USBswipeselection

JournalofLawandConflictResolutionVol.
4(1),pp.
1-12,January2012Availableonlineathttp://www.
academicjournals.
org/JLCRDOI:10.
5897/JLCR11.
044ISSN2006-98042012AcademicJournalsReviewAnanalysisofidentitytheft:Motives,relatedfrauds,techniquesandpreventionAliHedayatiFacultyofManagement,VancouverIslandUniversity,NanaimoCampus900FifthStreet,Nanaimo,BC,CanadaV9R5S5.
E-mail:alihedayati@hotmail.
com.
Tel:+1(604)8003035.
Accepted14December,2011ThispaperisaconceptualreviewofthemajorcrimesleadingtoIDfraudandlossesofmillionsofdollarsforbusinessandpeopleintheworldeveryyear.
Thepaperprovidesareviewoftheuniqueeffectivetechniquesforsustainabledevelopmentofpreventionmethodsthathavebeenofferedtopeopleandbusiness.
Inaddition,thepaperreviewsliteratureandsummarizesthemosteffectivewaysforpeopleandbusinesstoprotectthemagainstIDtheftbecausevictimsmayfacealengthyprocessofcleaningupthedamage,suchastheirreputation,creditrating,andjobs.
Identity(ID)theftisunauthorizedobtainingofothersconfidentialinformationinordertomisuseit.
IDtheftisoneofthemajorproblemsthatimposebillionsofdollarsannuallyonpeopleandbusinessesacrosstheglobe.
In2008only,9.
9millionsofAmericanswerevictimizedwhichshow22%increasecomparedto2007.
Analyzingfourmajorfactors-political,economic,social,andtechnological-revealsthatsocialandtechnologicalfactorsarethesignificantoriginsofIDtheft.
Socialengineeringisatechniqueforthievesbywhichsocialengineerstakeadvantageofpeople'sbehaviorsinsocialnetworkssuchasFacebooktostealindividuals'keyinformation.
ThisreportexaminesdifferenttypesoffraudsthatarethemajoroutcomesofIDtheft.
ThefraudsastheresultsofIDtheftcompriseIDfraud,financialfraud,taxfraud,medicalfraud,resumefraud,mortgagefraud,andorganizedcrimessuchasmoneylaundering,terrorism,andillegalimmigration.
Moreover,thevarioustechniquesthatthievesusetoattackindividualsandorganizationsarediscussed.
Thedifferenttechniquesaredividedtotwomajorones,physicalandtechnological.
Physicaltechniquesincludeseveraltraditionalwayssuchasmailtheftandinsidertheft.
Itiscrucialfororganizations'managerstoknowthatdespitenewtechnology-basedtechniques,morethan70%ofIDtheftoccursbyinsiders.
Inaddition,itwillbeshownhowthievesapplybothtechnology-basedtechniquessuchasphishingandsocialengineeringtostealpersonalinformation.
Finallyseveraleffectivepreventiontechniqueswillbeprovidedforindividualsandorganizationtoprotectkeydataandinformationagainstidentitytheft.
Usually,thievesattempttobypasssecuritysystemsthroughhumanelements.
Therefore,therecommendationsignificantlyemphasizesdevelopingindividuals'awarenessthroughpublicandorganizationaltraining.
Keywords:Identity,theft,fraud,prevention,personalinformation.
INTRODUCTIONOrganizationsandpeopleshouldbecautiousinprotectingtheiridentitytopreventfraudasaresultofIDtheft.
HowsurearetheythattheywillnotbeoneofamillionvictimsofIDfraudstersin2010TheFederalTradeCommissionreportedthat9.
9million(22%morethan2007)Americanssufferedfromidentitytheftin2008,andstatedthat"IDtheftcostsconsumersabout$50billionannually"(Finklea,2010:1).
Inspiteoftheattemptstoenforcethelaw,thenumberofnewidentity(ID)theftvictimsisincreasingeverydayacrosstheglobe.
IDtheft"canrefertothepreliminarystepsofcollecting,possessing,andtraffickinginidentityinformationforthepurposeofeventualuseinexistingcrimessuchaspersonation,fraud,ormisuseofdebit2J.
LawConflict.
Resolut.
cardorcreditcarddata"(justice.
ca,2010).
AccordingtoCIPPIC1,identitythievestendtostealtwelvetypesofprivatepersonalinformationstatedasfollows(CIPPIC,2007:1):1.
Creditcardnumbers2.
CW2numbers(thebackofcreditcards)3.
Creditreports4.
SocialSecurity(SIN)numbers5.
Driverslicensenumbers6.
ATMnumbers7.
Telephonecallingcards8.
Mortgagedetails9.
Dateofbirth10.
PasswordsandPINs11.
Homeaddresses12.
PhonenumbersMoreover,Appendix1providesseveralexamplesofpersonalprivateinformationthatidentitythievesattempttosteal.
Basedonitsdefinition,IDtheftusuallyisassociatedwithfraudandcauseslossesforvictims,includingindividualsandcorporations.
AccordingtotheCanadianCouncilofBetterBusinessBureaus,Canadianconsumers,creditors,banks,businesses,andstoreslosemorethan$2billioneveryyearbecauseofIDtheft(justice.
ca,2010).
Inaddition,theUK'sFraudPreventionService(CIFAS)reportsthattherateofIDtheftintheUKisgrowing,anditcausesalossof1.
7billionintheBritisheconomyeveryyear(CIFAS,2010).
Ascanbeseen,IDtheftisoneofthemajorcrimesleadingtoIDfraudandlossesofmillionsofdollarsintheworldeveryyear.
ItisimportanttounderstandeffectivewaystoprotectpeopleandcorporationsagainstIDtheftbecausevictimsmayfacealengthyprocessofcleaningupthedamage,suchastheirreputation,creditrating,andjobs.
Therefore,analyzingthemainpossiblefactorssuchaspolitical,economic,social,andtechnologicalandhowtheymayincreaseordecreaseIDtheftisnecessary.
