Skip to main content

Featured

What Motivates Young Cybercriminals?

In the world of cybercrimes, the majority of cybercriminals always seek financial gain, but this is not the primary motivation. Aside from the advanced sophistication of state-sponsored incidences, the young cybercriminal venturing into the dark side boils down to their ego. Adolescent criminals seek out recognition among their peers eager for a sense of success in an effort to prove themselves.

Many seek out popularity within internet hacking communities driven by a feeling of accomplishment they compromised a target. This provides them with a rush, a demeanor to develop their skills further becoming tragically involved with organized crime immersed in their addictive and dangerous sphere of influence.

Others find inadequate employment opportunities and thus are lured into the dark side to learn a skill as a matter of survival by participating in online hacking groups. They are easy prey for organized crime and state-sponsored groups to recruit indoctrinating them into …

Understanding Identity Theft


Identity theft is currently the fastest growing crime in the United States and throughout the world. The Federal Trade Commission estimates millions of Americans were victims of some kind of identity theft in the past five years. The actual cost of identity theft is complex and involves much more than the dollars lost. For example, if a thief gains access to your checking account, you may lose, at least temporarily, the money in that bank account. In the meantime, legitimate checks could bounce due to lack of funds. You may have to request a waiver of bounced check fees from each payee individually, with no guarantee of success.

And what price tag goes along with the time and effort the victim must spend repairing the damage? Victims spend an average of 12 hours resolving identity fraud incidents. Is it fair to say that each victim has “lost” at least a dollar amount equal to his or her regular wage for the number of hours spent correcting the problems caused by the fraud?

Victims whose personal information is used to create new accounts could face months or years of clean-up with creditors and the credit reporting agencies. During this time, the victim’s credit file and credit score might reflect delinquent accounts or other harmful items, and if the timing is especially dangerous, the issues related to the theft could derail legitimate financial plans, like the purchase of a home. For those victims, the cost regarding anguish is impossible to quantify.

We all pay the price

How much is lost in the end varies from victim to victim and causes billions of dollars in losses for financial institutions and businesses as well? We all pay the price
In a current 2015 ITRC report to date, significant data breaches of identity theft increased substantially, and the most significant increase was with healthcare exposing approximately 120M records followed by government breaches with 28M records compromised. The trend is escalating with personal records being disclosed or published have already been reported in 2014 making it the most common consumer and business complaint in the U.S.

The Types of Schemes Commonly Used

Identity theft begins when someone takes your personally identifiable information (PII) or protected health information (PHI) such as your name, Social Security Number, date of birth, your mother’s maiden name, your address and health information to use it, without your knowledge or permission, for their personal financial gain.

There are several different types of schemes identity criminals use and can range from non-technological to technological schemes. The following is a listing of just some of the most common methods of identity criminals have been known to use to obtain your personally identifiable information.





Non-Technological

Dumpster Diving
Dumpster diving occurs when someone goes through someone else’s garbage to obtain PII off items found in the trash, such as credit card bills, utility bills, medical insurance, and bank statements.
To protect yourself, you should shred everything before disposing of it with a cross-cut paper shredder. Another method to use is to go paperless by receiving statements and making your payments online. Keep track of your credit report and report any discrepancies to your credit card company and credit bureaus.

Stealing Personal Items
Identity thieves can also obtain your personal information by taking your wallet or purse. When this occurs immediately contact credit card companies, bank and credit bureaus to let them know of your situation.

To secure wallets or purses, women should make sure their purses are closed and secure at all times. Carry the purse close your body with the bag in front so you can keep it within your sight. Men should button up the back pocket where their wallet is located if it has a button. If not, place in the front pocket and stay vigilant and aware of your surroundings.
Always limit the amount of personal information you carry with you. Do not carry your Social Security Number card and limit the number of credit cards you carry. Remove old deposit slips, blank checks, and any information that carries your login and password information. Some states allow you to disclose your social security number on your driver’s license or state ID. Do make sure you remove this information and re-issue these identification documents.

