Identity is a crucial element of information security. Access controls are based on correctly identifying the users or devices that are allowed to view or use resources — and keeping everyone else out. For example, we are asked to “prove” our identities every time we board a plane, check into a hotel, make a purchase via check or credit card, or log onto a computer or secure web site.
Identity theft is when someone pretends to be another person by assuming that person’s identity, usually with the goal of gaining access to their credit and other valuable information. The victim of identity theft can suffer adverse consequences if they are held responsible for the perpetrator’s actions.
Determining the link between data breaches and identity theft is challenging, primarily because identity theft victims often do not know how their personal information was obtained,” and identity theft is not always detectable by the individual victims, according to a report done for the FTC. Identity fraud is often but not necessarily the consequence of identity theft. Someone can steal or misappropriate personal information without then committing identity theft using the information about every person, such as when a major data breach occurs. A US Government Accountability Office study determined that “most breaches have not resulted in detected incidents of identity theft”. The report also warned that “the full extent is unknown”. A later unpublished study by Carnegie Mellon University noted that “Most often, the causes of identity theft is not known,” but reported that someone else concluded that “the probability of becoming a victim to identity theft as a result of a data breach is … around only 2%”.
Techniques for obtaining and exploiting personal information for identity theft Identity thieves typically obtain and exploit personally identifiable information about individuals, or various credentials they use to authenticate themselves, in order to impersonate them. Examples include:
- Rummaging through rubbish for personal information (dumpster diving)
- Retrieving personal data from redundant IT equipment and storage media including PCs, servers, PDAs, mobile phones, USB memory sticks and hard drives that have been disposed of carelessly at public dump sites, given away or sold on without having been properly sanitized
- Using public records about individual citizens, published in official registers such as electoral rolls
- Stealing bank or credit cards, identification cards, passports, authentication tokens … typically by pickpocketing, housebreaking or mail theft
- Common-knowledge questioning schemes that offer account verification and compromise: “What’s your mother’s maiden name?”, “what was your first car model?”, or “What was your first pet’s name?”, etc.
- Skimming information from bank or credit cards using compromised or hand-held card readers, and creating clone cards
- Using ‘contactless’ credit card readers to acquire data wirelessly from RFID-enabled passports
- Observing users typing their login credentials, credit/calling card numbers etc. into IT equipment located in public places (shoulder surfing)
- Stealing personal information from computers using breaches in browser security or malware such as Trojan horse keystroke logging programs or other forms of spyware
- Hacking computer networks, systems and databases to obtain personal data, often in large quantities
- Exploiting breaches that result in the publication or more limited disclosure of personal information such as names, addresses, Social Security number or credit card numbers
- Advertising bogus job offers in order to accumulate resumes and applications typically disclosing applicants’ names, home and email addresses, telephone numbers and sometimes their banking details
- Exploiting insider access and abusing the rights of privileged IT users to access personal data on their employers’ systems
- Infiltrating organizations that store and process large amounts or particularly valuable personal information
- Impersonating trusted organizations in emails, SMS text messages, phone calls or other forms of communication in order to dupe victims into disclosing their personal information or login credentials, typically on a fake corporate website or data collection form (phishing)
- Brute-force attacking weak passwords and using inspired guesswork to compromise weak password reset questions
- Obtaining castings of fingers for falsifying fingerprint identification.
- Browsing social networking websites for personal details published by users, often using this information to appear more credible in subsequent social engineering activities
- Diverting victims’ email or post in order to obtain personal information and credentials such as credit cards, billing and bank/credit card statements, or to delay the discovery of new accounts and credit agreements opened by the identity thieves in the victims’ names
- Using false pretenses to trick individuals, customer service representatives and help desk workers into disclosing personal information and login details or changing user passwords/access rights (pretexting)
- Stealing checks to acquire banking information, including account numbers and bank routing numbers.
- Guessing Social Security numbers by using information found on Internet social networks
- Low security/privacy protection on photos that are easily clickable and downloaded on social networking sites.
- Befriending strangers on social networks and taking advantage of their trust until private information are given.