Print Email Download Reference This Send to Kindle Reddit This
submit to reddit

Identity theft

1.1 Introduction

Identity theft has become one of the fastest-growing white collar crimes in the world. Just as infectious diseases can today spread faster due to technological developments like affordable jet travel, so too has the growth of identity theft exploded because of the Internet and the ubiquity of powerful computer databases. (Alan Brill and Troy Allen 2006).

1.2 Background

Identity theft is a crime that has existed for a long time, but it is only in the internet age that it really has become a crime that's rate of occurrence has grown exponentially, affecting millions of people worldwide. It has led to dramatic exclamations that "it's the crime of the new millennium"[1] and is called the "quintessential crime of the information age."[2]

Identity theft is a scourge on society that affects businesses and people (dead or alive). The costs to the victim can be extensive, not only in monetary terms but also the damage done to their good name and credit rating as a result. Research from credit reference agency Experian revealed that it takes on average 467 days before you realise you have become a victim of Identity fraud. Such is the length of time between the crime committed and discovery that it makes it extremely difficult to catch the perpetrator, and also for you to prove that you were not in fact complicit in the crime. It may take years, considerable effort and money to resolve the resulting problems from the initial crime.

Why has there been a massive upsurge in the crime of identity theft with the advent of the information age? Newman and McNally have noted that identity theft has three main attractions for criminals:

1. Anticipated Rewards.

2. The advantage of concealment which is intrinsic to the crime.

3. Mild sentences compared with other crimes.[3]

Frank Abagnale Jr, famous from the movie "Catch me if you can!" starring Leonardo De Caprio, spent 5 years in the 1960's defrauding banks, airlines, hotels and other businesses in 26 countries to the value of $2.5 million but who now is a consultant to the FBI in their counter-fraud task force. In an interview with Jeremy Scott-Joynt for the BBC, he stated that: "Technology means that what I did 40 years ago is 4,000 times easier to do today."[4] So it would appear Identity theft is a simple crime to commit , this dissertation's objective is to examine the threats to the Irish online consumer and investigate how aware they are of this crime and what steps they take to protect themselves.

To tackle identity theft we must change people's habits and awareness of the crime. If people don't think it will happen to them they will not take the necessary precautions and exercise reasonable care online when it comes to divulging their personal information. We must also consider that while the person takes every precaution they can, they may still be unfortunate enough that their information gets compromised through a third parties lack of security measures. An example of this would be bank of Ireland losing four unencrypted laptops with customer information and failing to report it to the affected customers. Or the HSE computer stolen in New York.

1.3 What is Identity theft?

The OECD (Organisation for Economic Co-operation and Development) states that there is no standard definition of the term identity theft at an international level. Some countries take a broad view of the concept, which usually applies to both online and offline identity theft, very few countries consider it a specific offense. In the absence of a global definition the OECD define Identity theft as:

"ID theft occurs when a party acquires, transfers, possesses or uses personal information of a natural or legal person in an unauthorised manner, with the intent to commit, or in connection with, fraud or other crimes." [5]

The above definition is a good summation of what identity theft is, the stealing of a person's identity to commit fraud or other crimes. But how does this relate to the Irish consumer, how is Identity theft defined in Ireland? The website http://www.makeitsecure.org is a joint initiative from both the Republic and Northern Irish governments to help raise awareness and educate users of the potential risks including identity theft online in Ireland. They define identity theft as:

"Identity theft is when your identity is stolen by a criminal who then impersonates you and uses your personal details for fraudulent purposes."[6]

Identity theft is not defined as a unique crime under Irish law and this makes it difficult to obtain accurate statistics on the extent of the crime in Ireland as the crime can be listed as theft or fraud or criminal damage. In fact it can be very difficult to prosecute offenders, Detective Sergeant John Finan, head of the Garda's computer crime unit speaking at a data security conference hosted in March 2008 by Deloitte and security software firm Integrity Solutions stated, "Simply having someone else's personal data in your possession is not a crime. A suspect would have to be found to have used that data for criminal purposes to be prosecuted." [7]

1.3.1 Identity theft statistics from other countries

Some U.S. statistics from the 2010 Javelin Identity Fraud Survey Report: It says Identity fraud continues upward climb. 4.8 percent of the U.S. population was affected by identity fraud in 2009. The study confirms that the number of identity fraud victims in the U.S. increased 12 percent to 11.1 million adults in 2009, while the total annual fraud amount increased by 12.5 percent (or $6 billion) to $54 billion. The increase in existing card fraud indicates more computer theft of passwords, usernames, and other entry keys to persons' accounts. The number of fraudulent new credit card accounts increased to 39 percent, up from 33 percent in 2008. New fraudulently-opened Internet accounts more than doubled over the previous year. Technology is helping to detect fraud faster but fraudsters are taking advantage of it to commit crimes. When consumers discover fraud through electronic monitoring, they typically spend less time and money to recover. The study revealed that when consumers wait to find fraud on paper statements, they incur a higher out-of-pocket cost to recover and it takes longer to detect - $274 and 39 days vs. $116 and 30 days for discovering fraud through electronic monitoring. However, the study found that fraudulent new e-commerce accounts such as eBay and Amazon, and email payment accounts like PayPal, both increased by 12 percent, indicating that fraudsters are targeting online accounts. (http://pr-canada.net/index.php?option=com_content&task=view&id=166286&Itemid=58)

