Identity Theft: Common ways of theft and preventions


Identity theft begins when someone takes your personally identifiable information (PII), such as your name, Social Security number (SSN), date of birth, or home address, without your knowledge or permission, for their personal financial gain.

Identity theft has become a nightmare for all of us. Organizations and institutions are investing heavily in identity management and in preventing breaches and theft. As individuals, we need to understand the different techniques criminals use for identity theft so that we can not only raise our awareness but also prevent it from happening. I will go into detail on the most common ways of theft and shed light on prevention steps.

Hackers and criminals use so many techniques that it helps to categorize them into offline (non-technical) and online (technical) identity theft attacks. Let us find out how these attacks are carried out and how we can prevent them.

Offline or non-technical attacks



Mail theft: This is when a thief targets your mailbox and searches through your documents in search of paperwork that may have sensitive personal identification information on it. Things like government files or credit card applications that are pre-filled out are just a few of the items that may be targeted. Identity theft criminals, at times, have been known to re-direct your mail by submitting a change of address to the post office.

Prevention: You should monitor your mail regularly. If you suspect that someone has been taking mail out of your mailbox, contact the post office immediately. Do not leave your mail in the mailbox for extended periods. Use a locking mailbox if possible, or rent a box at the post office. If possible, receive your bills and make payment online.

Dumpster Diving: Criminals will go through your trash looking for utility bills, credit card bills, medical insurance documents, bank statements and other personally identifiable information. This crime is surprisingly common.

Prevention: You should shred everything with a cross-cut paper shredder before disposing of it. Another method is to go paperless by receiving statements and making your payments online. Keep track of your credit report and report any discrepancies to your credit card company and the credit bureaus.

Social Engineering: Social engineering is the practice in which highly skilled criminals or actors, whether in person, over the telephone, or by computer, deceive someone into divulging sensitive information. Usually, social engineers know some information that leads the victim to believe they are legitimate and to give up the information asked for. Pretexting is also part of social engineering.

Prevention: The best approach is to stay diligent. Do not give out any personal information to anyone you do not know. If in doubt, do not be afraid to obtain the person’s contact number; let him/her know that you will call him/her back. Verify the person’s identification. Also verify with others, or with the company the person is representing, that such information is really needed.

Shoulder surfing: The criminal attempts to get close enough to you so that when you enter password information, such as a PIN at an ATM, the thief can record it. Although this typically occurs in a public setting, where the victim and their credentials are in plain sight, it may also occur through a video camera set up by the criminal.

Prevention: You should be aware of your surroundings when you are accessing any accounts that require you to enter a password or PIN in public. If someone stands too close to you, do not be afraid to ask the person to move back. If he/she is not willing to do so, let the person go first. Remember, it is better to be safe than sorry. If you do not feel safe, leave the place immediately.

Old-Fashioned Stealing: Criminals target wallets and purses, mail, bank and credit card statements, pre-approved credit offers, new checks, tax information, personnel records, or bribe employees who have access.

Prevention: Limit the amount of personal information you carry with you. Do not carry your Social Security card, blank checks, old deposit slips, or any information that may contain your login and password information. Women are advised to keep their purses closed and secure at all times. Carry your purse close to your body, with the bag in front so that you can keep it within your sight.

Online or technical attacks



Social Networking: Criminals regularly search social networking sites to steal personal information like name, date of birth, address and other details that they can use to commit fraud.



Prevention: You should be careful when posting on social networking sites such as Facebook and Twitter. Avoid listing your personal information on these sites. Always use the privacy settings of the social networking site.

Skimming: Criminals steal credit/debit card numbers by using a special storage device attached to ATMs. The device reads the magnetic strip on your card, and thieves use the captured data to commit fraud.

Prevention: Make it a habit to periodically check your credit reports. This helps you discover if anyone made unauthorized purchases or has stolen your identity to access your bank accounts or open other lines of credit in your name. Try to minimize credit transactions and use cash instead.

Pretexting: Criminals use false pretenses to obtain your personal information from financial institutions, telephone companies, and other sources. This is when a thief dupes their victim into giving up personal information by playing the “con game.” Whether by phone, in person or over the internet, they will use a piece of information they already have about you to make themselves seem legitimate. Criminals will call you on the telephone and make you believe they are a business that requires this information.

Prevention: Verify who you are speaking to. Ask for a call back number, and question why they need this information. Look for the telephone number of the company the individual says he/she works for. Call the company. See also Social Engineering.

Man-in-the-Middle: Criminals intercept the communication between two parties and record the information without the knowledge of either party. They then use this information to steal personally identifiable information.

A common scenario is searching for the URL of a company, say http://mybank.com. Once you find it, you click the link to access the website. However, when the website appears on screen, you do not notice that the URL has changed to something like http://badguys.com/http://myvictim.com. The link has redirected you to the criminal’s website. Any information you enter there is now recorded by the criminals.

Prevention: Be more diligent when you access a website from web search results. Always check that the website address is legitimate by verifying the URL in the address bar. Do not create or enter information such as login details if the website is not “https”.
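The address-bar check described above can be expressed as code. This is an added example, not part of the original article: the function name `check_url` and the warning labels are hypothetical, and the sample URLs other than the article's own are constructed.

```python
from urllib.parse import urlsplit

def check_url(url, expected_host):
    """Return a list of warnings for url; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_host.lower()
    warnings = []

    # The article's rule: do not enter login details on a non-https page.
    if parts.scheme != "https":
        warnings.append("not-https")

    # Only the host part decides where the browser connects. Accept the
    # expected domain itself or a subdomain of it, nothing else.
    if host != expected and not host.endswith("." + expected):
        warnings.append("host-mismatch:" + host)

    # Text before '@' is userinfo, not the site, so a URL such as
    # https://mybank.com@badguys.com/ really connects to badguys.com.
    if parts.username is not None:
        warnings.append("userinfo-present")

    # Heuristic: a second URL inside the path or query, as in the article's
    # example, is worth a second look even though redirects can be benign.
    if "://" in parts.path or "://" in parts.query:
        warnings.append("embedded-url")

    return warnings

if __name__ == "__main__":
    samples = [  # constructed sample URLs, apart from the article's example
        "https://mybank.com/login",
        "http://badguys.com/http://myvictim.com",
        "https://mybank.com@badguys.com/",
        "https://mybank.com.badguys.com/login",
    ]
    for sample in samples:
        print(sample, "->", check_url(sample, "mybank.com") or "ok")
```

The last sample shows why the comparison is made on the whole host name: a legitimate-looking name at the start of the host does not make the site legitimate.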

Phishing schemes: Increasingly popular now that almost all business is conducted via the internet, this crime is committed when hackers access files on your computer that could contain the keys to your identity. By pretending to be financial institutions or companies, criminals can send spam or pop-up messages to get you to reveal your personal information. These attacks occur in a number of ways: cell phone texting (SMS), social networks, emails with or without attachments, and standard mail in your mailbox.

  • Malware based: Criminals attach harmful computer programs to emails, websites and other electronic documents on the internet, such as PDF, DOC, XLS, PNG or JPEG files. They will make you feel that these emails are from a legitimate person, company or organization that you know.
  • SMShing: Criminals also send spam text messages pretending to be financial institutions or other legitimate organizations. These text messages carry a sense of urgency that may lead you to disclose your personal information by clicking on the link that appears in the text message.
  • Vishing: This is also known as “voice phishing”. Criminals often contact you over the telephone, pretending that the call is from a legitimate organization or government agency. You may have received calls or voice messages pretending to be from the IRS about a serious audit issue that can lead to arrest by the FBI.
  • Spam based: In this type of attack, criminals, known as spammers, send repeated spam emails to you. These emails offer you scholarships, free products, business partnerships, etc. Spammers also pretend to be a financial institution or organization you might belong to.
  • Spear phishing: This attack is similar to email spamming, but it targets businesses. Criminals or spammers send emails to almost every employee of the organization, and the emails can be written to look as if they were sent by a division within the organization.

Prevention: Protect yourself by contacting the security administrator or help desk in your organization. Do not reply to the email. Do not open any attachment. Do not click any link provided in the email. If you accidentally open the attachment or click the link, immediately notify the security team for further investigation. Be cautious when downloading or installing programs from the Web. Do not click on or fall for offers of free games, movies, or software on the internet.

Check out www.antiphishing.org or www.spamhaus.org, which maintain active lists of phishing schemes or allow you to check whether a website is suspected of phishing.

For network or system administrators: if you are a fan of free tools for doing your job, always check whether the downloaded file is legitimate. You can check it at www.virustotal.com.

Employment scams: These scams advertise a bogus job with a high salary and benefits compared to other companies for the same job. The criminal’s website will ask you to enter personal information such as your SSN, in addition to other personal information.

Prevention: Do not fall into the trap, and always verify that the posting company is legitimate. Research the company before submitting any information or downloading any attachment. If you are not sure, just avoid it. Never give out personal identification information without knowing whom you are dealing with.

A resource for finding out whether a website is legitimate is www.scambusters.org. This website contains reviews of websites along with a message board.