This is a comprehensive exploration into
what identity theft and cybercrimes are
and how they are perpetrated; all from a
computing and networking perspective.
Table of Contents
Identity Theft Statistics
Defining Identity Theft
Information Needed to Commit Identity Theft
What's in a Number?
Defining Hackers and Hacking
Correct Terminology for Malicious Programmers
Techniques for Identity Theft via Cybercrime
Social Engineering Exploited by Kevin Mitnick
Common Email Exploit Utilizing Social Engineering (Phishing)
Man in the Middle
Identity Theft via Cybercrime;
the Computing and Networking Perspective
Kari A. Locke, Honors Student, and McNair Scholar
Dr. Hal Berghel, Honors, and McNair Mentor
Professor and Chair of Computer Science
University of Nevada, Las Vegas
INTRODUCTION: Identity theft is a prevalent crime that costs victims extensive time and money. Cybercrime is a rapidly rising venue for identity theft. My research entails compilation, investigation, and documentation into the computing technologies used to commit these white-collar crimes. This research will provide a valuable tool for law enforcement, businesses, and private individuals; thus, helping them to identify trends and take appropriate defensive measures.
LITERATURE REVIEW: There are currently no public charts categorizing and exposing the prevalence of which computing technologies are used in the commission of these crimes. All of the current information on identity theft committed via cybercrime is disjointed; there are no consistent definitions, laws, and statistics for either identity theft or cybercrime. The terminology is inconsistent and the techniques remain unexposed. This research will provide innovative documentation that may be used as a tool to avert cybercrime.
METHODOLOGY: Extensive Internet research, library and publication research, personal interviews, and experimentation are being used in the compilation of this prose. As a complement to this prose, an extensive website was created as a resource for anyone interested in identity theft. This site will be active and recurrently enhanced over the next several years.
FINDINGS: According to a Federal Trade Commission (FTC) survey, an estimated 10 million Americans were victims of identity theft in the year 2002, with losses totaling $50 billion and 300 million hours (FTC Survey 1). This estimate includes both reported and unreported cases of identity theft. Identity theft and cybercrime, considered white-collar crime, are on the top ten lists of priorities for most of the major government agencies; most cases have proven elusive to prosecution. The FTC has been declared the federal clearinghouse for identity theft, and thus has been designated as the lead coordinating agency in the fight against identity theft (FBI 4). There has been a staggering increase in the reported cases of both identity theft and cybercrime over the past several years; from 1999 to 2004, the number of victims rose from 1,380 to 616,665 (FTC in 2005 22). This rise parallels the rise in the computer industry and the Internet. Techniques for identity theft range from dumpster diving to international cybercrime syndicates with large databases of identity information on current and future victims. This research comprehensively investigates identity theft, focusing on identity theft via cybercrime from a computing and networking perspective. It has also produced a publicly accessible website which may be used as a resource to help combat identity theft. The website's URL is http://web.cs.unlv.edu/unlvcybercrime. (But you already know this because you are here!)
SUMMARY, CONCLUSIONS, RECOMMENDATIONS: The reader will gain a comprehensive understanding of identity theft, cybercrime, and the underlying technologies and trends of identity theft exploits via cybercrime. This research provides a vital tool in the struggle against these crimes.
Identity Theft Statistics
According to a Federal Trade Commission (FTC) survey, an estimated 10 million Americans were victims of identity theft in the year 2002, with losses totaling $50 billion and 300 million hours (FTC Survey 1). This estimate includes both reported and unreported cases of identity theft. The average financial victimization is $4,800, which cost the victim an average of $500 out of pocket and 30 hours to rectify. There are two major distinctions of identity theft, the takeover of existing accounts, and the creation of new accounts. If one is an unfortunate victim of the creation of new accounts, the average victimization is $10,200 with the out of pocket and time costs averaging $1200 and 60 hours (FTC Survey 2).
Identity theft and cybercrime are on the top ten list of priorities for most of the major government agencies, including the Federal Bureau of Investigation, the Department of Homeland Security, the U.S. Department of Justice, the Federal Trade Commission, the Federal Communications Commission, the Social Security Administration, the U.S. Securities and Exchange Commission, etc. There has been a staggering increase in the reported complaints of both identity theft and cybercrime over the past several years, overwhelming most of the major government and local law enforcement agencies. The FTC has been declared the federal clearinghouse for identity theft, and thus has been designated as the lead coordinating agency in the fight against identity theft (FBI 4). According to the FTC's statistical data on the reported cases of identity theft, from 1999 to 2004 the number of victims rose from 1,380 to 616,665. In 1999, there were 1,380 victim cases reported. In 2000, that number increased to 123,162 cases. In 2001, the number skyrocketed to 200,953; in 2002, the previous year's figure almost doubled to 356,072; and from January 2003 through July 2003, there were 131,022 reported cases. In July 2003, the projected number of cases for the entire year of 2003 was 210,000 victims (FTC ID Theft Statistics 3). The actual reported victims for 2003 were 518,814, and the reported victims for 2004 were 616,665 (FTC in 2005 22). This rise in reported identity theft parallels the rise in the computer industry and the Internet.
Cybercrime is considered a white-collar crime that has proven elusive to prosecution. The time required to become aware that a crime has occurred, combined with the anonymity of computer technology, are major contributing factors in the ineffectiveness of legal prosecution. Another contributing factor is that in the rapidly advancing technology industry, the laws have difficulty keeping up with technological advancements. In addition, there are currently no national or international standardized definitions for computer crimes. Both the names for the computer crimes (e.g., high-tech crimes, information technology crimes, cybercrimes, computer crimes) and the definition of what constitutes a computer crime (e.g., the physical theft of a computing device during a robbery, the penetration of a network, the stealing of account information during e-commerce) vary greatly among different law enforcement agencies. This makes it extremely difficult to quantify these crimes for statistical analysis and resource allocation. Resource allocation is vital to combat the staggering increase in reported cases of both cybercrime and identity theft; most cases have failed to be investigated due to the overwhelming increase in reported cases and a lack of investigative personnel (FBI2 10).
Defining Identity Theft
The United States Department of Justice (DOJ) calls identity theft the crime of the new millennium. It can be accomplished with anonymity, ease, and through a variety of means. The impact on the victim can be devastating. In 2001, the DOJ estimated identity theft to be the fastest growing crime in America (Hoar 1). The DOJ defines identity theft as the theft of identification information such as a name, a social security number, or a credit card number. Theft opportunities occur during mundane daily activities including buying gas, receiving email, or trading stocks online. The techniques for identity theft range from back street thefts to organized databases or bribing employees for personal information on customer or personnel records. The DOJ further states that the theft can result from anything from careless sharing of personal information to intentional theft of digital information. The DOJ also reports that it only has limited information on the prevalence, cost, and Internet impact (Hoar 3). In 1995, 93% of the Secret Service Financial Crimes Division of the Department of Justice was dedicated to identity theft (Hoar 10). In 1997, MasterCard reported that 96% of all of its fraud cases were a consequence of identity theft, resulting in 407 million dollars in losses (Hoar 12). The report continues that identity theft cases generally involve multiple victims in multiple jurisdictions and that the crimes are not generally known until months after they have occurred (Hoar 20). This further hinders the prosecution of these crimes. Investigation is labor intensive and the individual cases are usually too small for federal prosecution. The DOJ finishes its report by stating that identity theft is a top priority for the DOJ, the U.S. Treasury, and the FTC to investigate, prosecute, and prevent (Hoar 28).
Identity theft, as defined by the FBI, is the criminal act of assuming someone else's identity for some gain, generally monetary (FBI 1). The FBI further breaks identity theft into two types, account takeover and account creation. Account takeover is defined as the use of a victim's current accounts to make purchases; 38% of individuals have been victims of this form of identity theft (FBI 2). The second type of identity theft, account creation, is the use of personal identification data to open new accounts in the victim's name. The Identity Theft and Assumption Deterrence Act of 1998 declared it a federal felony whenever someone transfers or uses the identity documentation of another person without legal authority and with the intent to commit, aid, or abet any unlawful activity (Economic 1). In 2002, the FBI considered identity theft to be one of the fastest growing crimes in the United States, affecting approximately 900,000 victims each year (FBI 1). This rise is attributed to the rise in telephone services and e-commerce; even though companies can secure the monetary transfer, they continue to have difficulty verifying the customer (FBI 3).
The statistical data presented by the FBI, when compared to the statistical data presented earlier in this document, is an ideal example of how disjointed the statistical data is on identity theft. In 2002, the FBI estimated 900,000 victims, the FTC Survey estimated ten million victims, and the actual number of identity theft cases reported to the FTC in 2002 was 356,072. Each organization presents immensely different statistical data.
Information Needed to Commit Identity Theft
There are only a few items that a perpetrator needs to assume someone else's identity. Many different combinations of this information can be used; it depends on the intentions of the perpetrator and the requirements of the company or organization in which they are trying to use the false identity. To explain, for an account takeover the perpetrator may only need the victim's online bank account login username and password to gain access to the victim's online banking. With online access to the victim's account, the hacker can then access the bank account number, transfer funds, write electronic checks, apply for credit cards, change the victim's mailing address, etc. The hacker's available options depend on what online services the bank offers. Online banking offers a secure connection between the user's computer and the bank's server; however, the only way that the bank generally confirms the identity of the user is by their username and password. While banks offer a relatively secure connection, they cannot guarantee the identity of the user.
Commonly, an identity thief only needs a full name and a matching social security number to assume another's identity. If the perpetrator wants to obtain an official birth certificate, they need the victim's mother's maiden name, the victim's father's name, the victim's date of birth, and the victim's place of birth. With this information, a perpetrator can then get an official driver's license, passport, credit card, etc. Most counties, for the sake of convenience, offer online duplicate birth certificates. Clark County offers this service. The only information that is required to receive a duplicate birth certificate through Clark County is the victim's full name, the date of birth, the name of the birth hospital, the mother's maiden name, the father's name, and some sort of photo identification. It does not state that the photo ID must be a driver's license. In addition, oftentimes the birth county has no adult picture of the person to cross-verify with the picture on the required photo ID. An example of this would be if the child moved out of state shortly after birth. The Clark County online order form is below.
Some of this information may seem difficult to obtain, but in fact, it is not that difficult to get. Most local newspapers are putting their papers online. They also offer search capabilities for their papers. With these search capabilities, perpetrators can obtain birth announcements (the Las Vegas Review Journal has recently removed this capability from their website). Even if this information is not available online, libraries contain archives of newspapers. Both of my children's birth announcements in the local newspaper show my maiden name, their father's name, their date of birth, and the hospital where they were born. Most new parents, as I did, want to share their new addition's arrival with the world. In addition to birth announcements, there are also pay investigation sites, genealogy sites, public records such as divorce or crime records, etc. Many of the sites used to obtain the information needed to commit identity theft are legally operated websites that are not intended for the use of criminals. Individuals who make it their life's work to steal the identity of others become very adept at searching the Internet to find the necessary information to commit identity theft.
What's in a Number?
Everyone knows that their social security number is their primary identification with a wide variety of government agencies and businesses, but the question is, exactly how much power does a nine-digit number have? According to Sara Baase,
“We use our social security number (SSN) for identification for numerous services, yet its insecurity compromises our privacy and exposes us to fraud. Because the SSN is an identifier in so many databases, someone who knows your name and has your SSN can, with varying degrees of ease, get access to your work earnings history, credit report, driving record, bank account, and other personal data. The potential for both privacy invasion and fraud (particularly identity theft) is clear.” (Baase 61)
Baase continues by pointing out that social security numbers appear on a wide variety of publicly available documents or otherwise openly displayed items like property deeds, driver's licenses, court records, employee or student ID cards, medical ID cards, hospital bracelets, etc. Baase finishes by pointing out that these sources do not need to use social security numbers for unique identification purposes within their databases, and that in doing so they are compromising its security (Baase 62). The FTC proclaims, “Social Security numbers play a pivotal role in identity theft. Identity thieves use the Social Security number as a key to access the financial benefits available to their victims. Preventing identity thieves from obtaining Social Security numbers will help to protect consumers from this pernicious crime” (FTC Prepared 2). Institutions have placed such an extreme importance on a single identifier, the social security number, that if, or rather when, it is compromised, the individual's entire identity and lifestyle is also compromised. With all of these different organizations using social security numbers as identification, many appearing publicly, names and social security numbers are already out there just waiting for a hacker to latch on to them and steal an identity.
On April 2, 2005, I was pulled over for a traffic violation. The officer took my driver's license to run on his computer. Upon his return, he began calling me Tami Jo Thompson and asked me to step out of the vehicle. Leaving my two young children in the car, he asked me to put my hands on the hood of the police car and began yelling at me that he was going to take me to jail for outstanding warrants, and that I needed to start telling him the truth. As he continued threatening to take me to jail for outstanding warrants for prostitution charges, he revealed some of the story. Because I have never been a prostitute, I have no warrants for my arrest. He eventually, after much insistence on my part, let me go. After three days of investigation, lawyers, police stations, and the district attorney's office, I have a general idea of what happened. In 1996, a woman named Tami Jo Thompson was arrested for prostitution. At the time of her arrest, she gave my name and social security number. Both of these identifiers were off by one; my name was spelled wrong, and my social security number was off by one, but that was close enough to associate the name and number with me. She never fulfilled her court obligations, and thus a warrant was issued for her arrest. The official records state that she and I are not the same person; her fingerprint identification and my fingerprint identification (on file from previous work cards) did not match. However, from this point forward, whenever an officer runs my name in the computer, her record will show. I forever have to carry my official Metro identification number so they can cross-reference that I am not her; there is no way to remove this person, or her warrants, from my record. This is a precaution on the part of Metro, just in case she ever decides to give my identification information again.
It also creates a complication for me because an officer in the field does not know if I am really myself or if I am Tami Jo Thompson pretending to be Keri Locke. Therefore, at any time, I can be arrested and taken to the station in order to prove my identity as Kari Locke. Other than the ultimate irony that this is my honors thesis, there are several points of interest here. First, I, the victim, have to live in constant fear of being arrested for something that I never did. Second, they automatically associated the name that she gave, Keri Locke, with my name, Kari Locke. Third, the social security number she gave was incorrect and they still associated her with me. Fourth, when filling out the police report, I was never informed to notify the FTC that I am a victim of identity theft. This calls into question the accuracy of the FTC statistical data on the number of reported cases of identity theft. Fifth, when she was arrested for the prostitution charge, they did not immediately know that she was not me. They had fingerprint records and driver's license pictures of me dating back ten years at the time of her arrest. In addition to monetary loss, there is a serious threat to one's freedom and lifestyle with identity theft. If I held a high-powered job, and it was released that I had been arrested on a prostitution charge, how understanding would a company be? Would they hold my job until the mess was cleared up? This new experience causes me to re-evaluate the previous government definitions of identity theft.
Identifying an individual on a computer is different than identifying an individual in person. Generally, there are three different types of authentication used in computing: something the user knows, something the user possesses, and something that the user is. We are most familiar with the first two of these, something that the user possesses and something that the user knows. Called two-factor authentication, we use this form of identification regularly at ATMs and when using our bankcards (Holden 70). The something that we possess is our bankcard, and the something that we know is our PIN. Identification in the future needs to be a combination of all three of the above authentications, possibly with the biometric information (something that the user is) being a thumbprint and/or a picture. Better police access to identification information would have averted my identity theft. However, before any national identification standard is implemented, the security of this information and the consequences of it getting into the wrong hands need to be comprehensively evaluated; this will be elaborated later in the What's New section.
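As an added example, not part of the thesis, the following code checks the two factors described above together: something the user knows (a password, stored only as a salted PBKDF2 hash) and something the user possesses (a time-based one-time password, TOTP per RFC 6238, built on the HOTP algorithm of RFC 4226, which is the software counterpart of the bankcard). It also answers the weakness noted earlier for online banking, where the username and password alone are taken as proof of identity. The user name, password, salt and user store are constructed for the demonstration; the TOTP secret is the RFC 4226 test-vector key, so the generated codes can be checked against the published vectors.

```python
"""Added example: two-factor login check (knowledge + possession).

Factor 1, something the user knows: password, stored as a salted PBKDF2 hash.
Factor 2, something the user possesses: a TOTP code (RFC 6238) produced from a
secret that lives on the user's device.  The HOTP core follows RFC 4226.
All user records, passwords and salts here are constructed for the demo.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


def hash_password(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Slow, salted hash so a stolen user store does not yield passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


# Constructed user store (hypothetical user "kari"); a real system would load this
# from its database.  The TOTP secret is the RFC 4226 test-vector key.
_SALT = b"constructed-demo-salt"
USERS = {
    "kari": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",
    }
}


def authenticate(username: str, password: str, code: str,
                 at_time: Optional[int] = None) -> bool:
    """Accept the login only if BOTH factors verify.

    Both factors are evaluated before deciding, and both comparisons use
    hmac.compare_digest, so a wrong password and a wrong code are rejected the
    same way; an unknown user is rejected without revealing that it is unknown.
    """
    user = USERS.get(username)
    if user is None:
        return False
    now = int(time.time()) if at_time is None else at_time
    knows = hmac.compare_digest(user["pw_hash"], hash_password(password, _SALT))
    # Accept the current 30-second window and the previous one (clock drift).
    has = any(hmac.compare_digest(code, totp(user["totp_secret"], now - skew))
              for skew in (0, 30))
    return knows and has


if __name__ == "__main__":
    # Demo: the code a device would show at Unix time 59 (RFC 6238 vector, counter 1).
    device_code = totp(USERS["kari"]["totp_secret"], 59)
    print("device shows", device_code)
    print("login ok:", authenticate("kari", "correct horse battery staple", device_code, at_time=59))
    print("password alone ok:", authenticate("kari", "correct horse battery staple", "000000", at_time=59))
```

A login succeeds only when the password hash and the one-time code both match; either factor alone is rejected. The biometric third factor the thesis calls for cannot be demonstrated offline and is left out.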
Defining Hackers and Hacking
The term “hackers” is commonly used in today's media to refer to malicious computer programmers: individuals that write, modify, or download code that is then utilized to attack a network, computer, server, or router. These attacks cost individuals and companies millions of dollars each year. A “hack” or “hacking” is the action, or code, used to accomplish the malicious act; there are several different types, some of which will be discussed later. The news media has attached the negative connotation to the word hacking; it was not originally a derogatory term. Still today, computer scientists and computer enthusiasts deem the term to be a compliment. Steven Levy originally popularized the term “hacker” with his book, Hackers: Heroes of the Computer Revolution. When he referred to “hackers”, he was referring to Ivy League college graduates (from Stanford and MIT) that were brilliant, genius, constructive programmers who were major contributors to the computer revolution. These were ethical, dedicated professionals committed to making technology open source (the source code is available for anyone to see and improve) and accessible. These “hackers” also prided themselves on confronting problems and producing solutions. This is why there is a distinguished honor in the term hacker within the industry; it is due to the associations with the original definition rather than the nonprofessional's understanding and the media's usage (Jamsa 24).
Correct Terminology for Malicious Programmers
Another note of importance here concerns the correct terms for malicious programmers who attempt to tear down systems rather than build them up. Contrary to the media, the term crackers refers to individuals who specialize in breaking into, or cracking, proprietary systems with the intent to corrupt or steal data. Individuals who devote their time to producing programs that circumvent the telephone system, either to penetrate the telephone company's databases and computers or to receive free services, are called phrakers. Phreakers then use the information that phrakers have stolen to access other computers. Sometimes they simply use the information to post on a bulletin board; however, other times they use the information to commit sabotage or industrial espionage (Jamsa 25).
From this point forward, I will use the terms hacker and hack to refer to malicious people and actions, respectively. It is not that I agree with the connotations associated with the terms, but I do accept that most people view them this way, and it will ease the understanding of the different techniques used to commit these crimes.
There are many different terms used to describe the different technologies employed to invade computers. A brief list of definitions is below. Some of these will be expanded later in this thesis.
Techniques for Identity Theft via Cybercrime
Techniques for identity theft range from dumpster diving, sifting through trash dumpsters to obtain personal information, to international cybercrime syndicates with large databases of identity information on current and future victims (Hoar 2). Of the different types of attacks, there are two subcategories, internal and external. A trusted, generally disgruntled, employee perpetrates an internal hack from inside a company, and external attacks are perpetrated by someone outside of the company. No matter the type of hack, both are difficult to quantify. Most companies find it difficult to admit publicly that they have been attacked. In admitting the security breach, they are risking their most valuable asset, their company name and reputation. This fact further hinders the ability to quantify cybercrimes accurately.
Networks, including the Internet, use standard protocols. These protocols are simply standards that define how computers will communicate with each other for activities such as getting a requested webpage from a web server to a user's computer or transmitting files from one computer to another. The standardization of these rules, protocols, allows a wide variety of computers to connect seamlessly. These networking protocols are available for anyone to view and offer suggestions on; each is defined in what is called a Request for Comments (RFC). It is necessary for connectivity that these protocols, standards, are available for everyone to see; however, this means that these protocols are available for hackers too. Hackers spend their time trying to find ways to exploit these protocols rather than trying to improve them. There are numerous techniques employed by perpetrators to commit identity theft and cybercrimes. I have chosen a few of the most prevalent and the most applicable to identity theft to expose.
There are many different types of computer attacks. The one that is the most surprising and easiest to prevent through education is social engineering. With the explosion of the Internet and internal networks, social engineering has become a great deal more widespread and much more dangerous. Social engineering entails fooling or tricking individuals into revealing their personal information; examples include deceiving them into revealing their user name, password, bank account numbers, address, and even their social security numbers. There are multitudes of methods used to trick individuals into relinquishing sensitive information. One common technique is to email or telephone users, claiming to be the system or network administrator. The hacker claims that the system needs to have work done over the weekend and that he/she needs their user name and password to accomplish this system work. The user naively tells the hacker their username and password, giving them complete access to all of the privileges of that user and access to the system. Once the perpetrator has access to the company's system, they can discover information such as personnel records or customer data. This was the case a couple of weeks ago here at the University of Nevada, Las Vegas. Although the exact technique used to crack the university system is still under investigation, a hacker did infiltrate the university's computer system, thus putting thousands of students and faculty at risk for identity theft. There are numerous variations on the social engineering attack; however, they always entail persuading the user to do the desired act.
Social Engineering Exploited by Kevin Mitnick
Kevin Mitnick's name is synonymous with the term hacker. Mitnick was the very first hacker (technically he was a cracker) to appear on the FBI's most wanted list; he was also the first person convicted of “gaining access to an interstate computer network for criminal purposes” (Delio 1). In 1992, Mitnick compromised the IRS and the Social Security Administration networks, for which he was never charged. In 1995, Mitnick was arrested for stealing code from high-tech companies such as Sun, Motorola, and Nokia. He was also accused of hitting San Diego's Super Computing Center, the California DMV, and many more institutions. After pleading guilty, he spent 5 years in jail and was released in 2000. The damage was estimated at 300 million dollars (Testimony 1). Mitnick's name is also synonymous with social engineering; the primary attack that he used was social engineering. In his book The Art of Deception: Controlling the Human Element of Security, he states that the weakest link in a system is the people (Edmead 1). In his 1992 attack on the IRS, Mitnick phoned agency employees and, while utilizing social engineering techniques, obtained target computer systems and internal commands for accessing protected taxpayer information. Now familiar with the vernacular, he was able to pose as a fellow employee with computer problems, persuading employees to execute commands for him. Mitnick did not use a computer to accomplish this.
Common Email Exploit Utilizing Social Engineering (Phishing)
Email is an easy way for perpetrators to exploit social engineering. The perpetrator may send an email to a randomly selected group of individuals claiming to be their financial institution. The email requests that the individual go to a specific website and enter their personal account information. This social engineering technique is called phishing (phishing). These emails can appear surprisingly authentic, including the financial institution's logo and a URL, or link, that actually contains the financial institution's name. To an unsuspecting individual the results can be devastating. I recently received one of these emails and will use it here as a demonstration.
I must note here that I am not and never have been a customer of Regions Bank; this was my first clue that the email may be a fraud. The email states that Regions bank is planning software updates and they earnestly want me to follow a link to confirm my customer data. I received this email.
It looks official enough; the email has the company logo, and even the link contains the name of the company. By viewing the full header for this email, we obtain more information about the sender. The email message containing the full header information follows.
An internet protocol address (IP address) is a unique number assigned to every connection to the Internet (I am ignoring subnetting and network address translation for the moment). Each network interface card also has a unique identification number called a machine address, or MAC address. The IP address combined with the MAC address is used to uniquely identify every computer and connection to the Internet. Both addresses are contained on each packet that is sent over the Internet (there are a couple of exceptions here that I am ignoring for simplicity). The sender of this email has an IP address of 188.8.131.52. There is a nonprofit organization called ARIN, the American Registry for Internet Numbers, which offers a Whois tool to identify with whom an IP address is associated. Using the Whois tool provided by ARIN, I entered the sender's IP address from the original email that I received, and found that it belongs to Comcast Cable Communications Holdings, Inc. The ARIN Whois search result follows.
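The header inspection above can be automated. The code below is an added example, not the thesis's own tool and not ARIN's, that parses a constructed message (documentation-range addresses, hypothetical host names such as bank.example and mx.example-isp.net) and pulls the IP literals out of the Received: chain, then compares the domain shown in From: with the Return-Path (envelope) domain. Two caveats a practitioner would add to the explanation above: the only Received: line that cannot have been forged is the one your own mail server wrote, since a sender can put any lines it likes beneath it, and the MAC address is rewritten at every hop, so at the receiving end the IP address is the only address available for this kind of check. The ARIN Whois lookup itself is a network query and is not performed here.

```python
"""Added example: locating sender addresses in an e-mail's headers.

Every mail server a message passes through prepends its own Received: line,
so the top line is the newest hop (written by the receiving server) and the
bottom line is the oldest.  The message, host names and addresses below are
constructed for the demonstration (RFC 5737 documentation ranges).
"""
import email
import email.utils
import ipaddress
import re
from typing import List, Optional

# Constructed message: a look-alike "bank" From: address handed in through an ISP.
SAMPLE_EMAIL = """\
Received: from mx.example-isp.net (mx.example-isp.net [198.51.100.7])
    by mail.recipient.example (Postfix) with ESMTP id 4C2B1
    for <kari@recipient.example>; Sat, 2 Apr 2005 10:01:12 -0700
Received: from customer-host (c-203-0-113-45.example-isp.net [203.0.113.45])
    by mx.example-isp.net with SMTP; Sat, 2 Apr 2005 10:01:05 -0700
From: "Regions Bank Customer Service" <customer.service@bank.example>
Return-Path: <noreply@bulkmail.example>
Subject: Customer Details Confirmation

Please confirm your account details at the link below.
"""

# An address literal in square brackets, the form in which servers record the peer.
_BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def received_ips(raw: str) -> List[str]:
    """IP literal from each Received: line, newest hop first, oldest last."""
    msg = email.message_from_string(raw)
    found = []
    for line in msg.get_all("Received", []):
        match = _BRACKETED_IP.search(line)
        if not match:
            continue
        try:
            found.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            pass  # bracketed text that is not a valid address
    return found


def trusted_peer_ip(raw: str) -> Optional[str]:
    """The peer our own server accepted the message from.  The top Received:
    line is the only one we wrote ourselves, so it cannot have been forged."""
    ips = received_ips(raw)
    return ips[0] if ips else None


def claimed_origin_ip(raw: str) -> Optional[str]:
    """The bottommost hop, where the message claims to have started.  This is
    the value the thesis runs through Whois; it is informative but the sender
    can write any Received: lines it likes before handing the message over."""
    ips = received_ips(raw)
    return ips[-1] if ips else None


def address_domain(raw: str, header: str) -> Optional[str]:
    """Domain part of an address-bearing header such as From or Return-Path."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get(header, ""))
    return addr.rpartition("@")[2].lower() or None


def sender_mismatch(raw: str) -> bool:
    """True when the From: domain the reader sees differs from the envelope
    (Return-Path) domain that bounces and replies actually go to."""
    return address_domain(raw, "From") != address_domain(raw, "Return-Path")


if __name__ == "__main__":
    print("hops (newest first):", received_ips(SAMPLE_EMAIL))
    print("trusted peer:", trusted_peer_ip(SAMPLE_EMAIL))
    print("claimed origin:", claimed_origin_ip(SAMPLE_EMAIL))
    print("From/Return-Path mismatch:", sender_mismatch(SAMPLE_EMAIL))
```

For the constructed message the trusted peer is the ISP relay and the claimed origin is a residential address, while the visible From: domain and the envelope domain disagree, which is the same pattern the thesis uncovers by hand.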
This is not the same company as Regions Bank. Further investigation is required. A Google search for Comcast Cable Communications Holdings, Inc shows that it is an internet service provider (ISP), not a bank.
Admittedly, it is possible that Regions Bank uses Comcast Cable Communications for their ISP and this is the explanation for the different IP address. Maybe we should take another approach. The next thing that I did was to look back at the email. If you look at the original email that I received, there is a copyright symbol followed by “2005 Regions and Union Planters” in the bottom right. When the mouse is hovered over it, it becomes a link. When clicked, it links to the following page.
This is not at all what I expected, and learning another language is beyond the scope of this thesis; however, I will next investigate this page's IP address, again using ARIN's Whois. This reveals that the IP address 184.108.40.206, found in the address bar, is registered to the Asia Pacific Network Information Centre. I suspect that this is a typical error page, “The page cannot be found … HTTP Error 404 – File or directory not found”, which we have all seen.
Next I did a Domain Name System (DNS) lookup, which goes in the opposite direction from what I have done so far: it produces an IP address from a domain name (i.e. www.regions.com). For this, I used a company called register.com, a registrar through which domain names are reserved. A display of the result follows shortly.
The results from register.com state that the IP address of Regions Bank's domain server is actually 220.127.116.11. This is not the same as the source IP address (18.104.22.168) that originally sent me the email message. I must say here that it is a little scary that I was so easily able to obtain the domain server's IP address for Regions Bank. If I were a malicious programmer, I could repeatedly attack this server to try to find weaknesses that could be exploited. The ARIN Whois lookup for the Regions Bank IP address that I acquired through register.com verifies that the IP address 22.214.171.124 is indeed registered to Regions Bank. The results from the register.com and the ARIN inquiries follow, respectively.
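The lookups above can be reduced to a mechanical check: pull the IP address that your own mail server recorded when it accepted the message, and compare it against the address blocks that Whois attributes to the organization named in the From: header. The script below is an added example written for this page, not code from the thesis or from ARIN. The two messages, the mail server name mx.victim-mail.invalid, and the KNOWN_NETBLOCKS table (standing in for what a Whois query would return) are all constructed; the 192.0.2.0/24 and 203.0.113.0/24 ranges are documentation addresses. It also shows the trap a naive check falls into: the bottom-most Received: line is written by the sending machine and can claim anything, so only the line stamped by your own server is trustworthy.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing message: the sender (a subscriber at an ISP, 192.0.2.55)
# forged a lower Received: line claiming the mail came from the bank.
PHISH = """\
Received: from c-192-0-2-55.example-isp.invalid ([192.0.2.55])
    by mx.victim-mail.invalid with SMTP id k7Fq3; Mon, 7 Mar 2005 09:12:01 -0800
Received: from mail.regions.com (mail.regions.com [203.0.113.9])
    by c-192-0-2-55.example-isp.invalid; Mon, 7 Mar 2005 09:11:30 -0800
From: "Regions Bank" <security@regions.com>
Subject: Customer Details Confirmation

Please confirm your account details.
"""

# Constructed genuine message: our server accepted it from the bank's own block.
GENUINE = """\
Received: from mail.regions.com (mail.regions.com [203.0.113.9])
    by mx.victim-mail.invalid with SMTP id p2Qz9; Mon, 7 Mar 2005 10:01:44 -0800
From: "Regions Bank" <statements@regions.com>
Subject: Your monthly statement is ready

Your statement is available online.
"""

# Constructed stand-in for the Whois answer: which blocks belong to the claimed domain.
KNOWN_NETBLOCKS = {"regions.com": [ipaddress.ip_network("203.0.113.0/24")]}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")

# Explicit list rather than ipaddress's is_private, which also treats the
# documentation ranges used in the samples above as private.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def received_headers(raw):
    # Most recently added header first; the email module keeps folded lines together.
    return message_from_string(raw).get_all("Received", [])


def naive_originating_ip(raw):
    """Bottom-most Received: line. It was written by the sender, so it is forgeable."""
    hdrs = received_headers(raw)
    m = IP_RE.search(hdrs[-1]) if hdrs else None
    return ipaddress.ip_address(m.group(1)) if m else None


def trusted_originating_ip(raw, our_mx):
    """Address our own mail server (our_mx) saw when it accepted the message.
    Walk top-down and stop at the first line stamped by our_mx from a non-internal host."""
    for hdr in received_headers(raw):
        by, ip_m = BY_RE.search(hdr), IP_RE.search(hdr)
        if not (by and ip_m) or by.group(1).lower() != our_mx:
            continue
        ip = ipaddress.ip_address(ip_m.group(1))
        if not is_internal(ip):
            return ip
    return None


def claimed_domain(raw):
    addr = parseaddr(message_from_string(raw)["From"])[1]
    return addr.rsplit("@", 1)[-1].lower()


def sender_consistent(raw, our_mx, netblocks=KNOWN_NETBLOCKS):
    """True only if the trusted handoff address lies in a block attributed to the From: domain."""
    ip = trusted_originating_ip(raw, our_mx)
    blocks = netblocks.get(claimed_domain(raw), [])
    return ip is not None and any(ip in b for b in blocks)
```

Run against the constructed phishing message, the naive reading reports 203.0.113.9 and would pass the netblock check; the trusted reading reports 192.0.2.55, which is not in the bank's block, and the check fails.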
So, the information obtained so far leaves many doubts about the validity of this email requesting my personal information. Another Google search for Regions Bank produces the following webpage.
Notice that the company logo is the same as the one in the original email that I received. On this site there is a link to the states where Regions Bank does business. Its locations are all in the southern United States; I could find no evidence that this company has any branches in Asia.
The above research was done some time after I actually received the email; however, when I first received the email I followed the links and saved screen images of the pages they led to. The page that was originally displayed when I followed the requested link is below.
Notice that the URL displayed in the status bar at the bottom left of the browser is https://secure.regions.com/utilities/agreement.com, but the browser's address bar shows http://126.96.36.199 (the address that was registered through the Asia Pacific Network Information Centre). The URL displayed in the status bar, if typed into the address bar, actually leads to the Regions Bank website. The address in the status bar does not necessarily reflect the actual page's address; it can be set by the page's own script, whereas the address bar shows where the displayed page really came from. Even the browser's title shows “Regions – Customer Details Confirmation”. This page also states “Secure Confirmation”, leading the victim to believe that the webpage is secure. A simple element that is missing is the lock symbol that generally appears at the bottom right of the browser's status bar when a page was loaded over HTTPS, and the address bar begins with http://, not https://. Stating that a webpage is secure does not make it secure. Scrutinizing this webpage reveals many inconsistencies; however, the hacker also included many details that could easily fool the average consumer.
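The inconsistencies just listed (a raw IP address where a bank's hostname should be, http instead of https, a visible URL that does not match the real destination) can be checked automatically before anyone clicks. The following is an added example for this page, not code from the thesis: it parses the links out of an HTML email body and reports each of those signs, plus the user@host trick in which a bank's name is placed before an @ so that the real host is what follows it. The HTML and the 198.51.100.23 address are constructed; regions.com is taken as the trusted domain.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body, modelled on the kind of page described above.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Please <a href="http://198.51.100.23/utilities/agreement">https://secure.regions.com/utilities/agreement</a>
to confirm your details.</p>
<p>Or use <a href="https://secure.regions.com@198.51.100.23/login">our secure login</a>.</p>
<p><a href="https://www.regions.com/privacy">Privacy policy</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_a = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a, self._href, self._text = True, dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            if self._href is not None:
                self.links.append((self._href, "".join(self._text).strip()))
            self._in_a = False


def host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_link(href, text, trusted_domain):
    """Return the list of phishing indicators found for one link."""
    issues = []
    u = urlparse(href)
    host = (u.hostname or "").lower()
    if u.username is not None:
        issues.append("userinfo before @ hides the real host")
    if host_is_ip(host):
        issues.append("raw IP address instead of a hostname")
    if u.scheme != "https":
        issues.append("not https")
    if host != trusted_domain and not host.endswith("." + trusted_domain):
        issues.append("host outside " + trusted_domain)
    if "://" in text:
        shown = (urlparse(text.strip()).hostname or "").lower()
        if shown != host:
            issues.append("visible URL text differs from real destination")
    return issues


def audit_html(html, trusted_domain):
    """Return [(href, text, issues)] for every link in the HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, audit_link(href, text, trusted_domain))
            for href, text in collector.links]


if __name__ == "__main__":
    for href, text, issues in audit_html(SAMPLE_HTML, "regions.com"):
        print(href, "->", issues or "ok")
```

The first two links in the sample are flagged for a raw IP host and for lying outside regions.com; the first additionally for plain http and for showing a different URL than it points to, the second for the @ trick; the privacy link passes.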
This webpage is of extreme importance because of the information it requests: my complete name, my ATM/debit card number, my PIN, my login ID, my password, and my email address. Does a perpetrator need any more of my information to steal the funds in my bank account? With this account as a reference, they can readily open new non-Regions accounts in my name; recall that this is called account creation. Another point of interest is that many banks use their customers' Social Security numbers as login IDs. With a full name and Social Security number, identity theft is easy.
As an added bonus, this link downloaded a Trojan horse to my computer. A Trojan horse is a program that poses as something legitimate while carrying hidden malicious code, typically a back door that can be used to report information obtained from my computer via keystroke logging or data mining (both are covered in the next section, spyware). My Norton antivirus software caught this attempt, and while Norton cannot currently remove the Trojan, it has quarantined it. A screen print of the warning message follows.
Social engineering, including phishing, is the most prevalent way to obtain personal information from individuals. Why go to all of the trouble and risk of breaking in if someone will readily give you a key? Social engineering is also the easiest attack to prevent through education. There are several tips to help avert a social engineering attack. Use extreme caution when relinquishing personal information. Never give out your passwords or PINs to anyone; no one should ever ask. Financial institutions never ask customers to confirm their customer data online. Employees need to be kept abreast of the latest threats and how to evaluate them intelligently. Nothing is free; any offer that sounds too good to be true probably is. A combination of common sense, suspicion, and education can save much time and money.
Another technique used by hackers to commit identity theft utilizes spyware. Spyware is often lumped together with adware; adware is defined previously in the Hack Terminology section. Much spyware exists to improve marketing efficiency and the effectiveness of advertising, but it is still malicious code: generally a small program or applet (or, at the least intrusive end, a tracking cookie) that installs itself on a user's computer without his or her consent or knowledge. What classifies it as malicious code is precisely that it installs and runs on the user's computer without that consent or knowledge. Spyware can also change Windows Registry settings, change browser settings, monitor the websites that the user visits, and even record personal data and report it back to some source (Whitman 221). Companies and parents sometimes use spyware to monitor the online activity of their employees and children, respectively. Spyware comes in varying degrees of maliciousness, from relatively benign to downright tyrannical. It is usually piggybacked on some other software, freeware, free service, or a popup. Examples of software that may piggyback spyware include peer-to-peer file-sharing programs like Kazaa (where its presence is revealed in the license agreement), free screensavers, and other freeware. Spyware can also be downloaded automatically when a popup window is closed (hackers like to switch the action of the buttons, so that when you click “No Thanks” you are really clicking “Yes”).
Spyware is especially important to identity theft because it can capture keystrokes entered by the user, including login names, passwords, and account numbers. It can also mine the user's computer for any stored personal data. Some spyware programs then silently report this information back to some source through a Trojan horse, or back door, on the user's computer.
Of the numerous spyware programs circulating on the Internet, one of the most famous is Gator. Gator has recently changed its name to Gator Advertising Information Network (GAIN). The company is notorious for its questionable business practices, especially what are called drive-by downloads. A drive-by download occurs when a piece of software is downloaded automatically, say when a pop-up window opens or during a normal banner display. The service that Gator openly offers is a digital wallet, an encrypted electronic store for usernames, identification names and numbers, passwords, and any other personal data that a user would need to enter on electronic forms (Edelman 2). The problem is that Gator also installs additional software called OfferCompanion, which reports personal information back to the Gator server. Another problem with Gator is that it is often bundled (piggybacked) with a different software application. When the user downloads the requested software, a trickler, a small install program, adds a run key to the Windows Registry; this allows the unwanted program to install itself silently and gradually every time Windows starts. Gator is bundled with many popular freeware programs like GotSmiley, WeatherBug, Precision Time, and Date Manager (Foistware 1). The Gator/GAIN website is below.
Gator has had many legal conflicts due to its poor business practices. The Interactive Advertising Bureau (IAB) declared that Gator's practices amounted to “malicious disparagement”, and Gator sued the IAB (Foistware 1). More recently, ten publishers, including The Washington Post, The New York Times, and Dow Jones, sued Gator. The June 2002 suit claimed that Gator stole revenue and violated their copyrights, and a temporary injunction was placed on Gator (Olsen Judge 1). The suit was confidentially settled in February 2003 (Olsen Web 1). Gator has obtained notoriety because it infringes upon major web publishing companies' business practices; however, many other spyware programs do not receive this much attention and thus go undetected.
An estimated 300,000+ spyware programs can steal data and give a hacker access to a user's computer, with an estimated 1,000 new variants being developed each week (Hulme 1). In June 2004, CNET reported that a new pop-up program installed spyware that logged keystrokes to steal passwords and usernames when users visited any of several major financial institutions, such as Citibank and Barclays Bank. The article specifically stated that although these financial institutions offer secure connections, the keystroke logging happens between the keyboard and the application, not between the user's browser and the financial institution. This means that the data is captured before it is encrypted, so the secure connection offers no protection against it. The article continues that Trojan horses, which it calls RATs (remote-access Trojan horses), are more of a threat than high-profile worms (Lemos 1). This is a model representation of the escalation of identity theft via cybercrime. Spyware, which seems like a simple annoyance to most people, is a very serious threat to our cyber security.
There are several freeware programs available to help combat the spyware and pop-up problems. I have switched to the Mozilla Firefox web browser, which I regard as a great improvement on Microsoft's Internet Explorer. Firefox offers a built-in pop-up blocker. Microsoft is currently offering a beta version of its anti-spyware tool, which is rumored to be included with the next version of Internet Explorer. There are also two other tools worth mentioning, Ad-Aware by Lavasoft and Spybot Search & Destroy. I have found both of these tools to be very effective in identifying and removing spyware from my personal computers. It is not that I am advocating these products; it is simply that I have found them to be helpful. I have included screen prints of both Ad-Aware and Spybot below.
Man in the Middle
The man-in-the-middle attack is another hack of great importance to identity theft. Due to ethical considerations, I cannot do an experimental demonstration of this type of cybercrime. To complete a scientific experiment I would need to intercept a secure session between a user and a server. This would be illegal and interpreted as malicious, so for this type of cybercrime I will simply explain the technique. For the explanation, we will assume that a two-way encrypted, secure online connection is being established between a user and a bank. We will call the user A and the bank B. Most secure online sessions use public-key cryptography to set up the session: each party sends the other its public key (or public key-exchange value) in the clear, and only the matching private key, which never leaves its owner, can complete the computation that yields the session key. The security of the session therefore depends entirely on each party receiving the genuine public key of the other. Generally, what happens is that the hacker intercepts the public keys as they are exchanged at the start of the session. When the bank (B) sends its public key toward the user (A), the hacker substitutes his own public key and passes that on to A; when the user (A) sends her public key toward the bank, the hacker substitutes his own public key again and passes that on to B. This allows the hacker to pose as the user (A) to the bank (B) and as the bank (B) to the user, hence the term man in the middle. The hacker now shares one session key with A and a different one with B, and can intercept and decipher everything that passes between them. The messages that A sends, encrypted under the key she shares with the hacker, are deciphered with the hacker's private key, read, re-encoded under the key the hacker shares with the bank (B), and forwarded on to the bank. The response messages that the bank (B) sends, encrypted under the key it shares with the hacker, are deciphered with the hacker's private key, read, re-encoded under the key the hacker shares with the user (A), and forwarded on to the user (A).
The difficult part of this type of attack is that neither the user (A) nor the bank (B) knows that someone is intercepting their messages; each side's session behaves exactly as if it were talking directly to the other. This means that any information transferred between the two parties during the transaction (i.e. usernames, passwords, account numbers, account balances, credit card numbers) is now in the hands of the hacker. Above is a diagram demonstrating the man-in-the-middle attack (Holden 53).
The Secure Sockets Layer (SSL) protocol, originally designed in 1994, was specifically designed to avert man-in-the-middle attacks using digital certificates: the server's public key is delivered inside a certificate signed by a certificate authority that the browser already trusts, so a public key substituted by an attacker fails the signature check. In 1996 the Internet Engineering Task Force (IETF) took the protocol over as an open standard, which it published in 1999 under the name Transport Layer Security (TLS). However, browsers hide the digital certificate information from the user and allow a certificate warning to be clicked through, thus continuing the ambiguity that the man-in-the-middle ordinarily enjoys. Garfinkel states that SSL/TLS does not protect against the attack when in “encrypt only mode with the SSL_DH_anon cipher suite. That is because this mode allows neither the server nor the client to authenticate each other” (Garfinkel 111); that anonymous mode is exactly the unauthenticated key exchange described above. Garfinkel also points out that SSL/TLS actually does little to protect against the most common and most difficult security problems, threats against clients and merchants (Garfinkel 112).
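The exchange described in the two passages above, first unauthenticated (the situation of the SSL_DH_anon suite) and then with the bank's key-exchange value signed by a long-term key whose public half A already trusts (the role a certificate plays), as an added example for this page rather than code from the thesis or from any real protocol implementation. It uses a Diffie-Hellman exchange with a toy 127-bit prime, a toy SHA-256-keystream cipher, and textbook RSA with small primes as B's identity key; all of these parameters are assumptions for the demonstration and would be unsafe in practice. The payload A sends is constructed.

```python
import hashlib
import secrets

# Toy parameters (assumptions for this demonstration only; real deployments use
# RFC 3526 groups or elliptic curves and a real certificate chain).
DH_P = 2**127 - 1          # prime modulus
DH_G = 5

RSA_P, RSA_Q = 2**31 - 1, 2**61 - 1                 # B's long-term identity key
RSA_N = RSA_P * RSA_Q
RSA_E = 65537                                      # public half, known to A in advance
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))  # private half, known only to B

SECRET = b"user=A;password=hunter2;acct=000123"    # constructed payload A sends to B


def dh_keypair():
    priv = secrets.randbelow(DH_P - 2) + 1
    return priv, pow(DH_G, priv, DH_P)


def dh_session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, DH_P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def stream_xor(key, data):
    # Toy stream cipher: SHA-256 keystream blocks; decryption is the same call.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _digest_mod_n(value):
    h = hashlib.sha256(value.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") % RSA_N


def sign(value):
    """B signs its DH public value with its long-term private key (textbook RSA)."""
    return pow(_digest_mod_n(value), RSA_D, RSA_N)


def verify(value, sig):
    """A checks the signature with B's long-term public key."""
    return pow(sig, RSA_E, RSA_N) == _digest_mod_n(value)


def run_exchange(authenticated, mallory_present):
    """Simulate A <-> B session setup, optionally with Mallory relaying both directions.
    Returns {"a_rejected": bool, "b_got_secret": bool, "mallory_read": bytes | None}."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()

    # B -> A: B's public value and B's signature over it. Mallory can swap the
    # value for her own but cannot produce B's signature over it.
    b_sig = sign(b_pub)
    pub_to_a, sig_to_a = (m_pub, b_sig) if mallory_present else (b_pub, b_sig)
    if authenticated and not verify(pub_to_a, sig_to_a):
        return {"a_rejected": True, "b_got_secret": False, "mallory_read": None}

    # A -> B: A's public value; Mallory substitutes hers again.
    pub_to_b = m_pub if mallory_present else a_pub

    a_key = dh_session_key(a_priv, pub_to_a)
    b_key = dh_session_key(b_priv, pub_to_b)

    ciphertext = stream_xor(a_key, SECRET)
    mallory_read = None
    if mallory_present:
        key_am = dh_session_key(m_priv, a_pub)   # key Mallory shares with A
        key_mb = dh_session_key(m_priv, b_pub)   # key Mallory shares with B
        mallory_read = stream_xor(key_am, ciphertext)        # decipher A's message
        ciphertext = stream_xor(key_mb, mallory_read)        # re-encode for B, forward
    b_got = stream_xor(b_key, ciphertext) == SECRET
    return {"a_rejected": False, "b_got_secret": b_got, "mallory_read": mallory_read}


if __name__ == "__main__":
    for auth in (False, True):
        print("authenticated" if auth else "anonymous", run_exchange(auth, mallory_present=True))
```

In the anonymous run with Mallory present, B still receives A's message intact and neither side sees an error, yet Mallory holds the plaintext; in the authenticated run, A rejects the substituted value because the signature does not verify over it, and no session key is ever derived. Holding B's public RSA key in advance is exactly what a certificate authority arranges for a browser, and a browser that lets the user dismiss a failed verification reintroduces the anonymous case.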
There are several programs readily available on the Internet for carrying out man-in-the-middle attacks. One common program used for this attack is Ettercap. A website explaining Ettercap and containing a link to a free download follows.
Notice that this program is a suite of tools specifically designed for man-in-the-middle attacks on local area networks (LANs): it redirects the traffic between two hosts on the same network segment through the attacker's machine, so the attacker must already have a foothold on that LAN. Ettercap even proclaims that it can dissect encrypted protocols. It is also available for most common computing platforms.
Another example of a program used for man-in-the-middle attacks is dsniff. It too claims to be a collection of tools for monitoring “interesting data” such as passwords, emails, and files. A website explaining its functionality and offering a link to a free download site follows.
The bottom line is that secure connections and public-key infrastructures (PKIs, such as those behind Pretty Good Privacy or SSL) have faults; besides being CPU intensive, they all have weaknesses that can be exploited by hackers (Holden 70). The best way to ensure that a secure connection is secure is to exchange or verify the keys through an independent channel, in person rather than over the same online connection, for example by comparing the key's fingerprint. This reduces the chance that a hacker can intercept the key information; however, that only covers external attack. It still does not protect against internal attacks, where the security breach comes from a trusted employee with access to confidential files.
Since the beginning of this project in the summer of 2003, there have been some new developments in the area of identity theft, most of which involve the FTC. As previously stated, the FTC was declared the federal clearinghouse for identity theft and, as such, was directed by Congress to issue rules implementing a number of new statutes to help combat identity theft and protect the privacy of consumers. Since the summer of 2003, the FTC has compiled new statistical data on identity theft. Where appropriate, I have revised the statistical data in this thesis according to the new statistics offered by the FTC. The current FTC data, nevertheless, only accounts for the cases reported to the FTC; it does not account for the cases that are handled by the individual, or the ones that are only reported locally and not nationally. It does, however, give a general idea of the prevalence and the rise of this crime. A chart from the FTC follows.
The dark gray is identity theft and the light gray is fraud complaints. The figures are, 123,162 for the year 2000, 200,953 for the year 2001, 356,072 for the year 2002, 518,814 for the year 2003, and 616,665 for the year 2004 (FTC in 2005 22).
The most profound impact of the FTC has been the FACT Act. The Fair and Accurate Credit Transactions Act was enacted December 4, 2003. This act was intended as an improvement on the Fair Credit Reporting Act, and it is expected to be completed in September 2005. When completed, it will comprise eighteen rules specifically designed to protect the privacy of consumers, improve the accuracy of credit reports, help the victims of identity theft, and help prevent identity theft. Ten of the eighteen rules have already been issued. The first is “Free Annual File Disclosures”, which means that the three major credit reporting agencies must provide consumers a free copy of their credit report once per year, upon request (FTC in 2005 12). The second is the creation of a National Fraud Alert System, which is designed to warn potential creditors to proceed with caution when granting a consumer credit, as the consumer may be a victim of identity theft. A third provision is that credit card receipts be truncated so that the entire credit card number is not visible on the receipt. A fourth provision works in concert with financial institutions to identify “red flags” that could reveal potential identity theft patterns. Three provisions of the FACT Act were designed specifically to help identity theft victims. The first of these is that once a victim has established that they are a victim, the credit reporting agencies must stop reporting the allegedly fraudulent information. Another provision requires businesses to provide copies of any fraudulent accounts or transactions, thus assisting the victim in proving that they are a victim of identity theft. The third provision allows consumers to report identity theft to both the creditors and the credit reporting agencies, instead of only to the credit reporting agencies (FTC Provisions 1).
Other rules issued by the FTC in the same period, under the separate CAN-SPAM Act, require that sexually explicit emails be identified as such in their subject line and define specific guidelines for what marks an email as commercial. Another rule in this group amends the Do Not Call Rule (FTC in 2005 26).
Other bills that influence cybercrime include the Internet Spyware (I-Spy) Prevention Act of 2004, which adds up to five years to the sentence of convicted perpetrators, on top of their original sentence, if they committed their crimes using spyware. It also provides that hackers who use spyware or phishing to steal personal information with the intent of misusing it, or who use spyware or phishing to compromise a computer's defenses, could face a sentence of up to two years in prison. The I-Spy bill also allocates ten million dollars to the Department of Justice to help combat both spyware and phishing attacks. Prior to the I-Spy bill, the House of Representatives approved a separate bill that imposes multimillion-dollar fines on spyware perpetrators (Spyware: An 1).
Another technological innovation is biometrics. Biometrics offers new technological advancements for positively identifying individuals. Biometric identification involves using biological information, such as a retinal scan, thumbprint, or DNA, to positively identify a person. While biometrics offers a new form of identification, there are several complications. If someone's credit card number is lost or stolen, then the old one can be canceled and a new one issued. Also, if a criminal gets hold of a victim's Social Security number, then that number (with great difficulty) can be changed. However, if a hacker gets hold of a victim's biometric data, that data cannot be changed. On this, Baase states, “Identity theft might become easier to prevent, but much worse for a victim when it occurs” (Baase 319). In addition, if the biometric data were used in a hack, it would be extremely difficult for the victim to prove their innocence. This is especially true if the victim has limited computer knowledge. There are also concerns about the ability of companies or government agencies to track our activities; the potential for privacy violations is great (Baase 320).
After reading this thesis, one may be petrified of becoming a victim of identity theft. That is not my intention. As with any crime, there is always a risk, but that does not mean one should not participate in ecommerce or any other activity in which one's identity could be stolen. Conscientious businesses are continually improving their security practices to ensure the safety and security of their customers. There are also several things that individuals can do to help secure their personal information. The most obvious are to use extreme caution when giving out personal information and never to give out personal information in response to an unsolicited request. A system/network administrator will never ask for your password, and they generally do not do system work on the weekend. Choose complex passwords of at least eight characters that include special characters and at least one change between upper- and lower-case letters. A bank will never send you an email asking you to confirm your personal information. No one will ever ask for your PIN. Nothing is ever free; an offer that seems too good to be true probably is. Do not give anyone your online banking information, i.e. your username, password, account number, and/or routing number. Do not carry your Social Security number in your wallet or purse, and do not allow anyone to display this information on an identification badge. Remember, most identity theft is committed through social engineering, coercing an individual into divulging their personal information, and this is the easiest for you to prevent. Check your credit report regularly, every three months is recommended, so that if you are a victim it is easier to rectify.
Identity theft will continue to be a major concern of law enforcement agencies both nationally and abroad for many years to come. National security has been of extreme importance since 9/11. Some of the terrorists carried false, but legally issued, American documents obtained via identity theft (Baase 64). With the anonymity of computers, the advancement and acceptance of ecommerce, and the wealth of information available on the Internet, cybercrime is an ideal venue for committing identity theft. Today's cyber-criminals are not stupid and should not be underestimated. National and even global definitions for both identity theft and cybercrime must be established in order to effectively quantify, combat, and prosecute these crimes. Technological advances and the legal connotations associated with white-collar crime make it difficult enough to prosecute offenders; without these universal definitions in place, perpetrators can easily hide within the ambiguity of the legal system. While the establishment of the FTC as the federal clearinghouse for identity theft is a great idea, there is a long way to go. The FACT Act provides that individuals can get their credit report free once a year; however, my research shows that individuals need to check their credit reports every three months. If an individual only checks their credit report once every twelve months, that potentially leaves eleven months for the identity theft to go undetected. In addition, my experience shows that the FTC is not working to its full potential. I was not informed about the FTC when I filed my identity theft report, and this calls into question the statistics that they provide on the reported cases of identity theft. Identity theft via cybercrime is not a crime that is going to disappear.
It is only through the cooperative efforts of businesses improving security, improvements in identification techniques, educating consumers, refining and standardizing definitions, and enacting and enforcing federal and global laws that we can hope to minimize the effects of and reduce the occurrences of identity theft via cybercrime.
adware. Podanoffsky, Mike. “Spyware, Maleware, Adware – Definitions.” ShareCube. 24 November 2004. March 2005 <http://www.sharecube.com/definitions.html>.
Baase, Sara. A Gift of Fire. Prentice Hall, New Jersey, 2003.
Campbell, Paul. Security+ Guide to Network Security Fundamentals. Cisco Learning Institute, Canada, 2003.
Delio, Michelle. “The Greatest Hacks of All Time.” Wired News. 6 February 2001. January 2005 <http://www.wired.com/news/technology/0,1282,41630,00.html>.
“Economic and High-Tech Crime Papers, Publications, Reports.” NW3C. June 2003.
Edmead, Mark T. “Social Engineering Attacks: What we can learn from Kevin Mitnick.” Information Security. 18 November 2002. January 2005 <http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci865450,00.html>.
Edelman, Benjamin. “Declaration of Benjamin G. Edelman.” June 2002. 30 March.
FBI. “FBI Law Enforcement Bulletin.” Federal Bureau of Investigation. 2002. July.
FBI2. “FBI Law Enforcement Bulletin.” Federal Bureau of Investigation. 2001. July 2003.
Federal Trade Commission. “Federal Trade Commission ID Theft Statistics.” July 2003. September 2003 <http://www.consumer.gov/idtheft/>.
Federal Trade Commission. “Provisions of New Fair and Accurate Credit Transactions Act Will Help Reduce Identity Theft and Help Victims Recover: FTC.” 15 June 2004. March.
Federal Trade Commission. “Prepared Statement of the Federal Trade Commission on Identity Theft and Social Security Numbers.” March 2005 <http://www.ftc.gov/os/testimony/040615idtheftssntest.pdf>.
Federal Trade Commission. “The FTC in 2005: Standing Up for Consumers and Competition.” 2 April 2005. March 2005 <http://www.ftc.gov/os/2005/04/0504abareportfinal.pdf>.
“Foistware/Spyware – Gator, OfferCompanion, Trickler, GAIN.” Cexx. 30 March 2005.
Garfinkel, Simson. Web Security, Privacy & Commerce. O'Reilly Media, CA, 2002.
Hoar, Sean B. “Identity Theft: The Crime of the New Millennium.” U.S. Department of
March 2001. August 2003.
Holden, Greg. Guide to Network Defense and Countermeasures. Thomson Course Technology, Canada, 2003.
Hulme, George. “Tiny, Evil Things.” InformationWeek. 26 April 2004. 28 March 2005 <http://www.informationweek.com/showArticle.jhtml?articleID=19200218>.
Lemos, Robert. “Pop-up program reads keystrokes, steals passwords.” CNET News.com. 29 June 2004. 30 March.
malware. Podanoffsky, Mike. “Spyware, Maleware, Adware – Definitions.” ShareCube. 24 November 2004. March 2005 <http://www.sharecube.com/definitions.html>.
Olsen, Stefanie. “Judge: See ya Later, Gator.” CNET News.com. 12 July 2002. 30 March 2005 <http://news.com.com/2100-1023-943515.html?tag=fd_top>.
Olsen, Stefanie. “Web publishers settle with Gator.” CNET News.com. 7 February 2003. 30 March.
phishing. 30 March 2005 <http://encyclopedia.thefreedictionary.com/Phishing>.
“The Testimony of an Ex-Hacker.” Frontline. PBS. 2 March 2000. January.
“Spyware: An Update.” Symantec. 19 October 2004. March.
Whitman, Michael E., et al. Information Security Lab Manual. Thomson Course Technology, Boston, 2006.
Jamsa, Kris. Hacker Proof: The Ultimate Guide to Network Security. Delmar Learning, Canada, 2002.
spyware. Podanoffsky, Mike. “Spyware, Maleware, Adware – Definitions.” ShareCube. 24 November 2004. March 2005 <http://www.sharecube.com/definitions.html>.