In the UK only identity fraud currently costs £1.7 billion per year, compared with £1.3 billion in 2002 (The Home Office, 2006) http://www.allacademic.com/meta/p_mla_apa_research_citation/2/7/0/3/1/p270317_index.html

The profile of perpetrators of high tech crime has also changed. Initially, such crimes were committed by individuals with advanced technical knowledge. These individuals began to form small teams to coordinate their efforts and further hone their expertise. National organised criminals then became aware of the profits that could be made from this type of activity and started to recruit the required level of technical expertise to carry out these

crimes. Nowadays, international organised crime gangs invest large sums of money in the creation of hardware and software infrastructure to perform high tech crimes against financial institutions on an industrial scale. (High Tech Crime: A Growing Threat, Dave O'Reilly, Cybercrime Analyst, UCD Centre of Cybercrime Investigation)

Identity theft is easy and nearly risk free. Gartner reports that only 1 in 700 identity thieves are prosecuted.

In the UK, 12% of users say they have used the internet without having any security software in place. The research from National Identity Fraud Prevention Week October 2009 http://www.scmagazineuk.com/twelve-per-cent-of-internet-users-have-no-security-software-as-two-thirds-of-users-lack-fraud-awareness/article/152230/

The figures from CIFAS, the UK's Fraud Prevention Service, showed that there have been over 59,000 victims of impersonation, while the overall number of identity frauds has increased by 33 per cent in the first nine months in comparison with 2008. http://www.scmagazineuk.com/victims-of-identity-fraud-rise-by-a-third-as-it-becomes-a-primary-concern-among-consumers/article/152084/

1.4 Online Identity theft in Ireland

Ireland as part of the digitised world has not avoided this insidious crime. As stated previously, accurate statistics on the crime in Ireland is hard to quantify because it is grouped in with other fraudulent crimes, however a survey commissioned by Fellowes[8] for National Identity Fraud Prevention Week suggests that 90,000 people in Ireland have already been victims of identity fraud - an increase on 2008. (http://www.stop-idfraud.ie/the-facts.php). With so many people affected, does this mean that irish consumers are unaware of the risks of online identity theft? A study by IPSO shows most Irish consumers are unaware of the impact of identity theft and most people do not think the crime will happen to them.

Keaney. A (2009) noted in a study that while there are already good preventative measures consumers can take to prevent identity theft, these measures are not being followed. Further education is needed for Irish and US consumers. So who should educate Irish consumers? Up until now this has mainly been done by the Irish banking organisations. The government did launch the "MakeITsecure" campaign website in 2006 which does outline various potential threats online and also preventative measures a person can employ. This dissertation will try to establish Irish consumer awareness of online identity theft and part of this research will be to discover are the initiatives created by the banking sector and the Government successful? Are people aware of these informative websites?

A report from the Autumn 2009 quarterly bulletin from www.amas.ie, it shows the Irish are one of the most trusting nations in the EU when it comes to online activities. Source: Eurobarometer Confidence in the Information Society report, May 2009. Based on a sample of 12,799 at-home internet users aged 15 years and above across the 27 EU Member States. 500 persons were interviewed in Ireland. (http://amas.ie/documents/AMAS_state_of_the_net_No14_sept09.pdf)

Some statistics from the report:

70% of Irish people think that internet transactions are either completely safe or rather safe. That puts us sixth-highest in a survey of the EU-27 countries. Only Finland (84% say safe), Denmark (82%), Sweden (78%), the Netherlands (78%) and the UK (76%) are more confident.

In the same survey, over 7% of Irish people said that they had given personal information to fraudsters operating "phishing" scams, the second highest rate among the countries surveyed. We also reported high levels of abuse of personal information (8%) and having computers taken over to become part of a "botnet" (6%) compared with other countries surveyed.

Another related survey from Amas of 300 Irish users of social networking sites found that 10 gave their email addresses, two Bebo users posted their full addresses, 62 Facebook users gave their full dates of birth and nine MySpace users revealed their salary details. Some 100pc of Facebook users gave their full names, compared with 80pc of Bebo users and 13pc of MySpace users. This statistics makes the author question is awareness of online identity theft severely lacking by Irish consumers online based on this behaviour.

New EU data on online shopping helps create this profile of the typical Irish online shopper. It shows that the number buying online in Ireland has shown one of the fastest growth rates across the EU27. In 2008, 36% of Irish people shopped on the Internet, compared with just 14% in 2004, with the latest rankings putting us slightly above the EU average of 32%. The greatest concentration of online shoppers in Ireland is among 25-34 year olds at 52%, followed by 35-44 year olds (44%) and 16-24 year olds (34%). Source: Eurostat, March 2009, respondents asked if they have bought or ordered goods or services for their own use over the Internet over past 12 months, data collected mainly in second quarter of 2008

These statistics show that the Irish consumer's use of the internet is growing incredibly fast. Obviously more consumer usage online gives the identity theft criminals increased opportunities to access customer details and steal personal information.

