Effects of Losing their Identities through Identity Theft - Report Example

Who Are You? Table of Contents Introduction……………………………………………………...2 Faking It........................................................................................3 Worms’ Holes…………………………………………………...4 The Way of the Worm…………………………………………..6 Preventive Measures…………………………………………….9 Summary……………………………………………………….13 Works Cited……………………………………………………15 Introduction Identity theft has become a growing problem for customers and businesses. Businesses lose money when consumers suffer the terrible effects of losing their identities through theft, or when they merely feel threatened by that possibility. Reports of credit card fraud, “pharming”, “phishing”, and other electronic prestidigitation are on the rise, and consumers are increasingly wary of doing particular types of business online. In a survey of 6,000 U.S. consumers, Forrester Research determined that 20 percent of online consumers no longer open email that appears to be from their financial provider, and 26 percent did not apply for a financial product solely because they were concerned about fraudulent activity. In addition, Princeton Survey Research Associates International published a study that finds 25% of Internet users no longer shop online and 86% have made some sort of substantive change in their Internet usage due to risks of identity theft (Verisign, 2005). The financial services industry is the single hardest-hit industry, with 78 percent of all identity theft attempts made on the customers of banks and other financial institutions (Kallender, 2005). The US Federal Trade Commission’s definition says, “Identity theft is brought about when someone possesses or uses your name, address, Social Security number, bank or credit card account number, or other identifying information without your knowledge with the intent to commit fraud or other crimes.” According to recent statistics from the FTC, identity theft is the fastest-growing crime in America. It may also be the hardest to prosecute. Extensive research shows that identity theft consists of three categories: financial, medical, and character defamation (McCoy, 2005). Faking It No matter whether one calls it identity theft, “phishing”, skimming, or social engineering, almost all identity-theft activities are variants of the age-old crime of fraud. However, the increasing use of electronic systems in day-to-day life has vastly extended the operational scope of those who would commit fraud and the potential profits they can reap from their criminal actions. Most people carry several exploitable pieces of identification with them every day, usually credit or debit cards. Until recently, a common technique of criminals trying to steal one’s cards was “shoulder surfing”—lurking behind someone at a cashpoint, noting the personal identification number, or PIN, of a card and then using deception or force to take that card. But, as technology has miniaturised a new technique has emerged. At a busy machine hundreds of card numbers can be collected in a few hours and turned into cloned cards. The wide availability of small card scanners has also made card skimming a problem. In a matter of seconds one’s card's magnetic strip can be copied, and a crooked employee at, say, one’s favourite restaurant can copy many cards in a single day (Thomson, 2005). For more intricate frauds, criminals need more than credit card numbers. There is enough information in most bank statements and utility bills to reveal plenty about those to whom they are sent. Combine that information with publicly available data, such as the electoral roll and credit databases, and criminals could have enough information to apply for credit cards, set up mobile phone contracts or even arrange loans. Needless to say, the problem of criminals rummaging through trashbins for such documents is all too real, and there have even been reports of organised crime paying people to pick through landfill sites for such documents. There's also the problem of lost post. The Royal Mail watchdog, “Postwatch”, reported that 14.4 million letters were lost last year, and stories of new credit cards and their PIN codes, which are always posted separately, being intercepted before they reach the recipient have emerged. By far the biggest problem with identity theft is “social engineering”, which constitutes someone obtaining personal information by way of deception, and usually involves some form of incentive or plain and blatant flattery. A veneer of officialdom also oils the wheels; this is a surprisingly effective technique (Thomson). Worms’ Holes There are many cracks and fissures and gaping loopholes to be found in even the most modern computer operating systems and PC security systems. The “buffer overflow” helped spread the first Internet worm in 1988. It seems programmers and software architects manage to make the same mistakes generation after generation. Even back in 1988, many of the bugs that haunt us today were already old hat (Garfinkel, 2005). “We solved buffer overflows and the Y2K problem with Multics in 1975,” says Peter Neumann, a senior scientist at SRI International who has been researching bugs and their impact on society for more than two decades. But while Multics , which was the first secure multi-user operating system, addressed some thorny problems, bug history keeps repeating itself (Garfinkel). Buffer overflows and race conditions are examples of the kind of bug that foils a computer’s memory. A particularly tenacious beast, the potential for a buffer overflow is created when a