Identity theft
The US Federal Trade Commission offers general consumer advice on avoiding scams and securing information as part of the FTC identity theft site. If you need more detail, the FTC’s guide to identity theft is just the ticket.
CIFAS, a UK financial services industry body actively addressing identity theft through credit reporting
and inter-bank fraud reporting, maintains a useful page of case studies and provides several resources on identity theft.
Take a look at page 49 of the NCL’s March 2006 ‘call for action’ report for an excellent big picture
overview of how phishing and other forms of identity theft actually work.
The Identity Theft Resource Center is a California-based non-profit group publishing a wealth of materials on identity theft, e.g. a fact sheet on overcoming the emotional impact of identity theft that offers support for the victims, and information on federal identity theft laws. Many of their resources are also available in Spanish.
An [anti-] identity theft kit from the Australian Government’s National Crime Prevention Programme goes beyond the usual brief fact sheet approach. The 28-page goody-pack provides well-written guidance and includes pro forma victim reporting sheets and a checklist.
The US Treasury’s identity theft resource page offers a free DVD about identity theft including a piece
from Howard Schmidt, and a whole stack of other papers and information on this topic.
Find out how vulnerable you are to identity theft by completing this automated identity fraud safety quiz by the Better Business Bureau. Practical advice on how to reduce your risk is given at the end. [This might
be a useful security awareness site for your intranet, and for your friends and relatives].
A UK Treasury policy/discussion paper on curbing financial crime and terrorism proposes more data sharing
between the authorities, more funding for the Charities Commission to tackle terrorist abuse of charities and other anti-money-laundering measures.
The ultimate guide to identity theft prevention identifies the main ways in which identities are stolen: your
mail, your computer, your trash. It’s a shame they missed your friends and family but still, it’s a worthwhile guide.
A UK Government-sponsored website on identity theft by the Home Office Identity Fraud Steering
Committee, yet another well-meaning public security awareness initiative, estimated that around 100,000 people have suffered identity theft in the UK (~1 in 600 people or 0.17% of the population) with costs
amounting to £1.7bn (~0.1% of GDP). What’s more, they ‘show their workings’ on the site, giving some
confidence to the financial estimate. In contrast, the National Consumer League’s PhishingInfo.org site
claims the (US?) victimization figure is one hundred times higher at an amazing 1 in 6 people (17%).
“There are a few things that are different in Canada,” says one of our correspondents, “for example the criminal code around ID theft in Canada is different. The report on identity theft by PSEPC Public Safety and Emergency Preparedness Canada (aussi en Français) covers who to contact, stats and a bit about the criminal code in Canada. While in Canada there is no generalized offence called ‘identity theft’, there are a number of offences in the Criminal Code that criminalize activities integral to the criminal misuse of personal information.” Thanks for that - nice work!
SafeCanada.ca’s identity theft questions and answers has a stack of excellent resources on identity theft -
how to avoid it, how to recognize if your identity has been stolen and what to do if you are a victim.
An identity theft fact sheet from the Office of the Privacy Commissioner of Canada offers solid information
and straightforward advice. ABC’s of fraud is an online quiz, also from Canada, on various forms of fraud
including identity theft. The Canadian government’s Safe Canada identity theft page provides some questions and answers.
Police forces such as the City of London Police (“Bobbies”), the Metropolitan Police (“the Met”) and the Royal Canadian Mounted Police (“Mounties”) offer advice to the general public and businesses on identity theft. So does the UK Home Office.
Expert Law offers pragmatic advice on recognizing and responding to identity theft.
Make IT Secure is a beautifully clear and succinct Irish website on identity theft. Ideal if you don’t have time
to wade through reams of info.
Mari Frank in California has a great radio show on privacy and identity theft topics. She also has a great website with a ton of information about identity theft. Mari’s books are recommended for general consumption, perhaps provided to personnel as an awareness action, not only to help them protect their own personal data but also to make them more aware of the need to protect the personal data they handle during their own daily work activities.
The US Securities and Exchange Commission piece ‘Online brokerage accounts: what you can do to safeguard your money and your personal information’ warns those trading their stocks and shares online to beware identity theft. It’s unusual to see the three main types of control laid out so clearly: eight tips on how to avoid being scammed (preventive controls) offer sound advice, as do the two on identifying that you have been scammed (detective controls) and three on how to resolve such issues (corrective controls).
The Identity Theft and Assumption Deterrence Act has made identity theft a specific crime in the US since at least 1998.
The US Office of Inspector General offers sound advice to students and prospective students about identity
theft scams targeting them. A typical example is a phone call to a prospective student asking them for their
banking information ‘in order to process an application fee’. Students seldom have much money but
fraudsters can obtain credit in their names and rack up bigger bills quicker than even the most profligate party animals. The Stanford University newspaper picked up on a survey of students regarding their awareness of identity theft.
A free 12-minute security awareness video on drive-by downloads explains step-by-step how merely visiting a malicious web page with an unpatched PC can result in your machine being silently infected in an instant with spyware and viruses. The worst operating system and browser flaws can leave your machine wide-open to attack, although properly configured and up-to-date antivirus/anti-everything software does help to some extent.
There are plans afoot to increase penalties under the UK’s Data Protection Act to include prison sentences of up to two years for identity thieves, following a report published in May 2006 by the Privacy Commissioner, ‘What Price Privacy? The unlawful trade in confidential personal information’. The report “reveals evidence of systematic breaches in personal privacy that amount to an unlawful trade in confidential personal information.”
US victims of identity theft are encouraged to report the details to the Internet Crime Complaint Center, a
collaboration between the FBI and National White Collar Crime Center.
CIO Magazine’s top ten ways you can help prevent identity theft are mostly suggestions for organizations to
protect their employees’ personal data (SSNs etc.).
Reporting on a September 2005 study of 1,000 US users of online banking by a market research firm, ZDNet UK News said “many consumers were worried that their personal information could either be stolen by hackers and phishers or sold to third parties by banks. Nearly 83 percent of those who conduct banking online reported such concerns, while 73 percent of respondents said personal information theft is a deterrent for them.” By neglecting to mention the threat of identity theft to offline bank users, ZDNet implies that online banking is especially risky, whereas other studies have indicated the opposite, e.g. see the Better Business Bureau report published in January 2006 which noted that theft of sensitive (identity-related) paperwork is more likely to lead to identity theft than online data compromises. Often, the perpetrator turns out to be someone close to the victim - a family member or friend with access to the victim’s personal effects.
Phishing

Phishing: cutting the identity theft line by Rachael Lininger and Russell
Dean Vines (~$30 from Amazon) provides useful information and guidance to information security professionals and private individuals.
Phishing attacks are routinely monitored by the Anti-Phishing Working Group. APWG is a self-help community of professionals fighting phishing. As
you might expect, their members are mostly drawn from financial services companies plus vendors selling anti-phishing tools and services. The group
analyzes the attacks, publishing some interesting statistics and notes on the types of attacks in the wild. Membership is especially beneficial to financial institutions and others suffering
the effects of phishing attacks on their customers. Some extremely helpful APWG members go out of their way to support professionals who find themselves under siege from phishers.
Wikipedia’s entry on phishing is one of the better definitions and incorporates some helpful advice on anti-phishing controls plus lots more references.
CastleCops and Sunbelt Software have launched a joint initiative - Phishing Incident Reporting and Termination (PIRT) - to respond quickly to reported phishing incidents and get phishing websites taken offline as soon as possible.
Do you report phishing attacks to the companies whose good names are being abused? The preferred way of reporting is to forward the original phishing email, plus the full email header (which you can get from Outlook, for example, by clicking View --> Options, then marking and copying the header text) to abuse@<company website here>. Sometimes, if we have time, we like to check out the phisher’s website, but be VERY careful! If you visit a phisher site, there is a good chance it will try to infect your machine with malware. The safest option is simply to do a whois lookup on the phisher site - we like Karen’s Power Tool whois utility for this purpose.
Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures is a report published on the Anti Phishing Working Group website. The APWG is a tremendously helpful community for those of us fighting phishing.
Several organizations have started using (simulated) phishing attacks against their own employees as a security awareness activity. The New York State Office of Cyber Security and Critical Infrastructure
Coordination, for example, sent staff an internal email asking them to enter their passwords into a
‘password checker’. 17% of their 10,000 users succumbed and were given additional education. When the
exercise was repeated a month later, the phishing email phooled just 7% who were presumably given stronger, more explicit advice and encouragement by management.
In Man bites phish on the PBS website, Robert Cringely wrote “The simple way to kill phishing is by making it harder for the phisher to make money from it. Right now, a phisher sends out a million e-mails and gets back 100 replies that yield positive data. There is almost no effort involved in sending out the e-mails after the first one, and the quality of the return data is very high. No wonder this is such a popular business! Let’s change that. If you get phishing e-mail, go to the web sites and enter false data. Make up everything -- name, sign-on name, password, credit card numbers, everything. Instead of one million messages yielding 100 good replies, now the phisher will have one million messages yielding 100,000 replies of which 100 are good, but WHICH 100?” [Encouraging people to visit phishing sites is a counterintuitive, not to say risky, security strategy, but the article points out that there’s not much hope in depending on law enforcement to phight the phishers.]
A rather more conventional approach to fighting phishers was outlined here.
Pharming is a variant phishing technique whereby visitors to a legitimate website are secretly redirected to a
fake website run by fraudsters. Pharming exploits technical and procedural security weaknesses in DNS (the Domain Name System which links domain names to specific IP addresses) and the domain registration
process. Thankfully such attacks are quite rare, mostly because security controls were improved after a few initial attacks revealed the vulnerability.
If you are concerned about unknowingly visiting a spoofed website that uses URL trickery to conceal the true
domain name, a simple bit of JavaScript will decloak them (it’s easiest to link the following code to a shortcut button on your browser links bar):
javascript:alert("True root URL = " + location.protocol +"//" + location.hostname + "/");
If you doubt the veracity of a site you are visiting, click the button to see the domain part of the page’s URL - maybe not completely foolproof but better than nothing.
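The bookmarklet above only reports the page you are already on. As an added example (not code from the original page), the same check applied to any URL string, say one copied out of a suspicious email before it is clicked, using the browser’s standard URL parser to reveal the real hostname and flag the common obfuscation tricks; trueRoot and the sample URLs are our own names and constructed values, not real sites:

```javascript
// Added example, not from the original page: report the true hostname of any
// URL string, the way the bookmarklet above does for the page you are on.
// Relies only on the standard WHATWG URL parser (browsers and Node.js).
function trueRoot(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "not an http(s) URL" };
  }
  const host = url.hostname; // already lower-cased and normalised by the parser
  const warnings = [];
  // "http://www.bank.example@evil.example/": everything before '@' is
  // userinfo, not the host; the request actually goes to evil.example.
  if (url.username !== "" || url.password !== "") {
    warnings.push("userinfo before @ hides the real host");
  }
  // Decimal, octal or hex forms such as http://0x7f000001/ are normalised
  // by the parser to a dotted quad; a bare IP address is rarely a real bank.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) {
    warnings.push("host is a bare IP address");
  }
  // Punycode labels mark an internationalised name, which may be a look-alike.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    warnings.push("host contains an IDN (xn--) label");
  }
  // Naive guess at the registered domain: the last two labels. This ignores
  // multi-part public suffixes such as co.uk, so treat it as a hint only.
  const labels = host.split(".");
  const site = labels.length > 2 ? labels.slice(-2).join(".") : host;
  return { ok: true, root: `${url.protocol}//${host}/`, site, warnings };
}

// Constructed sample URLs for demonstration; none is a real site.
const SAMPLE_URLS = [
  "http://www.bank.example@203.0.113.5/login",                 // userinfo trick
  "https://www.bank.example.secure-login.evil.example/account", // long prefix
  "http://0x7f000001/",                                         // hex IP address
  "https://www.bank.example/",                                  // looks legitimate
];

for (const u of SAMPLE_URLS) {
  const r = trueRoot(u);
  console.log(u, "=>", r.ok ? `${r.root} (site ${r.site})` : r.reason, r.ok ? r.warnings : "");
}
```

The registered-domain guess is what you should compare against the name you expect; the labels to its left are chosen by whoever controls that domain.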
Senator Patrick Leahy (re-)introduced his Anti-Phishing Act 2005 to the U.S. Senate. The act outlaws phishing (emails that mislead victims into visiting fake websites) and pharming (attacks that redirect visitors’ attempted connections to a legitimate website, sending them instead to a fake website). “The Anti-Phishing Act of 2005 would enter two new crimes into the U.S. Code. The first prohibits the creation or procurement of a website that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft. The second prohibits the creation or procurement of an email that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft.”
An article in CSO magazine explained how phishing works. Target companies receive huge numbers of
customer inquiries when a phisher is active, implying that the general public, thankfully, are increasingly aware of IT frauds.
Phishers sometimes exploit other cunning tricks such as using Java code to swap your browser address bar for a functional replacement, except that thereafter the phisher’s code steals information from your
browsing activities ... you’ve got to admire their technical abilities, if not their morals. What’s the betting that we’ll soon see spammers trying the same tricks?
Network Associates released this white paper on phishing and the corresponding ‘best practice’ controls.
Being a well-known public financial service connected with on-line auctions, eBay is very much in the firing line for phishing attacks, and provides this information for customers on how to spot fake (phisher) emails. PayPal’s advice to its customers mentions that one way to identify a legitimate PayPal message is that they
identify customers by name ... unfortunately, phishers seem to have defrauded PayPal merchants and
thereby obtained their customer names (amongst other information), therefore this advice is no longer
entirely reliable [PayPal’s original press release is no longer online]. eBay is in the process of setting up
private mailboxes for its customers to which only eBay can send messages - this is fine so long as customers ignore “eBay” emails received via other routes.
According to Ireland’s Electric News, Bank of Ireland customers who fell for a phishing scam have lost a total
of €113,000. It is unclear at this point whether the Bank will refund customers’ losses.
Fraud Watch International is an Australian organization tackling web frauds including identity theft. The site
lists current phishing attacks - over 700 phishing sites are active as I write this.
Take this phishing quiz (revised) to assess your awareness of the phishers’ tricky techniques and find out how URLs are obfuscated (hidden) by phishers.
Some phishers lure their victims with false prizes. Naive victims fall for these crude tricks, making phishing
and identity theft obvious security awareness topics.
The Financial Services Technology Consortium, a US financial services industry body, has a project looking at
how to share fraud information in real time (such schemes are already operating in some smaller countries).
Secunia’s frame injection vulnerability test demonstrates a specific browser vulnerability used by some phishers.
A chronology of (US) data breaches reported since the ChoicePoint incident shows a conservatively
estimated total of around 90 million personal data records exposed since February 2005. Yes, more than 90 million! That’s at least 5 million a month! How many or how few of the breaches result in identity theft
or similar incidents is a moot point.
A double-sided phishing prevention tips brochure from the US Treasury gives a satellite, space shuttle or
lunar lander view of the problem.
The Phish Report Network (PRN) is an anti-phishing reporting and aggregation service coordinated by
Symantec with members such as Microsoft, eBay and VISA (paying $50k p.a. each). PRN collates information about phishing scams in order to get phishing sites shut down more quickly through concerted
action.
The National Consumer League’s phishing site has copies of their public service broadcasts and other materials.
Phishing and identity theft incidents
To Catch a Thief is a blogger’s story about how her identity was stolen and abused by criminals a year
ago. There follows a harrowing and involved tale of the steps taken to investigate, report and stop the abuse. The victim hardly mentions the anguish the incident caused but it’s not hard to imagine being in
exactly the same position. Right up front she mentions having sent her credit card number by email (doh!) and when she paid for some shoes in a shop, the shop assistant curiously went behind the scenes with her
card ... innocuous acts to someone who isn’t security aware.
If you enjoy news stories with a pinch of drama and intrigue, Martha Baer’s piece on identity theft will grip you. Starting with the description of a police raid on an identity thief’s home, the story focuses on a
particularly successful US e-crimes unit dealing with everything from lone drug pushers to gangs of assorted
criminals actively exploiting identity theft to scrape their sordid living. Their success stems from selectively
checking-up on fraudsters released on parole. Strangely enough, they find a significant proportion of former offenders re-offend ...
Identity theft leads to prison ... for the victim, not the perpetrator in this case. A BBC man on holiday in
Slovenia spent 2 nights in prison there as a consequence of an identity theft incident stemming from the theft of his passport years earlier. He was accused of having defrauded a German company of €450k.
Around 100 staff resigned, 19 were sacked and around 350 were disciplined as a result of a two-year investigation into their unauthorized use of database facilities at Centrelink, the Australian federal
government’s social security and welfare agency. As such, Centrelink staff have access to a wide range of
personal information. Spyware was used to track staff use of the systems. A Centrelink general manager
said “It was done for a whole range of reasons - from just sticky-beaking, through to at the more serious
end of records actually being changed ... What this shows is that we have zero tolerance for any people who
have surfed the details of the family and friends or peeked at records of their neighbours in our system.”
[This statement, however, fails to acknowledge the potential for abusing such wide-ranging access to personal data in order to commit identity theft.]
A US accountant’s stolen PC contains details of 800 clients for whom she had prepared tax returns. The
thieves appear to have targeted the PC specifically since they left behind cash and checks.
A remarkably successful identity thief was eventually brought to justice through an alert immigration officer
who spotted dubious documentation, sparking further checks that revealed a fraudulent passport application. The self-styled Earl of Buckingham (not his real name) managed 23 years under an assumed name. His real identity remains hidden, thanks partly to Switzerland’s privacy laws since he was working in Zurich as an IT
security consultant for an insurance company.
Read three identity theft victims’ stories from the BBC, and find out how easy it is to steal personal data from Londoners’ rubbish bins, or from bins outside English banks.
Identity thefts on the UK’s online tax credit system cost £2.7m in 2005. Identities of nearly 9,000 Department for Work and Pensions staff were stolen during 2003-4 and nearly 7,000 of them were used to
commit identity theft. Initial estimates indicated that around £15m was at risk but prompt action by the authorities kept the damage to less than £3m.
A US government laptop stolen from a Department of Transport special investigator held the names, addresses and SSNs for nearly 43,000 airline pilots in Florida. Consequential identity theft is a distinct possibility.
It wasn’t until David Richardson had a lot of trouble getting a mortgage that he discovered his identity had been stolen ten years earlier. BBC News reported that after David’s birth certificate and passport had been stolen, an identity thief fraudulently opened two accounts in his name and racked up £6,000 in debts. “I would advise anybody to look after their personal details,” he said. “It’s amazing what kind of information you can get from a basic utility bill. People should be very careful with their personal items and documents.”
Following a huge potential disclosure of personal information when a Veterans Affairs’ PC was stolen, the VA offered straightforward advice.
The man behind an identity theft scheme involving “tens of thousands of victims” and “losses of between
$50 million and $100 million” was reportedly a help-desk worker at Teledata Communications Inc., a Long Island software company. He was jailed for 14 years for disclosing customer passwords and codes for
downloading consumer credit reports.
Accountancy Age reported that a solicitor abused the trust implicit in his position to set up a bank account in the name of “Ian Revue”. He used the account to siphon off £825k (more than $1.5m) of his employer’s funds intended for the Inland Revenue. The fraud was reported by a sharp-sighted whistleblower at the firm who spotted him writing a check for stamp duty (property transfer tax) on a transaction that did not incur the tax.
Miscellaneous
If you like blogs, try this one for size on ‘identity stuff’.
An article describes how difficult it is to counterfeit money, explaining some of the anti-counterfeiting
controls incorporated into US bills that are designed to make the whole process difficult, risky and essentially
uneconomic for the counterfeiters. Bear this article in mind, however, if your organization uses vouchers,
tokens, credit notes, staff passes and so on. How easy would it be for a creative teenager with a scanner and color printer to fake them?
Access to a ‘free’ 135-page eBook on Identity Management paradoxically requires you to disclose personal
data during the application process. Treat this as a small exercise in privacy management if you will: can you get the book without compromising your privacy?
Related NoticeBored links collections
Authentication, IT fraud, email security, privacy and confidentiality
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.