Social Engineering
Social engineering is the practice of someone either in person, over the telephone, or computer uses means to deceive someone else into divulging sensitive information. Usually, social engineers know some information that leads the victim to believe they are legitimate and give the information asked. Social engineering is commonly known as a con game and is perpetrated by con-men.

To prevent this, stay diligent and NEVER give out any personal information to anyone you do not know. If in doubt, do not be afraid to obtain the person’s contact number and let know that you will call back. Do not trust anyone and always verify the person’s identification. Also, check with others or confirm with the company the person is representing that such information is actually needed.

Mail Theft
Mail theft occurs when someone targets your mailbox and removes mail that has pertinent information on it. As in dumpster diving, a thief can take your credit card bills, bank statements; anything that can be used to steal your identity. At times, identity theft criminals have been known to re-route your mail without your knowledge or permission by submitting a change of address to the post office.

To protect yourself, you should monitor your mail. If you suspect that someone has been taking letters out of your mailbox, contact the post office immediately. Other steps can be made to protect yourself. For example, do not leave your mail in the box for extended periods. Use a locking mailbox if possible, or rent it at the post office.

Shoulder Surfing
This attack may occur anytime you use a password or a device that stores PIN numbers, such as at an ATM. The identity thief attempts to get close enough to you so that when you enter password information, such as a PIN number, the thief records the password. Although this can typically occur in a public setting, where the victim is, and their credentials are in plain sight, it may also occur through a video camera set up by the criminal.

To prevent this from happening, you should pay attention to your surroundings when you are accessing any accounts that require you to enter a password or PIN in public. If someone stands too close to you, do not be afraid to ask the person to move back. If they are not willing to do so allow the person to go first and walk away. If you do not feel safe, try using another machine particularly one inside of a bank that employs numerous surveillance cameras in addition to using a teller to conduct the transaction. Another method you can use is to try to pay cash for your purchases or use a pre-paid credit card.

Do not write down your passwords where someone can find them such as your wallet or purse. Also, take advantage of credit reports which will help you analyze whether anyone has stolen your identity to access your bank accounts.

Technological Schemes

Credit card fraud is an element of identity fraud and it has far-reaching effects since the information on the card can be used to perpetrate other types of identity theft crimes. From using the signature on the back of a card that is stolen to loaning a credit card to a friend or family member can cause someone to obtain what they need to open other credit card accounts or bank accounts in the victim’s name.

Steps you can take to protect this information include writing CID on the back of your signature panel instead of your signature on the back of your card. CID stands for “SEE ID” and requires merchants to request to see other forms of identification to verify the user of the card. Another step you can take is to keep your card in plain sight when making payments. For instance, there are places such as restaurants where the waiter brings the credit or debit card away from you to make the payment. However, there have been instances when identity criminals have been known to take the victims card away to swipe it through the card reader, not only to make the legitimate payment but also to make a copy of the information on your card. Some restaurants are now using table card devices allowing you to pay without giving your ticket to a waiter/waitress.

Always question if the merchant is using multiple swipes to approve a charge. This may indicate the card reader is electronically copying the information of the magnetic strip for use later.
For online transactions do not use a credit card on an unverified site. Make sure that a lock appears in the right-hand corner of the web status bar. If none is there, do not purchase anything on the website. It is not recommended to give out your credit card (or any personal information) over your cell phone since eavesdropping is a concern. Consider the use of a pre-paid credit card for purchases. The only liability will be the amount on the card, not your identity.

Other alternatives are to request your card be renumbered periodically, at least annually, as this will limit any future potential for fraud. For example, criminals may use your identity at a future date of their choosing long after a breach has occurred.

Pretexting
Pretexting occurs when a thief has done prior research (surveillance) on your personal information and uses this information to bait you to release more sensitive information, such as a credit card number or Social Security Number. The schemer will call you on the telephone, and lead you to believe they are a business that requires this information. Most people tend to find them since they have their name, address, and telephone number.

To prevent this, TRUST NO ONE and verify who you are speaking to. Ask for a call back number and question the need for this information. Look for the telephone number of the company the individual says he/she works for. Always call the company and ask for the legitimacy of the request.

