The Face Behind The Mirror
Your e-mail ID is more relevant to this connected world than your birth name. Today, your Web site’s URL brings you more business and recognition than any other avenue. How many friends do you have online-virtual personalities you haven’t even met-as against those offline? Social interactions too, are fast taking a digital role. That we are living in a connected world is such a truism that the statement holds no value and will soon be as useful as stating that the world is round.
When data thus defines your wealth, shapes your standing in society, becomes your ego and ID, it gains value. If you happen to have a desirable identity-a bank account number with a sizeable balance, for example-that identity invariably attracts thieves.
What if you were to wake up tomorrow and find out that you have been leading a double life; that someone out there has been your virtual Mr Hyde misappropriating your money, using your credit card number to commit fraud, abusing your online portfolio? How would you feel to learn that your hard-earned cash and reputation has been virtually sold and abused? Unlikely to happen, you say? Identity theft is scary because it is easy. Even you can do it… with a little patience and the right bent of mind. It is a low-risk, high-gain and low-penalty crime.
Identities are most often stolen for financial gains. There happen to be other forms of identity theft, such as offering someone else’s name as one’s own when arrested-this is called criminal identity theft. But the vast majority of ID theft involves the transfer of an unfortunate person’s money into the hands of a happy thief.
For as little as Rs 2,200, some companies sell Social Security numbers, mother’s maiden names, home and employment addresses, credit history and more
What, Me Worry?
It can happen to anyone. In fact, it happens to a staggering number of people; according to an estimate, one in twenty people in the US have had their identity stolen. One of the reasons for the proliferation of this crime is a large number of electronic transactions conducted on trust.
Say, you receive a cheque in the mail from a friend. You note down the bank routing number and the cheque number and make a call to your credit card company saying you want to pay your bill by cheque.
You can do this over the phone. You are simply required to state the routing number on the cheque you received from your friend, the next cheque number, and the amount the credit card company requires from you and of course, you say the chequebook is yours. Your payment will go through.
You have just paid for your bills using your friend’s account, unknown to him. That’s how simple it is! Of course, the person who sent you the cheque can easily track down where his or her money went, but this example just goes to show how very trust-based most bank transactions are-at least in the US.
For identity theft to occur, personal information must be obtained. In the US, the two prime pieces of personal information are the social security number and the mother’s maiden name. This information can be uncovered-and usually is, when ID theft occurs-by going through someone’s mail or trash, looking for bank and credit card statements, pre-approved credit offers and tax information. Other more direct ways include stealing information from a wallet or purse such as identification, credit or bank cards, completing change-of-address forms to redirect mail, and obtaining credit reports by posing as a landlord or someone who has a right to the information.
But it is not only data like lost Social Security numbers and credit cards that attract ID thieves. Sources of personal information that are publicly available include property records, court records and marriage and divorce certificates. ID thieves can not only rob your mailbox and hack into your computer, but also do things like monitoring your cordless phone and rummaging through low-key stuff like product-warranty cards.
The Internet opens up whole new avenues for identity theft-phishing included. A recent example involved the setup of a copy of part of the PayPal Web site to acquire members’ personal details (See box: “How phishing works” on page 41). Trojans-viruses that remain resident on one’s computer and can submit information to someone else-can monitor keystrokes to access passwords and other personal information. In fact, several virus attacks are intended just to track personal information.
A common phishing scheme involves e-mails that appear to be sent by your bank, requesting that you log in to your online account to confirm some details. You are meant to follow the links in the e-mail, to a fake page that appears to be a genuine online banking site. Some estimates say that phishers are able to convince up to five per cent of recipients to respond to their e-mails and take the intended action. In fact, computer-savvy people, too, get fooled by such e-mails.
The Internet, while providing resources for people to avoid ID theft, has also helped in its spread: the most frightening-and thorough-way of stealing an identity is by purchasing it at one of the many identity-search companies that have come up on the Internet. For as little as Rs 2,200, these companies sell people’s Social Security numbers, mother’s maiden names, home and employment addresses, previous addresses, credit history and more.
Phishing, viruses and paid information apart, consider some of the multifarious ways of stealing identities:
- In a recent case in California, a hospital executive died. In the obituary was a lot of personal information like the mother’s maiden name. An identity thief got the Social Security number of the deceased and used it to steal thousands of dollars from his widow.
