Cyber Crime: Identity Theft
In this era of globalization, one of many things that can distinguish a developed country to a developing country is its progress of science and technology. This is because along with the development of a country's science and technology, will also developed the country's ability to enrich their own potential.
Great advances in science and technology in developed country are due to their well-established information system. Meanwhile, in the developing country, the information system is still minimal, which make the development of science and technology become blocked. Thus, whether a country will become a developed country or not, is highly depend on their mastery of information system.
In times like these, the mastery of the information system will not enough by merely mastering. We need to conquer the speed and accuracy too, because there is almost no point in mastering outdated information. Moreover, the very rapid progress of information makes the age of the information shorted. In other words, substitution of old and new information becomes faster. Old information will be ignored because of the more recent information.
But, the development of science and technology, in which also means the development of information system, does not always have good effects. It has bad effects too. One of them is the increased rate of the computer crime.
B. Computer Crime
Computer crime issues have become high-profile, particularly those surrounding hacking, copyright infringement through warez, child pornography, and child grooming. There are also problems of privacy when confidential information is lost or intercepted, lawfully or otherwise.
A computer crime is any illegal action where the data on a computer is accesed without permission. This access does not have to result in loss of data or even data modifications.
Computer crime is often attributed to rogue hackers and crackers, but increasingly organized crime groups have realized the relative ease of stealing data with low-level of risk.
There are three major classes of criminal activity with computer:
1. Unauthorized use of a computer, which might involve stealing a username and password, or might involve accessing the victim's computer via the Internet through a backdoor operated by a Trojanhorse program.
Unauthorized use of computers tends generally takes the following forms:
a. Computer voyeur. The attackers read or copy confidential or propietary information, but the data is neither deleted nor changed.
b. Changing data. Example, changing a grade on a school transcript. Unauthorized changing of data is generally a fraudulent act.
c. Deleting data. Deleting entire files could be an act of vandalism or sabotage.
d. Denying service to authorized users.
2. Creating or releasing a malicious computer program (e.g., computer virus, worm, Trojanhorse).
Malicious computer program are divided into these following classes :
1) A virus is a program that "infects" an executable file. After infection, the executable file functions in a different way than before: maybe only displaying a benign message on the monitor, maybe deleting some or all files on the user's hard drive, or maybe altering data files.
There are two key features of a computer virus:
a. The ability to propagate by attaching itself to executable files (e.g., application programs, operating system, macros, scripts, bootsector of a hard disk or floppy disk, etc.) Running the executable file may make new copies of the virus.
b. The virus causes harm only after it has infected an executable file and the executable file is run.
2) A worm is a program that copies itself. The distinction between a virus and a worm, is that a virus never copies itself, a virus is copied only when the infected executable file is run.
In the pure, original form, a worm neither deleted nor changed files on the victim's computer, the worm simply made multiple copies of itself and sent those copies from the victim's computer, thus clogging disk drives and the Internet with multiple copies of the worm. Releasing such a worm into the Internet will slow the legitimate traffic on the Internet, as continuously increasing amounts of traffic are mere copies of the worm.
3) A Trojan Horse is a deceptively labeled program that contains at least one function that is unknown to the user and that harms the user. A Trojan Horse does not replicate, which distinguishes it from viruses and worms.
Some of the more serious Trojan horses allow a hacker to remotely control the victim's computer, perhaps to collect passwords and creditcard numbers and send them to the hacker, or perhaps to launch denial of service attacks on websites.
Some Trojan Horses are installed on a victim's computer by an intruder, without any knowledge of the victim. Other Trojan Horses are downloaded (perhaps in an attachment in e-mail) and installed by the user, who intends to acquire a benefit that is quite different from the undisclosed true purpose of the Trojan Horse.
4) A logic bomb is a program that "detonates" when some event occurs. The detonated program might stop working, crash the computer, release a virus, delete data files, or any of many other harmful possibilities. Atimebomb is a type of logicbomb, in which the program detonates when the computer's clock reaches some target date.
5) A hoax is a warning about a nonexistent malicious program.
