
I should hasten to add that there are obviously many legitimate offers for goods through auction sites, for multi-level distributorships, for Internet services and other products and services on the Net. And that is precisely why it is so important to be aware of Internet fraud and to deter it.

Con artists are lurking everywhere on the Net, in flashy-looking Web sites, in classified ad sections, in unsolicited E-mail, and even in chat rooms and news groups. In our written testimony, we provided some examples, including a magazine sales scam that involved E-mail solicitations disguised as testimonials from fellow members of news groups.

We also described the technologies that have enabled new types of scams to emerge, like the Moldova case, in which consumers who downloaded a free viewer program to see pictures were unwittingly disconnected from their regular Internet service providers and reconnected to the Internet through a phone number in Moldova, resulting in huge international telephone charges.

There is no limit to the creativity with which crooks seek to use new technologies to snare their victims. Those crooks are located everywhere on the Net. If we could have the chart of the company location,1 you will see that these are the top 20 locations. They are in many States but also in other countries. The category of locations outside of the U.S. and Canada is at number 12, tied with Arizona. Ontario is number 13 and British Columbia is number 20. It is easy to hide who you are and where you are on the Internet, because you can supply false information to register a Web site and you can mask your return address for E-mail. Moreover, the Internet makes geographic boundaries meaningless in terms of the ability for consumers and sellers to communicate with one another. But geographic boundaries are still relevant to jurisdiction for prosecution, a fact that is well understood by con artists who take advantage of the fact that it is difficult or more difficult for law enforcement agencies to go after them if their victims are one place and they are located in another.

Another difference between the physical world and cyberspace can be seen in the problem with auctions. Sellers can offer their wares to millions of potential buyers for a very low fee. But unlike physical auctions where consumers can actually touch the merchandise and actually verify that it exists before they bid on it, you cannot do that in a Web auction, nor can the auctioneer necessarily verify that the goods exist or that they are authentic.

And there are also numerous private sellers that are selling through these Web sites, which raises several issues, including the fact that private sales are not regulated in the same way as sales by businesses. While the Internet opens the doors to honest individuals and small companies for low-cost entry into this new marketplace in cyberspace, it also provides ready access to people who are either inexperienced in business or who have fraudulent intent. Victims of Internet fraud can also be found in every State and other countries, as well. These are the top 20 locations of the victims. Obviously, we hear from victims not only in the United States, but number 8 is the category of outside of the U.S. or Canada. In general, victims can be found predominantly in the states that have the highest populations, not surprisingly.

1 Charts submitted by Ms. Grant appear in the Appendix on pages 57-61.

No one is immune to Internet fraud. We hear from consumers of all walks of life and of all ages. If we could have the age chart, please. While people in their thirties, forties and fifties are most likely to report Internet fraud to our Internet Fraud Watch, we also have received reports from youngsters of 17 and seniors of 78. Consumers pay for goods and services promoted through the Internet in a variety of ways. Alarmingly, cash is the fourth most frequent method of payment reported to our Internet Fraud Watch in 1997. This is dangerous because it leaves consumers with no documentation of the transactions and it obviously also allows crooks to avoid their tax obligations.

Though consumers are more likely to pay with checks, money orders and cash than with credit cards, we generally encourage people to use credit cards whenever they are making substantial advance payments for products or services because of their ability to dispute the charges for non-delivery or misrepresentations.

As more and more people go online, more consumer education is obviously needed to make people aware of the danger signs of Internet fraud and help them take advantage of what is on the Net without being victimized. Through our Web site and through other fora, various methods of public education that we conduct, the National Consumers League is leading the way in this effort. We also work with government and the private sector to get the word out to both consumers and to businesses about the proper use of the Internet as a tool for communication and commerce.

And as more needs to be done on the educational front, so must law enforcement's ability to go after the cybercrooks be made easier. Cross-border cases pose especially difficult challenges to investigators and prosecutors because of the legal restrictions of information sharing between different countries, the expense of transporting witnesses and the complications of using different legal systems.

