Symantec's "Internet Security Threat Report", published bi-annually, found that UK bank accounts were the most common commodity being sold on black market forums and were changing hands for as little as £5 apiece. The report discovered that EU identities were favoured over American identities because they could be used in more than one country, and this was reflected in the average price: up to 50% higher than the American counterpart. Bank accounts belonging to high-value businesses were also more attractive than low-balance consumer accounts. Symantec also identified a growing trend in bulk buying of personal identities: a batch of 50 credit card numbers was found to be on sale for £20, and 500 credit cards were available to purchase for £100. Full identities were also desirable commodities, being the third most common item advertised in "cyber supermarkets".
The table below shows the average price per "commodity" available to buy on the black market:

| Current Rank | Item | Current % | Range of Prices |
|---|---|---|---|
| 1 | Bank accounts | 22% | £5.00 - £500 |
| 2 | Credit cards | 13% | £0.20 - £10.00 |
| 3 | Full identities | 9% | £0.50 - £7.00 |
| 4 | eBay accounts | 7% | £0.50 - £4.00 |
| 5 | Scams | 7% | £1.25 per week - £25 per week for hosting, £12 for design |
| 6 | Mailers | 6% | £0.50 - £5.00 |
| 7 | Email addresses | 5% | £0.41 /MB - £5.00 /MB |
| 8 | Email passwords | 5% | £2.00 - £15.00 |
| 9 | Drop (on request on offer) | 5% | 10% - 50% of total drop amount |
| 10 | Proxies | 5% | £0.75 - £15.00 |

Source: Symantec Corporation

This data supports a recent undercover investigation by BBC News. Data released by the banking industry's APACS, the Association of Payment Clearing Services, suggests credit and debit card losses on the internet rose to £290.5m in 2007 - up 37% from the previous year. When the BBC's investigation took into account failed accounts, that figure increased to a staggering £500m. Card losses were calculated across phone, internet and mail order fraud.
The BBC News investigation deployed 2 BBC journalists to pose as computer hackers and gain access to a website selling thousands of stolen credit cards obtained from small internet retailers. The addresses and identities of individuals who signed for goods obtained by fraudulent means are now being passed to the police.
The government is under increasing pressure to do more to protect the consumer. Andrew McClelland from the IMRG stated: "If you're committing a crime online then there is a high probability that you'll get away with it and even if you are caught a fairly high probability again that the punishment won't be that severe." The Shadow Home Secretary, David Davis, calls for a central agency for reporting and prosecuting those involved in internet crime, arguing that "all those things would do a great deal to make Britain less of a soft target."
The Information Commissioner reported that 2007 saw 94 security breaches and urged companies and public bodies to do more to protect personal data. Two-thirds of the security lapses were linked to government or public sector organisations. Of the 28 breaches in the private sector, 14 were reported by financial institutions. A survey of 1,000 businesses carried out by PricewaterhouseCoopers on behalf of the Department for Business, Enterprise and Regulatory Reform found that 90% were prepared to let staff leave company premises with personal (arguably sensitive) data on USB sticks. According to the survey, the trend for encrypting data on laptop hard drives is also diminishing when compared with data from 2 years ago. Only 20% of the businesses who reported a stolen laptop confirmed that data had been encrypted on the hard drive.
Chris Potter, author of the PricewaterhouseCoopers' report said: "Companies have focused on the areas which have caused them most damage in the past, such as viruses and system failures. These tend to have caused the greatest cost in terms of business interruption. The biggest concern is around the protection of customer data, which companies clearly want to be good at. Sometimes that's not translating into real action."
On a positive note, consumers can do more to protect themselves by making sure their version of Internet Explorer (and others) is current. Old and vulnerable browsers lack some of the new security features available and make PCs more open to phishing attacks. PayPal has announced this month that it will block unsafe browsers (such as Internet Explorer 3 and 4) from using its payment services. Browsers which support Extended Validation SSL Certificates (a legitimate site will highlight the address bar in green) include the latest version of Internet Explorer and Firefox 2 (downloadable free of charge), enabling the user to determine whether they are on the site they intended to visit. The PayPal white paper on managing phishing states: "In our view letting users view the PayPal site on (an unsafe) browser is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts."
Some security consultancies are now going as far as saying that using passwords as a means of security is obsolete, unless websites offer a two-pronged method for verifying user accounts. Users can help themselves by avoiding websites that email back the original password when a password reminder is requested. Michael Owen, head of security management at IRM, said: "I wouldn't recommend any system that mailed back passwords. You're assuming that you can trust all of the machines that it will pass through, and that the customer definitely has control of his email at the time you're sending it out."
Users should also be wary of sites that send a link to a password reset page: unless the site also asks the user a security question, it is questionable whether the site is totally secure.
Sites that offer password protection and CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) are recommended. The deployment of smart cards would be the ideal authentication process, but it is recognised that this is not financially viable for the majority of online retailers.