Caslon Analytics - Identity Crime profile
tools

This page considers electronic identity crime.

It covers -

  • introduction - the net as an enabler of offline identity theft and as the basis of electronic fraud
  • data mining - scraping online profiles and public registers for offline theft
  • email and other addresses - appropriation of email names by spammers and others
  • advance fee scams - the Nigerian 419 scam and other frauds
  • phishing and pharming - getting victims to tell you their identity details
  • spyware - or getting their machines to do the talking
  • cracking - breaking into a database (or merely buying records from an employee)
  • call centres

     introduction

Accounts of identity theft in recent mass media and in film or literature have centred on the exploits of 'hackers' - variously lauded or reviled - who are depicted as cleverly subverting corporate firewalls or other data protection defences to gain unauthorised access to credit card details, personnel records and other information.

Reality is more complicated, with electronic identity fraud taking a range of forms.

The impact of those forms is not necessarily quantifiable as a financial loss; it can involve intangible damage to reputation, time spent dealing with disinformation and exclusion from particular fora or services because a stolen name has been used improperly.

Overall we can consider electronic networks as

  • an enabler for identity theft, with the thief for example gaining information online for action offline
  • the basis for theft or other injury online.

Gary Marx's 1999 paper 'What's in a Name? Some Reflections on the Sociology of Anonymity' notes that identity and anonymity are features of social relationships rather than something that is integral to a person. His insights encapsulate research on anonymity and authenticity highlighted elsewhere on this site, such as the 2002 paper by Jack Edwards & Greg Scott on 'Traps, Pitfalls, Swindles, Lies, Doubts & Suspicions in Human-Computer Interaction: A Counter-Case for the Study of Good Etiquette' (PDF).

     data mining

A downside to the notion of the net as a universally-accessible global library and archive is that it potentially provides the malign with a rich source of personal information for identity theft. That information can be as basic as an email address. It can be as powerful as a detailed curriculum vitae (replete with phone numbers and residential address) or an official register.

Web publication of official registers of births, deaths and marriages has thus been welcomed by genealogists (and commercial vetting services) as a way of bringing people together or authenticating claims. Property registers similarly offer a transparency that is praised by some social theorists and real estate agents or insurers.

Electronic access to such data, outside the bounds of a government office, does however enable data mining by identity thieves. Why scour past newspapers for obituary notices when information can be sourced from an electronic register?

     email and other addresses

Some people have first encountered identity theft through appropriation of their email address or instant messaging service name, with a spammer for example using a name that appears on the web (on a personal or corporate site or in a web newsgroup archive) as a false identity in messages to people across the globe.

That theft is of concern because most of the online population has yet to recognise that email addresses are readily forged and thus assume that the owner of a stolen address has either authorised the message or has failed to maintain effective anti-virus protection and thereby allowed a spammer to propagate messages from a 'zombie' machine.

Appropriation of an address or online name is also of concern because it may result in blockage of legitimate communications from the owner of that name, in some instances forcing the unfortunate owner to acquire a new name. Some observers have criticised vigilante online spam filters for simply blocking names without proper investigation.

Name appropriation is not restricted to email addresses. Contacts in China have lamented that their online names in messaging services such as QQ and their avatars in gaming or other social networking spaces have been stolen, typically through surveillance while using a cybercafe. That theft poisons their online identity - the owner typically abandons the name/avatar - and can imperil online relationships.

     advance fee scams and other frauds

Traditional advance fee scams and other frauds have migrated onto the net, with organisations and individuals across the world receiving email that solicits their assistance in transfer of supposed illicit funds (typically from the estates of deposed dictators) or announces that the recipient has won a lottery.

Such messages involve two kinds of identity fraud. The '419' or 'Nigerian' advance fee scam - discussed in detail elsewhere on this site - both invites the recipient to supply contact/financial details and uses the identity of a real or fictitious person/organisation, such as Suha Arafat, Adnan Khashoggi, Laurent Kabila or UNICEF. Lottery scams typically invite the potential victim to supply information.

As with the provision of details in the 419 scam, responding signifies that the address is 'live' and the victim is willing. It also offers opportunities for ID theft and for sale of the address to spammers.

     phishing and pharming

Phishing involves attempts to fraudulently acquire sensitive information such as passwords and credit card details by masquerading in an email or instant message as a legitimate organisation (eg a bank) or individual (eg a system administrator) with a genuine need for that information. The message is generally underpinned by direction to a fake corporate site that invites the victim to enter the details - a process known as pharming - which can then be used by the thief to access the victim's account.

Phishing thus involves

  • appropriation of the organisation or individual's identity and
  • the victim providing information for the theft of the victim's identity

Like offline pretexting, it is a form of social engineering, which as noted earlier in this profile is easier and often more effective than dynamiting bank vaults or drilling through electronic firewalls. Why be a safecracker when the victim, if offered a plausible story, will hand you the keys to the safe?