- Ford Motor’s customer credit reports, containing more than 13,000 records of identifying information such as Social Security, bank account and credit card numbers, had been lodged in a supposedly secure database at Experian, one of the three major credit bureaus in the US. Hackers bypassed security by posing as employees of Ford and got access to all the personal information.
- Even fingerprints can be reproduced and used. “If I steal your password, a credit card company can issue you a new password,” says Chris Hoofnagle, legislative counsel for the Electronic Privacy Information Centre in Washington, DC. “But if people are able to lift a latent fingerprint of yours and reproduce it in a mould-and this can be done-you can’t be issued a new fingerprint. So how do you prove you are you?”
- Even children are not safe from this identity theft. In April 2003, the story of Lisa Barraza’s son was uncovered. Barraza’s seven-year-old son is a typical youngster, except for the fact that since the age of one, he has piled up over $100,000 in credit card debt. How can a child so apply for credit cards and spend that kind of cash? He Obviously can’t, says his mother.
| Online Versus Offline ID Theft |
| Trevor Healy, vice-president, Payments at VeriSign, a California-based online certification agency that secures transactions, says: “Online fraud is very different from offline fraud. Online fraud is committed in three categories: online theft, which is virtual shoplifting; identity theft, stealing identities, so you can either sell those identities or actually use those identities for shoplifting; and cash theft. “In the online world, what we are witnessing is that the level of scale is drastically different. In the offline world, if you steal an identity from a merchant’s trash can if the merchant is silly enough to put credit card slips in there. You may get five or six cards and use those to create a fraud. “But in the online world, if you break into a merchant’s system, you could steal literally hundreds of thousands of identities. So the level of scale in the online world, if a fraud occurs, is much bigger. Everybody, though, is focused on product theft-the virtual shoplifting-first and forefront, and not on the other possibilities.” |
Barraza first learned of her son’s debt problems when she found a credit card in his name. “My son’s social security number was hijacked,” says Barraza.
The reason identity theft is so powerful is that much of our security today is based on your identity
Bruce Schneier, Founder and CTO, Counterpane Internet Security
Bruce Schneier, founder and CTO of Counterpane Internet Security of Cupertino, California, and a recognised authority on security, says, “The reason identity theft is so powerful is that much of our security today is based on your identity.”
New Avenues
When data becomes increasingly centralised, things become easier for ID thieves-they can increasingly do one-stop data shopping. The cell phone is becoming a repository of the most sensitive personal data, and thus finds itself a lucrative target for attackers. Single-sign on services, such as Microsoft’s Passport service, open another easy avenue for ID thieves. If a thief gets hold of one Passport ID, he or she has pretty much everything to take on the victim’s identity.
Similarly, if a thief gets hold of your bank account number and online banking PIN, there’s no limit to what havoc he can wreak with your finances, routing money to other accounts, sending out e-cheques, and the like.
However, many people argue along the lines that you are “more likely to be struck by lightning than becoming a victim of fraud or identity theft when they use electronic bill payment and account services”. The essential thing here is to keep your password or PIN safe.
| The Future Of Phishing |
| Dr Jonathan Tuliani, in an article floating on the Internet titled “The Future of Phishing”, believes that the next few years “will see the emergence of Internet man-in-the-middle attacks”. In such an attack, the user is tricked as in a usual phishing scenario, except that instead of just the user communicating with the attacker, the attacker is also communicating in real-time with the bank. “Two (or even 10) factor authentication is of no help, since the attacker does not interfere with the login process. Both the user and the bank are unaware of the presence of the attacker and believe they have a secure connection directly from one to the other. Once established, the man-in-the-middle has complete control. He can modify instructions, even transfer funds to a different account or simply cut the user off and submit whatever instructions he desires to the bank. “To combat this threat, it is necessary to move away from session-based security (based on a secure log-in), to message-based security (based on explicit authentication of individual transactions).” |
The same goes for the online use of credit cards. Although many people argue that using your credit card online is safer than using it offline because fewer people see your card number physically, the fact is that several unscrupulous sites will authenticate your credit card without verifying your billing address and the CVV number (the three-digit authentication number on the back of your credit card). Fortunately, such authentications are on the decline, and more and more financial institutions now require you to provide the CVV number and verify the billing address. If you’re still paranoid, you can think of using services like HDFC Bank’s NetSafe system wherein you are assigned a credit card number for single use, with a limit that you choose, based on your real credit card details.