programmer allocates a certain amount of memory to hold a piece of information—for example, nine characters to hold a Social Security number. But then the program tries to store more data in that space when it actually runs. The rest of the data overflows the pre-allocated buffer and overwrites something else in the computer's memory – frequently with disastrous results (Garfinkel). Partially in reaction to memory errors, other languages such as Java, Python, and Perl incorporated a feature called automatic memory management, which effectively took some control away from programmers. With these so-called “type-safe” languages, attempting to copy 16 characters of data into a region of memory that can only hold nine might result in having the second region extended, or it might generate a runtime error, but it would never disintegrate the next item in the computer's memory (Garfinkel). But, the new languages didn't terminate the bugs; they merely moved the cracks and fissures to other parts of the code, says Tom Ball, a scientist at Microsoft Research who studies software reliability. “Type safety doesn't eliminate all problems—it eliminates one class of errors,” says Ball. “It doesn't, for example, ensure that resources like locks are properly used” (Garfinkel). These cracks and fissures allow plenty of room for indentity thieves to breach security, especially as they themselves evolve in their sophistication. The Way of the Worm There are certain prevalent threats against which consumers need to protect themselves in the electronic age. Phishing attacks use counterfeit emails and fraudulent Websites to fool recipients into divulging personal financial data such as credit card numbers, account user names and passwords, etc. Pharming attacks use email to infect consumer PCs with Trojans that re-direct their Web browsers to fraudulent sites. Crimeware consists of a new class of viruses and worms designed to “plant” code in PCs that stealthily steals personal information over time. Crimeware is often sent as file attachments via email over “botnets” comprising thousands of “zombie” computers, making it look like the emails are coming from regular people and actual companies, thus increasing the likelihood the attachments will be opened. Image-based spam is an increasingly common spamming technique in which images, rather than words, are used to lure consumers to fraudulent sites. Most spam filters are ineffective against this type of spam (Proofpoint, 2005). Phishing attacks are increasingly using keyloggers as another method to steal personal information. “Phishing techniques are evolving in sophistication and complexity at a rapid pace,” warns Mark Murtagh, technical director at Websense. As awareness of phishing among Web users has grown, those who traffick in fraud are using new attack methods in addition to fake Websites. “One of the most common forms is where malicious code modifies host files and points end users to a fraudulent site despite them having typed the correct URL into their browser” (Thomson, 2005). Keylogging “malware” steals data from a user's Internet sessions, including logins and passwords from online banking sessions and E-commerce sites, and from Internet Explorer's Protected Storage Area, which can contain personal information for use with the browser's Web form AutoComplete function. There are those for example that specifically capture browser window titles and keystrokes when they detect words associated with financial interactions, such as “bank”, “casino”, “eBay”, “login”, and “PayPal”, to name a few (Claburn, 2005). Sunbelt Software, Inc. discovered one particularly wicked keylogger that ran on Internet Explorer. Company president Alex Eckelberry notes in his blog that the keylogger “is generally undetectable by a software or hardware firewall.” It also turns off the Windows firewall. What's more, there are keyloggers capable of blocking access to the Websites of many anti-virus security companies by altering the host’s file on infected machines. Once a keylogger program has captured enough data, it sends the information in a text file to a remote server where the information is presumably harvested by criminals (Claburn). One quite common phishing tactic is to entice customers to buy products at what will turn out to be a fake e-commerce store. A criminal will set up a phony Website for a few weeks, collect orders, and then suddenly disappear. One of the newest phishing trends to emerge has almost everybody in the security industry concerned: Trojan phishing. So-called Trojan programs, named after the horse of mythology that used a ruse to put the Greek soldiers inside Troy's otherwise impenetrable city walls, disguise themselves as beneficial files, but actually enable hackers to gain access to computers from remote locations to steal account information directly from a computer. Some hackers use these Trojan-infected computers to set up networks of so-called “zombie” machines. The advantage to the hacker is a continuous data flow that comes to him with little chance of his being detected. The Trojans also give criminals a way in to install keylogging software. “These Internet scammers can set up from foreign countries using stolen credit cards to establish accounts at various Website hosting companies,” says Neal Creighton, CEO of GeoTrust. “Then they can point those Webservers to other hacked servers, hijacking lots of Webservers along the way.” Creighton and other experts say this type of remote operation keeps rolling from one distant server to another as banks catch up with them and shut them