Yesterday’s bad news was that a “gaping hole” in the internet’s essential design allows identity thieves to invisibly redirect internet users to their own sites. This redirection to an “evil twin” website means the thieves can then intercept the unsuspecting user’s personal and financial information.

As if that wasn’t bad enough, Dan Kaminsky, the security guru who discovered the flaw, announced today that email is also vulnerable to interception by criminals bent on stealing identities.

How does that increase your risk of ID theft? You know that email you got from your credit card company, bank or stockbroker when you initiated your online account? The one that confirmed your user name, password and account number, or the one they sent you when you forgot your password? You might not be the only one who received it.

Kaminsky delivered the bad news to a crowd at the Black Hat hackers conference in Las Vegas. Industry executives filled chairs, the floor and the hallway to learn more about the internet flaw–and more importantly—what they can do to defend themselves against it.

Kaminsky said major vendors like Microsoft, Cisco Systems and Sun Microsystems have already created patches to protect their systems, but others lag behind. He estimates that approximately 40% of all internet users are still unprotected.

Since the bug was revealed in July hackers attacked AT&T using what’s now called the “poisoned cache” flaw. AT&T customers were directed to a bogus Google site where a malicious program automatically clicked on ads. As a result the revenue from the clicks went streaming in to the criminals’ coffers.

It’s likely that there have been other successful attacks, but they haven’t been discovered–or they have been discovered but not announced.

Referring to the potential for identity theft and stolen money, Paul Vixie called it “the mother lode” for criminals looking for access to other people’s identities and finances. Vixie is president of the nonprofit Internet System Consortium.

LifeLock, the industry leader in identity theft protection, currently protects the identity, security and good name of more than 1 million customers. To learn more about Life Lock’s services and their $1 million warranty, visit LifeLock.com. Use promo code RD17 and receive a discount on LifeLock’s services.

This entry was posted on Thursday, August 7th, 2008 at 1:46 pm and is filed under ID theft. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.