Inaddition,sincepeopleandcorporationsneedtoknowhowtopreventfraudasaresultofIDtheft,IDthefttechniques,IDfraud,andmethodsofIDfraudpreventionwillbeexamined.
POLITICAL,ECONOMIC,SOCIALANDTECHNOLOGICAL(PEST)ANALYSISInordertakeeffectiveactionstopreventanddecreaseIDtheftinasociety,itisnecessarytoscanandanalyzetheexternalormicro-environmentalfactors.
PESTanalysisisoneofthemainframeworksthathelptoevaluatehowpolitical,economic,social,andtechnologicalfactorsaffectIDtheft.
1CIPPIC:TheCanadianInternetPolicyandPublicInterestClinic(CIPPIC)isalegalclinicofthatwasestablishedattheUniversityofOttawa,FacultyofLawinthefallof2003.
PoliticalandeconomicfactorsandIDtheftLackofpoliticalandeconomicstabilityindevelopingnationssignificantlyincreasesIDtheft,especiallyindevelopedcountries.
Everyyearmillionsofpeoplefromdevelopingcountriesinwhichpeoplesufferfrompovertyorpoliticalissuesimmigratetothedevelopedcountries(UNHCR,2007).
Statisticsshowthatmorethan10millionillegalMexicans,SouthandLatinAmericans,andAsianimmigrantsliveintheUSA(Passel,2006:2-3).
TheAmericansocietyisburdenedbythecostofillegalimmigrationinformofIDtheftbecauseIllegalimmigrantsstealidentitiessuchassocialinsurancenumberordriverslicenceinordertowork(Sullivan,2006).
Forexample,onMarch2007,theU.
S.
DistrictCourtonimmigrationsentenced20unauthorizedMexicanimmigrantswhocommittedIDtheft,document-fraud,andmisusingSocialSecuritynumbers(ICE,2008).
Asitcanbeseen,unfavourablepoliticalandeconomicsituationsencouragepeopletoimmigrateillegally,whichleadtoIDtheftandIDfraud.
SocialfactorsandIDtheftSocialenvironmentandfactors,suchashabitsandcommunicationbysocialnetworkshavemajoreffectsonIDtheft.
Thelevelofpeoplesknowledgeabouttheuseofsocialnetworksandtheirroleinprotectingprivacyisimportantinasociety,especiallyinthe.
comarena.
Companies,institutions,andpeopletrytoprotecttheirprivacy,confidentialdata,andpersonalinformationbyapplyingthevarioussecuritymechanisms.
However,socialengineering"isaliveandwell,andprobablyremainsthemosteffectivehackingtechnique"toobtainprivacyandconfidentialinformation.
AccordingtoApplegate,socialengineeringisa"methodologythatallowsanattackertobypasstechnicalcontrolsbyattackingthehumanelementinanorganization"(Applegate,2009:1,40).
Sincecommunicationthroughsocialnetworks,suchasFacebook,Twitter,andSkypeisgrowing,socialengineersremainapotentthreattopeoplesculturalattitudesandbehavioursinsocialnetworking.
Asurveybythepointforcreditunionresearch(2008)andadviceintheU.
S.
A,Canada,theUnitedKingdom,France,Germany,andSpainin2008,illustratesthat:(i)25%ofGermansand60%ofAmericanshavesharedtheiraccountpasswordswithafriendorfamilymember.
Asresultofthisculturalattitude,3%ofGermanshaveexperiencedIDtheft.
(ii)50%ofAmericansusefamilymembernames,importantdates,nicknames,orpetsnameasonlineaccountspasswords.
(iii)Inallsixcountries,about40%ofconsumersdisplaytheirpersonalinformationintheirsocialnetworkprofileandsomeofthemuseexactlythesameinformationastheirpasswords.
(iv)Morethan25%ofconsumersinFranceusetheirdisplayeddateofbirthinsocialnetworkastheironlinepasswords.
Consequently,attackerscanfreelyobtainthisinformationinusersprofiles.
Attackersapplythisinformationtoreceivecomplementaryinformationwithoutraisinganysuspicionforafinalattack,IDtheftandfraud.
Forexample,asocialengineerobtainsafinancialmanagersinformationinasocialnetworksothattheattackerknowsthatmanagersfirstandlastname,career,andbirthofdate.
Thefollowingconversationcanbeawaytostealhis/herIDoverthephone:Mr.
Hyman:HelloCaller:Hi,Mr.
Hyman,thisisBobinITtechsupport.
Duetosomediskspacelimitation,wearegoingtomovesomeusersdirectoriestoanotherdiskat5:00pmtoday.
Youraccountwillbeapartofthat,andwillnotbeavailabletemporarily.
Mr.
Hyman:Uh,thankyouverymuchthatwouldbegoodbecausesometimesmycomputerisslow.
Noworries,Iwillnotbeherebythen.
Caller:Awesome.
Pleasemakesuretologoffbeforeleaving.
Ijustneedtocheckacoupleofthings.
YourusernamestillisHyman,rightMr.
Hyman:Yes.
ItisHyman.
Noneofmyfileswillbelost,willtheyCaller:Nosir.
ButIwillcheckyouraccountnowensureeverythingwillbeOK.
Whatwasthepasswordonthataccount,soIcancheckyourfilesMr.
Hyman:Sure,MypasswordisSaturday20,withthefirstlettercapitalized.
Caller:Great,Mr.
Hyman,Iappreciateyourhelp.
Iwillmakesuretocheckyouaccountandverifyallthefilesarethere.
Mr.
Hyman:Thankyouverymuch.
Bye.
Inthisexample,themanagertrustedthecalleronlybecauseofsomeprimarybutimportantinformationabouthiminhisprofileinasocialnetwork.
Inthisconversationthesocialengineertakesadvantageofthemanagerstrustbecauseheposedasaninsiderandhistendencytobehelpful.
