Identity Theft

Your identity is at risk

Vinita Gupta talks about identity theft, the techniques used for the same and what organization, users and technology can do to prevent it

Recently a security solutions provider, Trend Micro, received a phone call from someone claiming he were from the Ireland office working as a contractor and that he needed the contact list for the North American office, but the e- mail system was down so he couldn’t access the address book. This person asked Trend Micro’s receptionist to fax a copy across and even had some basic information like Trend Micro’s CFO’s name, etc., to try and sound official. Luckily, working for Trend Micro had made the receptionist security conscious and aware of the risk factor, the receptionist flagged the incident and no information was given out.

Other companies may well have fallen for this type of con job, Criminals will try to gather as much information as they can so that each subsequent person they speak to will be more confident of the validity of their request until they can get the information that they require—user names, passwords, etc.

Identity theft, also known as ID theft, is defined as access to personal confidential information through the Internet or by physical means leading, in turn, to fraud. ID theft may be used to facilitate crimes including financial misappropriation, illegal immigration, terrorism, and espionage.

ID theft tops the Federal Trade Commission’s (FTC) Annual List of Top Consumer Complaints. Of 813,899 total complaints received in 2007, 258,427, or 32%, were related to identity theft.

Methods and techniques used

The commonly used techniques involved in ID theft are broadly software codes that access a computer on the network to access a database containing vital information. Organized crime groups mostly target high profile and important users of organizations and businesses. The most prevalent methods to steal information are through phishing malware, spam, and hacking. In fact, phishing is the Internet’s biggest identity theft scam and is widely prevalent in India and has emerged as the primary method used by e-criminals to extract identities.

Most incidences of identity theft involve using blended software programs that combine the characteristics of viruses, worms, Trojan Horses, and malicious code that can easily bypass point solutions, firewalls, and other traditional technology defenses. Blocked at one entry point, an attacker may simply enter unnoticed through other points.

It is a known fact that most shared computers, including those at Internet cafes, international airports and 5-star hotels have key-logging software loaded on them by individuals with malicious intent on their mind, and if you log into your bank account using one of those computers then that person or persons gets access to the information to compromise your account.

Digvijaysinh Chudasama, VP-Sales, Cyberoam (India) said, “ID thefts use the technique of blended threats using an advanced paradigm of attack methodology—that of the new insider threat. For example, through the use of malicious Trojan horse programs, a remote hacker can essentially act as an insider threat, operating at will within a compromised system.”

Vikas Desai, Lead Technology Consultant, India and SAARC, RSA, revealed that ID theft can happen at various places as the ID information travels. The information can be stolen when in motion, when at rest or when in use. For example, the credit details could be stolen physically like when a wallet is stolen containing the credit card or can be stolen from a vendor database holding the credit card information in non encrypted format or electronically over the Net when transacting online. “While a criminal once could bribe waiters at restaurants to obtain dozens of credit card numbers over the course of a week, that same criminal could get thousands of credit card numbers in just a few hours by launching a phishing scam. The whole velocity of working at Internet speed is the difference,” pointed out Desai.

There are two types of ID thefts—physical and online. Sometimes a thief takes over the complete ID and sometimes they just access it. “Hackers are getting sophisticated, for instance if you are spending a large amount by using credit card then these hackers will only steal small amounts of money so that users do not know about it. Even many banks do not know that their customers are been hacked. This kind of hacking has not yet come to India but it will follow soon,” said Shekhar Kirani, Vice-president, VeriSign India.

Need for caution

The prevalence of ID theft is highest amongst IT/ITeS companies and in the financial sector. However, this does not rule out the growing cyber fraud menace in other industry segments, especially biotech, pharma, and FMCG where information on pricing, costing, and R&D are extremely critical and at high risk of theft.

It is vital that organizations safeguard their customer and user information by implementing adequate counter measures that will mitigate the risk. These counter measures starts from physical security all the way to encrypting the data on the storage devices where the information is stored.

Organizations need to be careful when granting access to every employee. They need to study business justifications carefully before doing so. Furthermore, lockdown of desktops should be a good practice to allow employees to do whatever they need to do for their day-to-day responsibilities. Anything above that should be handled by the IT department.

