
Identity Theft - UK's fastest growing crime

Identity theft, which can be defined as the process of someone gathering enough information about you to impersonate you, has received a lot of press coverage recently, and there is good reason for it. It can be very rewarding (not only financially) for a criminal to assume your identity. I read in a recent magazine article that a quarter of adults in the UK have been a victim of identity theft or know someone who has been affected by it. Identity theft means that an impersonator can become "you" either online, by mail, over the telephone, or even in person. According to Equifax, a victim of identity theft will need to take up to 300 hours to clear their name following the attack; furthermore, it has been estimated that this type of crime costs the economy around £1.3 billion a year.

How they do it

Identity thieves can obtain your information in a variety of ways. They may obtain your business or personnel records at work or find personal information in your home (e.g. a window cleaner looking through your study window). Some other common ways are:

Allow me to elaborate on that last point. One of the methods our company uses when performing penetration testing is to gather information about the target, and this will include performing search engine queries. If you've ever looked at some people's personal web sites, you'll know there can be a lot of information available; this can include where they went to school and their date/place of birth. You may recall that these are questions often asked by banks for authentication purposes. Then there are the photographs of themselves and their families, their address, telephone number/s, their last holiday information and when they will be taking their next one. Web logs or 'Blogs' (like online diaries) can be particularly useful for this kind of information.

Of course, then there is the traditional way of hacking into someone's computer at home. Consumers also fall prey by responding to e-mail spam which asks for personal information. Millions of identities can even be stolen at once through organised crime schemes in which company databases or commercial web sites are hacked.

Look at the direction mobile phones are taking; they are integrating with traditional Personal Digital Assistants (PDAs) so that soon the all-in-one phone and diary with much more personal information will be the norm. This matters because hackers have recently been targeting mobile phones with viruses. In 2004 the first known mobile phone virus was seen (Cabir). In March 2005 a new wave of phone viruses started to appear, including the Skulls virus. The implications are that vulnerabilities exist and this means another potential way to steal your identity.

What they do with it

Your personal information can be used in many ways. An example is the impersonator calling your credit card issuer, asking to increase your credit limit and to change the mailing address on your credit card account. The thief then spends up big on your account. Because the bills are no longer being sent to your address, it gives the thief time before you know there's a problem. Other common identity theft uses include:

What you can do

Identity theft is a crime for opportunists, so how can you help detect and prevent it?

It's important to do the basics such as checking your financial statements to know if you've become a victim. Some impersonators will slowly drain your account in the hope you won't notice.

Try not to use your mother's maiden name or place of birth as security passwords.

Shred (using a cross-cut shredder if possible) sensitive documents before disposing of them.

Avoid using the same password on more than one account. This seems to be difficult for a lot of people who don't have the inclination for remembering passwords.

Don't disclose information such as your date of birth, mother's maiden name etc. unless you initiated a transaction. Recently, I was called by someone who purported to be from my bank, with them wishing to check some things on my account. They initiated the call and then expected me to provide passwords and personal details to prove it was me they were speaking to. I asked how I could be sure it was actually my bank calling and they were stumped to come back with a response. My details were not disclosed, but not all people will be so suspicious.

Opt out of information-sharing at your financial institution/s. That means (usually) ticking that box next to the small print.

Beware of strange Automatic Teller Machines (ATMs), or known ATMs that might suddenly seem to look different; they may be rigged to skim data off your card's magnetic strip. Skimming devices can be bought easily on the Internet. Some have cameras to record your PIN too.

Protect yourself from hackers, at home and in business. Schedule a penetration test for your business to find out if your network has any exploitable vulnerabilities.

Properly destroy unwanted hard drives. Did you know that even if you format a hard drive, the data probably still exists in "unallocated" disk space? Our company recently recovered some data for a client that had been deleted 10 years previously. If we can do this, so can a determined identity thief with the right tools and knowledge. Who knows what may still be on the PC you gave to that charity in Nigeria last year, or to the local school collection?

Alan Phillips, 7Safe Information Security