RFID chips are particularly interesting. These chips are used in a variety of situations. For example, in healthcare, they are implanted under the skin. The intended use is to give medical practitioners access to the medical details of the person when he or she is unable to communicate. But how easy would it then be to steal such a person’s identity?
Some argue that all one would need to do is to purchase an RFID scanner, scan the victim as he or she passes by, clone a new chip with the same number and implant it under their own skin. This issue-that of the stealing of information via RFID tags-may become easier as RFID readers find their way into cell phones.
In early 2004, Nokia created a reader for RFID tags for its 5140 phone. This is based on NFC (Near Field Communication) technology-which means that the phone needs to be put within an inch of a tag to be able to read it. A recent report from ABI Research says the first NFC smartphone will be out this year and goes on to predict that by 2009, more than half of all handsets will have it inbuilt.
Wireless LANs, or WLANs, are another potential area of attack. Merwyn Andrade, a contributor to the 802.11i security specification and chief technical officer at Aruba Wireless Networks, warns that ID theft could become a problem for companies using WLANs. For example, users with 802.11i wireless phones might save their passwords and PINs on the phone. “This would be like keeping your keys to your house in your wallet and then losing the wallet,” he says. “Once 802.11i is pervasive, people might miss that they have to worry about authentication.”
Solutions
ID theft is the fastest growing crime in the US and is rising fast in India as well. As credit cards and online transactions, amongst other things, become more commonplace in India-banks in India are fast catching on to credit history reporting and the PAN card number may soon become what the Social Security number is in the US-it is only natural that identity thieves here will take up the same techniques.
Thinking of it as a worldwide problem, what is the answer? It probably lies in the further centralisation of data and the padlocking of that data using a mix of several techniques, including, possibly, biometrics and secure tokens.
| How Phishing Works |
| On November 17, 2003, many eBay customers received an e-mail notification that their accounts had been compromised and were being restricted. Included in the message was a link to what appeared to be an eBay Web page for re-registration. The top of the page looked just like eBay’s home page and incorporated all the internal links. To re-register, customers were asked to provide credit card data, ATM personal identification numbers, Social Security numbers, dates of birth and mother’s maiden names. Fact is, eBay hadn’t sent the original e-mail and the Web page didn’t belong to them either. Many who received the e-mail carried out the recommended actions, in the process, giving away vital ID secrets. |
Biometrics refers to identifying one by something one is, rather than something one has or knows. Examples of machine readable biometrics are fingerprints, retinal or iris patterns, hand geometries and facial features. A secure token is a physical device: an example is USB secure tokens, which are designed to store a person’s digital identity. When someone attempts to log in to applications via a PC, virtual private network, or wireless network, he or she is prompted to enter a unique PIN. If the number matches that on the USB token, access is granted. The number stored on the token is encrypted for additional security.
The most secure method of identification is “two-factor authentication”. This would be something like a PIN plus something you have (a key or an access card). Biometrics adds levels of security by combining something you know with something you are (for example, a fingerprint). Additional levels of security can be implemented by added factors such as a username and password plus a biometric and a token.
Be Very Afraid…
Cases of ID theft abound; some more mentionable than others. In one notorious case in the early ’90s in the US, the thief was a convicted felon. He not only incurred more than Rs 43.5 lakh in credit card debt, he obtained a home loan, and bought homes, motorcycles, and handguns in the victim’s name. The icing on the cake was that he called his victim to taunt him, saying he could continue to pose as him for as long as he wanted. ID theft was not a crime.
While the victim and his wife spent more than four years and over Rs 6.5 lakh to restore their credit and reputation, the criminal served only a brief sentence for making false statements to procure a firearm.
This case prompted the US Congress in 1998 to create a new Federal offence of identity theft. Creating an offence of it is one thing, but ID theft is a low-risk and high-payoff crime.
There are several pieces of information that make up an identity; we need to realise that each of these pieces is potentially valuable information, and we need to overhaul the way we communicate and exchange this information.
In the long run, technology could come to the rescue. Before that, the problem will loom on us until every last one of us keeps every bit of personal information under lock and key, and shreds it before throwing it away-physically and virtually. Paranoia is the need of the times. You have to pretend like someone’s looking over your shoulder all the time.