So far Ireland has not suffered nearly as bad as the USA when it comes to identity theft crime. Irish Data Protection Commissioner, Gary Davis believes this is because "The main reason ID theft has been contained in this country is because we don't operate like the US where a unique identifier like a social security number is used. There's a vigilant fight underway with organisations that request PPS numbers when they don't have a legal basis for doing so." He goes on to say "The main protection against identity theft in this country is the fact that people have to go to some length to establish their identity with address information. The reason we haven't experienced the same level of ID theft is the fine line that exists with PPS numbers."

Even if the consumer is extremely careful online and take every precaution they can still become a victim of identity theft through negligent practices of business in Ireland. According to an analysis from Enterprise Risk Services at Deloitte, some 65pc of Irish websites put consumers at risk of fraud[9]. They analysed over 100 Irish based e-commerce websites in 2008 and found that "a significant proportion of websites" are not compliant with the payment card industry security standards, 53% of companies supported weak or legacy encryption, with 2% not encrypting cardholder data entry sessions at all, which leaves them wide open for fraudsters to access this information. Colm McDonnell from Deloitte states "Identity theft and credit card fraud is a growing problem here in Ireland, and inadequate levels of security must be addressed by merchants as a matter of priority."[10] There have also been many high profile incidences reported in the past couple of years in which companies have not taken adequate measures to protect people's information on the hardware on which they are stored. A number of laptop computers have been stolen from banks, from the HSE, from Bord Gais and from hackers accessing companies systems and stealing consumer data such as Irish TK Maxx customers payments details leaked from parent companies system in USA. What is extremely worrying is that when these security lapses occur, the companies in question did nothing at the time to warn the customers in question that their details might be leaked and to encourage customers to take preventative measures. A prime example was Bank of Ireland had 4 laptops stolen between June and October 2007, these laptops contained information such as client medical histories, life assurance details, and bank account details. Bank of Ireland only notified the Data Protection Commissioner of the thefts in April 2008, ten months after the original thefts. Even at this stage the bank still had notified the customers who's details were compromised. Owen O'Connor, a security expert with the Information Systems Security Association (ISSA), says the danger those Bank of Ireland customers face is "These people could become victims of ID fraud at any point in the near- or long-term future. The bank says it will compensate any customer affected but what are the parameters on that? The burden of proof is on the customer to prove that if they were defrauded the fraud was due to the laptop theft. How are they going to do that?" [11]

Amazing as it may seem but the bank broke no laws with their behaviour, Brian Honan managing director of BH consulting, an independent IT consulting firm that specialises in information security notes that unlike the US, where there is an obligation on firms to disclose if they have lost data related to their clients or essential to the day to day running of their company, no similar law exists in Ireland. "There is no legal requirement for companies to take any actions upon discovering that data has fallen into the hands of others - the issue of disclosure is a hotly debated one with people arguing the pros and cons as to whether or not similar legislation should be introduced here." Legislation has been in place since 2003[12] In California and has spread though most US states that requires companies to inform customers who's data is compromised. This has proven to be a very successful law and one of the main benefits is that the consumer is notified a lot quicker and therefore is able to take the necessary measures they see fit to protect their identity.

In one way it's very difficult to isolate identity online to just Irish online consumers, websites are part of the World Wide Web and therefore it is a global issue, however the laws that govern us and protect us come from Irish and EU legislation, unfortunately these laws perhaps do not do all they can to protect us just yet. Other countries such as US have taken different measures when it comes to preventing identity theft such as the 2003 Californian Law where companies must notify customers when their data is compromised. What can be done in an Irish context is continue to educate and raise awareness of the threat of identity theft and enlighten people to the ways and means they can protect their identity online through various preventative measures and also by becoming more aware and far less trusting than we have been shown to be so far online in this country. In 2008, 36% of Irish people shopped on the Internet, compared with just 14% in 2004, this proves internet shopping has massively increased, so with this increased online activity, we can be sure the dangers of Identity theft will grow in equal proportion's. What this dissertation will ascertain is how aware are Irish consumers of online threats and what actions and measures would they take to protect themselves online.

1.5 The Internet's as an enabler in Identity theft.

Identity theft is a crime that has been around long before the Internet has. However it has become a crime of far greater proportions since the internet has enabled it to be so effortlessly executed on a global scale.

You can see from the conclusions drawn in the 2010 Javelin report that that the increase in existing card fraud indicates more computer theft of passwords, usernames, and other entry keys to persons' accounts. The number of fraudulent new credit card accounts also increased to 39 percent, up from 33 percent in 2008. Fraudulent new e-commerce accounts such as eBay and Amazon, and email payment accounts like PayPal, both increased by 12 percent, indicating that fraudsters are targeting online accounts. The Javelin report shows that online identity theft is still increasing every year.

Milne (2004) emphasises the importance of online protective measures to safeguard against identity theft. But even though online businesses continue to provide new solutions that combat the identity thieves, the perpetrators continue to innovate. Recent developments in quantum mechanics allow hackers to break into even the most secure financial institutions (Barnett 2008)[13]

Data collection of stolen identities can be easier and more efficient for thieves (Katyal 2001), with new approaches and scams being created and implemented under the cloak of electronic anonymity.