Venu Palakirti, Sales Director, India and SAARC Region, F-secure said, “I have seen that financial institutions are doing a lot to create awareness amongst users about ID thefts. It is also constantly communicated to users how they should safeguard their accounts and personal information. These institutions have also done their part with implementing stronger security controls such as two-factor authentication, and browsers today are more capable in detecting if the Web site you are visiting is a phishing site or not.”

Greg Boyle, APAC Small and Mid-sized Regional Product Marketing Manager, Trend Micro, stated that over 40% of SMBs in APAC region have a mobile workforce with their users frequently working from outside the relative safety of the corporate network. These users need a higher level of security when roaming, but an IT administrator cannot rely on them to change their settings, so a solution that can recognize the location of the user and adjust itself automatically is a huge plus.

Source: Trend Micro

Rakesh Singh, Vice-president, Products and MD, Citrix R&D India, said, “For organizations, security is everyone’s problem—the internal staff, external customers, suppliers or partners. They must be made aware of their responsibilities, even for simple things such as ensuring that their passwords do not fall into the wrong hands.”

Vishal Gupta, CEO, Seclore Technologies revealed that the most obvious vulnerability points for financial service providers are wherever this kind of information is leaving the organization i.e. physically when the details are sent to the customer, or when such details are sent to a third party like a credit rating agency or an outsourcing company for the purpose of credit card embossing or statement printing.

Users should be cautious about formulating the right password and using it. “They should not use too many passwords but make use of just one complex password (alpha-numeric with more than eight characters). Identity and access management helps organizations to provide their employees safe access to the Internet by protecting them from malicious and dangerous Web sites,” added Surendra Singh, Regional Director, SAARC & India, Websense.

The technology’s in place

An anti-virus software will protect you from Trojans and backdoors that are capable of stealing personal information, but the best solution for this is not technical rather it is awareness and education to the end-user. Somewhere somehow someone will still be a victim of ID theft. End-users must be careful of what they throw in their dustbins and they should securely delete their personal data from their previously owned computer and mobile equipment before disposing them, and so on.

“There has been an unprecedented rise in financial crime, both in sheer numbers and in terms of ingenuity and sophistication. What’s interesting is that the nature of sophistication is not necessarily through the use of latest technology, but through non-technical methods using social engineering. Hackers will use simple expedients to crack complicated security measures. They always exploit social weaknesses in people to extract personal information. The answer lies in simple education and awareness,” said Raghu Raman, CEO, Mahindra Special Services Group.

There is an acute need for a solution that is able to identify the actual user rather than just the IP address of the machine. Or, in other words, there is a need to control and track user behaviour so that any insider threat arising out of ignorance or malicious intent can be controlled with instant corrective actions. UTMs have now gone a step ahead and integrated identity controls in its solution that traces the attack route right up till the actual user and not just till the IP address of the machine. It is an added advantage in tackling ID theft.

The BFSI sector should have proper technology in place like fraud detection technology, so that the banks comes to know when there is any change in their customers’ credit card usage and if there is, they can call and confirm with the users, and in case the card is lost or the customer is not using it they can immediately block the credit card.

Guillaume Lovet, EMEA Threat Response Leader, Fortinet asserted that consolidated network security solutions that include anti-spam and Web content filtering security functions provide an effective first line of defence, because they are designed to protect against both blended threats and more traditional forms of hacking, including spam, spyware or phishing. However, the best form of security is layered defence—that is, deploying multiple layers of security, such as a UTM device at the gateway, anti-virus and personal firewall software on the desktops and laptops, and anti-spam on the mail servers. For example, anti-phishing mechanisms on the browser and e-mail client are now widely available, and should be used. Often all it takes is to ensure that the latest version of the Internet software is rolled out on all desktops and notebooks.

According to Joe Gare, Compliance Specialist, APAC and Japan, Quest Software, the most important thing is for users to be aware of what they’re doing online and the threats that lie in wait upon the Internet. This can be made easier by users saving their bank’s Web site address in their ‘favorites’ folder. From an IT perspective, keeping all security software (including anti-virus, anti-spam, anti-spyware, adware defenses and firewalls), as well as the operating system, up-to-date will help minimize risks.

ID theft is on rise and there is no one solution to completely protect oneself against all kinds of thefts. What is required is a strategy to be adopted by an organization or user, which can help address the various channels of data loss or theft.

vinita.gupta@expressindia.com