Monday, December 31, 2007

Data Security Breaches Reach a Record in 2007

ASSOCIATED PRESS
December 31, 2007

The loss or theft of personal data such as credit-card and Social Security numbers soared to unprecedented levels in 2007, and the trend isn't expected to reverse anytime soon, as hackers stay a step ahead of security and laptops disappear with sensitive information.

And while companies, government agencies, schools and other institutions are spending more to protect ever-increasing volumes of data with more sophisticated firewalls and encryption, the investment is often too little, too late.

"More of them are experiencing data breaches, and they're responding to them in a reactive way, rather than proactively looking at the company's security and seeing where the holes might be," said Linda Foley, who founded the San Diego-based Identity Theft Resource Center after becoming an identity-theft victim herself.

A growing number of states require businesses and institutions to publicly disclose data losses. Thirty-seven states and Washington, D.C., now have such requirements.

Ms. Foley's group lists more than 79 million records that were reported compromised in the U.S. alone through Dec. 18 -- almost four times the nearly 20 million records reported in all of 2006.

Another group, Attrition.org, estimates that more than 162 million records were compromised through Dec. 21 -- both in the U.S. and overseas. Attrition reported 49 million last year.

"It's just the nature of business, that moving forward, more companies are going to have more records, so there will be more records compromised each year," said Attrition's Brian Martin. "I imagine the total records compromised will steadily climb."

The biggest difference between the two groups' record-loss counts relates to the breach at TJX Cos. Attrition.org estimates that 94 million records were exposed in the theft of credit-card data at TJX, the owner of discount stores including T.J. Maxx and Marshalls.

The Identity Theft Resource Center counts about 46 million -- the number of records that TJX acknowledged in March were potentially compromised. Attrition's figure is based on estimates from Visa and MasterCard officials who were deposed in a lawsuit that banks filed against TJX.

On each list, though, the TJX breach represents more than half the total records reported lost this year.

The breach is believed to have started when hackers intercepted wireless transfers of customer information at two Marshalls stores in Miami -- an entry point that led the hackers to eventually break into TJX's central databases.

TJX has said that before the breach, which was revealed in January, it invested "millions of dollars on computer security, and believes our security was comparable to many major retailers."

With wireless data transmission more common, hackers increasingly are expected to target what many experts see as a major vulnerability. Eavesdroppers appear to be learning how to bypass security safeguards faster than ever, said Jay Tumas, the head of Harvard University's network operations, at a recent conference for information-security professionals.

"Within a year or two, these folks are catching up," Mr. Tumas said.

The two nonprofit groups' 2007 data also show rising numbers of incidents in which employees lose sensitive data, as opposed to cases of hacking.

In addition to the theft at TJX, major 2007 breaches include lost data disks with bank account numbers in Britain, a hacker attack of a U.S.-based online broker's database and a con that spilled résumé contact information from a U.S. online jobs site.

"A lot of breaches are due to inadequate information handling, such as laptop computers with Social Security numbers on them that are lost," Ms. Foley said. "This is human error, and something that's completely avoidable, as opposed to a hacker breaking into your computer system."

Attrition.org and the Identity Theft Resource Center have been keeping track of data breaches for only a handful of years, with varied and still-evolving methods of learning about breaches and estimating how many people were affected.

Despite those challenges, the two nonprofits say it is clear 2007 will end up a record year for the amount of information compromised, because of greater data loss and increased reporting of breaches.

The two groups acknowledge that many breaches may be missing from their lists, because they largely count incidents reported in news outlets that they consider credible. Media coverage has risen in part because of the growing amount of legislation.

Wednesday, December 12, 2007

Lessons Learned

A hacking spree demonstrates how not to become a victim

By BEN WORTHEN
December 11, 2007; Page R4

Michael and Ruth Haephrati were successful hackers, stealing company secrets from dozens of businesses in Israel before they were finally arrested in London in May 2005 and later pleaded guilty to industrial espionage.

Their story serves as a window into the targeted, sophisticated attacks that are becoming more prevalent and the defenses that companies can put in place.

The following reconstruction of the Haephratis' hacking spree is based on court documents. David Cole, director of security response at Symantec Corp., a computer-security company based in Cupertino, Calif., offers tips on how to protect your company from hackers like these, from preventing an attack to recognizing a breach of security to limiting the damage.

The Pitch

Mr. Haephrati, an Israeli citizen living in London, wrote a Trojan horse, a type of software that sends information from the computer system it infects back to the hacker who placed it there. The Haephratis and several private investigators they worked with embedded the software in emails or on computer discs sent to companies they were hired to spy on. Messages in the emails and accompanying the discs invited the recipients to open what appeared to be a business proposal from a company the victims would trust. Mr. Haephrati or his associates would follow up with phone calls to make sure the victims opened the proposals; when they did, the Trojan horse was loaded onto their system.

An attack like this is designed to defeat the conventional advice that many companies give employees: Don't open attachments or click on links sent by strangers or reply to requests for sensitive information. But companies can help protect themselves against more-sophisticated pitches like this, Mr. Cole says, by training employees to recognize the signs that malicious software has been planted on a computer. The company can then use its security software to conduct a scan of its system so that it can find the invasive program and remove it.

For instance, Mr. Cole says, employees should watch for unusual behavior by their computers when they open an attachment, like error messages, applications crashing or windows quickly appearing and then disappearing -- anything that doesn't normally happen when an attachment is opened. A slowing of the system is another warning sign.

Finding the Bug

Once the Haephratis' Trojan was installed, it scoured the computer for sensitive information like passwords, emails and files. It wasn't detected by the victims' security software, because those programs could only recognize known threats.

Today, more-sophisticated security software is available. It doesn't just spot previously known Trojans and viruses. It's able to detect programs that are similar in some way to past attacks -- perhaps bits of their code are the same, for instance. Businesses can help protect their systems by making sure their security software is up-to-date, says Mr. Cole.

The leading makers of security software include Symantec, McAfee Inc. and Trend Micro Inc. Businesses can buy the latest basic antivirus software with support from Symantec for just over $33,000 for 1,000 people. Prices go up from there.

Blocking the Flow

In addition to finding files, Mr. Haephrati's Trojan took screenshots of the victims' computers at regular intervals. All of this information was sent back to nine servers, the back-office computers that store and process data, operated by the Haephratis and their cohorts.

Even if a business's security software has failed to detect a break-in, a so-called intrusion-prevention system can limit the harm. This type of system, which consists of both hardware and software, can detect unusual traffic on a computer system, in this case files being shipped to an unfamiliar server.

It can also prevent infections from entering the system. For example, it can stop a Web site from delivering code that looks different from normal Web traffic to a company computer. One way a hacker can plant malicious software is by directing victims to a Web site that transmits the software to their computers.

Cisco Systems Inc., Juniper Networks Inc. and International Business Machines Corp. all sell intrusion-prevention systems. Depending on the size of the business buying the system, it can cost in the millions and take a year or two to fully deploy.
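To make the "files being shipped to an unfamiliar server" idea concrete, here is an added Python example; it is not code from the article or from any of the vendors named above. It keeps an allow-list of destinations the business normally exchanges data with, flags large outbound transfers to anything else, and, because the Trojan described above sent screenshots back at regular intervals, also flags connections that recur on a fixed schedule. The allow-list, the flow records and the thresholds are all constructed for the illustration.

```python
"""Egress anomaly check, added as an illustration of the intrusion-prevention idea in
the article: flag outbound transfers to servers the organisation has never talked to,
and transfers that recur on a fixed schedule.  Not any vendor's product; the flow
records and the allow-list below are constructed."""
from collections import defaultdict
import statistics

# Destinations the business is known to exchange data with (constructed allow-list).
KNOWN_DESTINATIONS = {"203.0.113.10", "203.0.113.25", "198.51.100.7"}

# Constructed outbound flow records: (timestamp_seconds, src_host, dst_ip, bytes_out).
# Host ws-17 uploads to an unlisted server every 300 seconds (periodic exfiltration);
# ws-04 only talks to known servers.
FLOWS = [
    (0,   "ws-04", "203.0.113.10",  1200),
    (40,  "ws-17", "192.0.2.44",   85000),
    (90,  "ws-04", "198.51.100.7",  3100),
    (340, "ws-17", "192.0.2.44",   91000),
    (400, "ws-04", "203.0.113.25",   800),
    (640, "ws-17", "192.0.2.44",   88000),
    (700, "ws-04", "203.0.113.10",  2200),
    (940, "ws-17", "192.0.2.44",   90000),
]

def unfamiliar_transfers(flows, known, min_bytes=50_000):
    """Flows to a destination outside the allow-list that carry at least min_bytes out."""
    return [f for f in flows if f[2] not in known and f[3] >= min_bytes]

def periodic_pairs(flows, min_events=3, max_jitter=0.1):
    """(src, dst) pairs whose connections recur at a near-constant interval.
    Jitter is the standard deviation of the inter-arrival gaps relative to their mean."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = float(statistics.mean(gaps))
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if jitter <= max_jitter:
            hits[pair] = round(mean_gap, 1)
    return hits

def egress_alerts(flows, known):
    """Combine both checks into one alert string per offending (src, dst) pair."""
    volume = defaultdict(int)
    for _ts, src, dst, nbytes in unfamiliar_transfers(flows, known):
        volume[(src, dst)] += nbytes
    periodic = periodic_pairs(flows)
    alerts = []
    for (src, dst), total in sorted(volume.items()):
        msg = f"{src} -> {dst}: {total} bytes to an unfamiliar server"
        if (src, dst) in periodic:
            msg += f", repeating every ~{periodic[(src, dst)]}s"
        alerts.append(msg)
    return alerts

if __name__ == "__main__":
    for alert in egress_alerts(FLOWS, KNOWN_DESTINATIONS):
        print("ALERT:", alert)
```

Two design points: the check reads only connection metadata (who talks to whom, how much, how often), which is what a network-level system sees even when the payload is encrypted, and in a real deployment the allow-list would be learned from weeks of flow records rather than typed in by hand.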

Beyond the Firewall

As a new breed of professional hacker emerges, companies are finding new tools to protect their networks

By BEN WORTHEN
December 11, 2007; WSJ

Breaches of corporate computer security have reached epidemic proportions. So far this year, more than 270 organizations have lost sensitive information like customer credit-card or employee Social Security numbers -- and those are just the ones that have disclosed such incidents publicly.

While lost laptops and misplaced or misdirected files are partly to blame, many breaches have a more sinister culprit: the professional hacker.

There's a thriving black market for the kind of information companies keep about their customers and employees. Hackers can sell a credit-card number for up to $5 or a Social Security number for up to $7, and a bank-account number can be worth as much as $400, according to Symantec Corp., a provider of computer-security software based in Cupertino, Calif. This has led to an increase in the number of hackers and to more-sophisticated attacks.

The new breed of hacker has a bag full of tricks to get around the technology that companies historically have relied on to keep them safe, so-called firewalls that act like a fence around the company network. Security today requires a new generation of tools designed to keep a company's data safe even if a hacker has gained access to the network.

Unfortunately, there's no silver bullet. "No one technology can address all your security needs," says Andy Spiers, information-security officer for National Life Group, a financial-services company based in Montpelier, Vt. Security now requires companies to think like a hacker, and find a way to counter each kind of attack. While there's no way to make a company 100% secure, "you can make it difficult enough for hackers to say 'It is not worth my time,' " says Mr. Spiers.

Here's a look at some of the challenges companies are facing and how they're responding.

Email Scams

Most people know not to respond to an email asking for their ATM password or to open attached pictures of Angelina Jolie; many of these scams get caught by email filters before they reach their targets anyway. But hackers have responded to improved filtering software and a savvier population by aiming their attacks at specific individuals, using publicly available information to craft a message designed to dupe a particular person or group of people.

Fred Danback, chief information officer and managing principal at New York-based Integro Insurance Brokers, nearly fell for one of these targeted attacks recently when he was trying to sell tickets to the Broadway show "Wicked" on eBay from his home computer. Someone sent him an email asking if his tickets were the same ones the emailer had seen listed elsewhere on the site. The emailer provided a link, and Mr. Danback clicked on it.

The Web page asked him for his eBay username and password, which Mr. Danback entered before he noticed the site was a fake -- it didn't have the little lock icon in the corner that indicates a legitimate site. He didn't hit the "Enter" key, so the scam was foiled.

Mr. Danback presumes that the hacker who sent the email was planning to use the requested information to steal his credit-card number and other information from his eBay profile. But the link just as easily could have been used to install malware -- computer code that a hacker plants on someone's machine to do things like steal passwords, release a virus or give the hacker control of the computer. And such emails are being sent to people at work, not just on their home computers.

Even though Integro trains employees to spot emails that might be from hackers, Mr. Danback knows how easy it would be for one of these scams to work. That's why he uses antivirus and antimalware software from four different providers to protect his company: Software from Sophos PLC of Abingdon, England, and from Sybari Software Inc., a unit of Redmond, Wash.-based Microsoft Corp., monitors email traffic, while software from Symantec protects the company's workstations from attack and software from McAfee Inc., Santa Clara, Calif., does the same for the company's servers, the back-office computers at the heart of the system. This way, if a virus or some other code written by a hacker gets by one company's product, it will get caught by another, says Mr. Danback.

Key Loggers

One common form of malware is a key logger, which captures the usernames and passwords that an unsuspecting computer user types, and then sends these to a hacker. The hacker then uses these credentials to log into and pilfer a company's database.

Doug True, senior vice president in charge of technology at Forum Credit Union, Fishers, Ind., installed software from BioPassword Inc., of Issaquah, Wash., on the credit union's network in order to prevent a hacker from using a key logger to steal his company's information. The BioPassword software records each employee's typing rhythm and uses that as an extra means of authentication. So even if someone logs into a system with the right username and password, if he types them too fast or too slow the system will deny access.

Forum is also using BioPassword's software on its online banking site, which 60,000 of its customers use. Forum doesn't have any control over what its customers do or don't do with their computers. But Mr. True knows that if someone's account is broken into over the Internet -- no matter whose fault it is -- that customer could blame the credit union. With the BioPassword protection in place, even if someone's online banking information falls into the wrong hands, the bad guys probably won't be able to access the account, because they're unlikely to be able to mimic the typing rhythm of the person they stole the information from.
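Here is an added Python sketch of the typing-rhythm check the article describes. It is not BioPassword's code; the user name, the enrollment timings, the attempts and the threshold are all constructed. Each enrollment sample is the list of gaps between successive keystrokes while the user typed the password; the profile is the per-position mean and spread, and a login attempt is scored by how many standard deviations it sits from that profile, so an attempt typed much faster or much slower than usual is denied even with the right password.

```python
"""Toy keystroke-rhythm second factor, added as an illustration of the approach the
article attributes to BioPassword.  Not BioPassword's algorithm; the timing values
below are constructed."""
import statistics

# Each enrollment sample is a list of inter-key intervals (seconds) measured while the
# user typed their password.  Constructed data for a hypothetical user 'alice'.
ENROLLMENT = {
    "alice": [
        [0.18, 0.22, 0.31, 0.15, 0.27, 0.20],
        [0.20, 0.21, 0.29, 0.16, 0.25, 0.22],
        [0.17, 0.24, 0.33, 0.14, 0.28, 0.19],
        [0.19, 0.20, 0.30, 0.17, 0.26, 0.21],
        [0.21, 0.23, 0.32, 0.15, 0.27, 0.20],
    ]
}

def build_profile(samples):
    """Per-position mean and standard deviation of the inter-key intervals."""
    n = len(samples[0])
    if any(len(s) != n for s in samples):
        raise ValueError("all enrollment samples must have the same length")
    columns = list(zip(*samples))
    means = [statistics.mean(c) for c in columns]
    # Floor the deviation so a perfectly consistent typist does not get a zero
    # tolerance (and so the division in rhythm_score is always defined).
    stdevs = [max(statistics.stdev(c), 0.01) for c in columns]
    return {"means": means, "stdevs": stdevs}

def rhythm_score(profile, attempt):
    """Mean absolute z-score of an attempt against the profile; 0 means identical rhythm."""
    if len(attempt) != len(profile["means"]):
        raise ValueError("attempt length does not match profile")
    zs = [abs(a - m) / s for a, m, s in zip(attempt, profile["means"], profile["stdevs"])]
    return sum(zs) / len(zs)

def authenticate(user, password_ok, attempt, profiles, threshold=3.0):
    """Second factor: the password must be right AND the typing rhythm within tolerance.
    Returns (allowed, reason)."""
    if not password_ok:
        return False, "bad password"
    profile = profiles.get(user)
    if profile is None:
        return False, "no rhythm profile enrolled"
    score = rhythm_score(profile, attempt)
    if score > threshold:
        return False, f"rhythm mismatch (score {score:.2f})"
    return True, f"ok (score {score:.2f})"

PROFILES = {u: build_profile(s) for u, s in ENROLLMENT.items()}

# Constructed attempts: the genuine user, the same password typed far too fast
# (as a script replaying stolen credentials would), and one typed far too slowly.
GENUINE  = [0.19, 0.22, 0.30, 0.16, 0.26, 0.21]
TOO_FAST = [0.05, 0.06, 0.05, 0.04, 0.06, 0.05]
TOO_SLOW = [0.60, 0.55, 0.70, 0.50, 0.65, 0.58]

if __name__ == "__main__":
    for name, attempt in [("genuine", GENUINE), ("too fast", TOO_FAST), ("too slow", TOO_SLOW)]:
        print(name, authenticate("alice", True, attempt, PROFILES))
```

Production keystroke-dynamics systems use richer features (key hold times as well as the gaps between keys) and a tuned classifier rather than a single z-score threshold, but the shape of the check, a profile learned at enrollment and a distance test at login, is the same. Note that the rhythm is a second factor on top of the password, not a replacement for it.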

Patrolling the Network

Lloyd Hession, the New York-based chief security officer for London-based BT Group PLC's global financial-services unit, compares a corporate network protected by a firewall to a hotel: Once someone gets through the front door, he can go anywhere he wants. One way to counter that threat is to limit people's ability to move around the network.

Mr. Hession uses hardware and software from ConSentry Networks Inc., Milpitas, Calif., that allows him to impose tight controls over where on his network each person can go. Someone who tries to access a part of the network he isn't authorized to will be turned away, even if he has a valid login. So a hacker who has stolen an employee's login won't be able to roam freely around the system.

The system also tracks where a computer is accessing the network from, and will block someone from accessing information from an unapproved location. For instance, someone from the human-resources department could access employee information from his office, but not from another location in the building -- a conference room, say, or from outside the building. So if his computer was stolen, the thief would be denied access.

The ConSentry system also helps protect BT Group against a hacker who has taken over someone's computer. Most people use the network in a predictable way, accessing the same few systems over and over again. A hacker, on the other hand, needs to discover where the most valuable information is kept, and is likely to snoop around the network trying to find it. Mr. Hession says the ConSentry system can detect when someone is behaving in a suspicious manner, similar to the way a good security guard can tell when someone is casing a building.
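As an added example (not ConSentry's code), the Python below shows the two controls described in this section in their simplest form: an authorization check that depends on the user's role and on where the request comes from, so a valid HR login is refused from a conference room, and a roaming check that flags a login touching far more systems in a period than that user normally does. Every policy entry, access record and baseline figure is constructed for the illustration.

```python
"""Added example of role-plus-location authorization and of 'roaming' detection,
in the spirit of the ConSentry deployment described in the article.  Not the
vendor's code; the policy, access log and baselines below are constructed."""
from collections import defaultdict

# Which network locations may reach which resource, per role.  Constructed policy.
POLICY = {
    ("hr",      "hr-records-db"): {"hr-office"},
    ("hr",      "email"):         {"hr-office", "conference-room", "vpn"},
    ("finance", "ledger-db"):     {"finance-office"},
    ("finance", "email"):         {"finance-office", "vpn"},
}

def authorize(role, resource, location):
    """Deny unless the policy explicitly allows this role on this resource from this location."""
    allowed = POLICY.get((role, resource))
    if allowed is None:
        return False, "no policy for that role/resource"
    if location not in allowed:
        return False, f"{resource} not reachable from {location}"
    return True, "allowed"

# Constructed access log for one period: (user, resource).  'pat' touches the usual
# two systems; 'sam' (assumed to be a stolen login) probes many systems.
ACCESS_LOG = [
    ("pat", "email"), ("pat", "hr-records-db"), ("pat", "email"), ("pat", "hr-records-db"),
    ("sam", "email"), ("sam", "ledger-db"), ("sam", "hr-records-db"), ("sam", "build-server"),
    ("sam", "file-share"), ("sam", "print-server"), ("sam", "backup-host"),
]

# Typical number of distinct systems each user touches per period (constructed baseline).
BASELINE = {"pat": 2, "sam": 2}

def roaming_users(log, baseline, factor=2.0):
    """Users whose count of distinct resources exceeds factor times their baseline."""
    distinct = defaultdict(set)
    for user, resource in log:
        distinct[user].add(resource)
    return {u: len(r) for u, r in distinct.items()
            if len(r) > factor * baseline.get(u, 1)}

if __name__ == "__main__":
    print(authorize("hr", "hr-records-db", "hr-office"))          # allowed
    print(authorize("hr", "hr-records-db", "conference-room"))    # denied: wrong location
    print(authorize("finance", "hr-records-db", "finance-office"))  # denied: no such grant
    print(roaming_users(ACCESS_LOG, BASELINE))                    # sam stands out
```

The policy is deny-by-default: a role/resource pair that is not listed is refused regardless of location, which is the "hotel" problem of this section turned around. The roaming check is deliberately crude (a count of distinct destinations against a per-user baseline); a real system would also weigh which systems were touched and in what order.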

Policing the Police

ConSentry's system also helps protect a company's computer system against dishonest employees. Other products offer similar protection in different ways. Ed Lipson, a vice president at Bank of New York Mellon Corp., worries that one of the bank's 65 database administrators -- the people hired to keep the bank's computer systems up and running -- or other employees might try to sneak information out about customers and their accounts.

Mr. Lipson uses software from New York-based Application Security Inc. that monitors who accesses each database and can tell if they make any changes to it. If there is suspicious activity -- someone trying to access information that he or she shouldn't, or repeated failed login attempts that suggest someone is fishing for the right combination of keystrokes -- the software notifies the database's designated security manager. The software also sends an alert if someone makes an unauthorized change to a system.

The Application Security software also helps find databases that the information-technology department isn't aware of, maybe something created by someone outside the IT department or by an employee who has since left the company. Such databases might not have the proper security measures in place, Mr. Lipson says, and could be easy prey for a hacker -- or someone on his staff.

"I know all these guys," Mr. Lipson says. "It would be very surprising to see one of them steal the information. But it happens."

Wednesday, December 5, 2007

ID Theft and Data Breach Costs Soar

November 29, 2007; WSJ

By Ben Worthen

Two new studies on data breaches and identity theft send a clear message: The number of these incidents is rising, and so are the costs – both to the victims and to the companies that suffer the breach.

The Federal Trade Commission, the government agency that’s nominally in charge of identity-theft issues, found that 8.3 million American adults – about 3.7% of the adult population – were victims of identity theft in 2005. (The findings are based on a survey of close to 5,000 adults taken between March and June 2006. We have no idea why the results weren’t released until now.) The most common incidents involved fraudulent use of a credit or debit card. Most of these incidents were detected quickly and resolved with little cost to the victim. However, 17% of identity-theft victims said that thieves opened new accounts with their information, and that these incidents were harder to resolve. More than 75% of these victims had trouble getting loans, had their utilities cut off, were investigated by law enforcement or suffered similar disruptions.

While the cost in dollars to individual victims may be negligible, the cost of a data breach to companies is rising. The Ponemon Institute, a privacy think tank, studied the costs incurred by 35 organizations that experienced data breaches in 2007 and found that on average, the companies spent $197 per record lost, up from $182 last year and $138 in 2005. (Registration required to read the report.) That brought the average cost per breach to $6.3 million for these companies.

Forty-nine percent of the breaches involved a lost laptop or other device; in 9% of the incidents an outsider broke into the company, and another 9% were caused by a malicious insider who willfully stole the data. This partly explains why investigating the cause of the data breaches made up only 6% of the cost incurred. Conversely, 56% of the cost came from a drop in business that could be tied to the breach. The companies studied reported a 2.7% customer churn rate as a result of their breach.

The average cost per record lost was $239 for financial services companies compared to $145 for retailers, suggesting that customers hold companies to whom they entrust their personal information to a higher standard.

Assessing Identity-Theft Costs

Scam Victims Lose Billions of Dollars; Progress Questioned

By CHRISTOPHER CONKEY
November 28, 2007; WSJ

WASHINGTON -- Identity thieves continue to victimize millions of people each year and cause billions of dollars in losses, a new government survey suggests, but it is unclear whether the problem is getting better or worse.

Some 8.3 million people, or 3.7% of the adult population, were victims of identity theft in 2005, according to a consumer survey released yesterday by the Federal Trade Commission. The typical loss was $500, but 10% of consumers said criminals obtained $6,000 or more. Overall, fraudsters caused $15.6 billion in identity theft-related losses in 2005.

The report indicates that identity theft, which ranges from standard credit-card fraud to bank-account takeovers and new accounts created fraudulently, remains a major threat in the digital age. Indeed, the FTC gets 5,400 identity theft complaints each week from consumers, far more than other scams.

But the FTC report also has significant limitations, and leaves several important questions unanswered. Among them: Are these crimes still growing or are preventive efforts reducing their impact? How much does identity fraud cost businesses each year?

Identity theft has often been referred to as the country's "fastest-growing" crime since the FTC released its first consumer survey in 2003. But there is actually a rancorous debate among security experts as to whether it is growing at all, given the heightened awareness of consumers and the extensive resources businesses are taking to prevent it.

Some studies have even suggested the incidence of identity theft has fallen in recent years, but many experts have been waiting for the FTC to weigh in on the matter with its new survey.

Aware of its impact, the FTC delayed releasing the results of its report -- which shows a slight decrease in the prevalence and cost of identity theft -- after a similar survey conducted by the same sampling firm in 2006 showed a drastic increase.

In the latest report, the FTC said a change in methodology renders comparisons with its 2003 study useless. Avivah Litan, a fraud specialist at research firm Gartner Inc. who hashed out the issue with FTC officials, calls the FTC's numbers "unreliable."

Betsy Broder, assistant director of the FTC's division of privacy and identity protection, says in the future her agency plans to gauge identity-theft trends by relying on a Department of Justice survey that samples a much larger group of households.

Beyond the question of whether the crime is growing, consumer surveys can only capture a small slice of identity-theft crimes since businesses bear most of the losses incurred. Some variants such as synthetic identity fraud, in which fraudsters mix real and fake data together to open new accounts, can be impossible for consumers to detect.

Yet lenders, merchants and many other businesses are secretive about their fraud losses, making it difficult to measure the full extent of the problem or track its evolution. Some consumer advocates are pushing banks to be more transparent. "Information could be used by policymakers, companies making investment decisions and consumers," said Ed Mierzwinski of the U.S. Public Interest Research Group, a consumer-advocacy organization. "We'd be able to rank companies on their quality of information protection," the PIRG official said.

Some lawmakers yesterday seized on the report to emphasize the need for enhanced consumer protections and data-security requirements. The Senate passed a bill beefing up law-enforcement powers earlier this month, but prospects in the House are uncertain. Broader bills are bogged down among jurisdictional spats and debate among consumer and industry lobbyists.

Identity Theft Targets Children

By JILIAN MINCER
November 21, 2007; WSJ

NEW YORK -- While only a small percentage of identity-theft victims are children, the number is growing, and the impact on the victim's credit, confidence and relationships could be devastating.

The crime can go undetected for years and is most commonly committed by a family member, according to a report released this week by the Identity Theft Resource Center, a San Diego nonprofit organization.

Fortunately, simple precautions, such as keeping your child's Social Security number secret, can prevent some of the abuse, and checking your children's credit reports at the credit bureaus can nip identity theft in the bud.

The Federal Trade Commission estimates that 5% of identity-theft cases involve minors. Other groups believe the number is closer to 10%, but no one knows for sure because the crime often goes unreported or takes decades to discover.

That is because most people don't realize that someone has been illegally using their identity or Social Security number until they apply for their first job, a driver's license, a student loan or a mortgage. They can also be denied phone service or federally provided services. Sometimes victims find out at a younger age if a bill collector tracks them down for an account that the child never opened. Some are even blamed for an act they never committed.

"Parents don't often check their children's credit history because they don't think they have one," says Rachel Kim, an associate analyst at Javelin Strategy & Research, a financial-services and payments research firm in Pleasanton, Calif.

Linda Foley, founder of the Identity Theft Resource Center, says there are two types of child identity theft: one when the child is younger than 18 years of age, and the other when they are older than 18.

"It's easy," she says, "to prove that a 5-year-old didn't sign anything in crayon." It is a little harder to rectify when the person already is an adult.

The Identity Theft Resource Center report found that more than half the child identity-theft victims surveyed first became victims between birth and age five. Most of the cases occurred when a person, often a family member, used the child's Social Security number for work and credit.

The research also found that 69% of the victims said the thief was one or both of their parents or a step-parent. Ms. Foley says that in some cases, immigrants who don't have a Social Security number use their children's identity.

Some people, she says, also use the number to create a new identity, especially if they have ruined their credit or owe money. They get away with it because credit issuers typically don't need to verify the applicant's age. Additionally, the credit-reporting agencies don't necessarily know the age of the applicant.

"In some cases, the parents don't understand that they're causing any harm," says Ms. Foley. "They say: 'We'll pay off the bills before they reach 18.' "

She adds: "But we've seen fathers and mothers use a child's Social Security number when applying for a job to avoid paying child support."

Pam Dixon, executive director of the World Privacy Forum, a San Diego research group that focuses on privacy issues, says thieves also use children's birth certificates and Social Security numbers to purchase prescriptions.

The victims must eventually contact the three credit-reporting agencies, law enforcement and credit issuers to clear their records.

Unfortunately, because the perpetrator is often a family member, law enforcement frequently doesn't want to get involved, and children often don't want to prosecute their relatives.

Tips for a Scam-Free Holiday

By JOSEPH DE AVILA
December 5, 2007; WSJ

Online shopping is an easy way to shop for sales and avoid crowds at the mall. It is also an easy way to get ripped off.

And because online shopping spikes during the holiday season, scammers enjoy a larger pool of potential victims. "They see it as an opportunity to defraud consumers," says Ron Teixeira, executive director of the National Cyber Security Alliance, a nonprofit group that educates consumers and businesses.

Online-security experts say consumers should stay alert on auction and classified-ad sites, where a lot of the fraudulent activity takes place. And phishing activity -- say, bogus email from charities that is used to fish for consumers' financial information -- tends to increase during the holiday season.

The Internet Crime Complaint Center, a partnership of the Federal Bureau of Investigation and the nonprofit National White Collar Crime Center, tracked $198.4 million in losses due to Internet fraud last year. That was up from $183.1 million in 2005. Under federal law, credit-card customers are liable for only $50 for unauthorized charges and some issuers don't even charge the $50. But the customer first has to notice the bogus charge and report it to the card issuer.

By conducting a little research and using a few basic tools, you can limit your vulnerability to scams and fake e-commerce sites. Free software can alert you when you are at a fraudulent Web site, like one used for phishing. And financial institutions offer temporary account numbers so you don't have to fork over useful financial information to online merchants.

Here are a few ways to shop safely:

• Update your security software

The first thing you need to do before you even begin shopping is protect your computer. That means getting updated versions of a firewall and antivirus and antispyware software, Mr. Teixeira says. Many computers come with such software preloaded. But if the user doesn't pay roughly $50 to $150 when the trial period is up, often after 90 days, the software expires.

Only 22% of Internet users say they have the core protection recommended by Mr. Teixeira, according to a study released in October by the security alliance and online-security company McAfee Inc. The most common reason users didn't have the protection was because they failed to keep their security software up to date, he says.

If you're online, click on the periodic update alerts that flash on your screen.

• Determine if the store is legit

Before buying from a company you've never heard of, find out as much as you can about it.

Look for the business's physical address, a telephone number and an email address in case you need to contact the company if something goes wrong, says Steve Salter, vice president of the Better Business Bureau's BBBOnLine division. If the information isn't on the vendor's site, that doesn't necessarily mean the site is fraudulent, Mr. Salter says. But resolving any problems after you've made your purchase will be more difficult.

You can also find information about a company by checking with the Better Business Bureau Web site (www.bbb.org). Plug the vendor's Web address into the bureau's database to see if any complaints have been filed.

Shoppers should also check to see if the site is certified by an online-security certification company, Mr. Salter says. Network Solutions has a certification program called SiteSafe (www.networksolutions.com), and ScanAlert runs a program called Hacker Safe (www.scanalert.com). The companies run daily checks on Web sites to hunt for vulnerabilities and confirm that transactions are secure.

Web sites vetted by programs like these typically display certification logos on their home page. When you visit a new site, click on any such logo to make sure it's real, Mr. Salter says, because it is relatively easy to duplicate these images on fraudulent sites. When you click on the logo, you should see information about the site's certification status.

While certification programs add a layer of assurance about a Web site, they don't guarantee it is hack proof.

McAfee (www.mcafee.com) offers a free add-on for your Web browser, SiteAdvisor, that rates the safety of each Web site that turns up in search results. Next to each result is a colored icon: green for safe, yellow for suspicious and red for potentially dangerous. If you click on a yellow or red icon, SiteAdvisor will provide an explanation. For example, the site may be known for downloading spyware or adware. McAfee cautions, though, that it can't guarantee it will catch every hazardous site and that SiteAdvisor users must still exercise caution.

• Avoid crazy deals

Auction and classified-ad sites, like eBay and Craigslist, are some of the riskiest places to shop online, says Susan Grant, director of the fraud center for the National Consumers League. Complaints about general merchandise, which includes classified-ad and e-commerce sites, were the No. 1 grievance the league received about Internet fraud from January to Sept. 15, accounting for 27% of the roughly 8,400 complaints. Auction sites came in at No. 3, making up 19% of the complaints.

A new scam is advertising purebred puppies for an absurdly low price or free if the buyer pays for the shipping, Ms. Grant says. The scammers keep the money sent to them and never deliver the dog. "If somebody is offering something for way cheaper than it normally costs, I would be suspicious of that," Ms. Grant says.

Sometimes, scammers will ask for payment via a wire service. "There is no reason why somebody would ask you to wire the money to them. That's how crooks want money," Ms. Grant says.

Craigslist places antifraud warnings on all of its home pages and at the top of each for-sale posting. "Craigslist users can avoid virtually 100% of fraud attempts by following one very simple rule: Deal locally with people you can meet in person," says Jim Buckmaster, chief executive for Craigslist. The site constantly works on new technical measures to deter fraud, he says.

On eBay, the advice is to comparison shop not just for prices, but for sellers as well, says Jim Griffith, dean of eBay education. If the seller has poor feedback from other buyers or little feedback at all, you should reconsider buying from that seller. Also check to see if the seller gives refunds or insures items. Mr. Griffith says only a small percentage of eBay sellers engage in fraud. And once an eBay member is kicked out of the site for fraudulent behavior, eBay's tracking measures make it "next to impossible" for that person to reregister with the site, he says.

• Try a temporary card number

There are new payment options for users wary of putting their credit-card information on the Web.

Citi, Bank of America and Discover offer temporary account numbers for their cardholders. These services will generate a random number that you can paste into a merchant's payment form. This limits the exposure of your real account number to thieves and hackers. The merchant can't tell that you're using a temporary number, and the charge appears on your credit-card statement like a normal purchase. You can request a new number every time you shop or use the temporary number for multiple purchases, though each number can be used with only one merchant.

PayPal (www.paypal.com) has a free add-on tool for your browser that works in a similar way. PayPal account holders can use this tool to make online payments at any vendor that accepts MasterCard. The tool will generate a unique MasterCard account number for the purchase.

One drawback is that you probably can't use these offerings for all purchases. For example, they typically won't work for items like concert tickets you have to pick up in person because the temporary card number will differ from the one on the card you present at the box office for verification.
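The following is an added illustration, not code from the article or from any of the card issuers it names: a toy model of how a temporary-number service can behave as described above. It generates a 16-digit, Luhn-valid number under a hypothetical issuer prefix, binds the number to the first merchant that charges it, refuses the same number at any other merchant, enforces a use count, posts approved charges to the real account so the statement looks normal, and shows why a box-office last-four check fails when the number on the order differs from the card in your wallet. The issuer prefix, merchant names and account number are constructed placeholders.

```python
"""Toy model of merchant-bound temporary card numbers.
Constructed illustration only; not any issuer's real implementation."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # rightmost existing digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn validation of a complete card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class VirtualCard:
    real_account: str                 # the merchant never receives this
    uses_left: int
    merchant: Optional[str] = None    # fixed to the first merchant that charges it


class VirtualCardService:
    """Issues temporary numbers and authorizes charges presented against them."""

    def __init__(self, bin_prefix: str = "411111"):  # hypothetical issuer prefix
        self.bin = bin_prefix
        self.cards: Dict[str, VirtualCard] = {}

    def issue(self, real_account: str, uses: int = 1) -> str:
        body = self.bin + "".join(str(secrets.randbelow(10)) for _ in range(9))
        number = body + luhn_check_digit(body)  # 16 digits, Luhn-valid
        self.cards[number] = VirtualCard(real_account, uses)
        return number

    def authorize(self, number: str, merchant: str, amount_cents: int) -> dict:
        if not luhn_valid(number):
            return {"approved": False, "reason": "malformed number"}
        card = self.cards.get(number)
        if card is None:
            return {"approved": False, "reason": "unknown number"}
        if card.merchant is None:
            card.merchant = merchant          # bind on first use
        elif card.merchant != merchant:
            return {"approved": False, "reason": "bound to another merchant"}
        if card.uses_left == 0:
            return {"approved": False, "reason": "no uses left"}
        card.uses_left -= 1
        # The charge posts to the real account, so the statement looks normal.
        return {"approved": True, "posts_to": card.real_account,
                "merchant": merchant, "amount_cents": amount_cents}


def pickup_check(number_on_order: str, number_presented: str) -> bool:
    """Box-office style check: last four of the card presented must match the order."""
    return number_on_order[-4:] == number_presented[-4:]


def demo() -> dict:
    svc = VirtualCardService()
    real = "4111111111111111"  # constructed placeholder account number
    temp = svc.issue(real)     # single-use by default
    first = svc.authorize(temp, "shop-a.example", 4999)
    elsewhere = svc.authorize(temp, "shop-b.example", 100)   # other merchant
    again = svc.authorize(temp, "shop-a.example", 4999)      # reuse of single-use
    multi = svc.issue(real, uses=3)
    svc.authorize(multi, "shop-c.example", 1000)
    return {"temp": temp, "first": first, "elsewhere": elsewhere, "again": again,
            "multi_second": svc.authorize(multi, "shop-c.example", 1000),
            "multi_other": svc.authorize(multi, "shop-d.example", 1000)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The merchant binding is what makes a leaked temporary number nearly worthless to a thief: even a Luhn-valid, unexpired number is declined anywhere except the one store that first used it.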

• Verify your bank's emails

The holiday shopping season "is a fertile time for the phishers to attack" since more shoppers are online, says Frederick Felman, the chief marketing officer for MarkMonitor, a brand-management company. Increased shopping also boosts the chance a consumer will respond to a phishing email that appears to come from a bank or credit-card company, especially if the email comes soon after a purchase, Mr. Felman says. Often a consumer might be multitasking when responding to email and not notice that he has clicked a bogus link.

If you receive an email about a transaction, call the number on your bank statement or credit card, rather than clicking on a link or using a phone number in an email.
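As an added example of the check behind that advice (not code from the article or from MarkMonitor), the script below scans the links in an HTML e-mail the way a phishing filter would: it flags anchors whose visible text names one domain while the href actually points somewhere else, targets that are bare IP addresses, and hosts that carry the bank's name as a subdomain of an unrelated domain. The sample message, the bank name examplebank.com and its "legitimate domain" list are all constructed for the illustration; the registrable-domain logic is a deliberate last-two-labels approximation, not a public-suffix lookup.

```python
"""Flag deceptive links in an HTML e-mail. Constructed example; sample data is invented."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed sample: one honest link, one phone link, two deceptive links.
SAMPLE_EMAIL = """
<p>A charge of $129.99 was placed on your card. If you did not make this purchase,
<a href="http://examplebank.com.account-verify.example.net/login">sign in at https://www.examplebank.com</a>
or call <a href="tel:+15551234567">1-555-123-4567</a>.</p>
<p><a href="https://www.examplebank.com/help">Help center</a></p>
<p><a href="http://203.0.113.5/secure">examplebank.com/secure</a></p>
"""

LEGIT_DOMAINS: Set[str] = {"examplebank.com"}   # assumed list of the bank's real domains
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return urlsplit(url if "://" in url else "http://" + url).hostname or ""


def registrable(host: str) -> str:
    """Crude approximation of the registrable domain: the last two labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess_link(href: str, text: str, legit: Set[str]) -> List[str]:
    """Return the reasons a link looks deceptive; an empty list means no finding."""
    findings: List[str] = []
    if href.startswith(("tel:", "mailto:")):
        return findings
    host = host_of(href)
    # 1. Visible text names a domain that differs from where the link really goes.
    m = DOMAIN_RE.search(text)
    if m and registrable(host_of(m.group(0))) != registrable(host):
        findings.append(f"text shows {m.group(0)} but link goes to {host}")
    # 2. Target is a bare IP address, or a lookalike host using the bank's name.
    if IPV4_RE.fullmatch(host):
        findings.append(f"link target is a bare IP address {host}")
    elif registrable(host) not in legit and any(d.split(".")[0] in host for d in legit):
        findings.append(f"{host} is not a {'/'.join(sorted(legit))} domain but uses the bank's name")
    return findings


def scan(html: str, legit: Set[str] = LEGIT_DOMAINS) -> Dict[str, List[str]]:
    parser = LinkCollector()
    parser.feed(html)
    return {href: assess_link(href, text, legit) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan(SAMPLE_EMAIL).items():
        print("SUSPICIOUS" if reasons else "ok        ", href, reasons)
```

None of these checks replaces the article's rule of calling the number on your statement: a phisher can register a clean-looking domain that passes every heuristic here, while the real bank's toll-free number cannot be spoofed by an e-mail.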

Charity-related phishing also pops up during the holidays. In these scams, you receive an email with a link to a fake charity soliciting a donation. Enter your financial information and "that credit card is up for grabs," says Bari Abdul, vice president of Worldwide Consumer Marketing for McAfee.

"We tell people not to click on those links unless you have signed up to receive those charities' newsletters," says Sandra Miniutti, vice president of marketing for Charity Navigator, an online charity evaluator. Be wary of using search results to find a charity's Web site; instead, go to Charity Navigator's site (www.charitynavigator.org), which links to 5,000 charities, she says.

The Better Business Bureau's Web site also has reports on hundreds of charities.