The Internet facilitates identity theft by generating more opportunities for crime because Internet identification is based only on two of "three factor authentications": something you know and something you have. (Clarke, 1997). http://www.allacademic.com/meta/p_mla_apa_research_citation/2/7/0/3/1/p270317_index.html

A study by Dinei Florencio, Comac Herley and Baris Coskun (http://www.usenix.org/event/hotsec07/tech/full_papers/florencio/florencio.pdf) has reported that the most common attack on passwords is done not by brute force (which is the reason for a complex password), but by phishing and keyloggers.

1.6 The role of the Internet in identity theft.

There are many different ways you can have your identity stolen online, thieves use a number of diverse way's to get you to inadvertently hand over all the relevant details they need. The following are just a few of the many ways your Personal information can get stolen:

Phishing: The act of obtaining personal information directly from the end user through the internet.[14] Users for example could get an email requesting they update their bank details via a weblink in the email. This website link is a fraudulent website designed to look exactly like the real banking website. Below image is an email snapshot is a real email a colleague received very recently.

When you click the link in email it brought me to this webpage:

http://bsnninc.org/home/components/1/hsbc.co.uk12personal/httpwww.hsbc.co.uk12personalcredit-cards;jsessionid=0000pDFvvK08lyoIpQOFOAhC_Ct11j74l29q/

The above webpage is very sophisticated designed to fool the user into thinking they are on the HSBC website. Only the URL would indicate it is not HSBC but even this has managed to incorporate HSBC into it. It was possible to follow the logon screens all the way through by entering a fake account number in the login window, then a false Credit Card entered was taken from the known credit card bin range for the first 6 digits for HSBC cards and entered in false information, not once did it prompt for any incorrect data entry . When all the information was entered it redirected to the real HSBC website.

This is the real HSBC homepage: http://www.hsbc.com/1/2/, the Phishing webpage is very similar to the below genuine webpage of HSBC.

The APWG (Anti-Phishing Working Group), founded in 2003 is a global industry, law enforcement, and government coalition focused on eliminating the identity theft and fraud caused from phishing, email spoofing, and crimeware. Their July-September (Q3) 2009 report[15] shows that Phishing is a crime that is still on the increase. The key finding's from that report are:

* The number of unique phishing reports reached a record 40,621 in August - 10 percent more than the previous record in September, 2007.

* The number of unique phishing websites reported reached a record 56,362 in August, displacing the previous reported high of 55,643 in April, 2007 by 1.3 percent.

* The number of hijacked brands rose to a record 341 in August, up more than 10 percent from the previous record of 310 in March 2009.

* The most targeted sector for Phishing attacked was the financial sector which accounted for 54% of all attacks. See breakdown of sectors affected below:

There are many tools available to counteract Phishing websites such as WOT (Web of Trust) add-on for Mozilla web browsers. Web site ratings are continuously updated by millions of members of the WOT community and from numerous trusted sources, such as phishing site listings. This is a tool that notifies the user if they encounter a website WOT has flagged as potentially dangerous.

Despite the numerous tools there are to help the users, Egelman, Cranor & Hong 2008[16] found that 97% of users trusted phishing emails enough to visit the Phishing URL's. Part of this research will ascertain if the Irish consumer pays heed to warnings they receive before accessing a Phishing website or if they ignore this warning and proceed anyway.

Pharming: Where a Hacker redirects a websites traffic to another bogus website. Similar to phishing only the fraudsters do not require a lure to attract the targets. Pharming occurs without the victim having clicked any links or visited the wrong site. Also known as DNS poisoning, it inserts false information into the DNS server, resulting in a user's request being redirected elsewhere. Your web browser will show you are at the correct Web site, which makes pharming more difficult to detect. Once on the bogus website, the victim unwittingly gives the thieves valuable information they then use to steal from the victim. Man in the middle attack: intercept data from a user being sent to a legitimate site. Here the hacker listens in on the communication from the user to a genuine website.

Marsh Ray and Steve Dispensa of PhoneFactor, and researcher, Martin Rex from the IETF, discovered a vulnerability in the SSL protocol that allows a man-in-the-middle attack, which if exploited could leave businesses and end users exposed to any number of malicious attacks. "SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers."[17] The vulnerability results from a weakness in the SSL protocol standard. As such, most SSL implementations are vulnerable in one way or another. Affected scenarios include web surfers doing online banking, back-office systems using web services-based protocols, and non-HTTP applications such as some mail servers, database servers, and so on.

"In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities. In particular, practical attacks against HTTPS client certificate authentication have been demonstrated against recent versions of both Microsoft IIS and Apache httpd on a variety of platforms and in conjunction with a variety of client applications. Cases not involving client certificates have been demonstrated as well," Ray and Dispensa note. http://www.thetechherald.com/article.php/200945/4738/SSL-flaw-allows-man-in-the-middle-attacks

Malware such as Keystroke logging, viruses and Trojans: "Malware" is short for malicious software and is typically used as a catch-all term to refer to any software designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware, et al.[18]

A virus is a program that has infected some executable software and that causes that software, when run, to spread the virus to other executable software. Viruses may also contain software that performs other actions, often malicious. Viruses can easily infect a computer via software downloads from the internet or opening an attachment in an email.

