Worried about identity theft? This guide from MessageLabs should help.
MESSAGELABS END USER IT SECURITY GUIDE
National Identity Fraud Prevention Week
ONLINE IDENTITY THEFT: RECOGNITION, PREVENTION, PROTECTION
CONTENTS
WHAT IS ONLINE IDENTITY THEFT?
IDENTIFYING THE DANGERS
SOME TYPICAL STORIES
THWARTING THE THREAT - DO'S AND DON'TS
FURTHER READING
WHAT IS ONLINE IDENTITY THEFT?
Identity theft is as old as history. But the Internet has given it a new lease of life. Exploiting the anonymity inherent in email, instant messaging (IM) and web-based communication, online identity theft involves fraudulently gathering confidential information from the vast data pool that the virtual world has become. The information can then be used to the thief's gain - and the victim's loss. The different ways this can happen are almost limitless. But the key to combating it is always the same - developing the knowledge and awareness that enable you to make the right decisions whenever using the Internet. This guide highlights the key dangers. But it also suggests practical measures you can take to protect yourself and your company from a crime whose devastating potential - in terms of destroying corporate balance sheets and individual careers - should not be underestimated.
In 2007, the UK's Fraud Prevention Service CIFAS identified over 65,000 victims of identity theft. So how could so many people be so careless or gullible? Quite simply, identity thieves (including those plying their 'trade' online) exploit basic psychology. Thanks to nature and nurture, a part of us wants to be open, co-operative and trustful. And that part can prompt us to divulge confidential information about ourselves or our organisations when we're online, without really knowing who we're sharing it with or who may ultimately end up in possession of that data. Everyone is a potential target - from the most senior to the most junior employee. The 'bad guys' know they just need to pinpoint one weak link, one slight chink and an organisation's entire edifice of confidentiality can start to unravel.
So who exactly are these 'bad guys'? Increasingly, they are well-organised, highly professional international gangs who inhabit a shadowy, multi-billion-dollar world of online crime - a world that now outstrips the global drugs trade in scale. Typically operating beyond the reach of law and order, these gangs devote enormous resources to identifying weak points in defences and developing ingenious ways of feeding the huge online black market in company and personal information that now exists.
Despite its 'virtual' nature, online identity theft is far from a victimless crime.
It impacts on organisations:
- Stolen data can be used to access or take over bank accounts, or open new ones.
- Corporate reputation and customer/investor relations may be irreparably harmed.
- Credit ratings may be affected.
- A company's registered details may even be changed without its knowledge.
It impacts on individual employees:
- Since it can lead to financial loss, profit erosion and lost orders, online identity theft may ultimately result in lower salaries etc.
- Employees found responsible for leaking confidential information online may find their own careers compromised.
Alert IT departments, effective email/web security systems and fit-for-purpose acceptable use policies can only be part of the solution. In the final analysis, it is the awareness and vigilance of individual employees that will decide whether a company maintains the integrity of its key data. And the 'bad guys' know it.
IDENTIFYING THE DANGERS
'Phishing' involves sending out an email that fools the recipient into thinking it comes from their bank or another financial institution. Duped by the email's realistic appearance - right down to the logo and sender name - the recipient is directed to a website where they are asked to update or confirm account information (account number, password etc). But the website too is bogus. Sensitive data and unhindered bank account access have been delivered straight into the hands of cyber-criminals - even though no real bank would ask a customer to confirm their account or login details in an email. Although there has been a decline in 'spear phishing' (where an externally spoofed email purporting to come from an internal source is delivered to a recipient in a specific company), sophisticated phishing scams are still targeting the business sector. Phishers are devising increasingly clever ways of cloning the pages of companies' bank accounts to capture their user verification data.
A targeted trojan is a computer virus designed to infiltrate a particular company, access sensitive data and leak it out to an external controller. Once it has installed itself, the trojan may await a chance to log the keystrokes used during the two-factor authentication that protects business bank accounts. Or it may hook into the computer's web browser, let its victim complete authentication on a banking website and then turn the session over to the external controller. Consummate industrial espionage weapons, targeted trojans are also well-suited to pilfering confidential data on products, services and customers. Targeted trojans may lurk in unsolicited emails ('spam') or wait for the victim to download infected software or toolbars from a rogue website. Often they are embedded in an email attachment apparently from a trustworthy source - a supplier perhaps, or the victim's CEO or Finance Director. The email title will aim to defuse any doubts about authenticity: 'Customer Feedback', 'Invoice Attached', 'Financial Data' etc. So the victim downloads the attachment and the trojan installs itself, quietly and surreptitiously.
A common online scam with a strong element of identity theft is so-called advance fee fraud - also known as 419 scams in reference to the relevant section in Nigeria's penal code (many of these frauds originate in West Africa). Advance fee fraud is usually initiated by automatically distributed spam. Sometimes the initial email simply aims to hook the recipient's interest and stimulate ongoing dialogue. But sometimes the first message gets straight to the point - the recipient is promised a chance to make big money in return for a small upfront investment. Anyone seduced by this illusory bonanza not only stands to lose their investment. They may get sucked into a murky underworld of criminal activity where their personal safety is at risk. Fraudulent cheques are a central component in many advance fee frauds. So too are attempts to persuade the victim to forward their bank details on the pretence that they will be wired some money - but really so that the scammers can siphon funds out of the account. Other personal details handed over during the scam are also highly likely to be abused, e.g. in forging passports or opening false bank accounts.
