INFORMATION TECHNOLOGY AND IDENTITY THEFT

Arya Mirdjalali
Department of Electronics and Computer Science
University of Southampton
am1903@ecs.soton.ac.uk



ABSTRACT

Identity theft has become one of the fastest growing and most common forms of fraud in the world. According to the statistics, about 10 million people each year are affected by some form of identity theft or abuse of personal information [1]; that is 19 new victims every minute. This paper explains the definition of identity theft, studies the different types and the ways in which it occurs, and suggests some solutions to minimise the risk of this fraud. It also focuses on information technology in relation to social engineering and identity theft, and on how technology and new developments can be improved to minimise and deal with the misuse and abuse of technology.

Keywords

Identity theft, Personal information, Security, Fraud, Phishing, Spam, Trojan horse, Account takeover, True-name fraud


1. INTRODUCTION

Identity theft is not a new form of crime and has been around for many years. In some cases the victims remain unaware that their identity and personal information are being abused until months or years after the crime. This is one of the reasons that make this crime so devastating: dealing with these incidents costs millions of dollars, time and energy every year.

Statistics show a dramatic increase in the number of incidents reported each year, while many still remain undiscovered. According to these statistics there was 11-20% growth between 2001 and 2002 and 80% between 2002 and 2003 [1]. That means the growth in the number of incidents was multiplied by a factor between 4 and 8 in just one year.

According to the same survey, 49% of the respondents stated that they do not know how to adequately protect themselves against this crime [1], and over 90% did not see an end to this problem. This means there is a great chance of people getting trapped over and over, becoming victims of different frauds one after the other.

Another survey, done in spring 2006 by the Identity Theft Resource Center team, shows that only 5% of the interviewed people believed they had answered a scam email. In reality this figure is much higher, due to the public's lack of information and knowledge. In the same survey over 50% of the interviewed population stated that they do not know what phishing or a scam is, and only 25% were able to give the real definitions.

Therefore one clear way of reducing these crimes, and of preventing millions of people each year from becoming victims and losing thousands of dollars, is to educate the public and provide them with enough information to identify the risks and handle different situations using good judgement and the right decisions.

Sections 2 and 3 of this paper respectively focus on the definitions of personal information and identity theft. The paper continues in sections 4 and 5 by introducing social engineering as a fundamental method of identity theft, together with the common techniques used to steal personal information. Section 6 focuses on identity theft in the financial world and introduces a number of common attacks. Finally, section 7 briefly identifies some technological solutions and considerations.



Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission.

© 2007 Electronics and Computer Science, University of Southampton




2. PERSONAL INFORMATION

Any recorded or unrecorded, factual or subjective information about an identifiable individual is personal information. This could include information such as name, date of birth, address, social security number, credit card details and photograph.


3. IDENTITY THEFT AND FRAUD

Identity theft is the illegal act of stealing someone else's personal information or identity and using it without their knowledge to obtain products, credit or any valuable possessions.

Sometimes identity thieves use the stolen personal information to impersonate the victims and commit crimes in their name. They can threaten the personal and professional life of their victim by engaging in different activities.



4. SOCIAL ENGINEERING

Social engineering is a term referring to the collection of methods and techniques used by thieves to manipulate and scam people into giving out confidential information. It is one of the most common methods used by criminals to obtain personal information. The term usually applies to scams for gathering information or accessing computer systems, and in most cases the attacker never comes face to face with the victim at any point during the process.

The term social engineering has become more and more popular in recent years. One of the most famous computer criminals and security consultants, Kevin David Mitnick, believes that it is much easier to scam people into giving out their username and password than to spend lots of effort and time hacking into their systems or accounts [2].



5. SOCIAL ENGINEERING TECHNIQUES

All methods and techniques used in social engineering are based on imperfections in human logic known as cognitive biases. A cognitive bias is a misrepresentation in the way humans perceive reality [3]. Some of the most common forms of these social engineering based attack techniques are discussed below.

5.1 Pretexting technique

In pretexting the attacker creates and invents a tempting scenario to persuade and manipulate the target into giving out personal information or getting involved in an action or transaction. It is usually done over the telephone.

It is usually done using some prior knowledge and information about the victim, so a degree of prior research is essential. These pieces of information are used to establish legitimacy in the mind of the target.

Pretexting is a very common method used to scam business operators into revealing personal information about their customers. It is also widely used by investigators to obtain telephone records, utility records, banking records and other information directly from junior company service representatives. All that is usually needed is some preparation for the possible questions, combined with the right gender of voice and an honest and legitimate tone.

Most big companies still use simple information such as date of birth, mother's maiden name or client ID to authenticate a client over the phone. This information is usually very easy to obtain from many sources. Although there is a serious need for a more effective method of authentication, most companies still tend not to invest in the development of new, more sophisticated techniques to improve their security, because they claim to lose less money compensating the fraud than they would investing in its elimination and prevention.

In a survey done by the organisers of the Infosecurity conference in 2003, over 90% of office workers outside their office were tricked into giving out their password in exchange for an ordinary pen [4].



5.2 Interactive Voice Response fraud

IVR is a computerised telephone information system that interacts with the caller using a combination of pre-recorded voice messages and data stored in databases. The caller might be asked to enter their date of birth, account number or credit card number in order to access different services and information.

Some attackers use a fake interactive voice response system that copies the existing legitimate system of a company or bank. The target is then tricked into calling a number and interacting with this system to verify their details and information. These fake systems can be programmed to transfer the caller to a fake customer service representative in order to gain more valuable information.


5.3 Spoofing and phishing technique

Spoofing is a general term referring to a situation where someone or a system pretends to be another system or person, by modelling and copying that system, in order to gain people's trust and make them release their personal information.

Phishing attacks are based on a collection of spoofing methods and social engineering techniques, and work by persuading the victim to give out personal information.


5.3.1 Email and website based phishing

One of the common forms of phishing, known as website phishing, is the act of sending an email message pretending to be from a respected company or organisation and asking the user to go to a specific URL and provide their information. The victim, who believes they are communicating with the real company, easily gives out the information.

Another very successful method, known as the advance fee scam, starts with an email message offering and promising a great amount of money from an isolated bank or company in exchange for a small advance processing fee [5].


5.3.2 Exploit based phishing

Apart from these email and web based phishing attacks there are some more sophisticated techniques, called exploit based phishing, in which the attacker takes advantage of a bug or vulnerability in common web browsers to install malicious software (malware).

Key loggers are one of these malwares. They have the capability to log all pressed keys. To make it easier for the attacker to identify the sensitive information, they can be adjusted to log only the keys pressed while the user is visiting a particular website, such as a bank website.

Another possibility is transferring the entire internet traffic of the victim through a third party server by changing the proxy setting of the victim's web browser [6].

5.3.3 AntiPhish mechanism

This is a mechanism which can be integrated into web browsers. It works by keeping track of sensitive information and preventing it from being sent to websites that are not fully trusted. The fundamental idea behind the development of AntiPhish applications comes from the automated form filling mechanism integrated into many web browsers. The automatic form filling functionality allows form contents to be stored and retrieved with the user's permission. AntiPhish further develops this functionality with the ability to track where the information is sent.
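The core of the mechanism just described, as an added example written for this page (it is not the AntiPhish code from [6]): each sensitive value the user enters is remembered together with the host it was entered on, and any later form submission that would carry the same value to a host outside that trusted set is flagged. The hostnames below are constructed (.test domains); storing only a hash of each value, and treating subdomains of a trusted host as trusted, are design choices of this example.

```python
"""AntiPhish-style outbound form check (added example, not the AntiPhish code)."""
import hashlib
from urllib.parse import urlsplit


def _fingerprint(value: str) -> str:
    # Keep a hash of the secret, not the secret itself, so the watcher's own
    # memory is not a second plaintext copy of the password (design choice here).
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def _host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _is_trusted(host: str, trusted_hosts: set) -> bool:
    # Exact match or a subdomain of a trusted host. A look-alike such as
    # "examplebank-secure.test" is NOT a subdomain of "examplebank.test".
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


class SensitiveDataWatcher:
    """Tracks which hosts each sensitive value has legitimately been entered on."""

    def __init__(self):
        self._trusted = {}  # fingerprint -> set of hosts the value may be sent to

    def remember(self, value: str, url: str) -> None:
        """Record that `value` was entered by the user on the site at `url`."""
        self._trusted.setdefault(_fingerprint(value), set()).add(_host_of(url))

    def check_submission(self, form_fields: dict, action_url: str) -> list:
        """Return the names of fields whose values are watched secrets headed
        for a host that is not trusted for that secret (empty list = allow)."""
        target = _host_of(action_url)
        leaking = []
        for name, value in form_fields.items():
            fp = _fingerprint(value)
            if fp in self._trusted and not _is_trusted(target, self._trusted[fp]):
                leaking.append(name)
        return leaking


if __name__ == "__main__":
    # Constructed scenario: the user logged in to their bank, then a phishing
    # page with a look-alike hostname asks for the same password.
    watcher = SensitiveDataWatcher()
    watcher.remember("hunter2", "https://online.examplebank.test/login")
    print("to the real bank:", watcher.check_submission(
        {"pw": "hunter2"}, "https://online.examplebank.test/login"))
    print("to a look-alike host:", watcher.check_submission(
        {"user": "alice", "pw": "hunter2"}, "http://examplebank-secure.test/verify"))
```

A browser integration would call `remember` when the user submits a form on a site and `check_submission` just before any later form post, blocking or warning when the returned list is non-empty; because the comparison is on the value rather than on the page, the check is independent of how convincingly the phishing page copies the bank's site.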


5.4 Trojan horse

The main idea behind Trojans is the curiosity and greed which exist in all humans. The attacker uses this curiosity to deliver and install malware or spyware on the target computer. They can come in the shape of a tempting file or picture attached to an email, or as an important-looking alert about an anti-virus update. The success of these methods relies on the observation that most people tend to open and click every attachment they receive, or click OK on every message alert that appears on their screen [7].

Another very popular way of spreading a Trojan horse is by using infected physical media, such as a floppy disc, CD or USB memory stick, and putting them within easy reach of the victim to take and use. Sometimes a fancy label is all that is needed to trigger the curiosity of the victim.


6. IDENTITY THEFT IN THE FINANCIAL WORLD

There are two very common types of identity theft in the financial world, according to whether the thief uses an existing bank account or credit card or opens new bank or credit card accounts.



6.1 Account takeover

Account takeover is the most common form, in which the thief obtains the information about an existing bank account or credit card and starts using that information to withdraw money, buy goods or services, or arrange new loans. This includes unauthorised use of credit cards over the internet by just obtaining the card numbers and expiry dates. In June 2005, MasterCard International announced a security breach at a third party credit card processing company in which the details of over 40 million cardholders were stolen [8]. Victims of this form of fraud usually find out by noticing unknown transactions on their bank or credit card statements.


6.2 True name fraud

True name fraud is when the thief uses stolen personal information, such as a national ID card or driving licence, to open a new bank or credit account under the victim's name and responsibility. It usually takes longer for the victim to notice this form of fraud.


7. TECHNOLOGICAL SOLUTIONS

Some of the technological solutions and considerations which can help to prevent and minimise the risk of identity theft are mentioned below. The idea behind these techniques is to design the identity pieces in a way that makes them usable only by their true owners, and to try to make the stolen information unusable.

- Biometrics
  - Gelatin
  - Comparison to a data record
  - If stolen, cannot be changed
- Multi-factor
- Photographs on credit cards
- Public Key Infrastructure
- Digital Signatures
- PIV


8. CONCLUSION

Identity theft is a considerably fast increasing and devastating crime. People should be informed of the different attack possibilities and be trained and prepared to face risky situations, using good judgement to identify the risks and consequences of the actions they perform. People should understand that if a deal sounds too good to be true, most probably it is not true, and that it is extremely risky to get involved in such transactions or trades.

Also, the developers and providers of new technologies should take into account all the possible uses of the technology or service they are providing, as not all users use these facilities in a good, legal manner. There are always people who abuse technology in a criminal way to attack others. As an example, there are many companies who work on the development of filtering facilities and earn millions of dollars in this market without considering that some governments use these technologies to restrict and prevent their people from accessing free information, which is against the fundamental rules of human rights.

9. REFERENCES

[1] Extracted from the survey done by Harris Interactive, available at the Identity Theft Resource Center website, http://www.idtheftcenter.org, last accessed January 2007.

[2] Kevin D. Mitnick, William L. Simon and Steve Wozniak. The Art of Deception. Published 2002 by Wiley.

[3] Kahneman, D., Slovic, P. & Tversky, A. Judgment under Uncertainty: Heuristics and Biases. Published 1982 by Cambridge University Press.

[4] John Leyden. Office workers give away passwords for a cheap pen. The Register, April 2003. http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/, accessed January 2007.

[5] Sweeney, L. Protecting Job Seekers from Identity Theft. IEEE Internet Computing 10 (2), March 2006.

[6] Engin Kirda, Christopher Kruegel. Protecting users against phishing attacks with AntiPhish. Technical University of Vienna, 2005. IEEE.

[7] Aaron Emigh, Radix Labs. Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures. Published by the DHS-SRI Identity Theft Technology Council, October 2005.

[8] Joris Evers. Credit card breach exposes 40 million accounts. CNET News.com, published June 17, 2005.