Inaddition,fearofhavingmoretechnicalproblemsencouragedhimtocooperateandtogivealltheinformation.
Asresult,thecallercouldgetallothercrucialinformationoverthephone,whichmaycausenumeroushugefinancialfraudsthroughhisID.
Asitcanbeseen,asocialengineercouldbypassastrongsecuritymechanismthroughamanagerastheweakestpartofthesecuritychain.
Asresult,socialfactorssuchasthewidespreaduseofsocialnetworksthatareunsecuredsources,habits,andcustomsmakepeopleprivacyvulnerabletoIDtheft.
TechnologicalfactorsandIDtheftTechnologicalfactorsthreatenpeopleandinstitutionsHedayati3privacyandincreaseIDtheftaslongastheyusenewtechnologywithoutusingapropersecuritysystem,andfollowtheirdangerousbehavioursatworkorsocialnetworks.
Theadventofnewtechnology,suchasPDAs,cellphones,USB,Wireless,andlaptopsintheWorldWideWebarenahaschangedpeoplesbehaviourtomanagetheirprivateinformation,suchascreditcardsandsocialinsurancenumbers.
Nomatterwherepeopleareonlineandwork,theyarenot100%safewhentheyusetheirprivateinformationsuchasbankingaccountinformation.
Today,fraudstersconsidertheInternetasanewfrontier,easyaccessible,andagoldmineofprivateinformationtostealpeoplesID(Motsay,2010).
AccordingtoMostay(2010),peopleandinstitutionslosearound$40billionannuallyinonlineactivitythroughIDtheftandcommunicationfraud.
Inaddition,almost80%offinancialinstitutionsapplywirelesstechnologysuchassmartphone(Blackberrydevices)intheiroperationwhileonly75%ofdevicesareusingmobilesafeguards(CardLine,2007).
Therefore,itiscrucialthatpeoplechangetheirbehaviourswhentheyusenewtechnologiessuchaswirelessoronlinebanking.
Forexample,savingtheonlinebankingusernameandpasswordinthebrowserisoneofthebiggestmistakes.
Inthenewtechnologyboom,individualsandtechnologymanagersmustchangetheirattitudesandbehavioursandconsiderprecautionarysolutionswhenusingnewtechnology.
Forexample,applyingappropriatesecuritysystems,suchasnotsavingaccountinformationincomputers,usingantispy-wareprograms,andwirelesssafeguardswillprotectpeopleandindividualsagainstIDtheft.
Consequently,newtechnologythreatsandtheireffectsonIDtheftdifferbasedonindividualsandmanagersbehavioursandtheprecautionstheytake.
IDTHEFTANDOTHERFRAUDSAccordingtoGercke(2007),IDtheftisoftenthefirstandpreparationphasetothesecondphase.
Accordingly,themajormotivesofperpetratorsforstealingidentitiesare:1)Requirementoffurtherfraud(inmostofcases)2)Sellthestoleninformation3)HidingtheidentityMoreover,IDfraud,financialfraud,taxfraud,medicalfraud,resumefraud,mortgagefraud,andorganizedcrimessuchasmoneylaundering,terrorism,andillegalimmigrationarethesignificantoutcomesofIDfraud.
FactsshowthateveryyearIDtheftandrelatedfraudimposesoverwhelmingcostsonnations.
Forexample,theUnitedKingdomisannuallyburdenedabout1.
3billionfromIDrelatedfraudthatincludes:taxfraudfor215million,creditfraudfor215million,moneylaunderingfor400million,andimmigrationfraud(forgingpassports)for584million(Whitleyetal.
,2007:4J.
LawConflict.
Resolut.
Figure1.
ThemajoroutcomesofIDtheftCanadianpeoplesufferedfromin2006(CIPPIC,2007:23).
53-54).
IDtheftisusuallytheprimarymainstepassociatedwithothertypesoffraud.
Abriefdefinitionofalltypesoffraudandadeeperdiscussionaboutafewofthem,whicharereportedbyCIPPIC(2007:23)(Figure1).
IDfraud(forgingidentitydocuments)Personalinformationisusedtocreatefakedriverslicenses,vehicleregistrationcertificates,creditanddebitcards,andotheridentitydocumentsthatwillbeusedtocommitfraud.
InOctober2005inToronto,atheftringcreatedforgedhealthcards,creditcards,driverslicenses,andotherkeyidentitiestoopennewbankaccounts.
FinancialfraudsTakingoverexistingaccounts:Fraudsterswithenoughpersonalinformationcancontactorganizationsandtakecontroloftheexistingbankaccountandwithdrawallmoneyinashortestperiodoftimewithoutanysuspicion.
Openingnewaccounts:WithhavingprivateinformationandIDsuchasname,address,andsocialinsurancenumbers,fraudsterscanopennewbankaccounts,creditaccounts(creditcards,linesofcredit,orloans),in-storeaccounts,cellphoneaccounts,andstudentloansaccountsunderthevictimsrealinformation;theythenwillchangetheirbillingaddressinordertoconcealtheiractivitiesfromvictims.
Insuchcasesfraudstershavemoretimeandmoreopportunitiestocommitfraudandinmostofcases,victimsonlywillrealizewhencollectoragenciescontactthemortheircreditapplicationsarerefused.
Onlineshopping:InthismethodfraudstersshoponlinewithvictimspersonalinformationandIDinadifferentarea,usuallyAfrica,andasktodeliverorderstoatrustedthirdparty.
Theythenrequestrepackagingofordersandshippingthemtothefraudsters.
ThismethodoffraudincreasedinCanadain2003,whenanAlbertanpurchasedmerchandiseonlinewithastolenIDandcreditcardnumberandaskedforhisordertobeshippedtoNorthDakotaandre-shippedthemtoEdmontonthroughrepackaging.
Mortgagefraud:Anewdisturbingformoffraudthathasbeengrowingrecently,whichisanotherresultofIDtheft.
MortgagefraudisdefinedasobtainingmortgagefinancingunderafakeIDorfalseidentification.
