hen it comes to protecting their identities,
consumers are being threatened and pressured from all sides. It's not
just scam artists who are doing everything they can to separate you from
your birth date and social security number, it's often the online Web
sites you choose to use, and - most troubling - those in authority as
Let's look at that last item in detail. In their interest to protect
themselves or provide some level of public transparency, many
authorities with whom we're forced to entrust our information don't
trust us back, and in doing so, they're putting our financial and
physical security at risk.
Take, for example, a first visit to a doctor's office. Nearly all
doctors will insist on a copy of your medical insurance card. Then
you're asked to fill out a medical -history form. Finally, almost every
doctor's office in the United States insists on taking a photocopy of
your driver's license. Whether you're sick or not, if you refuse to
provide all the information requested, you're usually turned down for
So your choice is putting your identity at risk or seeing doctor.
How is that information protected? In most cases, it is put into your
"file," which is just that, a paper file. Hundreds of those files litter
most doctors' offices or live in unlocked file cabinets, just waiting
to be stolen or copied. Do doctors' offices perform background checks on
every single employee and temp worker they hire? Of course not.
What about schools? The University of Central Florida automates all
stages of the application process. If you want to go to school there (or
many others in Canada and the United States), you need to get online
and upload everything from -application essays to references. UCF is
extremely careful about online security, so every three months, without
fail, you're required to change your online password. If you don't
change your online password, the school simply deletes it.
To get back in is a simple process, though. Your identifying number for
the school is your social security number. And your password is your
birthdate. These are items, along with a scan of your driver's license,
that you're required to provide to the school as part of establishing
your account and filling out your application. If you choose to protect
your identity and not provide a scan of your driver's license or give
them your SSN or birthdate, you don't get to go there.
So your choice is putting your identity at risk or going to college.
Once a company "goes public," meaning it can trade stock with the
general -public, there's some expectation of public disclosure. But in
most American states (and some provinces), if you incorporate even a
small private company, your incorporation documents are stored online
for all to see.
These documents include not only the home addresses of all the board
members (a serious personal security risk), but scans of the actual
signatures of the key individuals. As you might imagine, if you don't
sign your state forms, your application to start a company is going to
be denied. And if you don't sign your yearly state reports, you're
liable for fines and other punishment.
So your choice is putting your identity at risk or having your own company.
Sadly, when confronted with the risk to identity theft they're
subjecting you to, most state/provincial officials, school bureaucrats,
and medical office clerical staff neither seem to understand the
problem, nor care. Their interest is in getting what they need from you,
and your need for self-protection is often way down on the list.
INFORMATION IS THE KEY
In today's mostly virtual world, it's not a physical lock or key that
safeguards your life savings, your financial data, your most closely
guarded secrets, and your potential for increased indebtedness - it's
your "account." It could be your email account, your online banking
account, your credit card account, your frequent flyer account, your
online stock trading account, your insurance account, or even your World
of Warcraft account.
Virtually all your wealth, your savings, your thoughts, your plans, and
your history is "locked up" in one online account or another. With the
right "keys," all of that information is ripe for the taking.
Many levels of Hacking
In July, 2009, a Frenchman in his early 20s who goes by the handle
"Hacker Croll" conducted a penetration attack of the Twitter company. He
started by searching online for lists of Twitter employees and what
public information he could find: information about their birth dates,
their email addresses, names of pets, family members, etc. Once he
compiled a large enough list, he was able to begin his attack.
It began by using the "I can't remember my password" feature of Google's
Gmail. If you can't remember your password, most online services will
offer to give you access to your account if you can provide some other
"secret" information - like your mother's maiden name, your date of
birth, your pet's name, and so forth. Hacker Croll had compiled such a
list, and was able to guess his way into the email account of a Twitter
There, he found information that helped him guess and derive other
passwords, and gain further access. Within a short time, he had access
to a treasure trove of confidential information about the -Twitter
company and its employees - from corporate strategies and deals in
progress to credit card numbers of employees and founders. Hacker Croll
then packaged all this information up, and sent it to an online news
site, which (although they should have known better) chose to publish
some of the more juicier bits of news.