Congress can help by removing any information constraints between the U.S. and other countries that still exist, setting up a fund to aid in cross-border actions, and supporting consumer and law enforcement services such as ours. We also believe that the Federal telemarketing sales rule should be expanded to cover the Internet. Many of the same disclosure requirements and prohibited acts could be tailored to fit Internet and online promotions. State law enforcement authorities would be able to go into Federal courts to obtain injunctions and judgments that would protect consumers in every State, as they can now for telemarketing fraud. And if the statute was amended to provide jurisdiction where either the victims or the perpetrators are located for State consumer protection authorities, it would enable them to go after crooks that are based in their backyards but are targeting consumers in other States, an occurrence that we see frequently.

The promise of the Internet as a means of communication and commerce is dimmed by the presence of fraud. The National Consumers League is committed to working with Congress and others to ensure a brighter and safer future for the marketplace in cyberspace.

Thank you.

Senator COLLINS. Thank you very much, Ms. Grant.
Ms. Gau.

TESTIMONY OF TATIANA GAU,1 VICE PRESIDENT, INTEGRITY ASSURANCE, AMERICA ONLINE, INC.

Ms. GAU. Thank you, Madam Chairman and Senator Glenn. My name is Tatiana Gau, Vice President of AOL Integrity Assurance. Founded in 1985, America Online is the largest Internet service provider and has over 11 million members. I appreciate the opportunity to appear before you today to discuss how the industry is working to promote online safety and security and fight Internet fraud and abuse. Thank you for providing this forum to bring these important issues to the public.

At AOL, we are focused on preventing fraud on many fronts. To give you some insight into these initiatives, let me explain to you my department's mission. From log-on to log-off, AOL Integrity Assurance manages all of the company's safety and security measures in order to ensure the integrity of our member experience.

The prevention of Internet fraud and the promotion of online security are critical to cyberspace. It is also critical to the future development of all interactive media. We believe that the principles of education, prevention, and cooperation are key to these efforts. Identifying and tackling Internet fraud and educating all consumers on how to protect themselves and enhance their online experience is our goal.

We need to inform consumers how they can protect themselves and prevent purveyors of fraud and promote cooperation of the industry and with law enforcement. The vast majority of those who utilize the online medium are contributing positively to this vibrant community. Like any environment, however, the unfortunate reality is that there are individuals who aim to harm.

As more and more new Internet users come online, combating fraud becomes even more important. These new users are not familiar with the technology and they require special protection and attention. Fulfilling the enormous promise of the interactive medium depends on consumers and families being safe and secure online. Online integrity, therefore, is a top priority both at AOL and across our industry. All of us with a stake in cyberspace security are focused on this issue, both pursuing their own strategies and working together.

The Subcommittee has asked that I speak to you about the types of fraudulent scams that exist online. While it is difficult to provide you with a comprehensive list of these frauds, as the dynamics of the scams are constantly changing and evolving, I can provide you with a sampling of those that are most common. There are several different kinds of scams that I am going to speak about. These include password scams, credit card scams, Web-based frauds and junk E-mail, commonly known as "spam." So let us begin with password scams.

1 The prepared statement of Ms. Gau appears in the Appendix on page 62.

As you will see on the slide, there are two categories of password scams. There is overt password solicitation, which basically consists of social engineering tactics to lure a user into providing their password, and the concealed variety, where the user is not necessarily aware of the fact that what they are about to do is going to compromise their password.

The first example is a password "phishing" attempt via instant message. First of all, the term "phishing" has been developed in the Internet industry, P-H-I-S-H, kind of a takeoff on that, and it is now used quite widely.

Senator COLLINS. I thought it was a band. [Laughter.]