InthiswayfraudstersusestolenIDs,suchasfalsifiedID,incomestatementsoremploymentrecordstotakeownershipofpropertiesandsellthemortakeoutmortgageundervictimsnamesandcredits.
AccordingtoCIPPIC(p.
28),mortgagefraudincreased500%intheU.
S.
Afrom4,000casesin2001to17,000casesin2004.
Inaddition,Canadiansannuallylose$1.
5millionduetomortgagefraud.
Forexample,inApril2006,inSurreyB.
C.
,awomanposedastheownerofapropertyandappliedfora$170,000mortgage.
Amortgagebrokerarrangedamortgagebutanotherbrokerinformedpoliceafteridentifyingthescam(CIPPIC,2007:29).
Inaddition,basedonOttawaPoliceservice,mortgagefraudinvolvesothercrimesaswell;drugtraffickingisoneofthemajorones.
Accordingly,drugtraffickersownpropertiesthroughIDtheftandmortgagefraud;theythenusethesepropertiestogrowmarijuana,whichcaughttheattentionofneighborsinmostofthecases(CIPPIC,2007:29).
TheCanadianCriminalIntelligenceService(CISC)investigatedthenegativeimpactsofthemortgagefraudonCanadiansocietyanditseconomyandtheresultofthesurveyisillustratedasfollow(CIPPIC,2007:7):"Intermsofsocialharms,mortgagefraudcancausesignificantpsychologicalormentalstresstothevictims.
Theconsequencestovictimscanincludeguiltandshame,disbelief,anger,depression,asenseofbetrayalandalossoftrust.
Individualscanalsospendaconsiderableperiodoftimerecoveringlostorstolenidentificationandrepairingdamagedcredithistories.
Multiplemortgagefraudswithinaneighborhoodcanresultininflatedneighborhoodpropertyvalues,higherpropertytaxes,aninabilitytosellhomes,andabandonedproperties.
…Intermsofeconomicharm,thecorruptionofprofessionalsintherealestateandmortgageindustriesisdifficult,expensiveandtimeconsumingtoinvestigate.
…Theaveragemortgagefraudlossperpropertywasapproximately$100,000.
Onechallengeisthatthehealthyreal-estatemarkethascausedhousingpricesgenerallytoincrease.
Asaresult,itissometimesdifficulttodetectfraudulentlyover-valuedproperties.
However,afterareal-estatemarketdownturn,thepricesofsomeofthesefraudulentlyover-valuedpropertieswillfall.
Asaresult,defaultswilloccurandsomefraudswillbereadilyapparent.
"ResumefraudSincecriminalrecordchecksareoneofthemainprerequisitesofsecurepositionsparticularlyingovernmentsections,fraudstersusestolenidentitiestogetemployment(CIPPIC,2007).
Resumefraudisanopportunityforfraudsterstouseindividualsappropriaterelatedexperiencesandeducation.
TheworstsituationinresumefraudisthatfraudsterssecureapositioninastrategicgovernmentsectionsuchastheCanadaRevenueAgency.
Inthissituationtheaftermathwillbeirreparablebecausethieveshaveaccesstothemostimportantprivateinformation.
Forexample,MichaelRitter,theAlbertanfraudsterclaimedthathegraduatedfromLondonSchoolofEconomics(LSE)andsecuredhispositionsforalmostfiveyearsasthechiefparliamentarycounselattheAlbertalegislature.
AlthoughRitterdidnotHedayati5useastolenIDtoforgehisresume,itispossibleforIDthievestodothesameaswhatRitterdidtosecureanimportantpositionandgainbenefits.
Immigrationfraud(obtainingapassport)andterrorismInternationalcriminals,suchasterroristsandillegalimmigrants,usestolenidentitiestoobtainapassporttocovertheirfeloniesandillegalactivities.
Thesetypesoffraudoftencountasasignificantthreatfornationalsecuritiesacrosstheglobe.
Forexample,inJuly2002,amemberofal-Qa'ida,whowasusingAustralianpassport,wasarrestedinCanada.
HewaschargedbythegovernmentoftheNetherlandsbecauseheplannedtoblowuptheAmericanembassyinParis(OCBA,2010).
Inaddition,accordingtotheFBI,Al-QaedasmemberspurchasedtheircellphonesandpaidbystolenidentityandcreditcardsinSpain.
TheyalsostoleIDandforgedpassportstoopenbankaccountsinwhichterroristsupportersweretransferringmoneyfromAfghanistanandPakistan(Arterberry,2005).
MedicalfraudMedicalfraudhappenswhensomeonestealsimportantinformationorIDsuchashealthcards,andusesthemtoclaimorobtainmedicalservicesunderthevictimsname.
Oneofthepossibleresultsofmedicalfraudismisleadinghealthservicesproviders,whichmayputapatientslifeatrisk.
Statisticsshowsthataround500,000Americanshavebeenvictimsofmedicalfraud.
AlthoughthisstatisticisnotavailableforCanada,theOntarioMinistryofHealthandLong-TermCareclaimsthatmedicalfraud(healthcarefraud)isthemainoutcomeoftheIDtheftinOntario(CIPPIC,2007:26).
TaxfraudIDfraudstersusevictimsidentitiessuchasemploymentrecordsorsocialinsurancenumberstofiletheirincometaxestoreceivevictimstaxrefunds(CIPPIC,2007).
Forexample,accordingtotheUnitedStatesDistrictCourt(2010),DistrictofArizona,agroupoffraudstersfiledincometaxreturnsbystolenIDsbetween2005and2008andobtainedabout$4millionintaxrefunds.
THEFTTECHNIQUESAccordingtoCIPPIC,IDthievesmaystealpersonalandprivateinformationinvariousways,rangingfromsimple(physical)wayssuchastheftofwalletstoverysophisticatedmethods(technology-basedthefts)suchas6J.
LawConflict.
Resolut.
Figure2.