In September, 2008, shortly after having been nominated as the Vice
Presidential candidate for the U.S. Republican Party, Sarah Palin found
the contents of her Yahoo email account published widely on the
Internet. Using her birthday published on Wikipedia, a young hacker
named "Rubico" published information on her Yahoo account to a site
called Wikileaks. The FBI investigated and linked Rubico to one David
Kernell, who was later indicted.
EMAIL ACCOUNTS ARE GATEWAY ACCOUNTS
Both of these incidents were made possible because email accounts are
often the "gateway accounts" to much more confidential information. Many
of our more financially secure accounts use email as the ultimate way
to reset passwords and gain access in case login information is
forgotten. So if a hacker can get into your email account, he has a much
better chance of getting into your financial data.
More than 10,000 stolen Hotmail logins and their associated passwords
were recently posted on the sharing site Pastebin. Two days later, the
BBC reported that the same site contained more than 20,000 stolen
account names and passwords for Gmail, Yahoo, AOL, EarthLink and
Comcast. Although the exact method of -acquisition for these lists is
still unclear, authorities have indicated that it was likely through a
combination of phishing schemes and trojans (programs hosted on
unsuspecting computers, sending information back to a master database).
So why were the passwords posted online? They were mostly accounts
beginning with "A" and "B" and were probably a deranged form of
advertisement. The posting effectively said, "Look, we have the A's and
B's. Don't you want the rest?"
This was followed by a surge in spam related to a fake Chinese
electronics shopping site, where the overall goal of the scheme was to
separate consumers from their credit card numbers. And that's really the
most common goal of all identity theft: to separate you from your
money. Oh, sure, sometimes there's a "Hacker Croll" out there who wants
to show off what he can find, or a David Kernell who has a twisted
political motivation, but the primary reason your identity is stolen is
money, pure and simple.
Lately, there has been a surge in medical ID theft, particularly in the
United States. Medical ID theft occurs when your personal information is
stolen and used to gain access to medical care and drugs. In addition
to the potential for financial ruin, use of your identity for medical
procedures and drugs can "jeopardize your own future treatment,"
according to notices from the American Association of Retired Persons.
WHAT CAN WE DO?
In solving the identity theft problem, we have created something of a
Gordian Knot of inter-entangled interests. Many of our authorities
(schools, governments, doctors, hospitals) insist that we provide more
and more proof that we are who we claim we are. Online services and even
financial institutions want to make our lives easier, making it
possible for us to recover account information when we inevitably lose
our passwords - and crooks want to take advantage of it all.
According to the nonprofit Indentity Theft Resource Center, consumers
now spend an average of 600 hours (about $16,000 in equivalent work
time) to recover from a single instance of identity theft. As far back
as 2003, the U.S. Federal Trade Commission said that more than 10
million customers were victims of identity theft every year (and you
know that's increased a lot over the past years).
So what do we do about it? Consumers need to become more diligent.
Instead of using obvious passwords, you should start to use random
combinations of letters, numbers, and symbols. I know it's a lot harder
to keep track of those passwords, but there are a many free password
tracking programs that can help. Change your passwords regularly. You
should also get regular credit reports and check all your accounts at
least monthly to make sure there's no unexpected activity.
Banks and online services are constantly working on improving security.
Many banks now require users to choose a picture password, as well as an
alphanumeric one. If you can't pick the correct picture, you're not
allowed into your account.
But the real improvement needs to be with those in authority who seem to
think their own security is more important than that of consumers.
Governments, agencies, schools, doctors, and hospitals need to be
trained on identity theft risks and they need to understand that they
are potentially hugely liable if their records, often containing
thousands of pieces of confidential information, fall into the wrong
It's not enough just to improve the security of record keeping. More,
they need to stop putting citizens at risk, stop posting confidential
and identity information to the Internet, and stop collecting copies of
thousands of drivers' licenses and other ID that could then fall into
the wrong hands.
Bottom line: identity theft is a huge mess. We need to be on the same
side, and we need to do everything we can to make sure consumers'
identity information is -protected.
David Gewirtz is the Cyberterrorism Advisor for the International
Association for Counterterrorism and Security Professionals, a member of
the FBI's InfraGard program, and a member of the U.S. Naval Institute.
He can be reached at david@ZATZ.com.
© FrontLine Security 2009