A worm is a program that actively transmits itself over a network to infect other computers. Worms may also perform malicious actions like a computer virus.

A Trojan Horse is software that appears to perform one function for the user but is also facilitating unauthorised access to the computer from a hacker.

A keystroke logger can be a physical device or software attached to a computer that monitors every keystroke the user makes. Its a very simple method that enables the fraudsters to record the users login details for their bank, social network site or email for example. Keystroke loggers are easily available to download from the internet, advertising as a great tool for parents to monitor their children's activities on the internet. While they could be good for that purpose, they are far more useful to thieves.

An alarming statistic reported by PandaLabs, the research department of Panda Security shows that the number of users affected by malware designed for identity theft increased by 600% in the first half of 2009 compared to the same period in 2008.

They report that the percentage of malware designed to steal bank details, credit card details or passwords has increased dramatically. They have seen samples of 11 million new threats between January and July 2009, of which 71% were trojans, mainly designed for identity theft, against only 51% of new threats in the first half of 2009. The company estimates that around 3% of all internet users have been a victim of identity theft attacks.

Luis Corrons, technical director of PandaLabs said that the recession may be the main driver in increased attempts at financially-motivated identity theft. "Maybe one of the reasons of this increase is the economic crisis along with the big business that selling this information on the black market, such as credit card numbers, Paypal or Ebay accounts, etc. We have also seen an increase of the distribution and infection of this kind of malware through social networks," he said.

Two recent examples of Identity theft using malware are:

Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank log-in credentials but actually steals money from your account while you are logged in and displays a fake balance.

The bank Trojan, dubbed URLZone, has features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available.

It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera, and it is different from previously reported banking Trojans, said Ben-Itzhak. The Trojan runs an executable only on Windows systems, he said. The executable can come via a number of avenues, including malicious JavaScript or an Adobe PDF, he added.

The specific Trojan Finjan researchers analyzed targeted customers of unnamed German banks, according to the latest Finjan report. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting inside infected PCs. Finjan has notified German law enforcement, Ben-Itzhak said.

"It's a next generation bank Trojan," he said. "This is part of a new trend of more sophisticated Trojans designed to evade antifraud systems."

Finjan researchers were able to trace the communications from the code on an infected machine back to the command-and-control server, which was left unsecured, according to Ben-Itzhak. On that server, they saw the LuckySploit administration console and were able to see exactly what types of rules the Trojan was written to follow and statistics on victims.

About 90,000 computers visited the sites housing the malware and 6,400 of them were infected, a 7.5 percent success rate, he said. Of those whose computers installed the Trojan, a few hundred had money stolen from their bank accounts, he said.

During the span of 22 days in mid-August, the criminals behind the Trojan stole the euro equivalent of nearly $438,000.[19]

Koobface, is a virus that attacks users with spyware and searches their system for sensitive passwords and credit card numbers, has now been found on the Facebook social networking site. After receiving a message in their Facebook in-box announcing, "You look funny in this new video" or something similar, recipients are then invited to click on a provided link. Once on the video site, a message says an update of Flash is needed before the video can be displayed. The viewer is prompted to open a file called flash_player.exe. If the viewer approves the Flash installation, Koobface attempts to download a program called tinyproxy.exe. This loads a proxy server called Security Accounts Manager (SamSs) the next time the computer boots up. Koobface then listens to traffic on TCP port 9090 and proxies all outgoing HTTP traffic. For example, a search performed on Google, Yahoo, MSN, or Live.com may be hijacked to other, lesser-known search sites.[20]

Top 10 countries hosting malware on the web[21]

Wireless Networks: Unsecured Wireless network make it very easy for criminals to access any computers within that network and once they are inside the network it's very easy to obtain financial information, business records or sensitive e-mails or other data. Even "secured" can be hacked into.

In August 2008, the U.S. Department of Justice filed charges against 11 individuals who allegedly obtained identity information over wireless networks from nine major U.S. retailers, resulting in the theft and sale of more than 40 million credit and debit card numbers. The hackers apparently garnered tens of millions of dollars from a broad-based scheme that involved citizens of the United States, Estonia, Ukraine, China and Belarus. Attorney General Michael Mukasey said, "so far as we know, this is the single largest and most complex identity theft case ever charged in this country, which they then allegedly sold to others or used themselves. And in total, they caused widespread losses by banks, retailers, and consumers."