down. Meanwhile, the perpetrators never have to leave their homes. “Server owners have no idea that this illegal activity is going on from their own servers,” he said (Germain, 2005). “The scale is unimaginable. There are thousands of machines pinging back daily. There is a keylogger file that grows and grows, and then is zipped off and then the cycle continues again (note that while thousands of machines are pinging back, the amount that are being logged into the keylogger file is less than that, but still significant). The server is in the US, but the domain is registered to an offshore entity,” writes Sunbelt’s Eckelberry (Sunbelt Blog, 2005). Rather than spamming consumers with e-mail requests, pharmers work quietly in the background, “poisoning” one’s local DNS server by redirecting one’s Web request somewhere else. As far as the PC owner’s browser is concerned, he is connected to the right site. The danger here is that people no longer have to click an e-mail link to hand over their personal information to identity thieves. Just watching the address bar on the Internet browser will not inform one of any hijacks; to the user, the URL and possibly even the mimicked financial site will look just fine (Vamosi, 2005). Through pharming, a hacker could break into an Internet service provider's DNS servers and switch legitimate addresses stored in the server's “cache”, a temporary holding area, with fake addresses. Likewise, a scam artist could pretend to be a Website's operator to persuade an Internet registrar to make the change to the fake address in the registration database (Anonymizer, 2005). Preventive Measures There are methods that are capable of helping businesses and consumers outwit the madness of identity theft. Camera phones, closed-circuit television, personal digital assistants, and computers are now providing digital forensic evidence that can help solve the “conventional” identity theft crimes. Computer crimes targeted at businesses—such as hacking and denial of service attacks—could be reduced if people did more to secure their computer systems. “Vast numbers of businesses have an online presence, and they are vulnerable to crimes such as hacking,” says detective inspector Chris Simpson of the UK’s Metropolitan Police. “There is a need for consumer education. Proxy and zombie computers are marketable assets, but if we can educate the end user to install firewalls, anti-virus software, and update systems, then we can put a stop to this” (Thomas, 2005). The police, themselves, are also being educated and equipped. The Compusys corporation not only provides Intel technology, but also trains police on how to use the equipment. “It is an ongoing relationship because every time we provide them with a solution, a better bunch of criminals come along so we have to come up with something else,” says commercial director Gordon Davies. “For the past two years we have been equipping police…with the technology to combat the growth of computer crime” (Hailstone, 2005). Microsoft, eBay, PayPal, and Visa have backed a service that aims to crack down on phishing attacks by creating a central database of known scammers. Their Phish Report Network allows companies to report fraudulent sites to a central database, operated by IT security firm WholeSecurity. Companies subscribing to the network can use the database to help improve consumer protection by blocking these sites in their security applications. For example, companies such as eBay, PayPal, and Visa can enter confirmed phishing sites, and software companies, internet service providers (ISPs), and security vendors can incorporate the aggregated list into software, email, and browser services to help protect consumers against online fraud (Ranger, 2005). Netcraft has released its security toolbar for the open source Firefox browser, aiming to limit the threat of phishing victimization by using a blacklist of known fraudulent Websites. The technology relies on individuals earmarking the URLs of phishing Websites and passing the information on to other users. The toolbar then blocks access to the sites. It also makes sure that the browser displays all the toolbars. Some phishing sites hide the URL to prevent users from noticing that the URL of the fake site differs from the legitimate version (Sanders, 2005). Then there is FS Pro Labs’ ID Knight, which is security software that scans one’s Internet Explorer autocomplete fields for the identity data or any data that the user might specify as a template and removes them. It eliminates one’s worry about Internet Explorer security and using autocomplete that can expose one’s credit card numbers to theft. The ID Knight works by automatically detecting credit card data, social security numbers, emails, postal addresses, driver's licenses, and other IDs (FS Pro Labs, 2005). Businesses can take certain actions will assist law enforcement in an investigation into a case of electronic identity theft from phishing. Businesses should: preserve all log data; have consumers forward phishing e-mail, complete with header information, as well as any information they provided to the fake request (this information is essential in tracing the e-mail route, ensuring the preservation of evidence and providing law enforcement with verifiable information for comparison); record the level of returned or bounced e-mails to assist in estimating the scope of the attack; provide as much information on the phishing IP addresses as available, and coordinate any attempts or efforts to persuade the Internet Service Provider to shut down the illegitimate Website