Who’s watching your assets?

It is morning. I am at the airport and have just boarded the plane. The man I climb over to reach my window seat looks crazy to my sleepy eyes. The kind of crazy that might lead to some type of psychiatric episode halfway through the flight from Boston to San Francisco. He is a hard little man sitting in the middle seat. Long gray-streaked brown hair hangs equally over each shoulder. Crusty patches of something dot the thighs and cuffs of his pants. His eyes dart around. He mumbles something I don’t understand, and when asked to repeat it, he stops talking altogether.

Meet Peter Cassidy, international expert fighting identity theft. Despite an alarming first impression, this is the man you want protecting your assets: tough, knowledgeable, unconventional, slightly paranoid, and — as I learn sitting next to him for six hours — talkative.

An hour after take-off and a can Amstel Light beer later, Peter Cassidy stops muttering to himself and instead starts talking to me. I learn he co-founded the Anti-Phishing Working Group (APWG), an international association of banking, computer, and law enforcement officials. According to the Federal Trade Commission, “phishing” is one of five ways thieves can get information about your identity. It is (at the time of this writing) the main way to do so electronically.

What does phishing look like? Pop-up windows in your web browser and email that ask for your username and password to “verify your account” are just two ways experience a phishing attack. Ironically, many phishing scams pretend to be protecting you from what, in fact, they are actually doing.

We are flying over Ohio. I am drinking a Diet Coke. Cassidy’s hand wrests on the flap of a tray open in front of him, cupping his second beer. “Eventually someone starts a database on you.” He leans towards me. I smell beer. “From one source they get access to your social security number, from another they get your bank accounts and credit card numbers and then they bundle it together. Your data in that form would be sold on the market for about $25.”

That’s right. There are identity theft middlemen out there who collect your data and upsell it to professional thieves who are even better at abusing your personal information.

The APWG exists to stop this. They track phishing scams, publicize crime trends, create guidelines and organize conferences that strategize how to fight this type of crime. That last point is interesting. APWG is not affiliated with any specific industry, so they can bring together people working in bank security, credit card companies, software developers, prosecutors, social scientists, and police officers to pool their knowledge. They break down silos to put up barriers, in a sense.

Cassidy develops these guidelines and organizes face to face conferences and lectures all over the world. The morning we met, he was flying to the west coast to present to the U.S. government and argue with Microsoft about its role and responsibilities to reduce identity theft. A few months before, while he presented the latest findings to the EU, another colleague from APWG was on the floor of the UN. Last week he traveled to Japan to organize yet another upcoming conference. Data knows no boundaries.

“There will be two newsworthy items discussed at the Japanese conference” Cassidy tells me. He scratches his scalp, beard or mustache as he speaks. What I now perceive as alert brown eyes peer out from under all that hair. One of the newsworthy topics is the growing shift from consumer phishing to corporate phishing. Instead of pop-up screens interfering with personal web browsing, criminals target corporate personnel by phone to obtain even more valuable information.

I look confused. Cassidy responds by enacting a hypothetical phish, his voice loud on the quiet plane:

“Ted, this is Chris from IT. The server went down and I need the serial number on your computer.”

“Sure Chris, anything else?”

“Yes, actually how about reading me the number on the FOB just to make sure you’re connected again when we bring the system back up.”

“Will do.”

By asking for information not normally associated with account security (and therefore not raising any red flags), the thief can still hack his way into the hardware of the company’s main servers—accessing its bank account and stealing millions of dollars instead of just thousands.

What about consumer phishing? How does someone steal your money? Cassidy is happy to tell me how. Once enough personal information has been collected from one or many sources, a false document is filed stating your mortgage has been paid in full. This seems counter intuitive; why would a thief pay off your debt? By doing this, however, he has created a debt-free equity line with complete access. To complete the the plan, he will bring a document stating your house is paid off to your town’s mortgage registry—often a small town department using photocopied records not much more advanced than the older handwritten ledgers stored in the basement. They accept the document and enter it as government record. With this information, the thief goes to the bank, takes out an equity loan on your newly paid off house and walks out with a treasury check for $100,000 or more.

Our plane is over the Grand Canyon by now. Most of the people are asleep or watching the movie playing on the few screens suspended from the cabin ceiling. Peter Cassidy is into his third and final beer. He begins to share how he became involved with all this. I relax some more and lean my head lightly against the window. Cassidy graduated journalism school in the 80s when computers were just about to enter the consumer market after already transforming business. After graduating, Cassidy wrote opinion pieces and forensic technology articles for Infoweek, The Economist, ForbesASAP, Wired, Boston Business Journal, and USA Today. During this time, he also helped start a technology magazine in Australia. Cassidy lived overseas for 15 months and recounts sleeping on the beaches of New Zealand for four of those months. Something about clearing up a visa problem with the Australian government and being broke. “Most of the beaches were free, but sometimes you had to pay a $1 to spend the night.” Eventually, he returned to Boston to be closer to his family. Since then his work has been based out of Cambridge, MA.

As we near San Francisco, Cassidy puts away the book he had not opened (another interest of his: hedge fund vulnerabilities). He fishes out a business card from a worn leather wallet (he looks like a serial killer in his driver’s license photo, although I now know better). He laughs, opens his wallet as wide as it will go and shows me the only bills inside—30,000 Japanese yen. “I will need to cash these so I can get a cab from the airport.”

We exit the plane. We smile politely when we see each other again at baggage claim as we go forward into our separate days. Peter Cassidy may be scary looking, but he's the man who keeps the real bogey men at bay.

This is an essay I wrote in March, 2008 and is a true story.