The hackers used a tactic known as "wardriving" that involves driving around with a laptop computer and trying to access wireless networks in the range of the car. After hacking into the networks, the hackers use programs to locate card numbers and PIN passwords that are then sent to servers in the U.S. and Eastern Europe for online sale. The stolen numbers are "cashed-out" by encoding them on magnetic strips of blank cards to steal money from ATMs. http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=2177

Eircom's broadband package supplies the user with a Netopia wireless router, In 2007 eircom was made aware of a potential wireless access security issue with the Netopia wireless modems. A possible vulnerability with the standard configuration or default setting of the WEP protocol was identified. This vulnerability makes it possible for a person with an advanced working knowledge of encryption and coding techniques to illegally access an eircom customer's wireless internet connection. However, when a customer generates their own unique WEP Key or password and does not use the default setting, this security risk is removed[22]. Home users may think they are secure having the WEP key enabled on their router, however there are webpages dedicated to hacking this key that provides the WEP key based on the Routers name. Example router name Eircom 6884 7865. Enter in the 8 digits into a website such as http://s4dd.yore.ma/eircom/ and this will give you the WEP key.

This generates the WEP key for the hacker:

This website in itself is not illegal and pays lip service to the illegality of hacking into someone's router. It also illustrates how easy it can be to generate a key to access a router the home owner believes to be secure. Note this example above was used on the authors router and no hacking took place.

Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin proved they could crack a 104 bit WEP code in 60 seconds using standard computer equipment. On a IEEE 802.11g network, the number of frames required can be obtained by re-injection in less than a minute.[23]

WPA was introduced as an improvement to WEP wireless network security, however Japanese computer scientists have developed a way to break the WPA encryption system in approximately one minute. The attack gives hackers a way to read encrypted traffic sent between computers and certain types of routers that use the WPA (Wi-Fi Protected Access) encryption system. The attack was developed by Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University.[24]

Social Networking Sites: Besides the virus software issues associated with social networking sites mentioned previously, Social networking sites (SNS) are a treasure trove of information waiting to be abused. Simply by viewing someone's profile, identity thieves may be able to obtain vital information on the person, their address, what their parents work at and other useful information that can be answers to security questions to that persons email for example. "The sheer amount of public data on sites like Facebook, LinkedIn, Bebo and even MySpace make it easier to impersonate, damage or misrepresent a personal or business identity on the Web," the report by Aladdin Attack Intelligence Center states.[25] Another simple fraud Identity thieves perpetrate is to contact the SNS user and pretend to be a friend of the users they know is on holiday in Australia from the SNS information they obtain. The identity thieves email the user using a newly created email address incorporating the users friends name in the address and request financial assistance for some financial crisis this "friend" has encountered. A western union money transfer later and the thieves make a tidy profit.

Scammers ask to be added to your profile as your friend, then they watch you and get some information about you. They then use this information to get to know you and pose as a "true" friend.

When they think they've earned your trust, they begin sending the scam emails. These emails tactics include:

Friend in Distress -- Something bad has happened and they need money quick!

Phishing Friend -- Your new "friend" sends you an email that has a virus attached to it. This virus allows your friend to hack into your Facebook account and get personal information to steal your identity.

Viral Wall Scam -- This email has a virus attached to it that allows your "friend" to get not only your personal information, but the personal information of all of your real friends from your wall when you communicate with them.[26]

The following results are part of Sophos' 2010 Security Threat Report which explores current and emerging computer security trends:[27]

* 57% of users report they have been spammed via social networking sites, a rise of 70.6% from last year

* 36% reveal they have been sent malware via social networking sites, a rise of 69.8% from last year

* 72% of firms surveyed are worried that employee usage of social networking sites places their firms at risk

* Survey respondents identified Facebook as the social networking site posing the greatest security risks

* 49% of companies survey allow their employees unrestricted access to Facebook, up from 36% a year ago

Unpatched software: A lot of popular computer software continuously gets updated as an ongoing improvement to its performance but also to implement software fixes to security issues that have arisen. Using software that is not the latest version (down rev) is actually using software with potential security flaws.

Secunia are a leading software vunerability information provider, they state "Patching third party software is probably the most important thing a private user can do in relation to his/her IT-security. The criminals exploit vulnerabilities in third party applications to gain access to private users PCs in order to heist bank accounts and other criminal activities [...]," Secunia Partner Manager Mikkel Winther said in a statement. "This is where the lowest hanging fruit is found."

A well documented incident in January 2010 was the Google network was hacked in China. "This attack involved very advanced methods, with several pieces of malware working in concert to give the attackers full control of the infected system, at the same time it attempts to disguise itself as a common connection to a secure website. This way, the attackers were able to covertly gather all the information they wanted without being discovered."[28] Microsoft has admitted in a blog post that a vulnerability in its Internet Explorer 6 web browser was used by Chinese hackers to attack Google and recommended users upgrade to Internet Explorer8.

Insider trading: rogue employees who have access to peoples personal and payment information steal it from inside the company. dishonest employees with access to computer terminals connected to one of the credit reporting agencies. They might look for names similar to theirs, or just someone with good credit. Obviously what goes hand in hand with this type of access is the negligence of the company which is permitting such uses in an unmonitored environment.[29]

1.7 How can the consumer protect themselves online?

So far a number of online threats have been identified that threaten the user on a daily basis online. Awareness of the threats is the first victory in fighting identity theft online. Once the consumer is aware of the risks, there are a number of steps the user can take to protect themselves online.

