Pierluigi Paganini May 01, 2012

Every day we exchange personal information with colleagues, friends and unknown people with no idea how they are treated and for what use they will be managed. Telephone number, email address or driver’s license number are example of the data we provide ordinary using new media channels like internet and the social networks.

The use of this information is of great interest for the industry of crime because it is possible to commit a wide range frauds with high profits.

With the terms Identity Theft and identity fraud are referred all types of crime in which an ill-intentioned individual obtains and uses another person’s personal data, this kind of crimes are increasing according the data provided by law enforcement all over the world.

Many organizations have tried to provide a characterization of the phenomenon trying to classify the types of identity theft in categories.

SANS Institute proposed the following characterization:

• Financial fraud – type of identity theft that includes bank fraud, credit card fraud, computer and telecommunications fraud, social program fraud, tax refund fraud, mail fraud, and many more.  A total of 25 types of financial identity fraud are investigated by the United Secret Service.
• Criminal activities – type of identity fraud involves taking someone else’s identity in order to commit a crime, enter a country, get special permits, hide one’s own identity, or commit acts of terrorism. The criminal activities can include:
  • Computer and cyber crimes
  • Organized crime
  • Drug trafficking
  • Alien smuggling
  • Money laundering

How do identity thieves access personal information?

There are a lot of scenarios to access to personal information and identify them is necessary to recognize and prevent this type of crime. Most common case are:

• through a social engineering attack
• through a retail transaction
• by hacking into computer systems
• through phishing campaigns
• through stolen purses or wallets
• through stolen personal documents
• by stealing information from a company who had stored the data online
• through stolen mail
• and in many other ways
• through dumpster diving – rummaging through trash in an attempt to find personal information

But how widespread is the crime and what are the figures that show its growth?

A global precise estimates of phenomenon is impossible due to the different legal treatment reserved for this type of crime in different countries, however, to provide a valid indication I extrapolated some data from the “2012 Identity Fraud Report 2011”  study conducted by Javelin Strategy & Research.  The company collects data related to US citizens to measure the overall impact of identity fraud on consumers.

In the next graphics is presented the progress of the Incident Rate from 2003.

The situation is worrying, 4.9% of U.S. Adults Were Victims of Fraud in 2011. After a sensible reduction of identity fraud incidence from 2009 to 2010, we see an increase this year of more than 10%. ID fraud increased to 4.90% in 2011 from 4.35% in 2010, which represents a 12.6% increase. The total number of identity fraud victims increased to about 11.6 million U.S. adults in 2011, compared to 10.2 million victims in 2010.

Despite the growth of incidents for for ID fraud, the annual overall fraud amount was at its lowest point of $18 billion since 2003 attributable to the rapid increase of thefts characterized by lower profits.

Digital Identity

Particularly alarming is the growth of such crimes in computers. Which are the information that compose our digital identity?

On the Internet, our identity composed by:

• IP (Internet Protocol) address
• address where we live
• usernames
• passwords
• personal identification numbers (PINs)
• social security numbers
• birth dates
• account numbers
• other personal information

The data are continuously exposed to high risk of frauds, the propensity of Internet users to the usage social networks and the rapid spread of mobile platforms create the right conditions for criminals.

Unlike the classic identity theft, for digital theft victims don’t have to wait for a thief to physically steal their information that can be stolen by computer criminals from the databases of banks, retailers, ISPs and also from victim’s PC.

In internet researches have identified three main schemas to realize identity thieves

• Phishing Attacks – This lure often comes in the form of a spam email or pop-up warning that looks like it has been sent from a company we trust. Often the companies are ones that we use regularly, like our bank, credit card company or some other online payment system. If we click on the link indicated, we are directed to a web site that is designed to look exactly like the official site of the company being mis-represented. Under the assumption that they are at an official site, victims enter specific personal information, such as social security number, credit card number or password.
• Malware technology – The fraud is realized when users download malware just by clicking on a pop-up ad or viewing spam email. The malware gathers information, such as user IDs and passwords for bank accounts, logging all keyboard strokes, or by using Trojans and other techniques to collect information from our PCs. This information is then passed back to the Command and Control servers when victims connect to the Internet.
• Pharming – In pharming, a cyber criminal exploits a vulnerability in an ISP’s (Internet Service Provider) DNS server and hijacks the domain name of a legitimate web site. Anyone going to the legitimate site is redirected to an identical but bogus site. Once redirected, unsuspecting site users will enter personal information, such as a password, PIN number or account number.

Prevention, Detection and Resolution Model

According to the guidelines provided by the Federal Trade Commission the fight to the identity theft crime must be articulated in three phases, the prevention, the detection and the resolution.

The prevention actions are different mainly based on the awareness on cyber threat and a constant monitoring of real exposure of personal information. It’s essential that population, and in particular internet user must know the threats related the divulgation and the improper usage of their data.

Personal information must be protected and citizens must be aware of the real usage of their info once provided.

The protection must be completed with detection actions, operations that must be in place to discover the identity thefts and frauds. Constant alerts and bulletins must be provided by the law enforcement every time a new fraud is detected. Private sector and government institution must cooperate to realize program and project to contain this type of crime supported by an adequate legal framework providing for severe penalties for these offenses.

Applying the model to the mobile landscape and social networks

Let’s try together to apply the model to two of main worrying scenarios, mobile and social networking. To prevent fraud and identity theft in mobile device usage let’s follow simple best practices:

• Disable as default every “always on” functionality of mobile devices.
• Install mobile software only from the legitimate App stores and markets.
• Be aware of permission we grant to the applications we execute on mobile.
• Do not jailbreak or root your mobile device.
• Install an antivirus program to mitigate instances of mobile malware.
• Make sure the OS is upgraded to the last version applying security updates.
• Make sure that you can erase the content of your mobile remotely in case of lost.
• Be careful with premium SMS numbers — sometimes you are signing up for stuff when you are agreeing to the licensing terms.

Regarding the user’s behavior to have during the frequentation of social networks:

• Do not reveal sensitive or personal information on social networking sites.
  • Such personal details are commonly used by banks and credit card companies as security questions to identify an individual  before clearing access to his or her financial accounts, credit card logins, and more.
  • Social networking sites can provide fraudsters with personal information to access accounts. Use caution when sharing such details on your profile. Also, take advantage of privacy settings so that you can control who sees your profile information.
• Use caution when using apps on social networking sites.
  • Verify that the app does not have access to any personally identifiable information. Users of certain social media apps experience a significantly higher incidence of fraud than the general public. In 2011, users who had ever clicked new apps or updated their profiles with important events experienced a 6.8% incidence rate compared to the overall fraud incidence rate of 4.9%.

Prevention is better than cure

Pierluigi Paganini