In an article published on IBLS (Internet Business Law Services)  the author talks about wireless hacking (See WarDriving 101), Hackers 11 and possible changes in laws relating to cybercriminal behavior...

IBLS Editorial Department Staff Attorney
Monday, November 24, 2008

Identity theft is the unauthorized use of an individual's personal information, such as a social security number or bank accounts, for fraudulent purposes or to commit a crime. While the usual form of identity theft refers to the unauthorized use of personal information obtained from databases, another form has evolved; this form uses sophisticated hacking techniques over wireless networks to acquire the necessary private information. In this form of identity theft, hackers typically breach security systems and install programs to obtain personal and financial data that is then either sold to a third party, or used by the hackers for personal gain.

In August 2008, the U.S. Department of Justice filed charges against 11 individuals who allegedly obtained identity information over wireless networks from nine major U.S. retailers, resulting in the theft and sale of more than 40 million credit and debit card numbers. The hackers apparently garnered tens of millions of dollars from a broad-based scheme that involved citizens of the United States, Estonia, Ukraine, China and Belarus. Attorney General Michael Mukasey said, "so far as we know, this is the single largest and most complex identity theft case ever charged in this country, which they then allegedly sold to others or used themselves. And in total, they caused widespread losses by banks, retailers, and consumers."

The hackers used a tactic known as "wardriving" that involves driving around with a laptop computer and trying to access wireless networks in the range of the car. After hacking into the networks, the hackers use programs to locate card numbers and PIN passwords that are then sent to servers in the U.S. and Eastern Europe for online sale. The stolen numbers are "cashed-out" by encoding them on magnetic strips of blank cards to steal money from ATMs.

The Identity Theft and Assumption Deterrence Act of 1998 (18 U.S.C.S. § 1028) makes identity theft a federal crime, carrying penalties of up to 15 years imprisonment and a maximum fine of $250,000. The December 2007 amendments to the above Act provide that a person whose identity was stolen is a "true" victim; previously, only the credit grantors who suffered monetary losses were considered victims. This recent revision of the legislation also allows an identity theft victim to seek restitution if there is a conviction, and it establishes the Federal Trade Commission as a central agency to act as a clearinghouse for complaints and to assist victims of identity theft.

On a State level, in recent years, nearly 40 States have criminalized identity theft, with most making it a felony.

Some experts claim that the noticeable drop in identity theft cases in recent years makes additional state laws unnecessary. Others, however, claim that the current requirement that information must be stolen by means of interstate or foreign communications in order to be prosecutable under federal law, may provide a window of escape to many identity thieves. This is particularly significant because experts say that in the majority of identity theft cases, the victim knows the perpetrator personally. Experts have further warned that cyber-criminals will continue to find unique ways to steal personal information, and that the current laws do not carry particularly significant penalties to promote adequate deterrence.

Legal commentators have suggested that additional laws could make it a felony to damage ten or more computers through the use of spyware or keyloggers. Spyware -software that secretly gathers personal information about an online user while navigating the Internet- and keyloggers -a hardware device that can monitor a user's individual computer keystrokes- are among cyber-thieves' most effective identity theft tools. Another improvement could be to include cyber-extortion cases, where the criminal removes malicious software from a user's computer in exchange for payment, within the definition of identity theft crimes.