Developing Best Practices to Combat ID Theft, Part 1

Currently, identity theft may be the most worrisome and threatening problem for online users and the businesses and institutions that support them.

Unfortunately, it is now easier and cheaper than ever for those bent on illicit gain to use the Internet to obtain the private, personal information necessary to impersonate you online — the first step for cybercriminals to gain access to your financial information.

“Online identity theft is going to grow significantly given the millions of records that have been lost or stolen from banks, credit agencies, hospitals, government agencies and businesses over the past year,” said Randy Abrams of online security and malware detection systems provider ESET.

The good news is that banks, brokerages and financial services providers, along with the security technology providers that service them, are rolling out a variety of new methods and tools to thwart such threats.

A Growing Problem

Some 10 million Americans have been victims of identity theft and they spent an average of US$1,500 and 175 hours to recover from it, according to the Fight Identity Theft site. Moreover, victims spent nearly 250 million hours trying to sort out fake credit card accounts and set their credit records straight, according to the U.S. Treasury.

“As more and more people take advantage of the convenience of online banking and e-commerce, the pool of potential victims of fraudsters increases in size and volume,” Greg Hughes, chief security executive at Corillian, told the E-Commerce Times.

“This presents more opportunity for criminals to take advantage of users, not only through technology like malware and other forms of technical fraud, but also through the evolution of social engineering,” he said.

“There is simply a greater variety of people and a greater number of people (and therefore dollars) for fraudsters to target. In addition, the increased complexity and variety of systems in the marketplace present a ripe environment for finding new holes and creating new forms of trickery,” noted Corillian.

An Act of Simple Theft

The first steps online fraud artists take to perpetrate ID theft and online fraud often occur offline, however, through more run-of-the-mill petty crimes such as pick-pocketing and mail theft, as well as more serious felonies such as burglary — and, of course, the theft of notebooks, laptops and other portable network devices.

“According to the Federal Trade Commission, identity theft accounts for almost 40 percent of all fraud complaints,” Absolute Software CEO John Livingston told the E-Commerce Times. “With the popularity of mobile technologies such as laptop computers, people are more prone than ever to having their personal information stolen.”

Common acts of online fraud resulting from ID theft include the following:

• Unauthorized transactions on existing accounts (e.g., unauthorized charges on a credit card or checks on a checking account);
• Takeover of existing accounts (e.g., prolonged use or emptying of a financial account); and
• Creation of new accounts

A 2006 Ponemon Institute report stated that 81 percent of companies reported the loss of one or more laptops containing sensitive information during the past 12 months, according to Absolute Software.

More than 600,000 laptop thefts occurred in 2004, totaling an estimated $720 million in hardware losses and $5.4 billion in theft of proprietary information, claimed Safeware Insurance.

In order to help thwart the theft of mobile computers and associated data, Dell Computer and Absolute on Feb. 7 announced that buyers of select Dell Inspiron and XPS notebooks who purchase Dell’s CompleteCare Accidental Damage Service will get Absolute’s Computrace LoJack for Laptops theft recovery service gratis for the length of their service contracts.

The Computrace LoJack system protects personal data on the system, as well as helps track down and recover the computer.

Not So Simple Theft

Online fraud artists have also come up with increasingly devious, complicated ways to obtain personal ID information. “The tactics fraudsters have developed to target end users are extensive and are evolving,” commented Corillian’s Hughes. “From complex social engineering in the form of phishing and similar tactics to purely technical exploits like man-in-the-middle, man-on-board, Trojans and malware.

“All of these are deployed — and are often combined — to carry out the gathering of information to gain unauthorized access to a user’s private information or, in some cases, to create identifying documents and other physical media such as duplicate debit and credit cards for the purposes of conducting fraud and theft.”

One of the more common, simple and effective means to obtain personal ID data is through the use of spam, noted Kaspersky Lab’s senior technical consultant Shane Coursen. “Today’s most common method is to send spam messages to a large number of e-mail addresses (a.k.a. a spam run). The spam message refers to a Web site that, once visited, begins a process of placing malware of various types (downloaders, keyloggers, bankers, etc.) on the visiting PC.”

Another tried, true and growing method is the insider attack. “It’s not a new method but one that seems to be increasing in frequency,” said Coursen. “For example, a malicious person attacks their own company by tricking a fellow employee into installing malware, or by bending company policies that result in the installation of malware. It is a troubling trend.”

Developing Best Practices to Combat ID Theft, Part 2