Identity Theft - PowerPoint PPT Presentation

Slides: 14
Provided by: david3052

Transcript and Presenter's Notes

Title: Identity Theft


1
Identity Theft
  • An Investigation of the Impact of Identity
    Theft on eCommerce

2
Scale of Problem
  • Sixty two per cent of online users believe online
    fraud could not happen to them.
  • One in ten would not have a problem releasing
    their credit card details to an unidentified
    third party.
  • This type of theft is one of the fastest growing
    crimes in the UK. The latest estimate is that
    identity fraud costs the UK economy £1.7 billion
    (Home Office 2006).
  • Huge increase in the reports of identity theft
    during the past year. Credit reference agency
    reported a 69% increase in the number of victims.

Although stealing a person's identity has been
with us throughout history, using computers for
this purpose is relatively new.
3
Evolution of eCommerce and related consumer fraud
25 Years ago
  • There were very few early ATM machines.
  • No debit cards
  • No online banking
  • Most shopping done in person
  • Most consumer transactions used cash, cheques or
    card slips requiring signatures, in person.

Present Day
  • ATMs on every street corner.
  • 76% of bank account holders use online banking.
  • Online shopping is an everyday event
  • Many of these transactions are faceless, require
    no verifiable signatures, and are instantly
    completed.

4
How do criminals steal online?
  • Phishing - Internet fraud in which a criminal
    attempts to trick their victim into believing
    they are communicating with a trusted source.

5
Spyware, Malware, Trojans and Key Loggers
Spyware, malware, trojans and key loggers are all
types of malicious software, installed
surreptitiously onto a victim's home computer.
Malware - Spyware, Trojans and Key Loggers:
  • Do more damage than spawning annoying pop-ups.
  • Regularly used to harvest information to commit
    identity theft.
  • Allow the fraudster to monitor everything that
    the victim does online.
  • Seemingly normal software applications can have
    malicious software hidden within them.
  • Often designed to disable anti-virus or firewall
    programs without the user knowing.
6
Botnets
Network of computers attached to the internet
that have been compromised by a hacker without
the awareness of their owners and are controlled
by a single user or server.
Usually the compromised machines are home
computers running Windows operating systems. The
controller only needs to give instructions to a
small number of machines, which then broadcast
them to the other compromised machines. This
makes detection very difficult.
7
Man-in-the-middle
An attack where a fraudster gets between the
sender and receiver of information and sniffs any
information being sent.
Neither of the affected parties will be aware
that the link is being tampered with. This is
achieved by modifying the ARP cache table stored
in the memory of the victim's machine. The attack
is often combined with phishing techniques.
8
Wireless Vulnerability
Effectively securing wireless networks can be
very difficult as many of the standard solutions
are less than effective at guaranteeing privacy
and authentication. As a consequence many
identity fraudsters are attracted to this
environment.
This type of attack does provide some degree of
anonymity. Many networks are left open with no
security at all. Wired Equivalent Privacy (WEP)
vulnerabilities can be exploited. Wi-Fi Protected
Access (WPA) is much better but still not
foolproof.
9
Human Factors Social Engineering
To gain unauthorised access to information in
order to commit fraud, network intrusion,
industrial espionage, identity theft, or simply
to disrupt the system or network. Individuals are
manipulated into divulging confidential
information. In most cases the fraudster never
comes into direct contact with the victim.
10
Large Scale Fraud
  • 62% of UK companies had a security incident in
    2007.
  • A quarter of UK businesses are not protected
    against spyware.
  • UK companies are poorly placed to deal with
    identity theft, with only 1% having a
    comprehensive approach for identity management.
    84% say there is no business requirement to
    improve this.
  • Three-fifths of companies allow remote access
    and do not encrypt their transmissions;
    businesses that allow remote access are more
    likely to have their networks penetrated.
  • 30% of transactional websites do not encrypt the
    transactions that pass over the Internet.
  • One in five wireless networks is completely
    unprotected, while a further one in five is not
    encrypted.
  • Two-fifths of companies that allow staff to
    connect via public wireless hotspots do not
    encrypt the transmissions.

11
Data Breaches
  • HM Revenue and Customs (HMRC) discs contained the
    entire child benefit database containing 25
    million records.
  • HMRC also have lost 6,500 records belonging to a
    pension firm.
  • Skipton Financial Services has confessed to
    losing a laptop containing records of 14,000
    customers.
  • The Financial Services Authority (FSA) has fined
    Norwich Union £1.26m for failing to safeguard
    customers against fraud.
  • Britain's Driving Standards Agency has admitted
    losing details relevant to more than 3 million
    candidates for driver's-license testing.

Mislaid data disks, lost and stolen laptops,
insecure systems and poor security procedures
ensure that the problem of the exposure of
customer data will be with us for the long term.
12
People - The Weak Link
13
What can be done to combat this problem?
  • Standards
  • Monitoring and Testing
  • Company Security Policy
  • Training
  • Legislation

Until recently, companies that leaked data got
off lightly, as the costs incurred by the
resulting credit card fraud were often borne by
banks and other merchants. Merchants and banks
can now seek compensation from a business that
has leaked data. The penalty for gross failures
in the protection of personal data could now be
increased to 2 years in prison.