Thedifferenttechniques,frequency,anddistributionofIDtheftintheUnitedStatesin2006(CIPPIC,2007,p.
4).
computerhacking.
Inaddition,theCIPPIC(2007)reportillustratesthatIDthievesmaystealpeoplesprivateinformationthroughthirdparties.
StatisticsshowthatIDtheftthroughhigh-techmethodssuchastheinternetislessthan10%;however,identitythievessignificantlyuselow-techmethodstostealpersonalinformation.
Figure2illustratesthedifferenttechniques,frequency,anddistributionofIDtheftintheUnitedStatesin2006(CIPPIC,2007:4).
InordertodealwithIDtheftitiscrucialforindividualsandorganizationstounderstandvarioustechniques;therefore,differenttechniquesfromphysicaltohigh-tech,whichwereretrievedfromtheCIPPICreportin2007.
PhysicalthefttechniquesTheftofpersonalinformationsources(wallets,cellphones,andcomputers)Today,thievescanobtainpersonalinformationbystealingrichsourcesofinformationparticularlylaptopsfromimportantgovernmentalinformationcenterssuchasCanadaRevenueAgency,CRA.
Thefollowingexamplesaresomeofthemostimportantones(CIPPIC,2007:5):"-OnFriday,September26,2003,twowelldressedmenwalkedintotheCalgaryofficesoftheCanadaCustomsandRevenueAgency(CCRA)andstole15DELLlaptopcomputersvaluedinexcessof$60,000.
00.
(i)Fourcomputerscontainingconfidentialpersonalinformationofmorethan120,000CanadianswerealsostolenfromCCRAsLavalofficesonSeptember4,2003.
(ii)InMay2005,theU.
S.
DepartmentofJusticereportedthatalaptopcontaininginformationon80,000departmentalemployeeswasstolen.
(iii)AsimilarsituationoccurredattheUniversityofCalifornia,Berkeley.
Thistime,personalinformation,includingsocialsecuritynumbers(SSN),wasstored,unencrypted,onthelaptop.
"Trash-theftTheIDthievescanreceivepersonalinformationthroughdivinginhouseholdtrashaswellasthatofspecificbusinessessuchashotels,rentalcarcompanies,andrestaurant.
InthiswayIDthievesmayobtainpersonalinformationondiscardedfinancialreceipts.
ChangeofaddressSincemailisagoodcontinuoussourceofpersonalinformationandittakesmoretimeuntilvictimsdetectanytheft,IDthievescanredirectmailtoobtainvictimsaccountinformation.
Forexample,inMarch2006,twofraudsterswhousedachangeofaddressformtoredirectpeoplemailwerearrestedinOttawa.
Accordingtopolice,victimsprovidedallpersonalinformationandreplied.
Finally,policewerealertedaboutthefraudbyCanadaPostCorporateSecurity.
MailtheftMailtheftisaneasywaybywhichthievescanstealkeyinformationfrombusinessesorhomemailboxes,recyclebins,orgarbage.
Thievesmayobtainpersonalinformationthroughbankandcreditcardstatements,utilitybills,ordriverslicenses.
Accordingtoasurvey,amajorityoflawenforcementofficials(68%)believethatmailtheftisthesignificantconcernofIDtheftintheU.
S.
A.
Forexample,in2004,Bradley,athiefwhocommittedmailtheftwassentencedtofourandhalfyearsbecauseheusedstoleninformationtoforgeotherdocumentsforfurtherfraud(CIPPIC,2007:7).
TombstonetheftBythistechniqueIDthievescollectallpersonalinformationsuchasbirthdateandfullnamesofdeceasedfromnewspapersandtombstones.
Inthenextstep,thievesposeasdeceasedsinsurancecompanyandcollectotherimportantpersonalinformationfromfuneralhomes.
Forexample,inAtlantain2007,thievespurchasedtheidentitiesof80deceasedfor$600eachandsecured$1.
5millionincarloans(CIPPIC,2007:9).
Skimming(magneticstripduplication)Usingthismethod,thievesuseasmallelectronicdevicecalleda"skimmers"thatcancopycreditordebitcardinformationafterswipingthecard.
Sinceanycardswithamagneticstripsuchaslibrarycardsareprogrammable,thievesthencancreateadditionalcardsbyusingstoleninformationforfraud.
Forinstance,inCalgaryin2004,thievescopied35ATMusersdebitcardsinanhour(CIPPIC,2007:9).
InsidertheftDishonestinsidersinorganizationsthatholdpeopleskeyinformation,suchascreditanddebitcardnumbersoftenmaystealpersonalinformationduetolackofappropriateinternalcontrol.
Findingsinastudyshowthatupto70%oftheIDtheftfromAmericanorganizationsiscommittedbyinsiders(CIPPIC,2007:11).
PurchasingstolenpersonalinformationOneoftheeasiestwaystoreceiveanindividualsprivateinformationistopurchaseinformationfrominsiderthieves,ordatatraffickers.
Forexample,thievessoldtheHedayati735duplicateddebitcards(inSkimming)andearned$117,000(CIPPIC,2007:13).
Technology-basedIDthefttechniquesPhishing"Phishingisaformofsocialengineeringinwhichanattackerattemptstofraudulentlyacquiresensitiveinformationfromavictimbyimpersonatingatrustworthythirdparty"(Jagaticetal.
,2005:1).
Jagaticetal.
(2005)statethatsocialnetworks,suchasFacebook,Orkut,LinkedIn,MySpace,andFriendsterarethemainsourcesformininginformationaboutvictims(Jagaticetal.
,2005:2).
AccordingtoCIPPIC,sincephishingmessagesareattractiveforpeople,thievesusetheminupto25%ofIDtheft.
Thievesinphishingmessagesusuallyaskforprivateinformationtofix,update,orresolveothertechnicalissues(Appendix2).
Expertsstatethatinphishingmessages,surprisingly,thievesusefraudalertstotrickindividuals.