3. Crimes facilitated by computer networks or devices, the primary target of which is independent of the computer network or device (cyber crime)
Examples of crimes that merely use computer networks or devices would include :
1. Cyber stalking
2. Fraud and identity theft
3. Phishings scams
4. Information warfare
The third type of Computer Crime has become the most famous right now, because it produce more benefits than the other two.
C. Cyber Crime
The Internet is a new frontier. Just like the Wild, Wild West, the Internet frontier is wide open to both exploitation and exploration. There are no sheriffs on the Information Superhighway. No one is there to protect you or to to lock-up virtual desperados and bandits.This lack of supervision and enforcement leaves users to watch out for themselves and for each other.A loose standard called "netiquette" has developed but it is still very different from the standards found in "real life".Unfortunately, cyberspace remains wide open to faceless, nameless con artists that can carry out all sorts of mischief. And that is why the cyber crimes can be as they are right now.
Cyber Crime is a criminal activity done using a computers and the internet. This includes anything from downloading illegal music files to stealing millions of dollars from online bank accounts. Cyber crime also includes non-monetary offenses, such as creating and distributing viruses on other computers or posting confidential business information on the internet.
Below are some cases of cyber crime founded around the world between 1970 - 2005:
1970 - 1990
1. John Draper discovers the give-away whistle in Cap'n Crunch cereal boxes reproduces a 2600Hz tone. Draper builds a ‘blue box' that, when used with the whistle and sounded into a phone receiver, allows phreaks to make free calls
2. Robert T. Morris, Jr., graduate student at Cornell University and son of a chief scientist at the NSA, launches a self-replicating worm (the Morris Worm) on the government's ARPAnet (precursor to the Internet). The worm gets out of hand and spreads to over 6000 networked computers, clogging government and university systems. Morris is dismissed from Cornell, sentenced to three years' probation, and fined $10K.
3. After a prolonged sting investigation, Secret Service agents swoop down on organizers and members of BBS's in 14 US cities, including the Legion of Doom. The arrests are aimed at cracking down on credit-card theft and telephone and wire fraud.(1990)
1991 - 2000
1. Five members of the Aum Shinri Kyo cult's Ministry of Intelligence break into Mitsubishi Heavy Industry's mainframe and steal Megabytes of sensitive data. (1994)
2. Hackers adapt to emergence of the World Wide Web, moving all their how-to information and hacking programs from the old BBS's to new hacker Web sites.(1994)
3. Russian crackers steal $10 million from Citibank. Vladimir Levin, the ringleader, uses his work laptop after hours to transfer the funds to accounts in Finland and Israel. He is tried in the US and sentenced to 3 years in prison. All but $400K of the money is recovered. (1995)
4. The French Defense Ministry admits Hackers succeeded in stealing acoustic codes for aircraft carriers and submarines. (1995)
5. FBI establishes fake security start-up company in Seattle and lures two Russian citizens to U.S. soil on the pretense of offering them jobs, then arrests them. The Russians are accused of stealing credit card information, attempting to extort money from victims, and defrauding PayPal by using stolen credit cards to generate cash. (2000)
2001 - 2005
1. Microsoft become victim of a new type of attack against domain name servers, corrupting the DNS paths taking users to Microsoft's Web sites. This is a Denial of Service (DoS) attack. The hack is detected within hours, but prevents millions of users from reaching Microsoft Web pages for two days. (2001)
2. The Klez.H worm becomes the biggest malware outbreak in terms of machines infected, but causes little monetary damage. (2002)
3. Two men hack into wireless network at Lowe's store in Michigan and steal credit card information. (2003)
4. Brian Salcedo sentenced to 9 years for hacking into Lowe's home improvement stores and attempting to steal customer credit card information. Prosecutors said three men tapped into the wireless network of a Lowe's store and used that connection to enter the chain's central computer system in NC, installing a program to capture credit card information. (2004)
5. Secret Service seizes control of the Shadowcrew Web site and arrests 28 people in 8 states and 6 countries. They are charged with conspiracy to defraud the US. Nicolas Jacobsen, is charged with hacking into a T-Mobile computer system, exposing documents the Secret Service had e-mailed to an agent. (2004)
Base on Australian Institute of Criminology, cyber crime is divided into 9 types:
1. Theft of telecommunication service
The "phone phreakers" of three decades ago set a precedent for what has become a major criminal industry. By gaining access to an organisation's telephone switchboard (PBX) individuals or criminal organisations can obtain access to dial-in/dial-out circuits and then make their own calls or sell call time to third parties. Offenders may gain access to the switchboard by impersonating a technician, by fraudulently obtaining an employee's access code, or by using software available on the internet. Some sophisticated offenders loop between PBX systems to evade detection. Additional forms of service theft include capturing "calling card" details and on-selling calls charged to the calling card account, and counterfeiting or illicit reprogramming of stored value telephone cards.