Skimming
This can happen anytime you use your credit or debit card. The theft occurs when the device which reads your credit card information from the magnetic strip on the back of the card records the data (the card’s code numbers) to another electronic storage device. This enables the criminal to make a copy of your card to make unauthorized purchases. Skimming can occur through some different ways, whether it is a recording device set up on an ATM machine or a salesman who secretly swipes your card onto his personal digital card reader.

To prevent skimming, make it a habit to periodically check your credit reports. This helps you discover if anyone made unauthorized purchases or has stolen your identity to access your bank accounts or open other lines of credit in your name. Try to minimize credit transactions and use cash. Consider using a pre-paid credit card, so your liability and loss of identification are eliminated.

Man-in-the-Middle Attack
This type of theft involves criminally intercepting communication between two parties and recording the information without the two parties ever knowing about it. The criminal then uses this information to access accounts and possibly steal the user’s identity.

A typical scenario consists of making an online search for the URL address of a company, such as a financial institution. Once found, you click on the link to access the website, for example, http://www.mybank.com. However, when the site appeared on your screen, you did not notice that the URL web address changed to http://www.somethingelse.com.

This is a website that is actually re-directing you to another site that mirrors your financial institution’s website. All the information you enter on this website is rerouted to your financial institution, and the information your financial institution sends you is re-routed to you. The schemer is recording all the transactions that are taking place between you and the institution. The objective is to obtain your personally identifiable information, your login and password numbers, or your credit and/or debit card number.

You should protect yourself by ALWAYS reading the URL being displayed ensuring its authenticity. Moreover, use browser plug-ins such as NoScript that prevents malicious redirects. Also, some banks and online merchants employ multifactor authentication allowing the bank to send you a numeric access code to your cell phone. Always make a habit of periodically checking your credit reports, which will help you discover whether anyone has stolen your identity to access your bank accounts.
Become more diligent when you select to access a website of a web search. Make sure that the website address is legitimate by verifying the URL address in the web address bar located at the top of the page and if something looks suspicious close the browser.

Phishing Schemes
These are the most common types of computer identity theft schemes where the thief tricks you into giving your personal identifying information. These types of attacks occur through some different mediums including cell phone messages, social networks, emails, text messages, and standard mail. The following explains several common schemes that are used.

Pharming                                                                         
Protect yourself from this type of theft by checking for the padlock symbol in the right-hand bottom of the website scrollbar if it is a merchant website. If it is an organization or an affiliation, contact the website administrator or the organization via phone or email to verify that such information is actually needed before entering in any report.

If you entered your credentials without questioning the request and later hear that there’s a phishing scheme going on, request that your account is terminated.

Vishing                                                                                                                  
The goal is to get you to disclose your personal identifying information. Another tactic used is to make robocalls (pre-recorded messages) urging you to contact a particular phone number, stating that you either won a prize or an emergency has occurred that requires you to disclose your personally identifiable information or credit card/debit card numbers.

Consider using Google’s Voice feature as a telephone firewall allowing you to selectively forward legitimate calls to your cell, home or office phone while blocking the rest. In as much as how Network Address Translation (NAT) works on most routers and firewalls this method allows you to do the same by masking your real phone numbers behind the one, you provide to the public.

If you have received these calls and would like them to stop, most State Attorney Office’s recommend that you first send a letter (cease and desist) to the company telling them to stop calling you and to remove you from their list. The message that you submit to the company calling you must be certified so that you can send it as proof to your State Attorney’s Office. If you still get calls after the letter was sent, you can file a complaint with your State Attorney’s Office.

Search Engine Phishing
This type of phishing occurs when thieves create websites that contain “too good to be true” offers, services, and other incentives. The site is legitimately indexed into search engines so that during the ordinary course of searching for products or services individuals can find these offers. Once the individual accesses the website, the user is given incentives and persuaded in such a way that the individual becomes susceptible to give up his or her personal identifying information to take advantage of the offer being given.