WhenphishingmessagescomewiththesamelogosandcolorsofthetrustworthyorganizationitiscalledSpoofing.
Statisticsshowthat24%ofCanadiansreceivedphishingmessagesthataskfortheiraccountinformation,and14%ofthembecamevictims(2007:13-14).
Inaddition,57millionAmericansreceivedphishingmessagein2003andmorethan50%whorespondedwerevictimizedbyIDtheft(Litan,2004:1).
Forexample,inRomania,policearrestedDanMariusStefanwhostole$500,000throughphishing(Mitchisonetal.
,2004:33).
HackingUnauthorizedaccesstosystemsordatabasestoobtainpersonalororganizationalclassifiedinformationiscalledhacking(Paget,2007).
Hackerscansellallstoleninformationorgainprofitfromprivateinformationdirectly.
Forexample,in2009,acomputerhacker,Gonzalez,28,stolemorethan135millioncreditanddebitcardnumbersinchainstoreslike7-Eleven,andobtained$1.
6millionincash(Meek,2009).
WardrivingInwardriving,thievesattempttosearch,detectandconnecttoindividualsororganizationsunsecuredWi-Fiorwirelessnetworksandstealpersonalinformation.
Thievesor"wardrivers"usedeviceswithwirelessnetworksdetectorssuchasnotebooksorPDAstoconnecttounsecurednetworkswhentheydriveinneighborhoods(CIPPIC,2007).
Forexample,in2003,SalecedotheAmericanhackerandhispartnerweresentencedtonineyearsinprisonbecauseofunauthorized8J.
LawConflict.
Resolut.
accesstoLowesCompanieswirelessconnectionandstealingcreditcardaccountnumbers(Justice,2004).
SocialengineeringtechniquesAswasmentionedearlier,IDthievesattackthehumanelementsespeciallyinorganizationstobypasstechnicalcontrolsandstealpersonalinformation.
"Socialengineeringinvolvesexploitingthenaturaltendencyofapersontotrustothers,especiallypeoplewithwhomtheyhavesomesortofrelationship"(CIPPIC,2007:20).
Followingareseveralmaintypicaltechniquesthatareusedbysocialengineers:Pre-textingInthisformofIDtheft,socialengineersrelyon"smoothtalking"totargetvictimsorthirdpartiestostealpersonalandprivateinformation(CIPPIC,2007).
AccordingtoCIPPIC(2007),typicallypre-testersuseseveralmethodstostealpersonalinformationasfollowed:1)Contactthirdpartiesandposeasaninternalemployeeoranothercompanyonbehalfofvictimsandaskfortheiraccountsinformation.
2)Pretendtodoatelemarketingsurveyinwhichthevictimsinformationisapartofsurveyrequirements.
3)Pretendtofromcallanantifraudorganizationandvictimsinformationisrequiredtoregisterinprotectionprograms.
4)Trickyouthandchildrenandtargetthemtoobtainpersonalinformationininternetchatrooms.
Forexample,inCanadain2004,IDthievescalledEquifaxCanadaInc.
2,posedasalegitimatecreditgrantor,andmanagedtosteal1400Canadianscreditfiles(CIPPIC,2007:21).
ObtainingcreditreportsSincecreditchecksforsomesituationsareusual,thievesusethiswaytostealpersonalinformation.
InthisformofIDtheft,fraudsterspretendtobealandlord,cardealer,orpotentialemployerandobtainindividualsprivateinformation.
FakeemploymentschemesInthisform,bogusemployerspostjobsontheirwebsitesandaskjobseekerstosubmitaresumeoranapplicationformtoobtainpersonalinformation.
Withthistechnique,inOttawain2006,thievesobtainedpersonalinformation2EquifaxCanadaIncisoneoftheCanadianmajorcustomerreportingagencies.
suchasSINanddriverslicensenumbers(CIPPIC,2007:21-22).
InB.
C.
in2003,withusingthesametechniques,afraudsterstolepersonalinformation,openedabankaccount,forgedcheques,andobtained$80,000(CIPPIC,2007:22).
THEFTPREVENTIONFraudstersusedifferentmethodsandstrategiestoobtainpersonalinformation.
Infact,basedonthesituation,thieveschoosetheirmethodstoattacktotheirtargets.
Forexample,theIDtechniquesforstealinginformationfromorganizationsdifferfromindividuals.
Therefore,appropriatepreventiontechniquesthatarerecommendedbyRoyalCanadianMountedPolice(RCMP)(2010)forindividualsandorganizationsareasfollows:Preventiontechniquesforindividuals1)SincethievesareabletostealpersonalinformationviatheInternet,fax,regularmail,ortelephone,individualsshouldnotdisclosepersonalinformationwhentheyarenothundredpercentsure.
2)Itisrecommendedtocarryentireidentitiesdocumentonlywhenisneeded;otherwiseshouldbekeptinasafeplace.
3)Askforperiodicalcreditcheckreportsfrombanks,creditors,orotherfinancialinstitutionsandreportanyirregularitiestothecreditbureaus.
4)Itisrecommendedthatindividualsdonotallowotherssuchascashierstoswipetheircreditanddebitcards.
5)PersonalidentificationnumberwhenusingaPINpadoranATMshouldbecovered.
6)ItisbettertomemorizeallpersonalIDnumberssuchasdebitcards,andtelephonecallingcardsandneverwritethemonthecards.
7)Itisbetterthatindividualsbefamiliarizedwiththeircreditanddebitcardsbillingcycleandmonitorthemcarefully.
8)Documentshreddingbeforediscardingintrashbinsisstronglyrecommendedbecausegarbageandtrashbinsareagoldmineforthieves.
9)Thepostofficeandotherrelevantfinancialinstitutionsshouldbeinformedaboutanyaddresschange.
Amongallofthese,allmailshouldberemovedquicklyfrommailboxandavacationholdwhenpeopletravelisrecommended(Paget,2007).
Italsoisrecommendedtoreviewfinancialaccountbalancesandcheckintoanyunexplainedwithdraworcharges(Paget,2007).
