
CIFAS – The UK’s Fraud Prevention Service

A special report on online fraud

Digital Thieves

www.cifas.org.uk | October 2010

CIFAS is proud to support National Identity Fraud Prevention Week 2010

Page 2

In this Report...

Is your identity a disposable asset? (page 3)
As our online lives evolve, don’t forget the basics (page 6)
Identity fraud – advice for the consumer (page 8)
Stay one step ahead of the cybercriminals (page 10)
The ‘victimless’ crime? (page 12)
The fraud landscape (page 13)
Account takeover: the other risk for internet users (page 16)
What happens next? The evolution of e-crime (page 18)
How even a business can fall victim to identity fraud (page 22)
Internet enabled identity fraud – the police perspective (page 24)
Have the rules changed? (page 26)

Digital Thieves: a special report on online fraud

The world is changing all the time. From the economic conditions we find ourselves in, to the way we do our research, contact our friends and colleagues, and make our purchases, hardly a day goes by without a change from what went before.

Of course, some things never disappear – but they evolve. Only a few years ago, identity fraud was a crime that, although too frequent, was relatively stable. Over the past two years, however, it has shot up at an alarming rate, as has the takeover of accounts by fraudsters. Without doubt, the increasing speed and penetration of the internet into almost every layer of society has helped to fuel this acceleration – as well as change the ways in which we need to fight this threat.

In Digital Thieves, CIFAS and a wide range of fraud prevention experts have combined not only to focus on identity fraud and account takeover, but also to explain specifically the online dimension to these crimes. There are tips on staying safe and protected from online fraud; stories from the victims of fraud; a series of maps laying bare the true, alarming, scale of these crimes; an examination of how businesses can fall victim; and articles looking at how internet crime has developed and what may, or may not, happen next. In addition, interspersed throughout this report you will find definitions of many of the most common terms as well as statistics from a range of authoritative sources.

I hope that you will find this report helpful, practical and reader-friendly.

Peter Hurst, Chief Executive
CIFAS – the UK’s Fraud Prevention Service

CIFAS is a not-for-profit organisation, concerned solely with the prevention of fraud and is funded by subscription.

For further details about any of the articles in this report, please contact CIFAS at press@cifas.org.uk.

Website: www.cifas.org.uk | www.identityfraud.org.uk

Page 3

Is your identity a disposable asset?

CIFAS Reports

In the first nine months of 2010, nearly 80,000 instances of identity fraud have been identified by CIFAS Member organisations. Many of these frauds will be the result of opportunist fraudsters taking advantage of a situation that presents itself: e.g. finding the personal information of their potential victim, or targeting friends and family where they already know everything they need to know to commit the fraud (and since the victim will not actually lose out financially, they wrongly think that this makes their dishonesty ‘OK’). There are, however, those victims of identity fraud who have fallen prey to a professional. These fraudsters are highly organised and dedicate a lot of time and effort into accumulating the greatest return – either for personal gain or, in some instances, financing further criminal activity.

Traditionally, organised fraudsters’ identity fraud victims of choice have been middle-aged men: earning good money and probably owning their own home. Fraudsters did, indeed, pursue the stereotype of who was a ‘good credit risk’ and, therefore, targeted the identities of those they thought most likely to provide a good source of income. And if, as a fraudster, you’ve put the effort into finding this identity you might as well make the most of it and use it again: several times, in fact. A good identity to abuse is a valuable commodity for the fraudster. Sadly, it has always been the case that identity fraud victims could expect to have their good name abused several times with different organisations. This meant that, if you were the victim of identity fraud, you could expect to spend hours of your time unravelling and undoing the mess that the fraudster would have made of your credit file.

The bad news is that instances of identity fraud have been increasing over the last few years. More people are being victimised. It is possible, however, that the pain is being spread more thinly (not that this is, necessarily, any comfort).

One reason for the increase is the availability to fraudsters of large quantities of personal details. Some of this data will have entered the criminal domain through staff fraud (company employees either paid or coerced into disclosing to criminals the personal details of customers or other staff members). The majority, however, are likely to be as a result of the compromise of personal data over the internet. This compromise could occur through phishing or the deployment of malware (see page 4 definitions). Whichever way criminals collect their victims’ data, the key aspect is that they can collect a lot of it. This is not the specific identification of a target: it is far more random. The fraudster will be happy to take the personal details of whoever is deceived by the phishing scam, or whose computer protection can’t keep up with those creating the malware. This change in identity fraudsters’ tactics can be seen manifesting itself in a number of different ways:

Definition: Identity Fraud

Identity Fraud is the use of a stolen or completely false identity to obtain goods or services by deception. This was traditionally facilitated by the use of stolen or forged identity documents such as a passport or driving licence.

Page 4

1 - Over the last couple of years, the ratio of female to male identity fraud victims has been changing. In the first 9 months of 2010, women accounted for just over a third of victims: a gradual increase that has been building up over the past few years. While it would be nice to believe that fraudsters have acknowledged the greater equality in society between men and women, it is probably more likely that this is a symptom of the source of the identity compromise rather than enlightened attitudes to gender.

2 - Another reason for the belief that randomisation is increasing in e-enabled identity crime can be seen in Figs. 1 and 2. These maps show the location of the victims of identity fraud where the offences fit the profile of frauds that have been e-enabled, and those that have not. For each part of the country with roughly equal populations, the number of people per identity fraud was calculated, and this was graded according to whether there were fewer people per fraud than average (i.e. more fraud per person) or more people per fraud (less fraud per person). Red colours indicate that the fraud problem is worse than average in an area, and green indicates that the problem is less than average.

What these maps show is that where the fraud is believed to be e-enabled (Fig. 1), the instances of victimisation are more evenly distributed than where there is less evidence of e-involvement in the fraud (Fig. 2). Fig. 2 (frauds not believed to be e-enabled) shows evidence of far greater variation and extremes of colours: with far more ‘safe’ areas than can be seen on Fig. 1. While the maps cannot be considered a perfect and definitive split between what is e-crime and what is not (some cases ‘fit the profile’ but the source of the data compromise is not the internet, and vice versa), they give a good indication that where the crime is e-enabled there is a greater distribution of the location of victims; while there are more ‘very bad’ and ‘very safe’ areas where the fraud is not e-enabled.

Definition: Phishing

Phishing attacks involve the mass distribution of emails which appear to originate from legitimate sources – including financial institutions, charities or even government departments. Victims are often directed to fake websites and are tricked into revealing information that gives an attacker access to the victim’s bank account, payment card details or personal information.

[Fig. 1: Risk of identity fraud being enabled by e-crime. Map legend: Highest Risk to Lowest Risk. © CIFAS 2010. See back cover for attribution.]

Definition: Malware

Malware is malicious software that infects a victim’s computer. It can capture private information stored on an individual’s computer and send it to fraudsters, who can use that information to impersonate the individual and commit fraud. Malware can also hijack your web browser, redirect your search engine attempts, bombard your screen with pop-up advertisements and even monitor your web activity. Most malware programs will reinstall themselves even after you think they have been removed. Types of malware include viruses and spyware (page 6), worms (page 19) and trojans (page 24) among others.

Page 5

There is an ‘upside’ to the fraudsters getting their hands on data en masse. The chosen victim is no longer nursed through applications until their credit file is such a mess that the victim cannot legitimately obtain goods and services. If a fraudster has hundreds of identities, then they only need to use each identity once. The identity effectively becomes throw-away. In 2008, 17% of victims were victimised repeatedly while, in the first nine months of 2010, this is down to only 9% of victims. In a perverse way, this could be considered insulting (what’s so wrong with my identity that it’s only used once?!). The advantage for the victim, however, is that the mess that is made of his or her credit history is much less than if they had been victim to more traditional identity fraud.

So, unsurprisingly, more people using the internet gives criminals more identities to compromise – but it appears that the criminal use of the internet is a great social leveller. Your ‘affluence’, gender and location no longer matter in quite the way that they used to. The elitism that had been prevalent in identity fraud victimisation has been diminished.

Anyone can be victimised, of course, and more people are. The silver lining, though, is that while you may be more likely to be a victim, the mess made of your financial life is likely to be less severe because, to some fraudsters, your good name is merely a disposable asset. ●

CIFAS Statistical Update

The following table shows the number of victims of impersonation and cases of account takeover recorded by CIFAS Members, together with the percentage change from the same period of the previous year.

| Year | Victims of Impersonation | Account Takeovers |
|---|---|---|
| 2008 | 62,658 (-3.70%) | 19,275 (+207%) |
| 2009 | 85,402 (+35.65%) | 22,434 (+16.29%) |
| 2010 (to 30 Sept) | 70,233 (+18.38%) | 16,042 (-1.97%) |

Source: CIFAS National Fraud Database

[Fig. 2: Risk of identity fraud being enabled by means other than e-crime. Map legend: Highest Risk to Lowest Risk. © CIFAS 2010. See back cover for attribution.]

Page 6

As our online lives evolve, don’t forget the basics

Tony Neate, Managing Director, Get Safe Online

We are now so used to incorporating the internet into our daily lives that the boundaries between our online and offline selves are becoming more blurred than ever. The average person now spends at least 13 hours a week online[1] and, with over 1 in 4 people now using their mobile phone to access the internet[2], that figure is forecast to grow. It’s hard to remember that (at one point) we had to search through a dusty encyclopaedia for those random life questions – or pick up the phone to contact our friends rather than ‘pinging’, ‘poking’ or ‘BMing’ them!

Although the internet is a fun and rewarding place to be, it’s important to remember some of the threats of using it. We need to ensure that we have the tools and basic knowledge to protect ourselves from fraudsters – especially when using new technologies and devices. For example, over two-thirds of mobile phone users leave themselves vulnerable to opportunistic identity fraudsters when using the internet[3]. This is because they forget to take the same simple measures in protecting their mobile phones as they do with their home PCs. 67% of people accessing the web from their mobiles do not use the password or PIN function to secure their handsets[4] – the first line of defence against fraudsters looking to harvest valuable identity information from lost or stolen devices.

With the online world moving so fast, it becomes confusing knowing how best to arm and defend ourselves from identity thieves. As technologies and trends develop, and we grow ever more skilled at integrating them into our lives, it is easy to forget some of the more basic security measures.

There are two key things to remember about being safe online: first, protect your computer; second, protect yourself by being careful about what you do.

Protecting your computer involves:

• Installing anti-virus software, anti-spyware software and a firewall

• Updating your operating system

• Using up-to-date applications, such as your web browser or word processing package

• Encrypting your wireless network

• Blocking spam emails.

Definition: Virus

A computer virus is a programme that can copy itself and infect another computer. A virus spreads from one computer to another; for instance, by being sent over a local network or the internet, or carried on a removable medium such as a CD, DVD or USB drive. Viruses generally target programmes or files.

Definition: Spyware

Spyware is a specific type of malware that can be installed on computers and that collects little bits of information at any one time about users, without their knowledge. Spyware programs can collect various types of personal information, such as internet surfing habits including sites that have been visited. Spyware can also interfere with user control of the computer, such as by installing additional software and redirecting web browser activity.

[1] Harris Interactive, 2009
[2] Get Safe Online Week Report 2009
[3] Get Safe Online Week Report 2009
[4] Get Safe Online Week Report 2009

Page 7

Once your computer is secured against potential threats, your online behaviour then becomes of paramount importance in protecting your identity. The rise in social media means we are much more open about ourselves online. 41% of people say they use a social networking site on a daily basis[5], illustrating the central role that such sites now play in our lives. As we become more confident using these networks, we can begin to feel ‘untouchable’. We forget that criminals will prey on those who are careless with their personal information.

Your date of birth and where you live are enough for someone to begin building the profile needed to apply for a credit card in your name. So while most people wouldn’t give this information to a stranger in real life, they will happily post it online where people they don’t know can see it.

Being careful online involves:

• Using strong passwords (a mix of numbers and upper and lower case letters)

• Not giving away too much personal information on blogs and social networking sites

• Activating privacy settings on social networking sites

• Not opening email attachments from people you don’t know.

These foundations to online safety are what all internet users need to put in place in order to help protect themselves from some of the dangers. Think of them as the lock on your front door. You might have a complex and expensive alarm system, but that’s of little use if you then forget to lock your front door behind you in the morning! ●

For further information and advice, visit www.getsafeonline.org

[5] Ofcom UK Adults’ Media Literacy, interim report, 2009

With over 30 years in the assistance market, CPP is a leader in identity protection products and services, including a range of identity protection services to offer companies as well as the individual.

CPP works with over 200 business partners including many of the world’s leading financial brands.

Call 07767 212212 for more information on how CPP can protect your customers’ identities and more information on our identity fraud protection service.

www.cpp.co.uk

Page 8

Identity fraud – advice for the consumer

James Jones, Experian’s Consumer Education Manager, explains what you need to know about identity fraud, including some of the online threats, and how you can keep your identity safe.

Identity fraud explained

You are a victim of identity fraud if someone uses your personal details to commit a crime without your knowledge. This typically involves a fraudster applying for new credit, goods or services in your name. Fraudsters can also attempt to profit from your existing accounts, either through individual transactions or, in some cases, by completely taking control of an account and transferring it to a new address.

To succeed, the fraudster will first need to get hold of your personal details without your permission, or even by duping you into revealing them yourself.

Cases of identity fraud have risen steadily for a number of years, despite frequent publicity. In the first nine months of 2010, CIFAS Members reported an increase in identity fraud of 9.68% compared to the same period in 2009, with an 18.38% increase in the number of victims of impersonation. Therefore, we can see more people are being targeted by the fraudsters – suggesting that the use of completely fictitious identities is decreasing.

Banks, lenders and other financial organisations work hard to spot fraud, particularly at the point of application. The vast majority of attempted fraud is actually thwarted. However, the fake applications that manage to evade detection can bring handsome returns for the financial criminals.

Identity fraud is certainly not a victimless crime. For many people, discovering that someone has been using their name and other personal details is a cause of worry and distress. In addition, there’s the inconvenience and cost of setting the record straight, including rectifying a damaged credit record.

Staying vigilant

The fraudster’s biggest weapon is public complacency. If fraud does strike, the more quickly it is spotted and reported, the easier it will be to resolve and the less inconvenience the victim will suffer. Unfortunately, many of us fail to look out for the common signs. This is one of the reasons why identity fraud is often referred to as a silent crime. Based on the victims who have contacted Experian for help, the average time taken for fraud to surface is close to 14 months.

You may be a victim of fraud if you spot any of the following warning signs:

• Unfamiliar items on your bank or credit card statements

• Entries on your credit report that you do not recognise

• Regular items of post not arriving

• Unexpected credit refusal

• Contact from a lender or debt collector about an unknown account or debt.

While spotting fraud early will certainly help to minimise the damage, it’s far better to avoid becoming a victim in the first place. Fraudsters continue to use a range of methods to gather their victims’ personal details. This will include the physical approach (i.e. raiding dustbins and stealing people’s post) but they are increasingly turning their attention to the internet.

A recent survey by Experian’s ProtectMyID service revealed that 57% of people questioned admitted to using data easily available on their social networking sites as passwords for online and telephone accounts. We need to be much more careful.

Staying safe

Page 9

There are many tips given by Tony Neate and Jayne Sankoh-Beacom (pages 6 and 10) regarding how to keep yourself safe online, but don’t forget that you can reduce the risk of your details falling into the hands of criminals in many other ways:

• Check the credentials of anyone asking for your personal information, not only by email, but also by telephone or in the street

• Never share any passwords or PINs with other people, and ensure that you use different passwords and PINs for different accounts: making sure to avoid obvious choices such as mother’s maiden name or your year of birth

• Make sure that you know your billing dates and do not delay in contacting the appropriate organisation should statements or bills not arrive when expected

• A credit report plays a key role in a lender’s decision whether to lend to you, so it’s important to monitor it on a regular basis to check for any inaccuracies or signs of fraud

• If you move home, be sure to redirect all of your post for a minimum period of six months

• Take care to destroy securely any documents that contain your information before throwing them away.

It could happen to the person next to you. Or the one opposite. But you can keep your identity safe.

ProtectMyID monitors your identity 24/7. Our highly trained experts check key areas that identity thieves target most. Should we find anything, we’d alert you by text or email and stay on hand to solve any issues, from start to finish.

All this, and peace of mind, for just £4.99 a month at ProtectMyID.co.uk

1 in 8 people are victims of identity theft. Protect yourself for just £4.99 a month at ProtectMyID.co.uk

Source – Finextra September 2009.

Authorised and Regulated by the Financial Services Authority.

Sources of further advice

Bank Safe Online: www.banksafeonline.org.uk

Identity theft advice: www.identitytheft.org.uk

Credit reference agencies

Experian - 0844 481 8000 - www.experian.co.uk

Equifax - 0844 335 0550 - www.equifax.co.uk

Callcredit - 0870 060 1414 - www.callcredit.co.uk

Where to get help

If you discover fraud, act quickly but don’t panic – help is always at hand.

• Raise the alarm with all the organisations involved. They will tell you whether you need to contact the police.

• Contact one of the UK’s three credit reference agencies. They will help you to identify any fraudulent entries on your credit report, and will contact all of the organisations involved for you. They will also alert the other credit reference agencies.

• Consider a CIFAS Protective Registration. For a small fee this will alert the majority of lenders and other financial organisations to the fraud, so they can take extra care when dealing with new applications in your name.

• Alert your bank to the fraud, whether or not they are involved. They should be able to monitor your account or accounts more closely for you. ●

Page 10

Stay one step ahead of the cybercriminals

Jayne Sankoh-Beacom, Head of Marketing, Garlik

The way in which we use the internet has evolved at a phenomenal pace. In the last five years, the mass adoption of social networking sites such as Twitter and Facebook (which now has over 500 million users) seems to have come from nowhere, and become the norm for web users of all ages. It’s an exciting time, with new opportunities to connect with people and new services arriving every day.

It is easy in this new world of online openness to forget that there are still fraudsters who seek to cause havoc and exploit us as we share more information about our lives. Garlik’s own monitoring suggests that over 40,000 pieces of sensitive and financial information are traded online through the black market every day – that’s 13.2 million a year!

Attacks using malware (page 4) and viruses (page 6) continue to increase despite the efforts of security vendors; and the risk to individuals is greater than ever, as the sophistication of attacks grows. Initial detection rates for most security software are less than 50%, while – in the last 12 months – more malware has been developed than at any other time in the history of the internet![1]

Some malware is designed to use your computer as part of a network to send out spam mail messages, but other types of malware include keyloggers (that record which keys you press) and trojans (page 24), designed to collect personal and financial data from your machine. Fraudsters will then often sell this harvested information on the personal information black market to the highest bidder. Even phishing attacks, which are an attempt to trick users into parting with sensitive information (such as bank details), through carefully crafted e-mails, continue to grow. It is also becoming increasingly common for fraudsters to use phone call and SMS scams to acquire the same information.

Social engineering – the new threat

Social networking is increasingly a target for cybercriminals trying to steal others’ identities. This is not necessarily achieved by gaining access to accounts, but by simply befriending potential victims online, or harvesting the information that users make publicly available. Items such as date of birth, family details, home town, phone numbers and e-mail addresses can all be used (either directly or as a starting point) to build a detailed profile that can be exploited or sold on to others.

While consumers are becoming more careful about what they post online, they do still share information with virtual ‘friends’ and observers that they would not share with someone in the street. This issue is magnified by the complexity of privacy settings on sites. Many users do not appreciate the level of access they may be giving to information about themselves through their extended friendships or publishing through search engines.

Mobile sewing it all together

The smartphone is becoming a window into our lives – somewhere we can manage everything we want on the move. This presents an obvious danger if your phone gets into the wrong hands – as the fraudster will have entry to a one-stop shop of YOUR details! With more than 16 million Brits accessing social networking sites and other online accounts through smartphones, how much attention do users pay to the security of their phones, when compared with their computers?[2]

[1] Qinetiq, 2009
[2] bbc.co.uk and GSMA

Page 11

Garlik’s award winning service DataPatrol monitors your personal and financial information online and helps to protect you from the risk of online identity fraud. For more information please visit www.garlik.com

Be prepared and proactively protect yourself

While there are risks, the best defence against becoming a victim of online fraud is to remain vigilant and suspicious of those ‘too good to be true’ offers and ‘update your login details’ scams. There are some other basic tips to help you stay safe online:

1. Use anti-virus and anti-malware software and keep it up to date.

2. Ensure that you use all security features, such as PIN locks, on your smartphones.

3. Don’t publish your address, phone numbers, emails, date of birth, place of birth, passport or driving licence numbers online – anywhere. This includes any sensitive information on friends’ social networking walls.

4. Be careful about disclosing any of your personal or sensitive information (such as your mother’s maiden name, log-in details or other account information) over the phone, by text or by email to anyone claiming to be from your bank. Vishing (phone phishing) and SMiShing (text phishing) attacks are increasing and it’s easy to be fooled by convincing fraudsters.

5. Check and regularly review your social networking privacy settings – and ensure that you only allow the friends in your network access to your profile. Other options could allow strangers to view your information.

6. Never email your bank account details to anyone, even trusted friends and family. If your email account is ever compromised this presents a goldmine of sensitive personal and financial information to a fraudster.

7. Be wary of any suspicious looking emails claiming to be from your bank and certainly do not open attachments or click on links in these emails.

8. Never access online banking or other sensitive accounts in a public wi-fi hotspot.

9. Make sure your home wi-fi network is set to the highest security settings, ideally WPA2.

10. Before entering any payment details online, check that the site you are using begins with https (the ‘s’ stands for secure) and – if using a high security web browser – that the address bar is shaded green. ●


The ‘victimless’ crime?

Dr Mark Button, Director, Centre of Counter Fraud Studies, University of Portsmouth

The 2007 USA Crime Victimisation Survey found that 6.6% of households in America had at least one person who had been a victim of one of the many guises of identity fraud. This was up from the 5.5% found in 2005. Unfortunately, the UK’s equivalent – the British Crime Survey – does not ask about this; what we get is a question on the fraudulent use of plastic cards in the last 12 months. The percentage of the population who have experienced this has gone up from 3.4% in 2005/06 to 6.4% in 2009/10 – a near doubling. Identity fraud, as explained in this report, could be considered as being a number of different crimes; and without an appropriate survey, it’s impossible to assess precisely how many in the UK have suffered.

Identity fraud is a crime that many wrongly think is victimless – solely associated with credit cards and merely a bureaucratic exercise in reporting it to the appropriate agencies and the victim receiving their money back. It would also be wrong to think that any one variation of identity fraud is more severe than another. This will always depend on the detail. An account takeover on a credit card might only amount to a few pounds which are quickly refunded by the card provider, but can have severe secondary consequences.

The impact, of course, is best illustrated by real victims. In research conducted for the National Fraud Authority/Association of Chief Police Officers [1] (with Jacki Tapley and Chris Lewis) we interviewed a large number of victims – the most extreme of whom was Harold. What started as a minor credit card account takeover (where someone had used his details to pay for services on a website) seemed to be over when he phoned his provider and they dealt with it speedily. A few months later, however, he was awoken in the early hours of the morning by the police, who arrested him and seized his computer on suspicion of downloading child pornography.

Suddenly his life was changed. From being a respected resident he’d become a suspected paedophile. Even though no charges were brought, his reputation has been seriously damaged and he still feels the effects of a small, fraudulent, financial transaction perpetrated by someone else.

David was another victim of identity fraud. A gentleman in his 60s, with a long and distinguished career, he was telephoned by his bank while on holiday. They asked if he had withdrawn £9,500 from one of his current accounts. He had not, of course, and he had never visited the branch where this had occurred, but the bank informed him that the person who had withdrawn this money had used his ‘passport’. David eventually got his money back, but the possession of a fake passport was a great cause for concern. Could the fraudster be using this counterfeit passport to commit further crimes? Might David’s identity be used to ‘marry’ and fraudulently obtain British citizenship for someone? Rightly, he was concerned not only about this but also about his professional reputation being compromised. David’s other concern was that his case seemed to be viewed as low priority by the police (in his opinion).

If you consider that a case involving an individual going into a bank – with a piece of paper ‘saying’ he had a gun and getting the cashier to hand over the money – was investigated by the police and even featured on Crimewatch, while David’s fraudster was unlikely even to be investigated, it highlights the problem faced in dealing with it. This is not to say the robber should not have been investigated, but that they both should have been.

While these extreme cases highlight the need of individuals to take the risk seriously (by equipping themselves with appropriate protection) they also underline the need for greater attention from policy-makers and law enforcement. Identifying the true scale of the problem is a first step – whether this be from a separate study, British Crime Survey or another authoritative source. It is only then that we can gauge what is required, and what can be done to prevent the terrible impact that it can have on victims.

[1] http://www.port.ac.uk/ccfs

11% of the online British population has been a victim of online identity fraud in the last 12 months.

Source: YouGov survey commissioned by VeriSign Authentication (March 2010)


The fraud landscape – what’s happening in your neighbourhood?


Traditionally, London and the South-East are fraud hotspots. Even in the internet age (where fraudsters could be living at the opposite end of the country to the victim), it is no surprise that these hotspots remain – due to the higher population in these areas.

The maps on pages 14 and 15, however, (the result of continuing collaboration between CIFAS and Ordnance Survey) display national pictures for identity and account takeover fraud victims in 2009 and 2010.

What is most noticeable is the ‘spreading out’ effect. In 2009, the distribution of areas with higher numbers of victims of fraud could be said to have followed the M6/M62 and M4/M5 corridors out of London. At that time, the entire East coast from Northumberland to Suffolk (with the exception of Tyne and Wear) was relatively free from fraudulent attacks. Similarly, in 2009, the Welsh/English border counties (from Shropshire down to Gloucestershire), east to Warwickshire and Oxfordshire contained far fewer victims.

The picture for 2010, however, is considerably worse. Throughout England, the number of victims has shot up noticeably – from Cornwall to Cumbria and Suffolk to Hereford and Worcestershire. Very few areas do not show a marked increase. In Wales, too, the hotspots for fraud victims are increasing in size.

Proof, if any were needed, that the location of the victim is becoming increasingly irrelevant to the fraudster.


[Map: Total number of Identity Fraud and Account Takeover Victims 2009 by County. County boundaries 1995 - prior to the introduction of Unitary Authorities. Legend (number of victims): 0 to 500; 500 to 1,000; 1,000 to 10,000; 10,000 to 20,000. Source: CIFAS 2009. © Crown copyright 2009. All rights reserved]


[Map: Total number of Identity Fraud and Account Takeover Victims 2010 by County. County boundaries 1995 - prior to the introduction of Unitary Authorities. Legend (number of victims): 0 to 500; 500 to 1,000; 1,000 to 10,000; 10,000 to 35,700. Source: CIFAS 2010. © Crown copyright 2010. All rights reserved]


Account takeover: the other risk for internet users

Jennifer Perry

Author, e-crime expert and consumer advocate looks at the other fraud issues facing internet users today.

Consumers will often think of identity fraud as being whenever somebody else misuses the victim’s personal information online. Financial services and police, however, have a very clear and precise definition of identity fraud (when a third party impersonates you to obtain accounts such as credit cards or loans, goods or services in your name). When it comes to online threats, therefore, consumers are right to be worried – not necessarily because of identity fraud, but because of threats such as scams or account takeover which is what many may think of as run-of-the-mill credit card fraud (someone else spending on your account).

One of the greatest risks facing today’s internet user – of course – is when the user is duped into buying goods from a fake store, or a dodgy trader. Criminals are frequently turning their attention to the creation of websites that look legitimate. These sites could be used simply to take funds for goods that do not exist, or could be used to obtain your credit card details for use by the fraudster at a later date.

How to spot a dodgy website

Consumers look online for bargains. They want the latest smartphones and designer clothes at the best possible price. After all, we all see bargains on the high street; so when we find them online, people will believe it really is possible to buy that designer handbag with 40% off its price. As a result, many just don’t look for the warning signs of a fake site, or maybe even just ignore them.

Hard-to-get items and gadgets are great for fraudsters. When the latest smartphone, games console or digital camera is announced, criminals immediately put up websites claiming they are selling them. They’ll tell you that they are unlocking/importing them from the USA and that you can be the first to get one in the UK. The obvious question remains, however: if a big retailer, with its buying power can’t get them, how can this small website?

Concert and festival tickets are another hard-to-get item that scammers like (and they frequently target the younger, less savvy, consumer), claiming that they still have tickets when the


Case study

Sally is a 43 year old nurse, and mum to Alice and William:

“I have two little ones, so going around the shops can be a hassle, therefore I often shop online. I mostly shop from high-street names because I feel safer. I’ve signed up to get their sales and promotions emails.

“I’ve never had any problems until last Christmas. When an email arrived with a 25% discount and free shipping if I bought £30 or more – it was a great offer so I clicked.

“There was nothing suspicious about the website. It looked just like the real one. I spent about £60 and I thought I’d saved £15 plus shipping. I even received an email confirming my order.

“It was only when I sent the link to my sister that I realised something was wrong. She had tried to use the special offer website, but it was gone. So I went online to look at my account details from the real retailer. I logged into my online account and my heart sank – there were no orders showing. I knew I had been conned.

“I immediately called my credit card company; they said there had been £250 billed to my account. I cancelled the card and I did get my money back in the end. I’m embarrassed that I was caught out by a scam. But it looked so real, how was I supposed to know it was a forged website?”


Definition: Account Takeover Fraud

Account Takeover (also known as Facility Takeover) Fraud occurs when a third party, rather than going to the effort of impersonating someone and making an application (i.e. for credit, insurance or other products or services), hijacks a person’s existing accounts, policies, etc, and uses them fraudulently.


legitimate agencies have sold out. As tickets are not sent out until the event is almost due (often weeks or months after the sale), the scammers have time to collect the money and disappear. The victim, however, if reporting the theft more than 60 days after the incident, may not be able to get his or her money back from the credit card company.

So what are the warning signs?

1. If it sold out everywhere else, but this no-name website has some.

2. If you know the item is sold everywhere else for £100 but this site will sell it for £75.

3. Can you get in contact with them by phone if something goes wrong? Does it have a UK phone number (not a mobile or other 07 number)? Ring it – does someone answer?

4. Look in the Terms and Conditions – do they provide a physical address? This is required by law in the UK and EU.

5. Put the website address into http://whois.domaintools.com. Do they provide proper contact details? If they are using a proxy or anonymous service – don’t buy from them.

6. Do a Google search with the ‘website name’ and ‘complaints’.
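Warning signs 2 to 5 above can be checked mechanically once the details have been collected; signs 1 and 6, and ringing the number, still need a person. The checker below is an added example, not part of the original report: the field names, the 20% price threshold, the proxy keyword list and both sample shops (including their WHOIS records and phone numbers) are constructed assumptions.

```python
import re

# Assumed keywords suggesting a proxy/anonymous registration (heuristic, not exhaustive).
PROXY_MARKERS = ("privacy", "proxy", "redacted", "anonymous", "whoisguard")
# Assumed threshold: a price 20% or more below the usual price counts as sign 2.
PRICE_RATIO = 0.8


def normalise_uk_phone(raw):
    """Return a UK number in national form (leading 0), or None if it is not one."""
    digits = re.sub(r"[^\d+]", "", raw or "")
    for prefix in ("+44", "0044"):
        if digits.startswith(prefix):
            digits = "0" + digits[len(prefix):].lstrip("0")
    return digits if re.fullmatch(r"0\d{9,10}", digits) else None


def registrant_fields(whois_text):
    """Collect 'Registrant ...: value' lines of a raw WHOIS record into a dict."""
    fields = {}
    for line in (whois_text or "").splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key.startswith("registrant") and value.strip():
            fields[key] = value.strip()
    return fields


def warning_signs(shop):
    """Return the warning signs (2 to 5 in the list above) that a shop triggers."""
    flags = []
    # Sign 2: sold everywhere else for 100 pounds, but this site asks 75.
    if shop["price"] <= PRICE_RATIO * shop["usual_price"]:
        flags.append("price_too_low")
    # Sign 3: a UK phone number that is not a mobile or other 07 number.
    phone = normalise_uk_phone(shop.get("phone"))
    if phone is None:
        flags.append("no_uk_phone")
    elif phone.startswith("07"):
        flags.append("mobile_or_07_phone")
    # Sign 4: a physical address in the Terms and Conditions.
    if not (shop.get("postal_address") or "").strip():
        flags.append("no_physical_address")
    # Sign 5: proper contact details in WHOIS, not a proxy or anonymous service.
    fields = registrant_fields(shop.get("whois"))
    if not fields:
        flags.append("whois_no_contact_details")
    elif any(m in v.lower() for v in fields.values() for m in PROXY_MARKERS):
        flags.append("whois_proxy_or_anonymous")
    return flags


# Constructed sample: a site showing the warning signs described above.
DODGY_SHOP = {
    "price": 75,
    "usual_price": 100,
    "phone": "07700 900123",
    "postal_address": "",
    "whois": """Domain Name: cheap-gadgets.example
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Privacy Proxy Service
Registrant Country: PA
""",
}

# Constructed sample: a site that passes all four checks.
GOOD_SHOP = {
    "price": 95,
    "usual_price": 100,
    "phone": "+44 (0)20 7946 0000",
    "postal_address": "1 Example Street, London",
    "whois": """Domain Name: highstreet-shop.example
Registrant Name: Example Retail Ltd
Registrant Street: 1 Example Street
Registrant City: London
Registrant Country: GB
""",
}

if __name__ == "__main__":
    for name, shop in (("dodgy", DODGY_SHOP), ("good", GOOD_SHOP)):
        print(name, warning_signs(shop))
```

An empty result only means that none of these four signs fired; it does not show that a site is genuine.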

Safety tips

1. Don’t click on links sent via email, instead go to the website and log in.

2. It is better to pay a higher price for a product from a reputable website than save a few pounds and take a risk – think of it as paying extra for insurance.

3. Use different email addresses and passwords for financial and shopping websites from the ones you use for your email and social networking sites. Then, if one account gets compromised, it won’t compromise all your accounts.

CIFAS Statistical Update

Numbers and percentage breakdown of the types of account taken over by fraudsters since 2008.

| Account Type | 2008 Numbers | 2008 % of Total | 2009 Numbers | 2009 % of Total | 2010 (end of Sept) Numbers | 2010 (end of Sept) % of Total |
|---|---|---|---|---|---|---|
| Bank Account | 721 | 3.71% | 4,051 | 18.10% | 1,351 | 8.42% |
| Plastic Cards | 13,273 | 68.99% | 11,503 | 51.38% | 6,015 | 37.50% |
| Mail Order | 4,350 | 22.48% | 2,816 | 12.58% | 3,184 | 19.84% |
| Mobile Phone | 898 | 4.65% | 3,879 | 17.33% | 5,292 | 32.99% |
| Other | 33 | 0.17% | 138 | 0.61% | 200 | 1.25% |
| Total number for the year | 19,275 | | 22,387 | | 16,042 | |

Source: CIFAS National Fraud Database

£352 is the average amount lost by internet fraud victims.

Source: YouGov survey commissioned by VeriSign Authentication (March 2010)


What happens next? The evolution of e-crime

We live in a world still suffering from the fallout of the economic downturn. Businesses, organisations and individuals feel the effects. There is one sector, however, that seems unaffected and is enjoying significant growth; generating billions in revenue, and looking forward to a long and prosperous future. Welcome to the world of e-crime!

There has been much recent debate about the levels of cyber-risk faced by individuals, businesses, governments, and all levels of the interconnected ‘Global Village’. The basic fact, however, is rather simple: if you use the internet, then you are potentially vulnerable, and exposed to the possibility of criminal exploitation.

Understanding the different threats is, of course, essential – and there are four basic categories that can be used:

1. Those seeking targets for the purpose of grooming, abuse, or exploitation (e.g. paedophiles)

2. Persons, or groups who use cyberspace to drive political, antisocial activities (e.g. hacktivists)

3. Organised, or home grown cyber criminals seeking to profit from the exploitation of selected targets

4. Cyber warfariens, acting as mercenaries, or state sponsored groups.

What will be clear is that these categories are not new: they existed long before the computer became a household item. It’s just that the digital age has provided a wider arena, a larger audience and pool of victims, and the luxury of a more remote location from which to commit the crime.

In addition to the aforementioned activities and groups, what needs to be remembered is the increasing levels of sophistication in the crimeware, tools, and logical opportunities which are available for criminals to use. Having the right tools to do the job will increase the opportunities for any organisation or individual – whether their business is legal or not. What often surprises many people is how these tools of the trade can be sourced as COTS (criminal-off-the-shelf): in effect, flat pack criminal packages.

This is nothing new however: in the early days of computer viruses, virus creation kits were available which enabled the fledgling hacker to create his or her own brand of infection. The hacker’s handiwork could then be set loose to deliver its payload. Early viruses tended to be ‘noisy’ however. They had obvious associated attributes, such as causing the infected computer to crash, or to display an obvious sign of infection. This has changed with time so that malicious programmes are now more commercially driven and no longer simply wish to announce their presence. Why make the infected system crash when you can operate in the background, invisibly, and intercept any information within it for use on a future date?

But what are the tools used? And how? Well, they may be designed to push a botnet (page 19) into a selected or opportunistic target(s). It may be that such attacks are seeking to exploit some new, or, yet-to-be-reported security exposure. In 2010, criminals launched malicious attacks based on the Stuxnet worm (page 19) which exploited four different security vulnerabilities of the Microsoft Operating System. This malware variant went on to exploit further aspects and, in the end, gain control of the infected system. Scary stuff, and it is impossible to specify the precise motives of the attackers. At this point, however, it may be useful to consider how e-crime has evolved.

In 2009 Kaspersky Lab reported that the spam generated by botnets (possibly an infected machine near you) accounted for 88% of email traffic.

Professor John Walker, Cyber Security and IT Forensic Consultant, Secure Bastion Ltd


Fig.3 displays some of the key areas (there are others) to show how malicious cyber tools have evolved as technology has developed. It is less than 30 years between the conceptual invention of a computer virus, through to the reported attacks on Google that emanated from China.

Many of the names may mean little to those who are not computing experts but – currently – there are some concerted attacks against more than just individuals’ domestic machines. Titan Rain (2007) was a series of cyber-attacks aimed at UK, US, and German governments’ cyber locations. There was also a number of attacks in the same period against the 13 ‘root servers’: effectively, the backbone of the internet. However, more recently, readers may recall the Chinese attacks against an internet site as truly global as Google. If a site so embedded into the modern world can be attacked, what knock-on effect could this pose – to individuals, businesses and government bodies alike? Recent reports [1] have stated that millions of home and business computers have been compromised; recruited into botnets in order to pilfer information, financial details and more. The end result is the collection of an amount of capital that cannot be sniffed at and a societal impact that cannot be truly comprehended.

The chances are that, as you read this, botnets are manifesting themselves on a computer or system near you. Unsuspecting domestic and business computer users will have their

[1] http://www.readwriteweb.com/archives/is_your_pc_part_of_a_botnet.php

Fig.3: Tipping Point 2012?


Definition: Botnet

Botnet is a jargon term for a collection of software agents, or robots, that run autonomously and automatically. The term is most commonly associated with the way in which malicious software is distributed, but it can also refer to the network of computers using distributed computing software.

Definition: Worm

A computer worm is a self-replicating form of malware that will send copies of itself, automatically, to other computers on a network – by exploiting any security shortcomings on a targeted computer. Unlike viruses, worms do not need to attach themselves to an existing program and they will almost always cause some harm to the network – whereas viruses almost always target programmes and files.

[Fig.3 timeline: malicious cyber tools and incidents plotted over the periods 1981-83, 1987-90, 1991-95, 1996-99, 2000-04, 2004-07, 2008-09 and 2010 (Q1), grouped into the Chaotic Era, Engineering Era, Smart Era, Project Era and Organised Era; entries run from “Computer Viruses invented by Fred Cohen” to “Chinese attacks on Google”]


computers being infiltrated with malicious software (whether it is through phishing or scams), which could result in identity theft, or the botnet might target entire networks of computers and be trying to mount a ‘denial of service’ attack.

To put this into an understandable scenario, imagine if such an attack used your personal or business internet connection to download copyrighted software, films or music. Under the new Digital Economy Act (2010), you – the unaware user – are potentially guilty of an offence for any indiscretion! An example of an easy attack is more widespread than you may think: the average home user with an unsecured wireless network being used by a neighbour or passer-by. Or, to put it into hard numbers, in 2009 Kaspersky Lab reported that the spam generated by botnets (possibly an infected machine near you) accounted for 88% of email traffic. According to a report published by PC Plus in 2010, in 2008 spammers generated $780 million from their efforts. A nice little earner indeed!

The prospect of cyber war has been discounted until now as a matter of pure fiction: better associated with the writings of H.G. Wells or John Le Carré. However, in 2010, this is no longer the case. Given the level of reported cyber attacks, it is evident that exposed and vulnerable systems and computers are everywhere. And it is not unreasonable to assume that the criminals behind them are just waiting for the next opportunity/technical development to exploit. Computers being used as a weapon are now a reality, and such use of computers may only be limited by the imagination of the attacker. Maybe cyber attackers will only look to target individual machines or a business’s infrastructure, but maybe they will think bigger?

Will they think about attacking SCADAs (Supervisory Control, and Data Acquisition – an industrial control system)? To explain this, look up at the light in your office, or the computer on your desk: both enjoy the life-blood of an electrical current. It may be safely asserted that, somewhere along their delivery chain, that current has some form of SCADA playing its part. Remember the Stuxnet worm mentioned earlier? It was recently discovered that this had been used as a weapon to attack Iranian nuclear power plants. Suddenly, the line between reality and possibility looms a little closer to the cold facts.

There is no doubt that technology, and the interdependencies of the internet, are everywhere. But, do we really understand the implications for such dependencies of the genie that we let out of the bottle some years ago!?

$8.94 (£5.99) an hour: the amount that a botnet can be rented for through criminal online forums

Source: VeriSign iDefense (May 2010)

CIFAS Statistical Update - Top Postcode Areas

In addition to the maps showing the geographical spread of victims, analysis of the CIFAS database for the first nine months of 2010 reveals some surprises regarding the most common postcode areas with addresses actively involved in fraud.

Top 10 postcode areas involved in identity fraud recorded by CIFAS Members in 2010 (to end of Sept)

| Rank | Postcode Area | Number of ID frauds recorded by CIFAS Members |
|---|---|---|
| 1 | SE - South East London | 5,481 |
| 2 | SW - South West London | 2,525 |
| 3 | E - East London | 2,411 |
| 4 | N - North London | 2,043 |
| 5 | B - Birmingham | 1,909 |
| 6 | M - Manchester | 1,552 |
| 7 | W - West London | 1,335 |
| 8 | RG - Reading | 1,240 |
| 9 | SL - Slough | 1,173 |
| 10 | NW - North West London | 1,142 |

Top 10 postcode areas involved in account takeover recorded by CIFAS Members in 2010 (to end of Sept)

| Rank | Postcode Area | Number of account takeovers recorded by CIFAS Members |
|---|---|---|
| 1 | SE - South East London | 872 |
| 2 | E - East London | 670 |
| 3 | SW - South West London | 547 |
| 4 | N - North London | 526 |
| 5 | B - Birmingham | 357 |
| 6 | HA - Harrow | 328 |
| 7 | DA - Dartford | 289 |
| 8 | RM - Romford | 275 |
| 9 | EN - Enfield | 246 |
| 10 | W - West London | 245 |

Source: CIFAS National Fraud Database


CIFAS Statistical Update

[Fig.4: Number of people per victim of identity fraud or account takeover by London Borough. Legend (number of people per victim): 37 - 59 (highest rate of victimisation); 60 - 96; 97 - 119; 120 - 165; 166 - 234 (lowest rate of victimisation). © CIFAS 2010. See back cover for attribution]


How even a business can fall victim to identity fraud

There is one form of identity fraud that is frequently overlooked, but causes considerable damage to those who fall victim: company identity fraud or company hijacking.

CPP looked into this issue in some detail and were surprised to see how easy it is to defraud companies through loop-holes in the registration of company records, together with businesses’ own limited understanding of the issue.

Documentary research of Companies House shows that ‘company hijacking’ occurs with the submission of false documents to Companies House. This normally involves changing the details of a company’s registered office address or the details of its directors or company secretary. The amendments to company records can be done via the simple submission of a paper form.

Companies House is a registry of corporate information, but (as it receives around half a million paper documents every month) it cannot check the details on the paper forms for validity. Nor does it have the resources to notify existing company directors, or company secretaries, that paper forms have been filed for their company. As a result, such forms are taken at face value and the register of companies updated accordingly, even if the updated information turns out to be false. This fraudulently updated data, however, has now become a part of the public record.

Any checks made on the company will be against fraudulently updated details, which would – therefore – appear to be legitimate (in relation to any director/address checks undertaken on the company) and any credit search against the company would show the credit rating of the genuine company. Providing this rating is healthy, the fraudster can now place orders which are to be dispatched to a false address, while the legitimate business and directors won’t know that the order had been placed until the supplier chased for payment. This fraud affects both the hijacked company (in terms of adverse impact to its credit rating) and the supplier through loss of income.

Companies House estimates that it receives 50–100 fraudulent documents each month. While this is only 0.02% of all documents received, the Metropolitan Police estimates that the loss to industry resulting from company hijacking is in excess of £50 million.


Nick Jones, Head of Communications, CPP Group Plc


Separately, when we questioned small and medium sized enterprises (SMEs) directly about company identity theft, the results confirmed that there is a lack of understanding of the issue, and of suitable preventative measures. 22% of SMEs admit that they may be vulnerable to corporate identity fraud due to lax procedures: 47% of whom said their current employees have access to sensitive company data, 61% that don’t encrypt company data, and 22% that allow employees to take sensitive documents out of the office.

Reverting to the issue of Companies House, 87% of company directors are not aware of the loopholes and only 14% claim to take advantage of the PROOF scheme offered by Companies House, which offers secure electronic filing of documents to protect them from potential fraud.

With 2% of SMEs in the UK reported to have fallen victim to corporate identity fraud, this equates to over 100,000 companies defrauded, costing them an average £13,500 each: enough to put some smaller businesses out of operation entirely. In turn, this could affect you: through loss of income, reputation and even employment.

Clearly, much needs to be done. Most obviously, SMEs need to be aware of any security shortcomings and the associated risks. They also need to be aware of the steps that they can take to guard against the threat: such as the PROOF scheme and other monitoring services that warn them of any changes to their company details. Companies need a range of facts and figures to call upon, rather than simply relying on a single source such as Companies House. After all, if a person is required to show more than one ‘proof of identity’ upon opening a bank account, why shouldn’t a company? ●

CIFAS Statistical Update

The pie charts below show the distribution of age and the gender of victims of impersonation, as identified by CIFAS Members, in the first nine months of 2010.

Source: CIFAS National Fraud Database

[Chart 1: two pie charts. “Victims of impersonation by gender” (Male, Female) and “Victims of impersonation by age” (16-25, 26-35, 36-45, 46-60, 60+).]


Internet enabled identity fraud – the police perspective

Lee Miles, Senior Manager, SOCA E-Crime

Organised criminals exploit the internet extensively. It provides secure, cheap, reliable and high-speed communication, and offers criminals access to new markets and new victims. Soberingly, information and communication technology is an enabler for almost all types of organised crime, including identity fraud.

A target of particular interest to fraudsters and other online criminals is the financial and personal data held about us all. Organised criminals seek to obtain that data either through hacking attacks against data stores held by bona fide organisations, or through targeted attacks against individuals. However it is obtained, private, detailed financial information is exploited by criminals in order to perpetrate identity fraud, and other crimes. Another risk is that the compromised data can be bought and sold between criminals in secretive, closed online forums such as DarkMarket.

Online criminals steal login credentials for systems and services. These can be used to assist in identity fraud. Phishing and malware remain the key methods of data compromise used to capture essential user information and, while phishing – though increasingly sophisticated – is well known and more ‘visible’ to many, malware represents an altogether more invisible threat.

Current trends show that many variants of malware are being installed covertly on targets – including home PCs. Active malware can detect when a customer opens a secure internet connection (such as an online banking website) and capture login details and passwords before remotely sending the information back to the fraudster without the knowledge of the victim. Malware variants are increasingly complex, and able to harvest many types of personal information from an infected system. Furthermore, once in place, malware can be extremely difficult to detect and to clean from the machine especially when security definitions are not fully updated.

Online criminals also continue to refine software (known as ‘exploits’) that enables the security features within the browser to be falsified; giving the end-user the impression that they are actually accessing a secure site, when they are not.

Secure websites most commonly use the ‘padlock’ icon or display https in the address bar to signify and give confidence to users that the website is secure.

Definition: Trojan

A trojan is a programme that may appear to be legitimate, but in fact does something malicious. Trojans are often used to gain back door access to a user’s system, and do not replicate as viruses do, nor make copies of themselves as worms do. They are just another programme that can be installed on your computer, albeit a malicious one (see malware - page 4). Most trojans are remote access trojans and are intent on controlling your PC to give a criminal complete access to your machine so that they can record your sensitive and financial details.

The economic climate, of course, has witnessed criminals taking advantage of people in new ways: creating fictitious recruitment and other similar websites, to dupe vulnerable victims into revealing private and personal information. Not only is identity information acquired, but these sites are also popular for criminals to recruit unwitting ‘money mules’ who believe they are working for legitimate companies, but in reality are receiving and laundering the proceeds of crime.

With the increasing popularity of social networking, many people publish personal information online without necessarily recognising the potential risks. Online criminals are known to employ sophisticated ‘social engineering’ techniques to harvest personal data from social networking sites. Recent media reporting has highlighted one example of a large scale fraud which obtained data through social networking sites¹. The increasing penetration of high speed broadband across the UK, and use of internet systems for applications, etc, will offer further avenues for criminals to explore. SOCA, together with its partners in the public, private and voluntary sectors, is working to reduce the harm caused by online enabled identity fraud and internet crime. Raising public awareness of the risks posed by criminal abuse of personal information held online is an essential first step to reducing the threat. All computer users should deploy (and regularly upgrade) effective computer security to protect themselves. ●

¹ ‘Facebook users fleeced by hackers’ (The Sunday Times, 5 September 2010)


Have the rules changed?

“We must become the change we want to see” – Mahatma Gandhi

Richard Hurley, Communications Manager, CIFAS – The UK’s Fraud Prevention Service

How many times, as a child, did you want to point out to your elders – when you were being regaled with the ‘You could leave your door unlocked’ story – that “It was a different world then”? Probably too many to count. But, how far back do you have to go for that response to be true: 25, 20 or 10 years? How about five?!

Back in the ‘old days’ (circa 2005), how many people banked online, or knew what a social networking site was or had a touch screen, portable, communications device with internet capabilities, camera and pocket sized jukebox that was not straight out of an episode of Doctor Who? You see, even the smallest details, when combined with other small details, show that the landscape of society has changed in a mere five years: and so have the rules, but not completely!

Identity fraud is the same: in 2005, far fewer people would have been aware of what this meant. Nowadays, most of us do. But, there are varying definitions: so what might be identity fraud to one, is something else to another. In terms of financial services providers, identity fraud has a strict meaning: where a third party uses the identity of an innocent victim (or a completely false name) in order to obtain goods and services. Effectively, it’s impersonation by a fraudster to get a new account for money, products or services. But, isn’t a fraudster spending on a victim’s existing account exactly the same thing? For the victim it is, but from a financial services perspective that is account takeover: two slightly different crimes – both having the same effect upon victims. But, what about someone setting up a Facebook account in your name? It’s a problem many high profile celebrities have suffered – and there are cases where the non-famous also have endured this type of impersonation: creating problems with family, friends, colleagues and to their good name. Has identity fraud not occurred here too?

The issue is brought into much sharper focus when you consider the law itself, and that there is no criminal offence (currently) called identity fraud. Under the Fraud Act 2006, a criminal offence of Fraud by False Representation exists – and this would cover any cases otherwise defined as identity fraud. But, it would also include any situation where a person makes “any representation as to fact or law ... express or implied” which they know to be untrue or misleading, with the intention of making a gain or causing/risking loss to another. Cynically, does this not simply mean lying with intent to make profit or damage another party? Victims of Facebook impersonation do argue that this form of identity fraud causes them loss: whether it is financial, reputational or professional. Considering all of these issues, we see how existing regulations don’t reflect the world in which we now find ourselves. How can we truly understand a problem, if we don’t agree on what the problem actually is, and if the complexities that can arise are not fully scoped?

But – it isn’t all ‘out with the old and in with the new’ and it isn’t just the processes of institutions that need to be examined. The internet, after all, is merely a part of our society. As Tony Neate explains on page 6, there is no point having a fancy alarm system, if you then forget to lock your doors. In an age where speed of access to information and services is favoured, how would we (the consumers) feel if – in order to apply for a service or product online – our applications were delayed by the need to provide proofs of identity, income etc.? We’d probably complain. And, if businesses make it too easy for fraudulent applications to be made without checking, we have the right to complain. As the recent stories regarding online bank account plundering prove¹, as the world changes, the safeguards used (by ourselves and organisations) are left playing catch-up.

A part of our approach needs to be making use of old maxims such as ‘look before you leap’. With high speed broadband offering instant purchasing options, do we need to remember to be more cautious than we have become accustomed to? Similarly, when in an unfamiliar area, many will take additional care in shielding PINs when withdrawing cash: so why carry out financial transactions in unsecured public wi-fi hotspots, or call the bank from a train, when we would not dream of having a sensitive domestic discussion on the phone in the same place? So, must businesses increase security checks (are a mother’s maiden name and a ‘chosen word’ ever enough?) and provide increased branch access that is out of hours? Is there an argument to increase regulation? If so, how do we all feel about what that would mean in practice?

It is necessary to look at parallels to get a new perspective. If your car was stolen from a garage forecourt, we could say that a geographical area was unsafe, or that there were not enough police around and so on. However, if we left our keys in that car, did we fail to help ourselves? Insurers would certainly say so! Of course, the victim of such a crime does not deserve to be a victim and, equally, attributing fault is an action that fails to address the actual issue. In such a case, it becomes everyone’s problem. Isn’t it the same for identity fraud too? ●

¹ http://www.bbc.co.uk/news/uk-11431989

CIFAS Protective Registration

Protective Registration is a service offered by CIFAS that helps to protect those whose identity is at risk due to crime or loss of data.

Visit www.cifas.org.uk/pr to find out more


CIFAS - The UK’s Fraud Prevention Service, 6th Floor, Lynton House, 7-12 Tavistock Square, London WC1H 9LT

www.cifas.org.uk

Thank you

CIFAS wishes to thank the following for their assistance in preparing this Special Report:

All authors and advertisers

and in addition, Crawford and Co (Nikki Grieve-Top), Experian (Lucy Davies and Anna Harry), Garlik (Andrew Thomas), Ordnance Survey (Sarah Adams, Jamie Clark and Greg Davis), SOCA (Gareth Rees), VeriSign Authentication (Victoria Henry), Weber Shandwick (Lydia Curtis) and all CIFAS Members who have shared their insights into the frauds currently being committed.

The maps on pages 4-5 and 21 contain public sector information licensed under the Open Government Licence v1.0. Contains Ordnance Survey data © Crown copyright and database right 2010. Contains Royal Mail data © Royal Mail copyright and database right 2010. Source: Office for National Statistics.