An example of this would be when you are purchasing an ordinarily high priced item over the internet, such as a video game system, and you find a website that has a much lower price. You may be tempted to purchase this item at a lower price, but you do not realize that you are accessing a fake website. The schemer is just trying to obtain personal and credit card/debit card information from individuals.

Yet another example is a job website that may offer a higher salary than the same job by other companies in that industry. The schemer’s site may require you to put in your Social Security number in addition to additional personally identifiable information.

To protect yourself, before submitting any information or downloading any attachments, research the company carefully. If you have never heard of the company or the offer, contact competitors and question the legitimacy of what is being offered.

Malware-Based Phishing
This scheme occurs when the thief attaches a harmful computer program made to look helpful onto emails, websites, and other electronic documents on the Internet. This type of computer program is called malware. The malware uses keyloggers and screen loggers to record your keyboard strokes and sites that you visit on the Internet. The malware sends the information to the schemer who is located at another location using the Internet.

An example of this type of phishing is an email disguised as coming from a trusted and legitimate application. The message prompts you to install an updated version to increase your computer security. By clicking on the link and download the supposed updated application you have just downloaded malware. More sophisticated methods are drive-by downloads caused by going to unsuspecting websites where the malware is automatically downloaded unknowingly.

To protect yourself from this type of scheme, use caution before visiting suspicious sites, downloading or installing any program on the web. Contact the organization that supposedly sent the email message and advise them you have received an email requesting to download a specific file, and that you would like to know if there was any legitimacy to it. Some organizations are aware of this type of scam and post warnings on their websites.

Never reply to the email message as the attacker could trick you into believing that the email is authentic. Moreover, by responding some of your information is given to the attacker and you will be well served by classifying the email as spam.

SMiShing
In this scheme, the identity thief sends spam text messages posing as a financial institution or other legitimate entity. The text message has a sense of urgency and can scare you into thinking there is a severe emergency by leading you to believe you will suffer financial losses or fees if there is no response. This may lead you to disclose personal identifying information by clicking on the link that appears in the text message.

NEVER dial back the unknown number, you would only be providing the spammer some of the information they need from you. Look through the phone book or the internet for a number to contact the organization that is supposedly contacting you. Verify that your information is actually needed because you have been solicited for information through text messaging. If you find that the request is not legitimate, contact your cell phone provider and alert them of the scheme. Many smartphones incorporate call/text blocking features from unknown numbers.

Phishing through Spam
In this scheme, the thief or spammer sends repeated spam emails to you. These email messages offer you opportunities for scholarships, business partnerships, or free products. In some instances, the scammer pretends to be a financial institution or organization you might belong to. The spam is sent to prompt you to provide your personal identifying information.

Research the company and the opportunity or offer advertised. This can be done through a search on the internet or by contacting the company directly and be extremely cautious of bogus offers. You can Google the suggestion given to see if others have received the same offer and most often people post messages declaring the promotion as a scam or verifying it as being legitimate.

Spear Phishing
This scheme is very similar to the email phishing scam, except it attacks businesses. Spear phishers send emails to almost every employee of an organization and can be written to look like it has been submitted by a division within the organization such as the IT or the human resources department. For instance, the email might state that every employee must send their username and password for verification purposes. This potentially not only gives the attacker access to your personally identifiable information but also the company’s private information.

You should protect yourself by contacting the information security department, network administrator or the individual that supposedly sent the email to verify that such information is needed. Do not reply back the email and notify the head of the division or individual that apparently sent you the email that you and other colleagues have been solicited for information.

The complexity and escalating costs caused by the alarming and never-ending breaches will continually occur. Discussed are the most common schemes used to orchestrate identity theft and methods of protection one can employ.

Identity theft is a serious matter that affects the lives of all of us globally. The costs are staggering not only are they difficult to ascertain that varies from victim to victim, but the sophistication of these criminals be it organized crime syndicates, state-sponsored or lone wolves can impact us at a future date of their choosing, a time bomb ready to detonate. When identity theft occurs part of you is stolen, and the information is used against you at any time having profound and prolonged consequences. It affects all individuals, businesses and governments alike for financial gain and political motives.