Ms. GAU. Instant messages are real time, one-on-one communications that can be transferred from one user to another, and they are private communications that only go to the designated recipient and they are real time. What scam artists often employ is a technique where they impersonate either a billing service representative of the Internet service that that user is accessing the Internet with, or they might take on the guise of a phone company representative coming up with some type of claim that there is trouble with your phone line, please provide your password. One of the things that AOL has done to try to raise awareness of this issue is on the window of the instant message, when it comes to you, there is actually a warning in red letters that states, "AOL will never ask you for your password or billing information."

The next example via E-mail is very similar to the previous example I discussed in that they employ similar tactics, either as a billing service representative or a phone company rep or a security rep for the company, but they send it via E-mail. And these can sit in an E-mail box, can get mixed up with other personal mail, and when a user goes to read it, they may not be as vigilant as they should be in deciding whether or not they really should believe this and send in their password.

A first example of concealed password scams is what is called the "Diag.dat", phishing via instant message. "Diag.dat" is a file where the password is recorded on your computer, and different services have different names for that file. And what scam artists will do is they will send you an E-mail under the pretext that they have malfunctioning software and could you help them out and send them a copy of your file so they can get their software working again. And, again, the rule of thumb to follow here is not only do not accept things from strangers and if it sounds too good to be true, it probably is, but also do not give out things to strangers unless you really know what you are giving.

The second example of concealed password solicitations is Trojan horses. Trojan horses are programs that come in attachments to E-mail that are sent to you under the guise of some type of beneficial offer for free: "Here is a great new animated video. Download it and enjoy." And they take different approaches to try to entice the user to download it. And when the user does download it, in fact, at that point, they have become infected and have the potential of either having their password compromised or even having files deleted, a variety of different things, depending on the Trojan.

1 See Exhibit No. 1, slide presentation of Tatiana Gau, America Online, which appears in the Appendix on page 240.

This slide actually shows the area on America Online where we have posted safety tips for our members to understand what Trojan horses are and the telltale signs of Trojan horses, as well as linking them to an area where they can get special antivirus software that protects against Trojan horses.

This is an example of a scam using a screen-saver approach. It states, "Hey, this is cool. It's the latest coolarama screen saver. Download it and enjoy." Here the rule of thumb, of course, is to again be careful who you receive information from and do not download things from people you do not know.

A second example of an approach to provide a Trojan to someone is to take on the guise of a software company. And in this situation, the scam artists will impersonate software companies and will send a message stating, "This is the upgrade you have requested," or "This is the upgrade that you need. Please download as soon as possible."

I will discuss three more areas of password vulnerabilities. All of these scams that I have mentioned via instant message and E-mail can also occur on Web sites. Fake log-in procedures can be posted on Web sites to try to entice you into entering your password and other information that they might be requesting. There are also Web sites that take on the appearance, say, of an Internet service provider billing or registration page where, in fact, they are asking for the member to provide their registration information along with their password.

Password guessing is becoming more frequent in that recent studies have shown that approximately 60 percent of users on the Internet have insecure passwords in that they are either names of their spouses or words in the dictionary or names of their pets, whatever the case might be. And if a scam artist chooses to target one particular person, they can, in fact, just through raw attempts try to guess the password, entering and entering until they finally get in.

Password cracking is a higher level of that kind of guessing in that scam artists use an automated program to actually, through brute force, continue to prompt a password field in order to try to get into the account. This is why, of course, it is so important for users to choose safe passwords for their E-mail accounts. In fact, the password is the key to the E-mail account. And this is an area where education on the part of consumers is greatly needed.

Credit card and billing scams: there are two categories in this section. There are those scams that affect users and those scams that affect the services. Here is an example of a billing service scam, and this takes a similar approach as taken in password phishing in that this time it might say that the database is contaminated and your full name, address and credit card number and expiration date are needed in order to make sure your account will stay alive; if not, it will be turned off within 24 hours, usually taking some guise of that sort.

A slightly more complex version of that is when the E-mail that is received by the user then links the user to a Web site where, as I mentioned previously, a Web site has been put up mimicking
