Who is Putting You at Risk for ID Theft?
© 2009 FrontLine Security (Vol 4, No 3)

When it comes to protecting their identities, consumers are being threatened and pressured from all sides. It’s not just scam artists who are doing everything they can to separate you from your birth date and social security number; it’s often the online Web sites you choose to use, and – most troubling – those in authority as well.

Let’s look at that last item in detail. In their interest to protect themselves or provide some level of public transparency, many authorities with whom we’re forced to entrust our information don’t trust us back, and in doing so, they’re putting our financial and physical security at risk.

Take, for example, a first visit to a doctor’s office. Nearly all doctors will insist on a copy of your medical insurance card. Then you’re asked to fill out a medical history form. Finally, almost every doctor’s office in the United States insists on taking a photocopy of your driver’s license. Whether you’re sick or not, if you refuse to provide all the information requested, you’re usually turned down for care.

So your choice is putting your identity at risk or seeing a doctor.

How is that information protected? In most cases, it is put into your “file,” which is just that, a paper file. Hundreds of those files litter most doctors’ offices or live in unlocked file cabinets, just waiting to be stolen or copied. Do doctors’ offices perform background checks on every single employee and temp worker they hire? Of course not.

What about schools? The University of Central Florida automates all stages of the application process. If you want to go to school there (or many others in Canada and the United States), you need to get online and upload everything from application essays to references. UCF is extremely careful about online security, so every three months, without fail, you’re required to change your online password. If you don’t change your online password, the school simply deletes it.

To get back in is a simple process, though. Your identifying number for the school is your social security number. And your password is your birthdate. These are items, along with a scan of your driver’s license, that you’re required to provide to the school as part of establishing your account and filling out your application. If you choose to protect your identity and not provide a scan of your driver’s license or give them your SSN or birthdate, you don’t get to go there.

So your choice is putting your identity at risk or going to college.

Once a company “goes public,” meaning it can trade stock with the general public, there’s some expectation of public disclosure. But in most American states (and some provinces), if you incorporate even a small private company, your incorporation documents are stored online for all to see.

These documents include not only the home addresses of all the board members (a serious personal security risk), but scans of the actual signatures of the key individuals. As you might imagine, if you don’t sign your state forms, your application to start a company is going to be denied. And if you don’t sign your yearly state reports, you’re liable for fines and other punishment.

So your choice is putting your identity at risk or having your own company.

Sadly, when confronted with the risk of identity theft they’re subjecting you to, most state/provincial officials, school bureaucrats, and medical office clerical staff seem neither to understand the problem nor to care. Their interest is in getting what they need from you, and your need for self-protection is often way down on the list.

In today’s mostly virtual world, it’s not a physical lock or key that safeguards your life savings, your financial data, your most closely guarded secrets, and your potential for increased indebtedness – it’s your “account.” It could be your email account, your online banking account, your credit card account, your frequent flyer account, your online stock trading account, your insurance account, or even your World of Warcraft account.

Virtually all your wealth, your savings, your thoughts, your plans, and your history is “locked up” in one online account or another. With the right “keys,” all of that information is ripe for the taking.

Many levels of Hacking
In July, 2009, a Frenchman in his early 20s who goes by the handle “Hacker Croll” conducted a penetration attack of the Twitter company. He started by searching online for lists of Twitter employees and what public information he could find: information about their birth dates, their email addresses, names of pets, family members, etc. Once he compiled a large enough list, he was able to begin his attack.

It began by using the “I can’t remember my password” feature of Google’s Gmail. If you can’t remember your password, most online services will offer to give you access to your account if you can provide some other “secret” information – like your mother’s maiden name, your date of birth, your pet’s name, and so forth. Hacker Croll had compiled such a list, and was able to guess his way into the email account of a Twitter employee.

There, he found information that helped him guess and derive other passwords, and gain further access. Within a short time, he had access to a treasure trove of confidential information about the Twitter company and its employees – from corporate strategies and deals in progress to credit card numbers of employees and founders. Hacker Croll then packaged all this information up, and sent it to an online news site, which (although they should have known better) chose to publish some of the juicier bits of news.

