there must be thirty ways to steal your id.pdf


8/18/2019 There Must be Thirty Ways to Steal Your ID.pdf 1/16

This article was downloaded by: [Swapan Purkait] On: 11 April 2013, At: 03:56. Publisher: Taylor & Francis. Informa Ltd Registered in England and Wales, Registered Number: 1072954. Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK

EDPACS: The EDP Audit, Control, and Security Newsletter

Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/uedp20

There Must be Thirty Ways to Steal Your ID
Gary Hinson

Version of record first published: 09 Jan 2012.

To cite this article: Gary Hinson (2010): There Must be Thirty Ways to Steal Your ID, EDPACS: The EDP Audit, Control, and Security Newsletter, 41:5, 1-15

To link to this article: http://dx.doi.org/10.1080/07366981.2010.495677


Full terms and conditions of use: http://www.tandfonline.com/page/terms-and-conditions

This article may be used for research, teaching, and private study purposes. Any substantial or systematic reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any form to anyone is expressly forbidden.

The publisher does not give any warranty express or implied or make any representation that the contents will be complete or accurate or up to date. The accuracy of any instructions, formulae, and drug doses should be independently verified with primary sources. The publisher shall not be liable for any loss, actions, claims, proceedings, demand, or costs or damages whatsoever or howsoever caused arising directly or indirectly in connection with or arising out of the use of this material.



EDPACS: THE EDP AUDIT, CONTROL, AND SECURITY NEWSLETTER

MAY 2010 VOL. 41, NO. 5

THERE MUST BE THIRTY WAYS TO STEAL YOUR ID

GARY HINSON

Abstract. This article outlines some thirty ways that fraudsters commonly commit identity theft and exploit stolen identities, with a little more information specifically on phishing, using actual phishing e-mails to illustrate the techniques.

INTRODUCTION

Identity theft is a serious threat. Identity thieves steal personal information about you and use it to “assume your identity” (become you, or rather your clone). They quickly run up huge debts in your name and just as quickly disappear into the ether, leaving you with the problem of persuading the banks that it wasn’t you who bought a Ferrari and went on a gambling spree in Las Vegas . . .

Identity theft has been going on for ages but the Internet has fuelled an explosion in the problem. Banks and authorities are very worried about the trend, while organized criminals and terrorists are taking advantage. Whereas previously people had to visit their bank and present bank cards in person to a teller to obtain cash, now they can move money between accounts through the Internet and obtain cash from Automated Teller Machines (ATM) without their identity being checked in person by a bank employee. Checking someone’s identity remotely online is more difficult and hence is more vulnerable to fraudsters and imposters. Anyone who knows your name and credit card number, for example, can pretend to be you, using the information to pay for goods online. They get the goods, you get the bill.

IN THIS ISSUE

• There Must be Thirty Ways to Steal Your ID

Editor: DAN SWANSON

Editor Emeritus: BELDEN MENKUS, CISA

Important note: the information in this briefing is provided for educational purposes only. Use of the identity theft, phishing, counterfeiting, and other techniques described in this briefing is unethical at best and almost certainly illegal. You have been warned.

CELEBRATING OVER 3 DECADES OF PUBLICATION!


THE THIRTY WAYS

Identity thieves are truly spoilt for choice of possible ways to steal identities or the credentials needed to steal identities, and/or to exploit stolen identities/credentials. Here is an incomplete but worryingly long list to ponder:

1. Abuse of privileges: privileged user identities (IDs) on most systems are meant to be used by trusted employees for legitimate system administration activities but can be abused, for example, to change a user’s password and then login as them. Although this locks the legitimate user out, they are likely to just shrug their shoulders and call the IT Help/Service Desk for a password reset. . . . So, implement your “least privilege” policy and securely log the use of privileges to counteract this risk;

2. Bogus password reset requests: the identity thief impersonates a real user and requests a new password. If the Help Desk’s user authentication process is not up to scratch, or if an oh-so-helpful employee can be duped into short-circuiting it, the game’s over. Security awareness is the obvious control for the latter, while careful process design helps with the former;

3. Bogus vacancies: advertising non-existent jobs is one way to gather the personal details of applicants—remember this the next time you update or send out your Curriculum Vitae/resume and avoid disreputable agencies who pass on your details willy-nilly;

4. Brazen requests: some people are naïve enough to give up their passwords and other personal information simply when asked. It may take a little bribery or a legitimizing context (such as conducting some form of “survey” or “census”) to persuade others. Security awareness works here too, and in fact is the primary control for all the social engineering scams;

5. Card theft and skimming: beware pickpockets and any ATM that has additional panels or covers over the card slot, additional card readers, and leaflet holders or other strategically placed equipment to conceal a tiny camera observing the Personal Identification Number (PIN) entry pad! Technologically competent identity thieves have also modified point of sale card readers to extract and store or transmit credit card numbers and PINs, while it does not take much tech know-how to skim customers’ cards with a hand-held magstripe reader if you work in retail;

If you have information of interest to EDPACS, contact Dan Swanson ([email protected]). EDPACS (Print ISSN 0736-6981/Online ISSN 1936-1009) is published monthly by Taylor & Francis Group, LLC., 325 Chestnut Street, Suite 800, Philadelphia, PA 19106. Periodicals postage is paid at Philadelphia, PA and additional mailing offices. Subscription rates: US$311/£187/€248. Printed in USA. Copyright 2010. EDPACS is a registered trademark owned by Taylor & Francis Group, LLC. All rights reserved. No part of this newsletter may be reproduced in any form — by microfilm, xerography, or otherwise — or incorporated into any information retrieval system without the written permission of the copyright owner. Requests to publish material or to incorporate material into computerized databases or any other electronic form, or for other than individual or internal distribution, should be addressed to Editorial Services, 325 Chestnut Street, Suite 800, Philadelphia, PA 19106. All rights, including translation into other languages, reserved by the publisher in the U.S., Great Britain, Mexico, and all countries participating in the International Copyright Convention and the Pan American Copyright Convention. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific clients may be granted by Taylor & Francis, provided that $20.00 per article photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISSN 0736-6981/06/$20.00+$0.00. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Product or corporate names may be trademarks or registered trademarks, and are only used for identification and explanation, without intent to infringe. POSTMASTER: Send address change to EDPACS, Taylor & Francis Group, LLC., 325 Chestnut Street, Suite 800, Philadelphia, PA 19106.

EDPACS MAY 2010

2 © Copyright 2010 Taylor & Francis—All rights reserved.


6. Chimeras: thieves sometimes fabricate bogus identities by combining elements from more than one real person; for example, linking a name and birthdate from a birth certificate or birth announcement, with a tax or social security number from someone else (possibly someone with a similar name to exploit our natural tolerance for those little data integrity failures known as typos). Chimeras can be trapped with appropriate technical controls, primarily data validation;

7. Con-tricks: confidence tricksters are rather unlikely to operate under their own names, so they invent or “borrow” identities to suit their purposes. This creates a vulnerability for them in having to remember all their personas, and being caught in possession of a stack of different credentials inevitably leads to some awkward questions from the authorities;

8. Copyright abuse and plagiarism: brazen identity thieves simply pass off intellectual property from books, the TV/radio, or the Internet as their own without attributing or acknowledging the originators. This abuses the identities of the true authors and/or their organizations (corporate identity theft). The least sophisticated low-lifers simply put their names in place of the original authors. If they add any new content, it is unlikely to match the quality and so reflects badly on the originators. Vigilance (particularly using online search engines) is the key to spotting copyright abuse and plagiarism, but resolving such incidents may take more than just the threat of legal action;

9. Counterfeiting of credentials: driving licenses and staff passes are easily if crudely faked using a scanner, graphics package, printer, and laminator. With a bit of effort and skill, barcodes, magstripes, and smartcard chips may be transplanted from legitimate but stolen IDs onto the fraudster’s own. Professional counterfeiters with sufficient skills and resources can produce credentials that will fool even close inspection, although it may be easier for identity thieves to obtain the genuine articles through misrepresentation, coercion, or bribery. Anti-counterfeiting techniques are many and varied—just explore the way passports and banknotes are protected for plenty of control ideas. Vigilance by those who check credentials makes a big difference, and do not forget that an identity thief’s nervous body language may be a bigger giveaway than they realize;

10. Counterfeiting of products: arguably the organizational equivalent of mimicry and impersonation (method #20), poor quality counterfeit products devalue the brand. Even watermarks and holographic authentication stamps can be faked if the prize is sufficiently valuable. None of the controls is perfect but it pays to make the counterfeiters’ job as tough and expensive as possible;

11. Dumpster diving: finding sufficient information pertaining to victims in the trash or on discarded/sold/stolen information technology (IT) equipment to use as credentials for identity theft. The control here is obvious: never throw anything away ☺;

12. Grazing public records: limited personal information is published by authorities for the public record; for instance, electoral rolls, court notices, appointments to public office, and other official organs. Telephone books and many an online search engine are goldmines of personal information on those who do not withhold their details. Again, the risk can be reduced but not eliminated with care over what personal details you disclose or allow to be published;

13. Hacking: any system or network (wired or wireless) carrying personal data, credit card numbers, and so on is an obvious target for identity thieving hackers, but so too are all other IT systems that identify and authenticate users with usernames and passwords, not least because users often re-use the same credentials on multiple systems. If I can hack or simply guess your password on, say, your Hotmail account, how many other systems will that allow me to access as you? Individuals can help themselves by choosing long, strong passwords, ideally unique ones for every system (which implies the use of a password vault program to generate and recall them all, securely). Organizations can help by employing a few IT professionals who have more than merely a vague familiarity with information security;

14. Housebreaking and plain old fashioned thievery: thieves have been known to pass by valuable consumer electronics (which are more difficult to carry off and much less valuable on the black market) in favor of more portable and lucrative bank and credit card statements, birth certificates, utility bills, and other credentials. Pickpockets and bag snatchers are no longer just after cash, mobile phones, and similar items for their tangible value—a smart phone or personal digital assistant (PDA) for instance may reveal loads of personal information. Aside from never going out, ask your local crime prevention people for tips to counter these risks;

15. Inadvertent or inappropriate disclosure: many of us have found a lost purse or wallet. Thankfully, most but not all of us are honest enough to return them to their owners or hand them in . . . in which case we are trusting that the recipient will Do The Right Thing. No less common is someone disclosing their own personal information in personal Web pages, blogs, social networking sites, and e-mails. Occasionally, a corporation accidentally publishes personal information, or at least makes it available to anyone who is capable of modifying a Uniform Resource Locator (URL) or injecting some Structured Query Language (SQL) code into a form. And finally, deliberately sharing credit card numbers, PIN codes, and passwords with friends and family will defeat all bar strong biometric authentication. The controls here are self-evident, wouldn’t you say?;

16. Insider access: people working with personal data—which these days means many of us—have plenty of opportunities to abuse their system and data access rights, while familiarity may breed carelessness if not contempt for the access rules. Organizations are obliged to protect the personal data they gather, store, and process, but do not necessarily take adequate account of the insider threats. Whether identity thieves would go to the trouble of infiltrating an organization purely to steal identities depends on their guile and desperation as well as the prize at stake. In the case of tradesmen, friends, and family members, insider physical access to personal records in the home or office is straightforward. Vigilance, human resources (HR) procedures (including pre-employment or pre-promotion background and ID checks) and compliance activities all help here;


17. Inspired guesswork: systems that accept weak user passwords and allow unlimited login attempts are effectively inviting trouble from brute force attacks, or better still guessing inspired by a little knowledge of common weak passwords such as the names of pets, sports team names, and pop artists, or simplistic keyboard patterns. Systems that offer to reset users’ passwords and e-mail them are vulnerable to e-mail redirection (see #26) while users who choose weak passwords or easily guessed password reset questions are saying “Hack me! Hack me!”;

18. Leveraging credentials: by this I mean using low-grade, poorly controlled and/or easily faked credentials (such as library cards and utility bills) to obtain higher-grade credentials. While would-be identity thieves have a wide choice of techniques to obtain low-grade credentials (see #3, 4, 7, 9, 11, 12, 14, 15 . . . you get the picture), better authentication and validation techniques would make it harder for them to “trade up”;

19. Malware and spyware: keylogging Trojans being the classic example, capturing credentials and other information as it is typed by the victim into a PC. I will not insult your intelligence by even outlining anti-malware controls;

20. Mimicry, impersonation, and misrepresentation: these are popular techniques for social engineers to pretend to be some authority figure demanding access to an information asset—for instance, presenting a business card (whether a total fabrication or a genuine card belonging to someone else) or wearing coveralls to gain access to an office. It’s not that hard for a receptionist or security guard to at least make the effort to check IDs, is it? Taking photographs of visitors, covertly (closed-circuit television [CCTV] surveillance) and/or openly (“To prepare the visitor badge for you, sir” . . .) will at least provide some evidence to follow up after the fact;

21. Multimode/blended methods: several of the examples already in this list, and more besides, combine elements such as social engineering and hacking to great effect. Skillful fraudsters, hackers, and social engineers are adept at changing their methods dynamically to suit the situation that unfolds before them. Keep up at the back: staying up to date with current information security risks is a worthwhile investment and may even be classed as “fun”;

22. Online auctions: auction deals involve buyers and sellers exchanging personal information, ranging from names and e-mail addresses to bank account or credit card numbers. It does not take a genius to figure out the vulnerability to identity theft. As to how to counter it, I am not so sure. Disposable e-mail addresses might help, and it’s not a bad idea to dedicate a credit card, if not a separate bank account, specifically for dubious Internet-related transactions;

23. Other social engineering techniques: whether simply trawling Facebook and LinkedIn for personal information or using social networks to reach out to and fool new potential victims, identity thieves exploit such webs of trust to work their way into their victims’ confidence. This is just one selected example, of course. Social engineering is an important element in almost all identity theft techniques, and a subject worthy of a separate article. [Please pester the author or editor if you would like to read more in this vein];

24. “Persuasion,” coercion, threats, and violence: thumbscrews are evidently just as effective today as they ever were in medieval times. Which secrets would you retain even under extreme digital pressure? In some jurisdictions, the authorities have permission to use violence to “persuade” suspects to reveal passwords/encryption keys (hence “rubber hose cryptanalysis”). Avoid visiting such places if you have anything serious to hide from the authorities;

25. Phishing: using spam e-mails, targeted e-mails, short message service (SMS) text messages, phone calls, and even leaflets on the windscreen to fool victims into visiting fake websites and disclosing their login credentials or other personal information (more on this below);

26. Redirection: redirecting and selectively forwarding or simply stealing someone’s e-mail or post gives the identity thief the first bite at any personal information that arrives, and the opportunity to filter out those giveaway “welcome to your new account” letters from the banks and credit companies for new accounts the identity thief has opened in their name. While we are advised to be alert to the possibility of identity theft if our bank statements or bills suddenly go missing, what stops the identity thief with access to our post, a scanner, and desktop publishing software simply generating and substituting bogus statements, bills, and other documents in their place? Would we even notice that the paperwork was fake until it was too late? Primary responsibility for controls against this risk falls to the Post Office, but individuals are well advised to secure their mailboxes and clear them soon after the mailperson has called;

27. Shoulder surfing: casually looking on as someone openly types their PIN/password into a system in a public place is the no-tech way of stealing their credentials. Shielding the PIN-pad or keyboard with one’s body or some convenient appendage is the no-tech response;

28. Spoofing: most e-mail spam arrives with a spoofed sender’s name. Spammers often misuse the names of genuine people and organizations in the hope that recipients will have white-listed them, or maybe will simply recognize them and assume that they endorse the content. Call me professionally paranoid if you like but I instantly doubt all e-mails by default;

29. Undermining: just as one way to enter a fortified castle might be to tunnel underneath, bypassing authentication mechanisms means you can become anyone you choose, or nobody at all as you prefer. One way might be to spoof the “authenticated” message or signal to the access control subsystems downstream of the authentication step, which may be easy or hard to do depending on the quality of the system security architecture and implementation (clue for those designing or using such systems: employ the best security architects money can buy);

30. Unknowns: by this I mean future cunning schemes yet to be identified or cooked-up by creative identity thieves. As potential victims become aware of the previous items on this list thanks to security awareness items such as, ahem, this very article, those techniques gradually lose their gloss and become less effective. Therefore there is a premium on discreet and novel methods of identity theft, a “honeymoon period” before too many people catch on. Well done to those of you who are still reading at this point: you are already ahead of the pack. For others, the unknowns remain unknown.

PHISHING

The term “phishing” relates to the way that fraudsters trawl and lure their victims using the net, rather like trawlermen at sea (Figure 1). Put simply, phisher or phishing e-mails look as if they have come from a trustworthy organization such as a bank, credit card company, or PayPal. They normally ask the recipient to click a link and visit a website to “update” or “verify” or “confirm” certain information. If the recipient becomes a victim by clicking the link, the screen looks like the authentic website they were expecting to visit but in reality it is a fake. Any information typed in by the victim is captured by the fraudsters and may well be used to commit identity theft. If they are really unlucky, they pick up a keylogging Trojan or two at the same time.

Figure 1 Steps in a phishing attack. Stage 1: Prepare the bait; Stage 2: Cast; Stage 3: Hook the victim; Stage 4: Reel them in; Stage 5: In for the kill; Stage 6: Off to market. [Diagram labels: Phisher, Victim, DNS, IP addresses, Personal data, Real website, Fake websites A, B, and C.]

Like any fraud, there are two essential elements to phishing—deceit and theft:

• The unfortunate victim is tricked into believing that the fake e-mail and URL/website are legitimate, while some hard-done-by financial institution falls for the identity thief’s false credentials;

• The fraudster hopes to steal valuables from the victims (e.g., by committing identity theft, by directly transferring money from the victim’s bank account, or by stealing other valuable and exploitable information assets using malware).

Please review the genuine phishing e-mails and deconstruction notes that follow for some simple illustrations of the phishers’ art.

Example Phishing E-Mails 1—A Classic PayPal Phisher

The e-mail shown in Figure 2, if viewed as an HTML formatted message (Figure 3), uses the PayPal logo and colors for good effect, and typical social engineering techniques to persuade the recipient that not only is this a genuine PayPal request but it’s something they should act on right away! HTML also allows the phisher to conceal the actual URL under that authentic-looking link text for any recipient who neither reads all e-mails as plaintext, nor takes a moment to read the actual URL shown when they hover their mouse over the link text.

Figure 2 Phishing email with HTML interpreted.

Example Phishing E-Mails 2—A Typical Banking Phisher

Clues that the e-mail in Figure 4 is a phisher include:

1. My e-mail address not shown in the To: line (just “undisclosed-recipients”).

2. Curious and unprofessional title in the message with superfluous exclamation marks (“FNB Online Banking Verification!!!”).

3. The “Click here to update your account” hyperlink would have taken me to an unrelated Mexican domain (note “.mx” just before the third slash). That is where the phishers are hoping to capture my online banking username and password. [Note: if I had been reading the fancy HTML version of this message instead of the plain text, I may not have spotted that dubious URL when I hovered my mouse over the “Click here to update your account” link text.]

4. Spurious request for personal information—legitimate, security-conscious banks never request information in this way.

5. Vague reasoning (“we have decided to review your account details”).

6. Spurious justification to hurry up “within 24 hours.”

7. E-mail not addressed to me personally, nor signed by someone specific (just the anonymous “Security Department”).
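The seven clues above are mechanical enough to check with code, and the same link check catches the "twitter.com" text pointing at an unrelated host that Example 4 later describes. This Python is an added example, not code from the article; the sample message, its addresses and the .example domains are constructed for illustration, and the heuristics are indicators for an awareness tool or mail filter, not a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample carrying the clues the article lists for Figure 4; every
# address and domain is made up (".example" is a reserved top-level domain).
SAMPLE_EMAIL = """\
From: Security Department <security@fnb-online.example>
To: undisclosed-recipients:;
Subject: FNB Online Banking Verification!!!
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear Customer,</p>
<p>We have decided to review your account details. Please respond
within 24 hours or your account will be suspended.</p>
<p><a href="http://fnb-online.example.mx/verify/login.php">Click here
to update your account</a></p>
<p>Security Department</p>
</body></html>
"""

ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URGENCY = re.compile(r"\bwithin\s+\d+\s+hours?\b|\bimmediately\b|\bsuspended\b", re.I)
GENERIC_GREETING = re.compile(r"\bDear\s+(Customer|Member|User|Client|Valued)\b", re.I)
GENERIC_SIGNER = re.compile(r"\b(Security|Support|Customer Service)\s+(Department|Team)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
REQUEST = re.compile(r"\b(verify|update|confirm)\b[^.]*\b(account|details|information)\b", re.I)


def same_site(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def link_indicators(anchors, sender_domain):
    """Clue 3 (and Example 4): the real host is what sits between the second
    and third slash of the href; the visible link text proves nothing."""
    findings = []
    for href, text in anchors:
        text = " ".join(re.sub(r"<[^>]+>", " ", text).split())
        host = (urlsplit(href).hostname or "").lower()
        claimed = DOMAIN_IN_TEXT.search(text)   # link text that itself names a site
        if claimed and not same_site(host, claimed.group(0)):
            findings.append(f"link text says {claimed.group(0)} but goes to {host}")
        elif not same_site(host, sender_domain):
            findings.append(f"'{text}' points off the sender's site, to {host}")
    return findings


def phishing_indicators(raw_message):
    """Apply the article's seven clues to one RFC 822 message with an HTML
    body; returns the human-readable indicators found, empty if none."""
    msg = message_from_string(raw_message)
    findings = []
    to_header = msg.get("To", "")
    if not to_header or "undisclosed" in to_header.lower():          # clue 1
        findings.append("recipient hidden (undisclosed-recipients)")
    subject = msg.get("Subject", "")
    if "!!" in subject:                                               # clue 2
        findings.append(f"unprofessional subject: {subject!r}")
    sender_name, sender_addr = parseaddr(msg.get("From", ""))
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    findings += link_indicators(ANCHOR.findall(body), sender_addr.rpartition("@")[2])  # clue 3
    text = re.sub(r"<[^>]+>", " ", body)            # crude tag strip for the wording checks
    if REQUEST.search(text):                                          # clues 4 and 5
        findings.append("asks you to verify or update account details via a link")
    deadline = URGENCY.search(text)
    if deadline:                                                      # clue 6
        findings.append(f"artificial pressure: '{deadline.group(0)}'")
    if GENERIC_GREETING.search(text):                                 # clue 7
        findings.append("generic greeting, not addressed to you by name")
    if GENERIC_SIGNER.search(sender_name) or GENERIC_SIGNER.search(text):
        findings.append("signed by an anonymous department, not a named person")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```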

Figure 3 Phishing email HTML code.

HTML code in this example:

From: [email protected]
Sent: Wednesday, February 25, 2004 21:46
To: [Recipient address was here]
Subject: Information Update

Dear PayPal member,

At PayPal, we value the trust you have placed in us by using our service to conduct your transactions online. Because our relationship with you is financial in nature, the protection of your privacy is particularly important to us.

We are sending this verification notice to provide you with information about how PayPal safeguards your privacy, as well as to comply with U.S. federal privacy guidelines that apply to financial institutions such as PayPal. The full terms of PayPal's privacy policy are available on the PayPal website, which you are welcome to review at any time.

Please verify your account and financial information by clicking on the link below:

https://www.paypal.com/cgi-bin/webscr?cmd=verify

*** DO NOT REPLY TO THIS email ***

Copyright © 2003 PayPal, Inc. All rights reserved. Designated trademarks and brands are the property of their respective owners.


Example Phishing E-Mails 3—Malicious Attachment

The attachment in Figure 5 was just an HTML file presenting some text, images, and a link to a phishing site. Phishers often use e-mail to deliver:

• More complex HTML and scripting attacks, designed to exploit vulnerable browsers;

• Executables, typically with double file extensions, hoping that users’ PCs will hide the final .exe, .com, or whatever;

• ZIP files or other archive formats holding malware, in the hope that users’ antivirus software will not scan inside them (this is often supplemented by encrypting the ZIP content, and giving the user the password in the e-mail—a creative but dastardly abuse of the beautiful science of encryption!);

• Various other file formats that exploit vulnerabilities in programs such as Adobe Acrobat reader, Flash, and so on.

Figure 4 Classic banking phisher.

Example Phishing E-Mails 4—Saved by a Second Glance

The lucky recipient of the phishing message in Figure 6 tells us: “This one nearly got me! I had not long since got out of bed and started using the PC before I was fully awake. I use Twitter occasionally and wondered what the ‘3 information message(s)’ might be. The first link at the top and the link text to the left of middle both say twitter.com so I thought ‘OK, that’s Twitter, I’ll just click and find out’ . . . but then, luckily, I took a second glance at the actual URL to the right—now ringed in pink but not so blatantly obvious originally! ‘meghack.buy.ru’ seems rather unlikely to be Twitter, and much more likely to be a Russian hacker group. That second glance saved my bacon! I deleted the message and made myself a strong cup of coffee!”

If our sleepy user had actually clicked that link, his PC would probably have been infected with spyware in a flash, or literally in Flash if that hacker website uses one of the many Adobe Flash exploits going around. If the Flash exploit had failed, an automated script on the Web page may well have tried various other browser security loopholes until it found one that worked, and all of this would happen in the blink of an eye. With a Trojan keylogger, remote control software or some other form of malware or spyware on his PC, the hacker might have compromised his digital identity, stolen his or his employer’s money (since he had online access to the corporate bank accounts), sent tons of vile spam, copied private personal and proprietary information from the PC and who knows what other mischief would have ensued . . .

Figure 5 Phishing email with HTML attachment.

Remember: a second glance takes but a moment. Disinfecting your PC and reconstructing your identity will take months. Remember also that if you have a privileged user ID, you have a greater obligation to protect your ID since the consequences could be so much worse than if an ordinary non-privileged user ID was compromised. This could certainly be a career-limiting factor.

    Other Phishing Tricks

    Other than the simple social-engineering-by-e-mail form of phishing attacks, phishers occasionally try more innovative approaches . . .

1. Browser tricks. Some phisher e-mails deliberately manipulate the users’ browsers to conceal the real destination address after they have clicked on a hyperlink. “Features” in browsers such as Internet Explorer allow users to include additional arbitrary text in the URL, for example, a username and password to log in to a website (http://username:[email protected]). The username:password bit may contain something like www.paypal.com:XXXXXXXXXXX where the paypal bit appears in the browser URL box but is irrelevant and the Xs are a long string of characters that force the real address off the edge of the victim’s screen. The Xs may be replaced with a control-A character (%01) which fools old unpatched versions of Internet Explorer into not displaying the remaining characters to the right at all. Pop-up boxes and other tricks are used to conceal the true URLs. Either way, our hapless victim is left looking at a fake website while the apparent URL in the address box looks entirely legitimate.

Figure 6 Saved by a second glance.

2. Spear phishing and pharming. “Spear phishing” is the use of phishing techniques to target certain individuals, perhaps employees of an organization or even a single person. “Pharming” involves the deliberate manipulation of Domain Name System (DNS) records to misdirect visitors from legitimate websites to fake sites, exploiting weak authentication/security protocols in the original DNS implementations. The malicious creativity of fraudsters and hackers is evident in these attacks and no doubt others that will emerge in time.

3. VoIP phishing (“vishing”). The term “vishing” (a contraction of “voice phishing”) describes phishing-style attacks that persuade victims to call voice phone numbers controlled by the fraudsters. In one recent example, an automated answering service asked victims for personal information to “validate their accounts.” The initial contact may be via e-mail, SMS text message, telephone call, or perhaps even old-fashioned post.

The antivirus company that coined the word “vishing” claimed that fraudsters are using VoIP (Voice over Internet Protocol) services such as Skype because it is so easy for them to fake their caller IDs. They also get free calls, of course.

For essentially the same reason, beware of calling telephone “customer service” numbers included in suspicious e-mails—they may be under the control of the fraudsters. Consider checking and noting down the true customer service numbers for your banks, credit card companies, and so on in order to be able to call them quickly in an emergency.

4. *-ishing. Journalists and vendors of security products sometimes stretch the bounds of sensibility by labeling phishing-like attacks using other media or modes of dissemination with similarly derived names, hence we have the moniker “smishing,” for example, referring to phishing attacks over SMS cell-phone text messaging, and “blishing”—phishing by seeding blog postings, or more likely comments, with embedded URLs. Cringe-worthy labels aside, the scams are essentially the same. The latest scare story we have seen concerns leafleting legally parked vehicles with official-looking parking fine notices inviting victims to “Visit the following website to dispute this penalty notice: . . .”—“pishing” anyone?
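The “second glance” our sleepy user took, and the userinfo and %01 tricks in item 1 above, are checks a mail gateway or awareness tool can automate. The following Python is an added example, not code from the article or from NoticeBored: it flags anchors whose visible text names one host while the href points elsewhere, URLs that carry a username:password part ahead of the real host, and percent-encoded control characters. The HTML fragment and the host evil.example are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# A bare host name as it might appear in link text, e.g. 'twitter.com'.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
# Crude anchor extractor: adequate for the constructed sample, not for arbitrary HTML.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample e-mail body (not from the article); evil.example is a placeholder.
SAMPLE_HTML = (
    '<a href="http://meghack.buy.ru/x">twitter.com</a> '
    '<a href="http://www.paypal.com:XXXXXXXXXX@evil.example/">Log in</a> '
    '<a href="http://www.paypal.com%01@evil.example/">Account</a> '
    '<a href="https://www.twitter.com/login">twitter.com</a>'
)

def analyze_url(href):
    """Reasons the URL is deceptive in itself (empty list if none)."""
    reasons = []
    parts = urlsplit(href)
    if parts.username is not None:
        # 'http://www.paypal.com:XXXX@evil.example/' -- the real host follows the '@'
        reasons.append(f"userinfo '{parts.username}' precedes real host '{parts.hostname}'")
    if any(ord(c) < 0x20 for c in unquote(href)):
        # %01 and similar made old browsers stop rendering the rest of the address bar
        reasons.append("control character in URL")
    return reasons

def analyze_anchor(text, href):
    """analyze_url() plus the link-text-versus-destination check."""
    reasons = analyze_url(href)
    real_host = (urlsplit(href).hostname or "").lower()
    m = HOST_RE.search(text)
    if m and real_host:
        shown = m.group(1).lower()
        # Accept an exact match or a subdomain of the host the text shows.
        if shown != real_host and not real_host.endswith("." + shown):
            reasons.append(f"text shows '{shown}' but href goes to '{real_host}'")
    return reasons

def suspicious_links(html):
    """Return (text, href, reasons) for every anchor that trips a check."""
    results = [(t.strip(), h, analyze_anchor(t, h)) for h, t in ANCHOR_RE.findall(html)]
    return [r for r in results if r[2]]

if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Run against the sample, three of the four anchors are reported; the legitimate www.twitter.com link passes because the shown host is a parent of the real one.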

    CONCLUSION

Although I have mentioned a broad range of common security controls against identity theft, I freely admit that those countermeasures are imperfect, hence contingency arrangements deserve your due consideration. As identity theft techniques become ever more sophisticated, it is inevitable that more victims will be caught out. Awareness of the risks is itself a key control, hence the reason for publishing this article. Please do your bit to avoid being taken in yourself, and to help spread the word about those thirty, dirty ways.

    REFERENCES AND FURTHER READING

There are numerous websites offering additional information about identity theft and related matters: the short list that follows is just a starter set. Google knows of many more . . .

Bankrate.com discusses synthetic identity fraud involving the creation of chimaeras: http://www.bankrate.com/brm/news/pf/identity_theft_20070516_a1.asp

CIFAS, a British company, distinguishes identity theft from identity fraud and discusses both in the context of the financial industry and its customers: http://www.cifas.org.uk/default.asp?edit_id=566-56

Fighting Back Against Identity Theft is the U.S. Federal Trade Commission’s microsite on identity theft: http://www.ftc.gov/bcp/edu/microsites/idtheft/ while the FTC’s OnGuard Online has further information for consumers on identity theft, phishing, and other online hazards: http://www.onguardonline.gov/topics/identity-theft.aspx

Identity Theft and Identity Fraud is the U.S. Department of Justice’s microsite on identity theft: http://www.justice.gov/criminal/fraud/websites/idtheft.html

Identity Theft is an awareness initiative supported by several British organizations offering information for both the general public and businesses: https://www.identitytheft.org.uk/

Identity Theft Resource Center is a not-for-profit organization supporting the victims of identity theft and advising others on how to reduce the risk of being victimized: http://www.idtheftcenter.org/

NoticeBored, the author’s security awareness subscription service, has a page of links to identity theft–related websites: http://www.noticebored.com/html/IDtheft.html

The Office of the Privacy Commissioner of Canada is but one example of a government regulator providing information on identity theft: http://www.priv.gc.ca/fs-fi/02_05_d_10_e.cfm

Similarly, the Royal Canadian Mounted Police is one of many police forces understandably concerned about identity theft and other such frauds and scams: http://www.rcmp-grc.gc.ca/scams-fraudes/id-theft-vol-eng.htm

World Privacy Forum offers information and advice on medical identity theft: http://www.worldprivacyforum.org/medidtheft_consumertips.html

Dr. Gary Hinson, CISSP, MBA, has more than two decades’ experience as practitioner, manager and consultant in the field of information security, risk and IT audit, originally in Europe and latterly New Zealand. He originally wrote this article for the NoticeBored security awareness subscription service as part of the monthly stream of materials aimed at IT professionals. Seminar presentations, guidelines, policies, newsletters, puzzles, quizzes and posters complete the set, two thirds of which are less technical materials aimed at ordinary employees and managers. Gary is also actively involved in developing and promoting the ISO/IEC 27000-series information security management standards and shares his passion through www.ISO27001security.com. He can be reached at [email protected]
