South Carolinians have learned, in a very public and painful way, that Internet crime can happen to anyone.
This past year, international hackers compromised the personal information of millions of South Carolina taxpayers through the state’s Department of Revenue computer network. Although officials know of no one who has had their identity or any money stolen as a result of the hack, the state offered free credit and fraud protection from a private company to everyone who has paid taxes in South Carolina over the past few years.
The violation drives home a point that South Carolina Attorney General Alan Wilson likes to make at presentations on how to keep children safe on the Internet. “Nobody, absolutely nobody, is beyond the reach of being a victim of a cybercrime, whether it’s an investment or securities crime, or whether it’s a solicitation or abuse crime against children,” he says.
Cybercrimes range from those laughable emails from foreign princes in need of help to secure family fortunes to predators seeking out vulnerable children in chat rooms and on other public spaces on the Web. But, Alan says, it goes beyond that.
Imagine that a 14-year-old brother is tormenting his 16-year-old sister, threatening to post embarrassing pictures he took of her when her bathing suit came off in the ocean. Alan offers a word of caution.
“Don’t do it,” he warns, “or you could be guilty of distributing child pornography. It could even be a crime simply to snap the photo and keep it on your phone. Everyone has a smartphone, everyone has the ability to take a photo, and a lot of kids go away for spring break or to camp and don’t realize that people are taking photos of them. I’m not just trying to protect kids from predators; I’m trying to protect them from themselves.”
Adolescence today is rife with technology and the ability to splash information instantly for the world to see. “Kids post things that they’ve done on spring break and it ends up costing them an opportunity in the job market,” Alan continues.
Cybercrimes fall into two main categories: personal safety and financial. But Alan says that he also warns teenagers about the pitfalls of sharing too much information that could hurt them down the road when they try to get into college or get a job.
“The Internet is a wonderful, amazing invention. It is a wonderful tool in the hands of someone who respects its power, but it can be a dangerous weapon for someone who doesn’t respect it,” Alan says. “Predators who prey on the elderly or kids no longer have to do it on a playground or in a schoolyard or behind an alley. They can now do it online.”
Lt. Joe Laramie, retired director for Missouri’s Internet Crimes Against Children task force, says a big problem created by the Internet is the sense of friendship anyone can develop with another person who they have never met and who might not be who they claim to be.
“They’re friending people on their social media sites, becoming friends through online video games and playing against the same people over and over again,” says Joe, who participated in a child Internet safety event in Columbia earlier this year. “They feel that they have communicated with the person a lot and so they must be friends.”
Joe says that he does a little analog exercise in his presentations in which he has teens write on an imaginary piece of paper one way to communicate with them online, their name, phone number for texting, email addresses and online gaming names. He then asks if they would take that piece of paper and hand it to a stranger who drives by their home. The kids balk at that as being ridiculous, but Joe reminds them that is what they are doing online.
“On the Internet, you have no idea who you are giving this information to,” he says. “In real life, at least you know what the person looks like.”
Another of the biggest dangers for kids online is bullying. “The person who has the greatest chance of causing a problem online for a kid is another kid,” Joe says.
Parents must strike a delicate balance between keeping up with what their children are doing online and cyberstalking them. The Internet Crimes Against Children task force recommends parents stay aware of who their children are talking to in real life and on the Internet. But Joe cautions against too much intervention.
“I don’t believe in the spy parents mentality,” Joe says. “Know what your kids are doing and who they are doing it with. Parents know who is coming over to play with their kids, but the parents don’t play with the kids while they are there.”
If children no longer trust their parents to sanely monitor their Internet lives, they may create an entirely separate identity that parents will know nothing about. “You end up pushing your kid underground,” Joe says.
Adults can fall victim to cybercrime too, especially financially. These types of scams include being taken in by someone who has gained seemingly close confidence online. While the attorney general’s office addresses financial crimes that involve the selling of securities or other investments, it has unwittingly become known as the “cybersquad” and typically gets victims’ phone calls that must be rerouted to other investigating agencies.