SOCIAL ENGINEERING, SOCIAL NETWORKING
Social engineering has become part and parcel of the identity thief's art. The better targeted the email they send out, the more convincing it will be - and the greater the chance that their victim will allow their guard to slip. The problem is, such social engineering requires only small nuggets of information to be effective and breach corporate defences. Information is the oxygen of online identity theft. And the internet is teeming with it. Take a company's website or Annual Report. The 'bad guys' can use public-domain data about Board Members, for example, to impersonate genuine people and spoof identities, maximising the probability of persuading a victim to send them restricted data that they would never dream of divulging to an outsider. Today's informal world of blogging and social networking poses another key source of danger. Around half of UK web users now use sites such as Facebook, MySpace and LinkedIn to exchange details about themselves, their lives and their jobs - just the kind of data that 'bad guys' hiding behind assumed identities are keen to access. In a survey carried out by Get Safe Online in November 2007, no less than 25% of social networkers admitted to posting their contact details or date of birth on their online profiles. The simple truth is that, on the Internet, anyone can pretend to be anyone. Moreover, the Internet has blurred the line between home and work to an unprecedented degree. Any information posted online anywhere, by anyone for any reason, could be harvested as a potential identity theft weapon against individuals or against businesses large or small.
WiFi has revolutionised the way we use the Internet. But it can create significant risks in terms of online identity theft. Unsecured systems and unencrypted communications give criminals a golden opportunity to hijack computers and steal information. 'Bad guys' also target public WiFi hotspots in airports, hotels, railway stations etc. In some cases, fake WiFi routers and interfaces obtain victims' user or credit card details; in others, a memory stick or computer disk accidentally left behind at a public hotspot can provide a criminal with a bountiful harvest of confidential data.
SOME TYPICAL STORIES
. For research purposes, MessageLabs' Chief Security Analyst created a Hotmail account using a colleague's name. Using this spoof identity, he easily secured sensitive commercial and personal information from a range of email correspondents.
. A MessageLabs Senior Analyst exploring 419 scams replied to spam emails and was 'rewarded' with an authentic-looking cheque for $78,000. He was directed to deposit the cheque, keep 10% and wire the balance to Hong Kong. Had he done so, the cheque would have bounced and he would have lost over $70,000.
. MessageLabs knows of many cases where auction website accounts have been hijacked, and where phishing emails claiming to be from online payment portals have aimed to steal users' login names and passwords.
. A professional footballer recorded in his blog that he was training with a rival team. His club found out and sacked him - demonstrating just how difficult it is to control access to information once it has been posted on the Internet.
. Similarly, a company employee posted photos of himself in the pub on his social networking profile - when he claimed to be absent from work ill. He lost his job.
. As a research exercise, IT security company Sophos set up a Facebook profile for a plastic frog. 82 people replied to Friend Requests and handed over personal information of potential value to cyber-criminals.
. Also as a research exercise, the BBC deployed a program to collect personal data from Facebook users, who believed the program to be a harmless application - just like thousands of tests, quizzes, jokes etc already available on the Internet.
THWARTING THE THREAT - DO'S AND DON'TS
The key to preventing online identity theft lies in informed decision-making. It requires a recognition of the risks involved in broadcasting personal and other sensitive information over the Internet, at work or at home. It also demands an instinctive scepticism whenever you're asked to provide information online - for instance, if you're emailed by someone you haven't communicated with for several years. Above all, it means going through a mental checklist every time you're online and never dropping your guard. Who is communicating with you? Are you sure they are who they say they are - or do you need to check (e.g. by phoning them)? Are they authorised to ask for the data they are requesting? Would you be happy for the information you're sending by email or IM, or posting on a website, to fall into anyone's hands? What damage could it do - to you or your company - if the wrong people accessed it?
Five Key 'Do's'
. DO check the identity of anyone requesting confidential data from you online.
. DO think very carefully before submitting any personal information online.
. DO check the privacy policy of any website where you submit personal data - if it doesn't have a clear and comprehensive policy, don't submit.
. DO choose passwords that are unique mixtures of letters and numbers and remember to change them regularly.
. DO dispose of data securely, whether in paper or electronic form (including back-up files and hard drives).
Five Key 'Don'ts'
. DON'T click on email attachments unless you're absolutely sure who sent them.
. DON'T click on links to websites whose legitimacy you have any doubts about.
. DON'T respond to emails asking you to update or confirm account IDs, PINs or passwords.
. DON'T include key personal or company information in social networking profiles (e.g. real date of birth).
. DON'T work on sensitive or highly confidential material in public WiFi hotspots.
Please note the above lists are by no means exhaustive. Consult your IT Department or MessageLabs for further guidance.
FURTHER READING
We hope you find this MessageLabs guide a valuable source of information and advice about online identity theft. You may also be interested in the following:
. 'The Online Shadow Economy', Maksym Schipka, Senior Architect, MessageLabs; MessageLabs White Paper downloadable at www.messagelabs.co.uk
. 'Targeted Trojans: A New Online Threat to Businesses', Mark Sunner, Chief Security Analyst, MessageLabs; MessageLabs White Paper downloadable at www.messagelabs.co.uk
. 'Online Social Networking - The Employer's Dilemma'; a White Paper produced by Shoosmiths Solicitors and MessageLabs downloadable at www.messagelabs.co.uk
. 'Social Networkers and Wireless Networks Users Provide "Rich Pickings" for Criminals'; summary of Get Safe Online survey downloadable at www.getsafeonline.org
. 'He Bit into Some Nigerian Spam - To Fight It'; summary of MessageLabs investigation into 419 scams downloadable at www.sfgate.com
. 'Sophos Facebook ID Probe Shows 41% of Users Happy to Reveal All to Potential Identity Thieves'; downloadable at www.sophos.com
. 'Identity "At Risk" on Facebook'; summary of BBC investigation downloadable at news.bbc.co.uk