptop searching for accessible wireless internet signals and vulnerable networks. Once found they installed "snifter programs" to capture card numbers as retailers processed them.

At least nine retailers, including BJ's Wholesale Club, OfficeMax, Barnes and Noble, Sports Authority, Boston Market, Dave & Buster's restaurants, DSW shoe stores, Forever 21 and TJX Companies. which operates the discount stores Marshalls. T.J. Maxx and A.J. Wright, were thought to be victims of the ring, but the full scope of the damage remains unknown.

The hackers were charged with conspiracy, fraud, and identity theft and the alleged ringleader. Albert Gonzalez. who had been an informant of the U.S. Secret Service, faces life in prison after he double-crossed the agency and informed his co-conspirators of impending probes.

This incident sheds light on a much larger trend. More than 27 million Americans were victims of identity theft of some kind between 2003 and 2007, according to the Federal Trade Commission. And by August 22 of this year, the Identity Theft Resource Center had already reported more data breaches than all of last year--numbers that still likely underestimate the problem.

Considering that scam artists do not need sophisticated methods to be able to mine corporate networks for card numbers and ID information, more complex scams are all the more effective. So in addition to using firewalls and security software, corporate managers and individuals are also turning to identity theft protection companies. But even they can be vulnerable.

For instance, one particular company, LifeLock, was in the news this May. CEO Todd Davis had been publishing his social security number in advertisements for the company in order to emphasize how effective his company was at protecting his identity. Nevertheless. Davis' identity was "stolen" multiple times during the campaign.

--Pearl Gabel

Free Ride

"White hat" hackers expose security flaws in Boston's mass transit system.

Three ambitious young hackers recently found a way to ride for free on the Boston mass transit System and in the process exposed a major security flaw in the smartchip technology used in the system's recently revamped fare card. Fortunately for the city, the three MIT students opted not to use their discovery maliciously, but did cause the system's governing agency, the Massachusetts Bay Transportation Authority (MTBA), to panic when it found out that they planned to detail the vulnerabilities to other like-minded digital gurus in a presentation during the DefCon hackers convention on August 10 in Las Vegas.