Inaddition,accordingtoPaget,thefollowingtechniquesarerecommendedtoindividualstoprotectpersonalinformationincomputeroronlinenetworks:a)Individualsshouldwatchoutforphishingmessagesandnotdisclosepersonalinformation.
b)Reputedandaccreditedbusinessneverrequestaccountinformationsuchasusername,passwords,socialinsurancenumbers,andcreditordebitcardsnumbers;therefore,thesee-mailorcontactsshouldberejected.
c)Itisrecommendedthatpeopleneitheruselinksinunknownemails,norcutandpastethemintheirwebbrowsersbecausephisherscanaccesstheircomputersafteropenthoselinks.
d)Usingcomprehensivesecuritysoftwaresuchasanti-virus,anti-spyware,andfirewallsandkeepingthemuptodateisrecommended.
e)Peopleshouldensurethattheirsecuritysoftwareisenabledandcheckallattachmentsintheiremailwhentheydecidetodownloadattachedfilesregardlessofwhoisthesender.
f)Peopleshouldnotsharetheirpersonalemailwiththeirfamilyorfriendsandposttheiraddressandpersonalinformationintheirwebsiteorsocialnetworks.
g)Itisnotrecommendthatindividualssendpersonalinformationeventofriendsandfamilybecausetheircomputersmightnotbeprotected.
h)Allpersonalinformationshouldbedeletedpermanentlyinoldcomputersorharddrivesbeformattedbeforedisposingofacomputer.
i)AllwebsitesandtheircomponentssuchasURLandlockedicon,andtheirprivacypolicyshouldbecheckwhetheraresecuredandcorrectornotbeforeprovidingpersonalinformation.
j)Usingstrongpasswordsisstronglyrecommendedtopeopleinonlinenetworks.
Securityexpertsbelievethatstrongpasswordsaremadebymorethansixcharactersandareacombinationofletters,numbers,andspecialcharacterssuchasHd4vK%j.
PreventiontechniquesfororganizationsSincebusinessesandorganizationscarrypeoplesidentitiesandprivateinformationintheirdatabases,itisnecessarytohaveastrategicplantoprotectkeyinformation.
Atfirstphase,tohaveaneffectiveandsecuredsystem,organizations,suchasfinancialorgovernmentalorganizations,mustassurethatredflagscanbedetectedbytheirsecuritymechanisms.
InMarch2009,theFederalTradeCommission(2010)providedaguideline,theredflagsrule.
Accordingly,identitytheftpreventionprogramsshouldbeprovidedandcoverthefollowingmajorelements:1)First:Reasonablepoliciesandprocedurestoidentifythe"redflags".
2)Second:Detecttheidentifiedredflags.
3)Third:appropriateactionsafterdetectionofredflags.
4)Fourth:Evaluateandupdatethepreventionprogramperiodically.
Moreover,accordingtoCollins,despitecommonthought,themajorityofIDthefthappensinworkplaceratherthanHedayati9online.
Collinsstatesthatemployeesorindividualswhoposeasemployeescommitmorethan70%ofIDtheftsinorganizations;thereforeCollinsrecommendsthefollowingpreventiontechniquestoorganizations(Collins,2003:304-305):a)Tosecureorganizationswithanappropriateandeffectivepersonnelselectionpolicytohirehonestpersons.
b)Toapplyariskassessmentprocess.
c)Toconductane-businessriskassessmenttooltoidentifyredflagstoIDtheft.
d)Torequirethatalldocumentsthatcontainidentitiesandsensitiveinformationaboutindividualsandbusinessbeshreddedbeforedisposing.
e)Todevelopandtrainemployeestorecognizefakeapplications.
f)Toenhanceethicalcultureoforganization.
g)Torewardandsupportemployeeswhoendorsehonestyinorganization.
Inaddition,thefollowingpreventiontechniquesarerecommendedtoorganizationsbyFranoisPaget(2007),SeniorVirusResearchEngineerinMcAfeetoavoidIDtheft:a)Toappointapersontoberesponsiblefororganizationsecuritysystem.
b)Todecreaseriskybehavioursuchassendingandreceivingemailwithoutdiscretionanddownloadingprogramsthroughtraining,listingusersresponsibilities,anddocumentingtherulesoftheinformationsystemandnetworks.
c)Tobuildasecurednetworkandinstallsecuredhardwareandsoftware.
d)Toadoptmanageablesolutionsforemployeeswhoareresponsibletosupportthesystem.
e)Tomanagetheorganizationnetworkbydocumentingallactivities,suchastroubleshooting,installing,testing,andrestoring.
f)Toformalizetheusageofthecorporatenetwork,suchasaddingordeletingusers.
g)Tousepreventionsecuritysystemstoidentify,detect,block,andreportsuspiciousonlineactivities.
h)Toinstallreliablesecuritysystems,suchasanti-virus,anti-Trojan,andanti-spyware)onallterminals(serversandworkstations)thatconnecttocorporatenetwork.
i)Toupdateallsecuritysoftwareregularly.
j)Toassess,modernize,reconfigure,andadministercorporatesecuritysystem.
k)Toignoreanyfreeremotesecuritysystemauditsl)Toprotectalldatabackupdevicesinorganizationm)Toavoidcarryingcrucialdataandinformationontoportablescomputessuchaslaptops.
n)Toanalyze,monitor,andcontrolthecorporationwirelessnetworkanddevices.
o)Toprotectorganizationinformationsystembylimiting10J.
LawConflict.
Resolut.
physicalaccesstothecomputers.
p)Tominimizetherisksofcopyingorstealingofkeydatabysupervisingemployeesturnoverandjobmobility.
q)Tocontrolinformationflowoutsideofthecorporationelectronicnetworksuchasinterviews,responsestoanyquestionnaires,presentationsinconferences,andinformationexchangesinprivateorpublic.
CONCLUSIONSANDRECOMMENDATIONSIdentitytheftasamajorcrimeisincreasingacrosstheglobe,threateningpeopleandorganizations.