with law enforcement. In some instances, the site may need to be left up a short time to assist law enforcement in pinpointing the origin and gathering as much information as available to help with identifying the origination location (Emigh, 2005). Similar procedures should be followed to help into investigations into other methods of electronic ID theft. Likewise, individuals have techniques of prevention that they can adhere to. One should never give anyone a credit card number or related information over the telephone except when dealing with someone personally known or with whom there is a well-established business relationship. Similarly, one should avoid confirming such information to a stranger on the telephone. One should not carry one’s birth certificate, passport, or extra credit cards on one’s person unless it is of absolute necessity. When using an ATM or public telephone, one should shield the viewing screen or keypad so that others cannot read ones’ Personal Identification Number (PIN). Credit card numbers should not be written on cheques. Shred all documents containing account numbers or other personal information before disposing of them. Bank and other financial statements, ATM and credit card receipts, and pre-approved credit offers are among criminals’ favorite sources of information (LA District Attorney, 2005). Never use a public trash can to dispose of anything with important personal information on it. Identity thieves have been known to sort through trash to obtain personal information. If one receives an e-mail or a pop-up message that asks for personal or financial information, one must not reply to the e-mail or click on any link in the message. If one has any concerns about one’s account, then one should contact the business or financial institution by telephone. Never should one open an e-mail attachment unless one is absolutely sure who sent it and what is in the attachment. A safe approach is to immediately delete e-mail from unknown sources, without opening the e-mail. People should make sure their personal computers are equipped with up-to-date antivirus software and the latest security patches. Some phishing e-mails contain software that can physically harm computers or surreptitiously track individual activities on the Internet, something known as spyware. Antivirus software and a firewall can protect people from inadvertently accepting such malicious files. To better recognize legitimate e-mails from third parties, one should familiarize oneself with the privacy and security policies of third-party Websites to understand how they will use one’s e-mail address. One should access one’s credit report from a credit reporting agency once per year to ensure that it is accurate and does not include debts or activities that one has not authorized or incurred. Before submitting personal information through a Website, one should look for the padlock icon on the browser's status bar. This signals that one’s information is secure during transmission (MBNA, 2005). Summary The problem of identity theft is one requiring fighting fire with fire. Simply put, all that businesses, consumers, and law enforcement can do is be more informed than the ever-more organized criminals targeting others’ identities for their taking. In the information age, information equals money. What is identity but organized information? When businesses and consumers give away identities, they are lining criminals’ pockets with their money. Businesses and consumers must stay several steps ahead of those preying upon disembodied human capital. Upgrading security measures must be constant. Consumers and businesses alike must be ever-evolving, for their criminal counterparts surely are. Works Cited “A New Threat to Your Privacy: Pharming”. Anonymizer. Retrieved Dec. 2, 2005. . Claburn, Thomas. “Identity Theft Keylogger Identified”. Information Week: Aug. 11, 2005. . Eckelberry, Alex. “More on the Identity Theft Ring”. Sunbelt Blog: Aug. 6, 2005. . Emigh, Aaron. “Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures”. Retrieved Dec. 2, 2005. . Garfinkel, Simson. “Battling Bugs: A Digital Quagmire”. Wired News: Nov. 9, 2005. . Germain, Jack M. “The Real-Life Internet Sopranos”. Sci-Tech Today: Dec. 2, 2005. . Hailstone, Laura. “Police Put Compusys on the Case”. Retrieved Dec. 5, 2005. . “How Can I Avoid Becoming a Victim of Identity Theft?” MBNA Canada. Retrieved Dec. 5, 2005. . “Identity Knight: Stop Identity Theft and Keep Your Online Privacy Secure”. FS Pro Labs. Retrieved Dec. 3, 2005. . “Identity Theft”. Los Angeles County District Attorney’s Office. Retrieved Dec. 4, 2005. . Kallender, Paul. “Phishing Attacks Still Climbing”. PC World.Com: March 29, 2005. . McCoy, Michael. “Identity Theft Takes Many Alarming Forms”. Des Moines Business Record: Dec. 4, 2005. . “Proofpoint Announces Five Golden Rules of Holiday Identity Theft Prevention”. Retrieved Dec. 5, 2005. . Ranger, Steve. “E-Commerce Giants Hook Up to Sink Phishermen”. Retrieved Dec. 3, 2005. . Sanders, Tom. “Firefox Toolbar Blocks Phishing Sites”. Retrieved Dec. 2, 2005. . “Security as a Competitive Differentiator”. Verisign. Retrieved Dec. 3, 2005. http://www.verisign.com/static/036237.pdf Thomas, Daniel. “Specialist Police Units Tackle Computer Crime”. Retrieved Dec. 3, 2005. . Thomson, Iain. “Identity Theft—the Facts”. Retrieved Dec. 4, 2005. . “Keyloggers the New Phisherman's Friend”. Retrieved Dec. 4, 2005. . Vamosi, Robert. “Alarm over Pharming Attacks: Identity Theft Made Easier”. CNET: Feb. 18, 2005.< http://reviews.cnet.com/4520-3513_7-5670780-1.html>. . Read More