Identity Theft & Prevention

Identity theft occurs by one of two means: technical and non-technical schemes. The non-technical variety of theft has been employed by criminals for years and years but thankfully many structural precautions have been put in place to avoid this “low hanging fruit” for thieves. (Remember when receipts printed out your entire credit card number—not just the last four digits?)

However, basic methods of identity theft remain prolific:

• Mail Theft & Dumpster Diving These occur when someone targets your mail or trash to obtain items with pertinent information such as bank statements and credit card offers. Most people don’t realize that thieves are most interested in your outgoing mail. It is the easiest, fastest, and most productive way for them to obtain personal information on a range of forms, applications, and checks!
• Theft of Personal Items When a wallet or purse is stolen or a vehicle broken into, thieves instantly have access to loads of personal information. (Never carry your social security card in a wallet or purse!). Enough said here.
• The Old Fashioned Scam This one is trickier and requires some finesse. The movie Now You See Me about bank robbing magicians comes to mind. There is a scene where, in casual conversation, the con artists deftly learn the “first pet” and “mother’s maiden name” of a high net worth individual. I would not give the entire movie high marks, but this dialogue was quite clever. If people you don’t know well are asking you these types of questions, beware—they are the standard forgot your password questions—though a clever con artist will disguise them as a stroll down memory lane or some distant cousin once-removed farce.

The technological schemes are more complex and always evolving, thus enabling the perpetrators of identity theft to victimize approximately 15 million people annually in the United States alone. Here are some of the most prolific and profitable scams:

• Skimming A skimmer is a small portable device that scans a credit/debit card and stores the information contained on the magnetic strip. Skimming frequently takes place during legitimate business transactions. (Example: at restaurants where it is common for the server to take your form of payment away to complete the transaction). The skimmer captures your information in seconds to be used by the thief or sold to other criminals. A skimming device can also be attached to gas pay stations or ATMs—if something looks out of place, do not swipe your card.
• Pretext & Social Engineering Think of Sun Tzu’s Art of War principle: all warfare is based on deception. Behind every successful social engineering attack is a good pretext. Pretext is the art of manipulating people so that they disclose confidential information. These attacks vary widely in planning, detail, aim and target (compare the Nigerian prince who emails you needing your bank account details to the 2012 Verizon breach by which a “third party marketer” obtained three million customer records), but at the individual level, these types of incidents typically incorporate a scenario in which 1) there is a problem and you need to “verify” some information, 2) you are a winner and must provide banking information so they can wire you the “prize,” 3) the message asks for help, preying on your kindness and generosity. When you are contacted, the caller will already know your name and certain (perhaps many) details about you, making their story (pretext) very plausible. Do not give any information away over the phone or via email. Ask for their contact details. Hang up. Verify everything before revealing anything.

Pharming Takes place when a hacker tampers with a website host file or domain name system so that URL address requests are rerouted to a fake or spoofed website created by the hacker to capture personal identifying information from victims. The victim then thinks that they are on a trusted website, and are more willing to enter their personal information, such as credit card numbers, social security numbers, and addresses. The hacker then uses that information to commit identity theft.

Search Engine Phishing This type of phishing occurs when thieves create websites that contain “too good to be true” offers, services, or other incentives. The website is legitimately indexed into search engines like Yahoo and Google so that during the normal course of searching for products or services individuals see these offers. Once you access the website you are enticed to give up your personal information in order to take advantage of the offer being given.

An example might look like this: you are purchasing a fairly high priced item over the internet—perhaps an electronic device—and you find a website that has a much lower price. You may be tempted to purchase this item at a lower price because you do not realize that you are accessing a fake website. The schemer is just trying to obtain credit card/debit card information from individuals.

Malware Based Phishing This scheme occurs when the thief attaches a harmful computer program made to look helpful onto emails, websites, and other electronic documents on the Internet. This type of computer program is called malware. The malware uses key loggers and screen loggers to record your keyboard strokes and sites that you visit on the Internet. The malware sends the information to the schemer who is located at another location using an Internet terminal.

An example of this type of phishing is an email from MacKeeper (which is malware) or disguised as coming from Norton Anti-Virus. The message prompts you to install an update to increase your computer security. When you download the ‘supposed update’ you have really just downloaded malware.

RFID Scanners RFID-enabled credit card data can be undetectably stolen and used for fraudulent transactions. Since this type of theft gained much attention in 2012, many credit card issuers have implemented precautions (so that the CCV code does not transmit). And RFID scanners now require closer proximity to be effective. However, there are still plenty of on-line merchants who only require a credit card number and expiration date to complete a transaction.

Cloning When it comes to cloning credit cards, there are several options for thieves, and they are not hard to come by. A quick Google search revealed hacking forums where people – who refer to themselves by their inmate number– openly discussed these questions. In the U.S., credit card information is stored in a binary format on the magnetic strip at the back of the credit card. Thieves use a magnetizing tool to copy this digital information onto a fake credit card, much as you would copy information from a computer to a USB stick. Similar technology enables them to copy the physical characteristics of the card, complete with credit card number, name and CVV code as well. Hackers, of course, are aware of U.S. card vulnerability (European and Asian card security is more advanced and difficult to breach). Experts believe overseas hackers orchestrated the recent theft of millions of credit card records from Target, highlighting the fact that weak security technology in the U.S. is attracting worldwide hacker attention to U.S. cards.

Unsettling isn’t it? Stay tuned to the conclusion of this series next week with ideas and advice on how to prevent and protect your personal information.