So every day we go about our usual business, we travel from home to work, we take money out at the bank, we receive letters, we turf letters….and a variety of other daily tasks. Funnily enough in this day and age people are still not being careful enough when it comes to fraud based attacks and identify theft attacks.
Let’s look at the impact…
Identity crime causes financial damage to consumers, lending institutions, retail establishments and the economy as a whole. Amongst its other impacts identity crime:
- fuels other criminal activity
- erodes trust in service providers
- causes emotional distress for victims
- increases investment in time and resources required by law enforcement
- increases business investment in methods of securing customer’s private information
- causes business/individual financial losses that are never recovered
- can threaten the safety of people who may have data exposed
- can lead to innocent people being refused employment, denied credit, receiving bills for items not purchased by them or even arrested for crimes they did not commit.
How Identity Criminals Work
Organised criminal groups capitalise on every opportunity to exploit new technology to commit identity crime. They will use professionals or facilitators to help them commit their crimes. They may use IT specialists, people who specialise in identity theft or just a random person to steal credit card numbers, and then hand them off to someone who makes fake cards.
Identity thieves use a wide range of methods:
- Stealing a wallet or purse – to gain access to identity documents such as driver’s licences, bank cards and membership cards.
- Rifling through rubbish – looking for bank and credit card statements, pre-approved credit offers and tax information, (common referred to as ‘dumpster diving’) even old gas and electricity bills that can contain personal information. Criminals have also realised that dumped or resold computers may contain files and data that can be used for financial gain.
- Mail forwarding – filling out a change of address form to redirect mail to them to gain information.
- Unsolicited contact – phone calls claiming to be from banks asking to update personal information, or criminals posing as market researchers.
- Card skimming – when someone at a commercial business copies information from the magnetic strip on your credit card as a purchase is made, selling the information to professional criminal gangs. This may also take place at an automatic teller machine (ATM) where an electronic device attached to the machine ‘copies’ the data from the card while the personal identification number (PIN) is observed via a hidden camera.
- Internet sites – sharing personal information to gain access to websites and buy goods. Criminals can take the personal information to fraudulently obtain credit. Social networking sites also present opportunities. While people don’t present personal information to strangers in the street, they will build online profiles that include detailed personal information such as their birthday and age, residential suburb, relationships and life stories.
- Phishing – sending an email to a user that falsely claims to be from an established legitimate business in an attempt to trick them into revealing private information so the criminal can obtain money from accounts.
- SMShing – Phishing via short message service (SMS).
- Corporate identity theft – by accessing publicly available company records, criminals can change names of company principals and registered addresses. They can then trade off the back of the real company’s good name and obtain goods and services on credit from suppliers, lodge tax returns and gain tax refunds, or even take money from company bank accounts.
- Impersonating a deceased person – criminals may note the age, date of birth and address of deceased people from announcements relating to the death or funeral and use those identities to commit crimes.
- Shoulder surfing – thieves observe people at ATMs while they are keying in their PINs or listening in while a person provides credit card numbers to a person at the other end of their mobile phone.
- Hacking – unsolicited access into a financial institution’s website to obtain e-banking details of customers or using keylogger programs to target online chatrooms and instant messaging systems and gain personal information.
- Lottery – a scam where a person is advised that they have won a lottery they have not entered. They are then asked to provide personal information to prove their identity and/or send a fee or bank account details in order to collect the prize.
Check out this blog from Brian Krebs to see what some skimming devices look like: http://krebsonsecurity.com/2012/07/atm-skimmers-get-wafer-thin/
Make sure you check your bank statements for any anomalies and take a quick look around the ATM before you use it. Simple things can make a big difference. Most ATM’s with skimmers look dodgy, they have lack of lights, pale front end, lack of bank symbols, some even have small pin hole cameras, or if you give the front panel a bit of a pull, sometimes you can feel it being loose. If in doubt don’t use it.
Lately there has been a rise in identify theft from portable skimmers, for example the ones used at restaurants. There are numerous dodgy suppliers out there where you can just provide the EFT model you want, and they will give you an exact duplicate but with all the nasty bits inside including the skimming components and storage medium. Most of these devices range between USD3000 and USD8000 – but the more you buy the more they are discounted.
I personally can’t understand how these suppliers operate, but clearly there is a loophole somewhere in the system, or they are operating from countries with lack of laws. At the end of the day it’s all just a matter of YOU being vigilant.
I have talked before about not putting your date of birth anywhere public on the net – common knowledge really – but your address and utility information also needs to be kept private. A date of birth, or a name/address and phone number is all someone needs to commit identity fraud as you. This can be easily mitigated by shredding documents or securing documents.
Recent crime statistics for Australia put the cost at over $1 billion per year in identity theft related crime (crimecommision.gov.au).
Passports (as we have seen recently in the news) are easily forged and obtained in the use of identity theft attacks. Let’s look at some examples.
Below is an image from the front page of a site that provides fake passports and driver’s licenses.
On their website they boast that they have a new option of document duplicates producing, i.e cloning of the real existing document but with your photo.
This is what their craftsmanship looks like:
and the scariest part..
How does that even happen!?
So now you have seen just how easy it is for people to create fake documents and steal your money via skimming, but there are some pretty simple ways to protect yourself:
Protect your personal information
- lock all personal documents in a safe container when you are not using them
- keep copies of key documents in a secure location
- only carry essential personal information
- destroy personal information before putting it in the bin
- put a lock on your letterbox
- do not respond to suspicious mail or email
- do not store personal details on mobile phones or wireless devices
- avoid giving personal or financial information over the phone
- ask questions
- activate caller ID on your phone and record the numbers of unusual calls
- contact the Do Not Call register on 1300 792 958 or www.donotcall.gov.au to opt out of receiving certain telemarketing calls
- treat requests for copying your personal documents with caution
- protect your documents when you are travelling
- protect your financial information
- order a copy of your credit report annually
- check your billing and account records carefully
- be wary about giving your personal or financial information to anybody with whom you have not initiated contact
- limit the credit you have in certain accounts
Protect information on your computer or mobile device
- use passwords and access controls
- use AV and phishing/malware protection
- choose strong passwords and change them regularly
- Use encryption!
- protect your passwords—do not select the ‘remember my password’ option
- avoid giving out personal information over the internet
- never click on a link or open an attachment in an email from someone you don’t know and trust
- exercise caution when using social networking sites
- avoid using public computers to access your personal information
- ensure no personal information remains on your computer hard drive before you sell or dispose of it (there are plenty of great Linux wiper tools out there)
- ensure no personal information remains on your mobile phone before you sell or dispose of it