* Ensure good anti-virus software is installed and is up to date on the computer. There are also other software tools such as spybot search and destroy that detects and removes spyware, a threat not yet covered by common anti-virus applications. Encryption software for any computer is also recommended, especially if a laptop gets stolen, unless the theif knows the key, he cannot access the data on the computer.

* If the web browser does not already have a phishing website alert toolbar, install one such as Web of Trust (WOT). This is a useful tool that highlights potential phishing websites when the user lands on their website.

* Any passwords used for the different websites the consumer uses should be unique and difficult to predict. It is bad practice to use the same password for different websites and also to use a password such as your name, address or birthday. Passwords should be long, alphanumeric if possible and appear to be random letters to a hacker. 12345678 or qwerty would also be considered poor practice.

* Do not save your username and password for a website on your browser. Firefox and IE offer the user the auto complete facility to save the username and password for a website when you enter it in.

* Apply for your credit report from the Irish Credit Bureau (ICB). Under Data Protection Acts 1988 and 2003, you are entitled to receive a full copy of any data held in your respect on ICB's database.[30] There is a €6 fee per application but this is worth it if it alerts you that your identity has been stolen. The sooner one is aware of the issue, the sooner it can be resolved.

* Do not give out your personal information online under any circumstances. As stated previously with regard to phishing, no credible business or bank would require you to enter in all your details online.

* Protect your wireless network from unwanted access. Take preventative measures such as placing router in a place which will limit its range, ensure the router has a good secure WPA encryption password, also the router may allow you to specify what MAC addresses you will allow use the router. Enter in your PC MAC address and any other devices you use on the wireless network. Only MAC addresses on this list can access the router. Install wireless intruder alert software such as Wi-Fi Manager which can alert you to what users are currently using the wireless network.

* When purchasing goods or services online, ensure the website payment security is secure. Be very wary of unfamiliar websites and always look for secure payment identifiers before entering in any data. Good identifiers would be websites beginning with https and/or displaying a padlock symbol. If possible stick to the big name websites such as amazon or ebay that uses paypal as an extra layer of payment security. As stated previously 2% of irish websites did not even have the most basic payment protection security enabled, leaving them wide open to abuse.

1.8 Impact of Identity theft on the victim.

While financial loss is the most obvious impact on most identity theft victims, there are other issues the victim must face:

* Damage to their good name and reputation.

* Encounter difficulty in the future when applying for credit. Due to the identity theft, the victims financial records will indicate poor financial dealings.

* The burden of proof lies with the victim, they have to prove it was not them who committed the fraud. This can prove to be extremely difficult and time consuming. Statistics show it can take up to 300 hours to clear the victims name. [31]

* The victim can also suffer emotionally, feelings of anger, betrayal and worry about their financial security.

1.9 Who are the online identity thieves?

This is not easy to answer, the fact that the chances of catching the thief are still so low. A Gartner analyst estimates only 1 in 700 offenders will get convicted, while some industry experts speculate the number is more like 1 in a 1000 (Mihm, 2003).

Many identity thefts are committed by opportunists or petty criminals, and organized crime gangs worldwide are also becoming increasingly involved. Organized crime is believed to be behind many of the large-scale cases of credit fraud and identity theft that involve hacking into major online databases. In Moscow, for example, there are an estimated 6,000 criminal gangs, and most are believed to be involved in identity theft at some level.

Many of these gangs are exploiting very bright computer students and graduates who are easily tempted by the high pay and relatively low risk, especially in a country where a teacher can often earn less than $1,000 a year. Organized crime has been linked to identity theft in Bulgaria, Romania and Albania, as well as the United States.

Employees are also a major threat, especially in smaller businesses, and most of the recent high-profile identity theft cases have involved trusted employees. One of the most costly identity theft cases happened at a small New York software business and is believed to have cost more than $100 million. According to investigators, over a two-year period, the former employee used an uncancelled password to steal the credit reports of thousands of consumers, and then sold the information to accomplices for around $30 a report.

And just to give you an idea of the potential return on identity theft fraud — if the culprit in that case had been more careful and determined, and maximized the potential profit on each stolen identity, his theft could have netted him closer to $500 million. And I've seen businesses large and small across the country hit with major losses because of identity theft by employees, whether it's stealing the identity of a co-worker, or stealing and selling customer files on a large scale.

And, of course, most petty criminals now recognize the potential upside in fraud and identity theft, whether it's simply selling a piece of information like a Social Security number for a few hundred dollars, or learning the basic skills to turn that small piece of information into a much bigger payoff.

Which is why we can also expect to see burglars, pickpockets, car thieves and all sorts of lower-level scam artists — including those who engage in dumpster diving — focus more on identity theft and get better at it. http://www.privacymatters.com/identity-theft-information/who-is-identity-theft.aspx

Research Objectives and Goals:

As shown in the literature review, there are multiple ways identity theft can occur both to businesses and individuals online. As with a lot of crimes, it is not something that will never be eradicated completely, new methods appear in the forms of new viruses or new found weaknesses thieves can exploit in software such as IE6 china hackers mentioned in this chapter. This research objective will concentrate on Irish online consumer's awareness of the threats of identity theft and investigate what steps they take to protect themselves online.