2. Communication in furtherance of criminal conspiracies
There is evidence of telecommunications equipment being used to facilitate organised drug trafficking, gambling, prostitution, money laundering, child pornography and trade in weapons (in those jurisdictions where such activities are illegal). The use of encryption technology may place criminal communications beyond the reach of law enforcement.
3. Telecommunications privacy
Digital technology permits perfect reproduction and easy dissemination of print, graphics, sound, and multimedia combinations. The temptation to reproduce copyrighted material for personal use, for sale at a lower price, or indeed, for free distribution, has proven irresistable to many.
4. Dissemination of offensive materials
Content considered by some to be objectionable exists in abundance in cyberspace. This includes, among much else, sexually explicit materials, racist propaganda, and instructions for the fabrication of incendiary and explosive devices. Telecommunications systems can also be used for harassing, threatening or intrusive communications, from the traditional obscene telephone call to its contemporary manifestation in "cyber-stalking", in which persistent messages are sent to an unwilling recipient.
5. Electronic money laundering and tax evasion
With the emergence and proliferation of various technologies of electronic commerce, one can easily envisage how traditional countermeasures against money laundering and tax evasion may soon be of limited value. I may soon be able to sell you a quantity of heroin, in return for an untraceable transfer of stored value to my "smart-card", which I then download anonymously to my account in a financial institution situated in an overseas jurisdiction which protects the privacy of banking clients. I can discreetly draw upon these funds as and when I may require, downloading them back to my stored value card (Wahlert 1996).
6. Electronic vandalism, terrorism and extortion
As never before, western industrial society is dependent upon complex data processing and telecommunications systems. Damage to, or interference with, any of these systems can lead to catastrophic consequences. Whether motivated by curiosity or vindictiveness electronic intruders cause inconvenience at best, and have the potential for inflicting massive harm (Hundley and Anderson 1995, Schwartau 1994).
While this potential has yet to be realised, a number of individuals and protest groups have hacked the official web pages of various governmental and commercial organisations (Rathmell 1997). http://www.2600.com/hacked_pages/ (visited 4 January 2000). This may also operate in reverse: early in 1999 an organised hacking incident was apparently directed at a server which hosted the Internet domain for East Timor, which at the time was seeking its independence from Indonesia (Creed 1999).
7. Sales and investment fraud
As electronic commerce becomes more prevalent, the application of digital technology to fraudulent endeavours will be that much greater. The use of the telephone for fraudulent sales pitches, deceptive charitable solicitations, or bogus investment overtures is increasingly common. Cyberspace now abounds with a wide variety of investment opportunities, from traditional securities such as stocks and bonds, to more exotic opportunities such as coconut farming, the sale and leaseback of automatic teller machines, and worldwide telephone lotteries (Cella and Stark 1997 837-844). Indeed, the digital age has been accompanied by unprecedented opportunities for misinformation. Fraudsters now enjoy direct access to millions of prospective victims around the world, instantaneously and at minimal cost.
8. Illegal Interception of telecommunications
Developments in telecommunications provide new opportunities for electronic eavesdropping. From activities as time-honoured as surveillance of an unfaithful spouse, to the newest forms of political and industrial espionage, telecommunications interception has increasing applications. Here again, technological developments create new vulnerabilities. The electromagnetic signals emitted by a computer may themselves be intercepted. Cables may act as broadcast antennas. Existing law does not prevent the remote monitoring of computer radiation.