The attorney general’s office is responsible for securities fraud online or off, and one new type of fraud involves “crowd funding.” Crowd funding is when people solicit investments, donations and contributions to help get a new product off the ground or to help fund a local school’s uniform needs, a local animal shelter’s pet food bill or some other small charitable cause. Typically, crowd funding is legitimate, but investigators in Alan’s office say they worry it will create an opportunity for fraud and the potential for personal information to be compromised. As with all investments and charitable donations, Alan recommends that folks do their homework and use common sense.
His office keeps up with all registered securities being sold in South Carolina, so that is a good first stop for folks before making an investment. If the security or investment is not registered, it’s not legitimate. The South Carolina Secretary of State’s office keeps a record of all charities that are allowed to solicit funds in South Carolina. Again, if it’s not registered, it’s not legitimate.
“Trust, but verify,” Alan says. However, he points out, his office cannot make a determination whether an investment is a good one, just that it has met the requirements to register in the state.
None of this would have helped the 3.8 million South Carolina taxpayers whose Social Security numbers, along with 387,000 credit and debit card numbers, were exposed in the 2012 security breach, along with 699,900 business tax filings. It was the largest such breach of a state agency’s information. According to the official report of the incident, hackers used an email phishing scam to gain access to taxpayer records. The email contained a link that, when clicked on by the recipient, executed a malware program that gave hackers access to a login and password. From there, the hackers accessed other logins and passwords with credentials that got them to the files that were stolen.
The Revenue Department says that it is taking steps to reduce the risk of another hack, including requiring a two-prong verification system that uses a temporary password generated by a device that is available only to employees who need to access the agency’s system.
“I feel confident that we’re doing everything we can,” says Bill Blume, who was named director of South Carolina Department of Revenue in January. “But if I say, ‘We will never be hacked again,’ somebody’s going to get out there and try it.”
Bill says that his agency is sharing information and new safety systems with other state agencies that need to protect sensitive data. And the agency is being proactive in trying to anticipate new methods hackers can use to get around those systems.
Bill refers to this as “getting in front of the pain,” a phrase doctors use with post-operative patients as a way to manage pain medications. “We can stay in front of them, but it has to be continuously and every day,” he says.
Identity theft is the biggest threat to the folks whose information was hacked. To protect that, the state has hired credit reporting agency Experian to provide a year’s worth of free protection against fraudulent credit in victims’ names. Taxpayers were encouraged to sign up for the protection this past year.
An assistance team with staffers from the Department of Revenue and state Consumer Affairs Department also has been set up to deal with taxpayer questions and suspected fraud. The team can walk people through the process of filing claims with the Federal Trade Commission or the appropriate police agency.
No amount of security or policing will eliminate the risks inherent in conducting business online, both Bill Blume and Alan Wilson say. But the key is often simple common sense. If the stock deal offered in an email sounds too good to be true, well, it probably is. If the man or woman who just happens to start chatting on the Internet looks and sounds and acts like the perfect partner, it may be more than coincidence and less than fate — it may be a lie.
If you think you have been the victim of online identity theft, contact the state Department of Consumer Affairs at (800) 922-1594. If you have already signed up for Experian’s ProtectMyID, contact that organization at (866) 578-5422.
If you missed the enrollment time period for that program, you still can put a fraud alert on your credit report by contacting one of the three credit reporting agencies. A fraud alert is free and lasts for 90 days.
You also can place a security freeze on your credit reports to prevent anyone from taking out any new lines of credit in your name. It is free to place, thaw and lift the freeze for South Carolina residents. Once you place the freeze, you will receive a personal identification number (PIN) you can use to thaw or lift the freeze. Remember once you freeze your credit report, even you will be blocked from getting a new line of credit until the freeze is temporarily halted or completely lifted.
Here is contact information for the agencies for placing, thawing or lifting a security freeze:
Equifax Security Freeze
P.O. Box 105788 • Atlanta, GA 30348
(800) 685-1111 (automated line – press 3)
Experian Security Freeze
P.O. Box 9554 • Allen, TX 75013
(888) 397-3742 (automated line – press 2; press 2 for Fraud Prevention, press 2 for Security Freeze)
P.O. Box 6790 • Fullerton, CA 92834
(800) 680-7289 (automated line – press 3)