Identity Robbed Blind?
01 Feb 2006
PanAm estimated that between 16 and 18 years of age, Frank Abagnale flew more than 1 million miles for free and visited over 26 countries.
Frank Abagnale's identity scams are legendary. The subject of the Steven Spielberg movie, Catch Me If You Can, Frank Abagnale used common sense, bravado and adaptability to manipulate his identity to suit his needs. Today I imagine he would delve into the world of digital identity theft, color printers and home laminators rather than use the PanAm decal off a model plane as he did at age 16.
How rampant and problematic is the issue of identity theft? How is identity theft perpetrated? How can we protect ourselves and our corporations from privacy breaches caused by identity theft?
As I am writing this article, I must admit that I am a bit distracted after just winning the InfoDiamond International Sweepstakes! And not just once, but three times in just one month! At least that's what the e-mail said. I mean really--what are the chances of that? Unfortunately I'm really pressed for time to collect my winnings because eBay just sent me a message asking me to log in immediately and provide a credit card number to update my account or they will cancel it. Thank goodness I got that Microsoft all-in-one security update so my computer is protected against any kind of security breach. I'd hate someone to find out that I'm so lucky; they might try to scam me out of my winnings. Then how could I help that poor man in Nigeria get his money?
Sometimes in the technical world, we have to just roll our eyes at some of these blatant phishing schemes. Who really falls for these things? Well, unfortunately on a global level, millions of people fall victim to these schemes each year. These scams may be aimed at a quick fraudulent monetary gain or they can be geared toward obtaining enough personal information about a target to open or manipulate accounts under that person's identity--identity theft.
The United States Federal Trade Commission (FTC) defines identity theft as a fraud that is committed or attempted, using a person's identifying information without authority.
How do these folks get your identity information? You'd never type in your credit card details or any other personal information on a public computer, right? Makes you feel a lot safer, doesn't it? Unfortunately, you still have your backside hanging out in the wind--your personal data is maintained by numerous credit card companies and financial institutions. Your credit card numbers are seen every month by online retailers, gas station cashiers, waiters and waitresses, travel agents and even taxi drivers. You race to the ATM and blithely punch in your PIN number while that sweet looking girl next to you talks on the phone and shoulder surfs the PIN number you type in; she'll grab your ATM card later at the bar, although someone else may already have it from the false-front ATM machine you just used.
The CardSystems case should have taught us a lesson: we cannot directly protect our own information anymore. More responsibility lies on the shoulders of the corporations that enter, revise, update, sort and search through our identity information.
How difficult would it be for someone to reach into your mailbox or garbage can and snag one (or tens) of those credit card offers that come to you every day?
Identity theft plagues the credit card industry like network problems plague hacker conferences!
ID Theft is Hot!
Identity theft is on the rise at an alarming rate, sitting at the top of the Federal Trade Commission's annual list of consumer fraud filings for the fifth year in a row. (See Table below.) When the FTC categorized the 635,173 complaints received in 2004, 246,570 were identity theft reports and 388,603 were fraud complaints. (The FTC releases this yearly report in January or February.)
Other findings from the report include:
Identity theft reports and fraud complaints totaled more than US $547 million.
Internet-related complaints accounted for 53 percent of all reported fraud complaints with monetary loss calculated at more than US $265 million.
Credit card fraud was the most common form of reported identity theft, followed by phone or utilities fraud, bank fraud and employment fraud.
The major metropolitan areas with the highest per-capita rates of reported identity theft were Phoenix-Mesa-Scottsdale, AZ; Riverside-San Bernardino-Ontario, CA; and Las Vegas-Paradise, NV.
The top categories of FTC-reported consumer fraud complaints for 2004 include:
| Category | Percent |
| --- | --- |
| Internet Auctions | 16 |
| Shop-at-Home/Catalog Sales | 8 |
| Internet Services and Computer Complaints | 6 |
| Foreign Money Offers | 6 |
| Prizes/Sweepstakes and Lotteries | 5 |
| Advance-Fee Loans and Credit Protection | 3 |
| Business Opportunities and Work-at-Home | 2 |
| Telephone Services | 2 |
| Other (miscellaneous) | 12 |
Keylogging and Site Validation Techniques
OK, we all know how people get conned through e-mail and how credit cards can be run through skimmers that duplicate the magnetic strip. But what if you are tech savvy? Are you less likely to have your ID stolen? Not necessarily. Consider the Kinko's Keylogger case where strategically placed keyloggers captured everything typed into public computers.
What can you do if you are using a public computer and you absolutely must enter a password or passcode? (I can't imagine a scenario where you have to do this, but let's just say you do for a moment.) And how do you know if keylogging software is installed?
Many of today's virus detection tools automatically detect and remove known keylogging software; but of course, this is always a game of "follow-the-hacker."
One of the world's largest financial companies, ING, introduced a feature called PIN Guard to help thwart these keyloggers when customers log in to do banking transactions. Instead of typing in their PIN number, which would be caught by a keylogger, the customer uses a mouse to select the numbers and characters off the screen--a good idea unless someone is shoulder surfing your password.
Financial institutions are scrambling to put solutions in place that verify authorized users are accessing their accounts. Bank of America recently introduced SiteKey as a method to identify the computer the customer is using to log in. (Most users consistently log in from the same computer when doing online banking.)
The SiteKey technology asks the user to select an image that will be displayed to indicate that the bank site has done some behind-the-scenes authentication of the user's computer. If the user approaches the login screen and the image is not correct or not displayed, the user is prompted with a series of questions in an attempt to positively identify them. The SiteKey technology was put in place to differentiate the true Bank of America Web site from bogus sites that might present a mocked-up login page to the user to capture account numbers and passwords.
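The flow described above, sketched as an added example: this is not Bank of America's code, and the HMAC device token, the account store and every name in it (device_token, begin_login, answer_challenge, the sample customer) are assumptions made for illustration. It shows why a site that has not verified the computer cannot display the customer's chosen image.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the bank's servers

def _hash_answer(answer, salt):
    # Challenge answers are stored as salted hashes, never as plain text.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)

class Account:
    def __init__(self, image, answers):
        self.image = image                      # picture the customer picked at enrolment
        self.salt = secrets.token_bytes(16)
        self.answers = {q: _hash_answer(a, self.salt) for q, a in answers.items()}

# Constructed sample customer, for illustration only.
ACCOUNTS = {"alice": Account("red-bicycle.png", {"First pet?": "Rex"})}

def device_token(username, device_id):
    """Value the bank stores on a verified computer (e.g. as a cookie)."""
    msg = f"{username}|{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def begin_login(username, device_id, token=None):
    """Step 1, before any password is typed: recognise the computer or challenge."""
    acct = ACCOUNTS.get(username)
    expected = device_token(username, device_id)
    if acct and token and hmac.compare_digest(token.encode(), expected.encode()):
        return {"action": "show_image", "image": acct.image}
    # Unrecognised computer or unknown user: the image is never revealed.
    questions = list(acct.answers) if acct else ["First pet?"]
    return {"action": "challenge", "questions": questions}

def answer_challenge(username, device_id, answers):
    """Step 2: correct answers register this computer and return its token."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    ok = set(answers) == set(acct.answers) and all(
        hmac.compare_digest(_hash_answer(answers[q], acct.salt), stored)
        for q, stored in acct.answers.items())
    return device_token(username, device_id) if ok else None
```

The customer's half of the check is to type the password only after the expected image appears.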
Indications of Identity Theft
Most cases of identity theft are recognized by the consumer first. Some signs to watch for are:
unusual phone calls from creditors
getting turned down unexpectedly for credit
unusual credit card charges
account names or passwords not working
missing bills and statements
unusual entries in your credit records
Protect Yourself; Protect Your Company
At some point it is inevitable--you'll have a credit card stolen or fraudulently used in your name. Here is a list of additional steps you can take to protect yourself:
One of the best ways to protect yourself is to monitor your credit reports on a regular basis. (Consider signing up for a service to track changes on your credit report and automatically notify you of those changes.)
Shred credit card offers and financial information before throwing it away.
Get a safe and store checkbooks, bank statements, social security information, billing information and any other identity-related information out of sight.
View your electronic bank statements on a regular basis--at least twice a month.
Avoid giving out your social security number.
Now what about your company? Protect it and yourself by securing all identity-related information, including both employee information and customer information. You need to protect both your original and backup data sets. You have a lot riding on the line:
Limit access to all confidential information and log who accesses it.
Run log reports and review them with your staff.
Reconsider who should have access to sensitive information. Do the right people have access? Can too many people access it?
Consider auditing the entire network to look for unauthorized software and hardware, and for security vulnerabilities.
Educate your users on the issues of identity theft and their responsibility to maintain the confidentiality of identity-related information.
If Frank Abagnale were interested in stealing an identity today, I imagine he would have a field day getting a temporary job in a company that maintains sensitive identity information. Does your company? He would have the latest and greatest laptop computer with wireless antennas to boost the signal. That would allow him to listen in on unsecured communications at the local Starbucks and McDonald's hot spots. Trolling around on the Internet, he would find a plethora of information about you, me and anyone else he wants to research. I'm just glad he's now on the law enforcement side. Now, if you'll excuse me, I need to reply to eBay and that poor Nigerian man that needs my help getting his money out of that foreign bank. Maybe there really is something in it for me. Imagine me--a millionaire!
The Shadowcrew Case
"Shadowcrew.com" was one of the largest online centers for trafficking stolen credit and bank card numbers and identity information. Closed in October 2004 by the U.S. Secret Service, Shadowcrew trafficked in at least 1.5 million stolen credit and bank card numbers that resulted in a loss in excess of $4 million. Of the 21 individuals arrested in this case, 12 have pled guilty as of November 17, 2005. One defendant admitted that in September 2004, he illegally acquired approximately 18 million e-mail accounts with associated user names, passwords, dates of birth, and other personally identifying information--approximately 60,000 of which included first and last name, gender, address, city, state, country and telephone number.
U.S. Identity Theft Reporting
If you think you're the victim of any type of identity theft, don't wait to check it out and report it. Call the fraud units of the three principal credit reporting companies.
Equifax
To report fraud, call (800) 525-6285 or write to P.O. Box 740250, Atlanta, GA 30374.
To order a copy of your credit report ($8 in most states), write to P.O. Box 740241, Atlanta, GA 30374, or call (800) 685-1111.
To dispute information in your report, call the phone number provided on your credit report.
To opt out of preapproved offers of credit, call (888) 567-8688 or write to Equifax Options, P.O. Box 740123, Atlanta, GA 30374.
Experian (formerly TRW)
To report fraud, call (888) EXPERIAN or (888) 397-3742, fax to (800) 301-7196, or write to P.O. Box 1017, Allen, TX 75013.
To order a copy of your credit report ($8 in most states): P.O. Box 2104, Allen, TX 75013, or call (888) EXPERIAN.
To dispute information in your report, call the phone number provided on your credit report.
To opt out of preapproved offers of credit and marketing lists, call (800) 353-0809 or (888) 5OPTOUT or write to P.O. Box 919, Allen, TX 75013.
Trans Union
To report fraud, call (800) 680-7289 or write to P.O. Box 6790, Fullerton, CA 92634.
To order a copy of your credit report ($8 in most states), write to P.O. Box 390, Springfield, PA 19064 or call: (800) 888-4213.
To dispute information in your report, call the phone number provided on your credit report.
To opt out of preapproved offers of credit and marketing lists, call (800) 680-7293 or (888) 5OPTOUT or write to P.O. Box 97328, Jackson, MS 39238.
* Originally published in Novell Connection Magazine