References:

Alan Brill and Troy Allen:- Identity Theft: How Companies - and Consumers - Can Protect Themselves MMC Viewpoint, Number 1, 2006 - The Marsh & McLennan Companies Journal

Consumers Want More Control Over Securing Their Identities and Personal Data Online, VeriSign Study Finds: http://www.verisign.co.uk/press/page_20090616.html (experian quote 467 days)

Foradori, Manuel. "Can Biometric Measures Prevent Internet Identity Theft? A Situational Crime Prevention Approach"Paper presented at the annual meeting of the ASC Annual Meeting, St. Louis Adam's Mark, St. Louis, Missouri, Nov 12, 2008 <Not Available>. 2010-01-23 <http://www.allacademic.com/meta/p270317_index.html>

http://www.siliconrepublic.com/news/article/10863/digital-life/fear-and-loathing-online

Keaney, A. (2009) 'Identity theft and privacy - consumer awareness in Ireland', Int. J. Networking and Virtual Organisations, Vol. 6, No. 6, pp.620-633.

Mihm, S. (2003, December 21). Dumpster-Diving for your identity. The New York

Times Magazine.

[1] Sean B Hoar, "Identity theft: The crime of the New Millennium" (2001) 80 Oregon L at 1423.

[2] Charles M. Kahn & William Roberds, 2005. "Credit and identity Theft," Working Paper 2005-19, Federal Reserve Bank of Atlanta.

[3] Graeme R. Newman & Megan M. McNally, Identity Theft Literature Review, July 2005 at 46: online http://www.ncjrs.gov/pdffiles1/nii/grants/210459.pdf

[4] Jeremy Scott-Joynt, "No more Mr Nice Guy?" BBC News (10 May 2006). http://news.bbc.co.uk/2/hi/business/4758501.stm

[5] OECD Policy Guidance on Online Identity Theft page 2 http://www.oecd.org/dataoecd/49/39/40879136.pdf

[6] Identity theft definition: http://www.makeitsecure.org/en/identityTheft.html

[7] Sunday Business Post, "Irish firms confused on computer law" Sunday, March 09, 2008 - By Dick O'Brien

[8] a global manufacturer and marketer of business machines, records storage solutions and technology accessories http://www.fellowes.co.uk/gb/site/aboutus/about_main.aspx?culture=en&loc=top

[9] By Marie Boran http://www.realex.ie/news/65pc-of-irish-websites-put-consumers-at-risk

[10] Irish times "payment-security insufficient on many websites - survey. By Charlie Taylor. Nov 19th 2008

[11] (http://www.siliconrepublic.com/news/article/10863/digital-life/fear-and-loathing-online)

[12] (http://www.thepost.ie/story/text/eycwgbkfid/)

[13] Barnett Stephen., Identity Fraud to be debated http://news.scotsman.com/education/identity-fraud-to-be-debated.3617954.jp

[14] (Lininger and Vines 2005 Phishing, cutting the identity theft line)

[15] July - September 2009 Q3 APWG report: http://www.antiphishing.org/reports/apwg_report_Q3_2009.pdf

[16] You've been warned:an empirical study of the effectiveness of web browser phishing warnings

April 2008 Serge Egelman, Lorrie Faith Cranor, Jason Hong

[17] http://info.ssl.com/Article.aspx?id=10241

[18] http://technet.microsoft.com/en-us/library/dd632948.aspx

[19] http://news.cnet.com/8301-27080_3-10363836-245.html

[20] http://news.cnet.com/koobface-virus-hits-facebook/

[21] http://www.sophos.com/sophos/docs/eng/papers/sophos-security-threat-report-jan-2010-wpna.pdf

[22] http://broadbandsupport.eircom.net/SRVS/CGI-BIN/WEBCGI.EXE/&/?St=191&E=0000000000220005544&K=5953&SXI=19&E=0000000000220005544&St=191&K=5953&SXI=19&case=9161&branch=4

[23] Breaking 104 bit WEP in less than 60 seconds, Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin (2007)

[24] How to hack WPA wireless security in one minute, Robert McMillan, http://www.computerworlduk.com/technology/networking/security/news/index.cfm?newsid=16351

[25] http://www.aladdin.com/pdf/airc/AIRC-Annual-Threat-Report2008.pdf

[26] http://www.identitytheftfixes.com/beware_of_identity_theft_scams_on_facebook.html

[27] http://www.sophos.com/sophos/docs/eng/papers/sophos-security-threat-report-jan-2010-wpna.pdf

[28] McAfee researcher Guilherme Venere.

[29] http://www.privacyrights.org/ar/id_theft.htm

[30] http://www.icb.ie/cr_options.php

[31] http://www.europ-assistance.co.uk/Template.aspx?ID=229

Print Email Download Reference This Send to Kindle Reddit This

Share This Essay

To share this essay on Reddit, Facebook, Twitter, or Google+ just click on the buttons below:

Request Removal

If you are the original writer of this essay and no longer wish to have the essay published on the UK Essays website then please click on the link below to request removal:

Request the removal of this essay.


More from UK Essays