It has been reported that the notorious American hacker Kevin Poulsen was able to gain access to law enforcement and national security wiretap data prior to his arrest in 1991 (Littman 1997). In 1995, hackers employed by a criminal organisation attacked the communications system of the Amsterdam Police. The hackers succeeded in gaining police operational intelligence, and in disrupting police communications
9. Electronic funds transfer fraud
Electronic funds transfer systems have begun to proliferate, and so has the risk that such transactions may be intercepted and diverted. Valid credit card numbers can be intercepted electronically, as well as physically; the digital information stored on a card can be counterfeited.
Right now electronic funds transfer fraud is the most famous type of cyber crime. Every year the rate of case about electronic funds transfer fraud always increasing especially in credit card information stealing. From www.spamlaws.com they wrote about credit card stealing in 2005,”Credit card fraud statistics show that about $2.8 million was lost due to credit card fraud, from fraudulent use of MasterCard and Visa alone. In total, credit card fraud costs cardholders and credit card issuers as much as $500 million a year.”
D. Identity Theft
Identity theft is really identity fraud.This criminal uses someone else's identity for their own illegal purposes.Examples include fraudulently obtaining credit, stealing money from the victim's bank accounts, using the victim's credit card number, establishing accounts with utility companies, renting an apartment, or even filing bankruptcy using the victim's name. The cyberimpersonator can steal unlimited funds in the victim's name without the victim even knowing about it for months, or even years.
Anyone who relies heavily on credit cards, Social Security Numbers or network blogging is more susceptible to credit identity theft. Many of our modern conveniences also come with a risk and less protection. The digital age is the perfect age for the Cyber criminal to commit it. Think of the internet as a dark alley in the middle of the night. And these cyber criminals are those people hiding there waiting for the victims to make a mistake.
Credit identity theft is a very damaging crime because it not only damages the person financially but also damages the person's reputation as well. Imagine someone borrowing money using your name and never telling you. You will both bear with the burden of paying back the money he borrowed and suffer the humiliation of having this blunder under your name.
Identity theft has been referred to by some as the crime of the new millennium. It can be accomplished anonymously, easily, with a variety of means, and the impact upon the victim can be devastating. Identity theft is simply the theft of identity information such as a name, date of birth, Social Security number (SSN), or a credit card number. The mundane activities of a typical consumer during the course of a regular day may provide tremendous opportunities for an identity thief: purchasing gasoline, meals, clothes, or tickets to an athletic event; renting a car, a video, or home-improvement tools; purchasing gifts or trading stock on-line; receiving mail; or taking out the garbage or recycling. Any activity in which identity information is shared or made available to others creates an opportunity for identity theft.
It is estimated that identity theft has become the fastest-growing financial crime in America and perhaps the fastest-growing crime of any kind in our society. The illegal use of identity information has increased exponentially in recent years. In fiscal year 1999 alone, the Social Security Administration (SSA) Office of Inspector General (OIG) Fraud Hotline received approximately 62,000 allegations involving SSN misuse. The widespread use of SSNs as identifiers has reduced their security and increased the likelihood that they will be the object of identity theft. The expansion and popularity of the Internet to effect commercial transactions has increased the opportunities to commit crimes involving identity theft. The expansion and popularity of the Internet to post official information for the benefit of citizens and customers has also increased opportunities to obtain SSNs for illegal purposes.
Victims of identity theft often do not realize they have become victims until they attempt to obtain financing on a home or a vehicle. Only then, when the lender tells them that their credit history makes them ineligible for a loan, do they realize something is terribly wrong. When they review their credit report, they first become aware of credit cards for which they have never applied, bills long overdue, unfamiliar billing addresses, and inquiries from unfamiliar creditors. Even if they are able to identify the culprit, it may take months or years, tremendous emotional anguish, many lost financial opportunities, and large legal fees, to clear up their credit history.
Identity theft occurs in many ways, ranging from careless sharing of personal information, to intentional theft of purses, wallets, mail, or digital information.
There are some reasons why the attacker can steal the credit card information:
1. Unsecured network
Poisoning technique is quiet complicated. First, the attackers need to connect to the same network with the target. After that, the attackers have to look for the IP address of the target. The next step, the attackers should poison the target computer with ARP poisoning or with trojan horse. Then the computer target will move following the attackers track. The attackers will bring the target into fake shop site, and make the target unrealized that he/she has entered the credit card information.