In September, 2008, shortly after having been nominated as the Vice Presidential candidate for the U.S. Republican Party, Sarah Palin found the contents of her Yahoo email account published widely on the Internet. Using her birthday published on Wikipedia, a young hacker named “Rubico” published information on her Yahoo account to a site called Wikileaks. The FBI investigated and linked Rubico to one David Kernell, who was later indicted.

Both of these incidents were made possible because email accounts are often the “gateway accounts” to much more confidential information. Many of our more financially secure accounts use email as the ultimate way to reset passwords and gain access in case login information is forgotten. So if a hacker can get into your email account, he has a much better chance of getting into your financial data.

More than 10,000 stolen Hotmail logins and their associated passwords were recently posted on the sharing site Pastebin. Two days later, the BBC reported that the same site contained more than 20,000 stolen account names and passwords for Gmail, Yahoo, AOL, EarthLink and Comcast. Although the exact method of acquisition for these lists is still unclear, authorities have indicated that it was likely through a combination of phishing schemes and trojans (programs hosted on unsuspecting computers, sending information back to a master database).

So why were the passwords posted online? They were mostly accounts beginning with “A” and “B” and were probably a deranged form of advertisement. The posting effectively said, “Look, we have the A’s and B’s. Don’t you want the rest?”

This was followed by a surge in spam related to a fake Chinese electronics shopping site, where the overall goal of the scheme was to separate consumers from their credit card numbers. And that’s really the most common goal of all identity theft: to separate you from your money. Oh, sure, sometimes there’s a “Hacker Croll” out there who wants to show off what he can find, or a David Kernell who has a twisted political motivation, but the primary reason your identity is stolen is money, pure and simple.

Lately, there has been a surge in medical ID theft, particularly in the United States. Medical ID theft occurs when your personal information is stolen and used to gain access to medical care and drugs. In addition to the potential for financial ruin, use of your identity for medical procedures and drugs can “jeopardize your own future treatment,” according to notices from the American Association of Retired Persons.

In solving the identity theft problem, we have created something of a Gordian Knot of inter-entangled interests. Many of our authorities (schools, governments, doctors, hospitals) insist that we provide more and more proof that we are who we claim we are. Online services and even financial institutions want to make our lives easier, making it possible for us to recover account information when we inevitably lose our passwords – and crooks want to take advantage of it all.

According to the nonprofit Identity Theft Resource Center, consumers now spend an average of 600 hours (about $16,000 in equivalent work time) to recover from a single instance of identity theft. As far back as 2003, the U.S. Federal Trade Commission said that more than 10 million customers were victims of identity theft every year (and you know that’s increased a lot over the past years).

So what do we do about it? Consumers need to become more diligent. Instead of using obvious passwords, you should start to use random combinations of letters, numbers, and symbols. I know it’s a lot harder to keep track of those passwords, but there are many free password tracking programs that can help. Change your passwords regularly. You should also get regular credit reports and check all your accounts at least monthly to make sure there’s no unexpected activity.

Banks and online services are constantly working on improving security. Many banks now require users to choose a picture password, as well as an alphanumeric one. If you can’t pick the correct picture, you’re not allowed into your account.

But the real improvement needs to be with those in authority who seem to think their own security is more important than that of consumers.

Governments, agencies, schools, doctors, and hospitals need to be trained on identity theft risks and they need to understand that they are potentially hugely liable if their records, often containing thousands of pieces of confidential information, fall into the wrong hands.

It’s not enough just to improve the security of record keeping. More, they need to stop putting citizens at risk, stop posting confidential and identity information to the Internet, and stop collecting copies of thousands of drivers’ licenses and other ID that could then fall into the wrong hands.

Bottom line: identity theft is a huge mess. We need to be on the same side, and we need to do everything we can to make sure consumers’ identity information is protected.

David Gewirtz is the Cyberterrorism Advisor for the International Association for Counterterrorism and Security Professionals, a member of the FBI’s InfraGard program, and a member of the U.S. Naval Institute. He can be reached at [email protected].