Phishing typically is not directed only at customers of a particular institution and instead has the distribution characteristics of much spam. We have for example received requests to 'confirm' accounts in Australian and overseas financial institutions with which we have never had a relationship; the US Honeypot project notes that in 2004 around 54% of phishing emails in one survey purported to come from CitiBank.

Spam filter vendor Brightmail estimated that there were 3 billion phishing emails worldwide during April 2004. Christopher Abad's 2005 The economy of phishing: A survey of the operations of the phishing market paper and the 2006 Why Phishing Works (PDF) by Rachna Dhamija & Marti Hearst offer other statistics.

Responses to phishing have varied. It has been claimed that phishing cost US$1.2 billion in "damage" to US financial institutions in 2003 and that, more problematically, an estimated 10% or 19% of the adult US online population were credulous enough to click on a link in a phishing message despite warnings by government agencies and businesses that organisations do not ask people to confirm/update their details online. A supposed 3% reported actually entering sensitive personal or financial details.

The Australian Securities & Investments Commission reported in June 2005 that the number of complaints about phishing had doubled over the preceding year. The extent to which consumers are becoming more savvy is unclear.

     spyware

Some spyware - discussed in more detail elsewhere on this site - can be used for identity theft, in particular unauthorised collection and transmission from a personal computer of the user's personal information, such as bank account and credit card numbers.

It comprises 'malware' that is not knowingly installed by a user and that covertly supplies information to another party. That malware may get onto the machine when the user interacts with a service such as Kazaa, downloads a game or accesses other content.

A 2004 study by the National Cyber-Security Alliance claimed that 80% of surveyed users had some form of spyware, with 89% of infected users being unaware and an unsurprising 95% indicating that they had not given permission for installation. The extent to which spyware is being used for identity theft is uncertain.

     cracking

Film, fiction and much technology journalism have promoted the image of the intrepid/malign hacker bathed in a suitably unearthly blue light while breaking silently into a strongly secured corporate or database. In practice unauthorised access to personnel files and financial data is more prosaic. It generally takes three forms.

The first - arguably the least common in terms of serious impact - is an offender breaking through inadequate security protection on a corporate database or accessing an unprotected personal computer.

The extent of such access is contentious: some analysts argue that most breaches are undetected and that much unauthorised access to corporate facilities goes unreported because managers are loath to erode confidence in their activity/organisation or encourage further attacks.

Breaches of major corporate facilities - and belated admission that there may have been unauthorised access to over 40 million files in some instances - have led critics to call for mandatory standards for data protection, with substantial penalties by corporate regulators and compensation to individuals whose data may have been exposed.

Other analysts, including government auditors such as Australia's ANAO, note that loss of laptops - including devices with extensive unencrypted sensitive data collections - is an ongoing problem for organisations in the defence, financial services and health sectors.

A second form of access involves misbehaviour by an organisation's staff or contractors, rather than outsiders.

Within the Australian federal government, for example, one contractor in the Department of Finance & Administration used a colleague's name and passwords to remove $8.7 million, subsequently using the identities of other colleagues in an unsuccessful effort to obscure the audit trail. A more humble employee in Centrelink stole the identities of pensioners, generating benefit cards that were then used to withdraw cash from automatic teller machines.

Some thieves have simply bought paper and electronic versions of databases from employees, with AOL for example experiencing a major security breach after one staffer sold several million files.

A third - and perhaps most surprising - form of access is through corporate loss of records in transit.

2005 for example saw admission by major US financial institutions that they had recurrently misplaced computer tapes during shipment across the country; those tapes were not encrypted and contained millions of files. It is unclear whether the records were stolen or simply ended up in a dumpster as unrecognised trash. However it is alarming to think that major organisations are so cavalier about customer data and that regulators have been so slow in detecting and preventing such losses.

     call centres

Offshoring of data processing and the emergence of large-scale call centres have raised concerns about theft of consumer bank account, credit card and other information.

Media coverage has centred on incidents in India, highlighted in the note on data losses, but in practice it is clear that some abuses are occurring in the UK, US and other locations. Theft of information handled by data centres reflects poor management, employee turnover, the scale of data and opportunity, and poor remuneration of call centre employees.

In 2004 for example a NatWest call centre worker in the UK supplied a gang with the bank details of comedian Ricky Gervais. The thieves were subsequently caught using Gervais' account to buy £200,000 of gold bullion. An employee of US payment intermediary iBill is believed to have been involved in release of 17 million customer records; an employee of major US payment processor Fidelity National Information Services improperly sold 2.3 million consumer records to an unidentified data broker.







 

version of September 2007
© Bruce Arnold 1997-2026
caslon.com.au | caslon analytics