The FBI arrested Van Dinh, a college student in Philadelphia, for fraud last week. According to press accounts, Van Dinh had invited visitors in an on-line stock forum to use some stock charting software he provided, which happened also to be a Trojan – spyware that logged keystrokes. He was thus able to steal an ID and password and break into an investor’s on-line brokerage account. He used the ID to get the victim to buy some options from him which had become worthless. He tried to hide his own identity using aliases and various false email accounts, but in the end it was possible to trace him.
If the reports are accurate then Van Dinh wasn’t the smartest icon on the desktop, since he was never going to be able to hide the fact that he was the seller of the options, even if he had succeeded in destroying the traces of his hacking activity. This sounds like a case of “too much time spent in the chat rooms and not enough time spent watching CSI”.
An amusing aspect of the story is the effort (in the associated news stories) made by the various vendors of “spyware” to pretend that their business is kosher and their intentions are entirely honourable. “Oh yes, we sell the software so that parents can monitor the PC behaviour of their kids, protecting them from pornography and unsavoury contacts in chat rooms. We are always horrified to discover that people use our products dishonestly.” Yeah right. They are probably mortified when they see their sales rising in the wake of the publicity from yet another hack attack.
Identity theft is a serious problem – and like all serious IT security problems it is doubling every year or so. (If it keeps on doing this then within 20 years everyone on the planet will have their identity stolen every three months.)
Last week a Los Angeles film editor sued Microsoft after her identity was stolen by on-line thieves – she accuses Microsoft of selling unsafe products. I personally don’t expect her to win this case, but it would set a neat precedent if she did. Imagine software vendors being liable for the security of their products. Who knows where it could lead?
























