(Translated from the original Italian)
Every day we exchange personal information with colleagues, friends and unknown people with no idea how it is treated or what it will be used for.
Telephone numbers, email addresses and driver’s license numbers are examples of the data we routinely hand over through new media channels such as the Internet and social networks.
This information is of great interest to cyber criminals because it enables a wide range of highly profitable fraud.
The terms Identity Theft and Identity Fraud cover all types of crime in which an ill-intentioned individual obtains and uses another person’s personal data. According to data provided by law enforcement agencies all over the world, these crimes are increasing.
Many organizations have attempted to provide a characterization of the phenomenon by classifying the types of identity theft into specific categories.
SANS Institute has proposed the following characterization:
- Financial fraud – type of identity theft that includes bank fraud, credit card fraud, computer and telecommunications fraud, social program fraud, tax refund fraud, mail fraud, and many more. A total of 25 types of financial identity fraud are investigated by the United States Secret Service.
- Criminal activities – type of identity fraud that involves taking someone else’s identity in order to commit a crime, enter a country, get special permits, hide one’s own identity, or commit acts of terrorism. The criminal activities can include:
  - Computer and cyber crimes
  - Organized crime
  - Drug trafficking
  - Alien smuggling
  - Money laundering
How do identity thieves access personal information?
There are many scenarios in which criminals gain access to personal information, and identifying them is necessary in order to recognize and prevent this type of crime. The most common cases are:
- through a social engineering attack
- through a retail transaction
- by hacking into computer systems
- through phishing campaigns
- through stolen purses or wallets
- through stolen personal documents
- by stealing information from a company that had stored the data online
- through stolen mail
- through dumpster diving – rummaging through trash in an attempt to find personal information
- and in many other ways
But how widespread is the problem and what are the figures that show its growth?
Precise global estimates of the phenomenon are impossible because this type of crime is treated differently under the laws of different countries. However, to provide a valid indication I extrapolated some data from the "Identity Fraud Report 2011" study conducted by Javelin Strategy & Research. The company collects data on US citizens to measure the overall impact of identity fraud on consumers.
The graphic presents the growth of the incident rate since 2003:
The situation is worrying, as 4.9% of U.S. adults were victims of fraud in 2011. After a sizable reduction of identity fraud incidence from 2009 to 2010, we see an increase of more than 10%. ID fraud increased to 4.90% in 2011 from 4.35% in 2010, which represents a 12.6% increase. The total number of identity fraud victims increased to about 11.6 million U.S. adults in 2011, compared to 10.2 million victims in 2010.
Despite the growth in the number of ID fraud incidents, the total annual fraud amount was at its lowest point since 2003, $18 billion, attributable to the rapid increase in thefts that yield lower profits.
Particularly alarming is the growth of such crimes committed through computers. What information makes up our digital identity? On the Internet, our identity is composed of:
- IP (Internet Protocol) address
- address where we live
- personal identification numbers (PINs)
- social security numbers
- birth dates
- account numbers
- other personal information
This data is continuously exposed to a high risk of fraud; the increase in the use of social networks and the rapid spread of mobile platforms create the right conditions for criminals.
Unlike classic identity theft, digital theft victims don't have to wait for a thief to physically steal their information - it can be stolen by computer criminals from the databases of banks, retailers, ISPs and also from a victim's PC.
Researchers have identified three main schemes for identity thieves:
- Phishing Attacks - The lure often comes in the form of a spam email or pop-up warning that looks like it has been sent from a company we trust. Often the companies are ones that we use regularly like our bank, credit card company or some other online payment system. If we click on the link indicated, we are directed to a web site that is designed to look exactly like the official site of the company being misrepresented. Under the assumption that they are at an official site, victims enter specific personal information, such as social security number, credit card number or password.
- Malware technology – Users download malware just by clicking on a pop-up ad or viewing spam email. The malware gathers information such as user IDs and passwords for bank accounts by logging all keystrokes, or by using Trojans and other techniques to collect information from our PCs. This information is then sent back to the command and control servers when the victim connects to the Internet.
- Pharming - In pharming, a cyber criminal exploits a vulnerability in an ISP's (Internet Service Provider) DNS server and hijacks the domain name of a legitimate web site. Anyone going to the legitimate site is redirected to an identical but bogus site. Once redirected, unsuspecting users enter personal information, such as a password, PIN or account number.
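The indicators described in the phishing and pharming schemes above can be checked mechanically on the defender's side. The following Python script is an added example, not code from the original post or from Security Affairs: it pulls the links out of a constructed sample e-mail and flags a visible URL that differs from the real target, a target that merely resembles a trusted domain (typo-squatting), a bare IP address used as the host, and a punycode (`xn--`) host that may hide a homograph. The trusted-domain list, the sample message and every domain in it are constructed for the demonstration, and the registrable-domain helper is a deliberate simplification (real code would consult the public suffix list).

```python
"""Phishing link triage over a constructed sample e-mail (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed allow-list of domains the organisation legitimately links to.
TRUSTED_DOMAINS = {"examplebank.com", "example-payments.com"}


def registrable_domain(host):
    """Simplified registrable domain: last two labels (demo only)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the indicator names for one anchor (empty list = nothing found)."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return findings
    target = registrable_domain(host)
    # 1. The visible text names one domain while the real target is another.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != target:
        findings.append("display_target_mismatch")
    # 2. A bare IP address instead of a domain name.
    if is_ip_literal(host):
        findings.append("ip_literal_host")
    # 3. A punycode label: possible homograph of a trusted name.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode_host")
    # 4. Close to, but not equal to, a trusted domain (typo-squatting).
    if target not in trusted:
        for good in sorted(trusted):
            if 0 < edit_distance(target, good) <= 2:
                findings.append("lookalike_of:" + good)
                break
    return findings


def triage_email(html, trusted=TRUSTED_DOMAINS):
    """Map each suspicious href in the message to its indicators."""
    report = {}
    for href, text in extract_links(html):
        hits = triage_link(href, text, trusted)
        if hits:
            report[href] = hits
    return report


# Constructed sample: one legitimate link followed by three suspicious ones.
SAMPLE_EMAIL = """
<p>Your statement is ready: <a href="https://www.examplebank.com/login">examplebank.com</a></p>
<p>Verify now: <a href="http://examp1ebank.com/verify">https://www.examplebank.com/verify</a></p>
<p>Update: <a href="http://203.0.113.7/secure">Click here</a></p>
<p>Info: <a href="http://xn--exmplebank-4vb.com/">examplebank</a></p>
"""

if __name__ == "__main__":
    for href, hits in triage_email(SAMPLE_EMAIL).items():
        print(href, "->", ", ".join(hits))
```

Run stand-alone, the script reports three of the four links; the genuine `examplebank.com` link produces no findings and is dropped. The same checks can be applied to links in a mail gateway or a browser extension; the value of the approach is that each indicator is explainable to the user being warned.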
According to a Gartner Study on Internet identity theft based on a survey of 5000 U.S. adult Internet users, it has been estimated that:
- 1.78 million adults could have fallen victim to the scams
- 57 million adults have experienced a phishing attack
- The cost of phishing... 1.2 billion dollars!
The figures above clearly show why this sector attracts criminal organizations, which are devoting substantial resources and investment to it. A growing part of organized crime is specializing in this kind of activity, characterized by high profits and low risks compared to traditional criminal activities.
In the U.S., the Federal Trade Commission is monitoring the phenomenon of identity theft together with the main national law enforcement agencies, which are promoting several activities to educate the population about the risks of exposure to cyber crime.
Prevention, Detection and Resolution Model
According to the guidelines provided by the Federal Trade Commission, the fight against identity theft crime must be articulated in three phases: prevention, detection and resolution.
Prevention actions are mainly based on creating awareness of cyber threats and on constant monitoring of the real exposure of personal information. It is essential that the population, and Internet users in particular, know the threats related to divulging their data.
Personal information must be protected, and citizens must be aware of how their information is actually used once it has been provided.
Prevention must be complemented by detection: operations that must be in place to discover identity theft and fraud. Law enforcement must issue alerts and bulletins every time a new fraud is detected. The private sector and government institutions must cooperate on programs and projects to contain this type of crime, supported by an adequate legal framework that provides severe penalties for these offenses.
Applying the model to the mobile landscape and social networks
Let’s try together to apply the model to two of the most worrying scenarios: mobile devices and social networking. To prevent fraud and identity theft in mobile device usage, let’s follow simple best practices:
- Disable by default every “always on” feature of mobile devices.
- Install mobile software only from the legitimate app stores and markets.
- Be aware of the permissions we grant to the applications we run on mobile devices.
- Do not jailbreak or root your mobile device.
- Install an antivirus program to mitigate mobile malware.
- Make sure the OS is upgraded to the latest version, applying security updates.
- Make sure that you can erase the content of your mobile device remotely in case it is lost.
- Be careful with premium SMS numbers — sometimes you are signing up for stuff when you are agreeing to the licensing terms.
Regarding user behavior on social networks:
- Do not reveal sensitive or personal information on social networking sites.
  - Such personal details are commonly used by banks and credit card companies as security questions to identify an individual before clearing access to his or her financial accounts, credit card logins, and more.
  - Social networking sites can provide fraudsters with the personal information needed to access accounts. Use caution when sharing such details on your profile. Also, take advantage of privacy settings so that you can control who sees your profile information.
- Use caution when using apps on social networking sites.
  - Verify that the app does not have access to any personally identifiable information. Users of certain social media apps experience a significantly higher incidence of fraud than the general public. In 2011, users who had ever clicked on new apps or updated their profiles with important events experienced a 6.8% incidence rate, compared to the overall fraud incidence rate of 4.9%.
Prevention is better than cure...
Cross-posted from Security Affairs