Monday, April 2, 2007

FTC Complaint Form a "Keylogger's Paradise"

Those of you who follow my blog know that I'm worried about the increasing sophistication of keyloggers.

Which is why, when I went on the FTC site this morning, I was a little shocked to discover that the format of the FTC ID Theft Complaint Form presents a veritable gift to keyloggers. Here's a screen shot of the form from the FTC's site:

Can you spot the problem?

The complaint form asks people who think they may have been a victim of ID Theft to enter every scrap of personal information that could possibly have been stolen from them - their name, address, city, state, time lived at that address, date of birth, social security number, home phone, cell phone, state their driver's license is located in - even bank account and credit card account details.

Yes, you read that right. Scroll down and you'll find that the ID Theft Complaint form asks complainants to include the details of any "current accounts" that may have been compromised, along with the name and address of their bank, and account number.

The methodology at work here is not best practice. Assuming the complainant had their personal data stolen by a keylogger in the first place (and the FTC's own statistics say that 60% of ID Theft in 2006 was perpetrated by electronic means), the criminal just got a free "second shot" at collecting any personal data they may have missed - courtesy of the agency charged with preventing the crime.

Now don't get me wrong, I think the FTC is a tremendous asset. But someone over there needs to rethink this whole ID Theft Complaint process. The current approach sends the wrong message to web form designers - and criminals - and just compounds the problem it was supposed to help solve.


Ed Dickson said...

Great post - amazing how people trying to help sometimes make a lot of mistakes.

Evansville said...

Given these circumstances, it's probably better to call the FTC in the event of identity theft. And hope that they take more care with information that is phoned in...

1-877-ID THEFT