This technique is unstable, why? Because it's depend on the attackers luck. Just like poisoning, the attackers have to connect to the same network with the target. After that, the attackers should scan all of MAC address in the network. Next, the attackers start the sniffing program, such as Cain and Able or Wireshark. Last, the attackers should wait until someone in the network open a shop site and enter the information of the credit card.
2. Vulnerabilities on the site
1. SQL Injection
With this vulnerability the attacker can enter admin panel without knowing the username and password. They just need to enter a right syntax as username and password to enter the admin panel. If they are already in admin panel they can see the complete information of the buyer.
2. Blind SQL Injection
Blind SQL injection is the most favorite vulnerability for the attackers. The attackers will only need the web browser to do this technique. First, the attackers have to found a right page to be injected with some syntax. After that the attackers should drop all database table, and looking for user table or admin table. If there is user table the attackers can drop the column and the attackers could get the full data of the user, included the credit card information. But, if user table doesn't exist, the attackers should use the admin table. The attackers should drop the admin column and search for the admin password. After the attackers cracks the admin's username and password, the attackers could go to the admin panel and look for the information of the buyer.
3. Order log
Order log is an old vulnerability, but there's still websites that have this vulnerability. With this vulnerability the attackers only need to use search engine and look for the order log. If the order log has already founded the attacker will open it, and suddenly get full information about the buyer.
4. Admin Directory
This vulnerability makes visitor of the site be able to open admin directory freely. So, the attacker could use this chance to see the database. Order database is always in the database. In the order database, the data of the buyer will be saved completely, including credit card information.
3. Human error
Social Engineering or Human Manipulating
Attacker could use security weakness which is human. Why? Because human is easy to be manipulated. First, the attackers could request the target to do something unimportant, and then set a trap for the target. Attackers will manipulate the target to follow the attacker's scheme. Then, if the target has already been trapped, the attacker could make the target gives the complete information about the credit card.
There are several ways that can be done to avoid the potential victims from identity theft :
1. The potential victims should request a complete credit report every once a year and check it closely.
2. When get unwanted pre-approved credit card offers, shred them up before tossing them.
3. When in public, do not recite social security number outloud to a bank teller or store cashier.
4. Use a secure mailbox that locks.
5. When asked to give mother's maiden name as a code access, use another key word instead.
6. Change the personal identification numbers on accounts regularly.
7. Pick up and keep printed receipts at bank machines or gas pumps.
Even if have been victimized, there are still things that can be done :
1. Before calling the police, contact bank or credit card company and freeze the account. The reason for this is twofold: first, it will help minimize monetary loss, and two, most banks and creditors have a time period in which the notification still valid and can be used to protect the victims.
2. Then call the police department. It does not matter if the identification is being used in the victim's city or halfway across the world because the police are required by federal law to take the report.
3. After making police reports, the victim could contact any of national credit bureaus and put a fraud alert on their account.
4. While dealing with the credit bureau, the victim should get a current copy of their credit report. And read it carefully.
5. Then, the victims can contact their insurance company and ask for compensation. At least one insurance company has developed an insurance policy to help deal with identity theft.
Anonymous. Computer Crime Definition. cited from http://www.mariosalexandrou.com/definition/ computer-crime.asp [21 November 2009]
Anonymous. Cybercrime. cited from http://www.techterms.com/definition/cybercrime [21 November 2009]
Australian Institute of Criminology. Nine Types of Cybercrime. cited from http://www.crime.hku.hk/ cybercrime.htm [21 November 2009]
Hoar SB. Identity Theft: The Crime of The New Millennium. cited from http://www.cybercrime.gov/ usamarch2001_3.htm [5 December 2009]
Karnow CEA. Cybercrime. cited from http://www.davislogic.com/cybercrime.htm [5 December 2009]
Herries S. Overcoming Identity Theft: What to Do After You Have Been Comprimised. cited from http://www.associatedcontent.com/article/272448/overcoming_identity_theft_what_to_do_pg2.html?cat=17 [5 December 2009]