Thieves,fraudstersandcriminalsusevarioustechniquestoobtainpeoplesprivateinformation.
Thevarietyoftechniquestoacquirepersonalinformation,andamountofprofitreflectthelevelofmotivation,expertiseandcommitmentoffraudsters.
Factsshowthatcriminalsaltertheirtechniquesbasedontheirmotive;therefore,thecostsofIDthefttoindividualsaredifferentthantoorganizations.
Asmentionedbefore,socialandtechnologicalfactorsaremajormotivesforperpetrators.
Thesetwofactorsaretiedtogetherandincreasetheidentitytheft.
Inaddition,emergingnewtechnologyandthelackofenoughpeoplesknowledgeabouthowtoprotecttheirpersonalinformationmotivatesfraudsters.
Accordingly,itisanticipatedthatidentitythievesmovetowardsusingnewtechniquestoobtainpersonalinformationparticularlyinonlineenvironment.
Therefore,itiscrucialtoenhancepeoplesknowledgeabouthowtoprotectthemselvesinonlinenetworksthrougheducationinthemedia.
Intermsofcostsofpubliceducation,itisnecessarytomentionthatthegovernmentsandotherbigcorporationsshouldconsidercostsasaninvestmentratherthanexpenditurestomakeasafesociety.
Moreover,organizationsthatcollectpeoplespersonalinformationintheirdatabasessuchasbanks,financialinstitutions,andretailstoresaremorevulnerablethanothersmallbusinessesorcorporations.
Therefore,itisvitalfortheseinstitutionstohaveappropriatestrategies,policies,andactionstoprotectthemagainstmassidentitytheft.
Thegooddefensivestrategiesshouldcombinesecurityawareness,training,technicalcontrol,andaneffectiveinformationmanagementstrategy.
Factsshowthatidentitytheftbyinsidersisamajorproblemfororganizations;thusorganizationsshouldconsiderastrongandeffectiveinternalcontroltoavoididentitytheft.
Itisrecommendedthatorganizationseducateemployeesaboutthemostpervasiveattacks,socialengineering,anditsconsequences.
Additionally,managersshouldnoticethatpoorperformanceandneglectingofthedamageofpotentialattacksnotonlyimposeshugeamountsoflossbutalsodestroystheimageofcorporation.
Individualsandorganizationsmustacceptthattheyarevulnerabletoidentitytheft;therefore,applyingthemosteffectivesecuritysystemshouldbeassociatedwithdevelopingawarenessaboutpossiblethreatsbecause"awarenessisthebestdefense".
REFERENCESApplegateS(2009).
SocialEngineering:HackingtheWetware!
.
InformationSecurityJournal:AGlobalPerspective,January,18(1):40-46.
Availablefrom:BusinessSourceComplete.
ArterberryJD(2005).
IdentityTheft:Trends,Techniques,andResponses[Internet],Washington,TheUnitedStatesDepartmentofJustice:CriminalDivision.
Availablefrom:[Accessed26May2010].
CIFAS(2010)IdentityTheft–Victims[Internet].
London,TheUKsFraudPreventionService(CIFAS).
Availablefrom:[Accessed25May2010].
CIPPIC(2007).
WorkingPaperNo.
2:TECHNIQUESOFIDENTITYTHEFT[Internet],Ottawa,CanadianInternetPolicyandPublicInterestClinic(CIPPIC).
Availablefrom:[Accessed25May2010].
CISC(2007).
MortgageFraud&OrganizedCrimeinCanada[Internet],Ottawa,CriminalIntelligenceServiceCanada(CISC).
Availablefrom:[Accessed25May2010].
CollinsJM(2003).
BusinessIdentityTheft:TheLatestTwist.
JournalofForensicAccounting,4:303-306.
FinkleaM(2010).
IdentityTheft:TrendsandIssuesKristin[Internet],Washington,TheFederationofAmericanScientists(FAS).
Availablefrom:[Accessed25May2010].
FederalTradeCommission(FTC)(2010).
FightingFraudWithTheRedFlags[Internet].
Washington,TheFederalTradeCommission(FTC).
Availablefrom:[Accessed24May2010].
GerckeM(2007).
Internet-relatedidentitytheft[Internet],Strasbourg,EconomicCrimeDivisionDirectorateGeneralofHumanRightsandLegalAffairsCouncilofEuropeStrasbourgAvailablefrom:[Accessed27May2010].
ICE(2008).
Illegalalienssentencedonimmigration,fraudandidentity-theftcharges[Internet].
Washington,TheU.
S.
ImmigrationandCustomsEnforcement(ICE).
Availablefrom:[Accessed26May2010].
JagaticTN,JohnsonNA,JakobssonM,MenczerF2005).
SocialPhishing.
CommunicationsoftheACM,50(10)December,pp.
94-100.
Availablefrom:BusinessSourceComplete.
JusticeCA(2010).
HACKERINDICTEDINMASSIVETAX,MAIL,ANDWIREFRAUDSCHEME[Internet],Washington,TheUnitesStatesDepartmentofJustice.
Availablefrom:[Accessed24May2010].
JusticeCA(2004).
HackerSentencedtoPrisonforBreakingintoLowe'sCompanies'ComputerswithIntenttoStealCreditCardInformation[Internet],Charlotte,TheDepartmentOfJusticeWesternDistrictofNorthCarolina.
Availablefrom:[Accessed24May2010].
LitanA(2004).
PhishingAttackVictimsLikelyTargetsforIdentityTheft[Internet],Stamford,Gartner,Inc.
Availablefrom:[Accessed23May2010].
MeekJG(2009).
HackerAlbertGonzalezchargedwithlargestIDthefteverinvolving130Mcredit,debitcards[Internet],Washington,DailyNewsWashingtonBureau.
Availablefrom:[Accessed27May2010].
MitchisonN,WilikensM,BreitenbachL,UrryR,PortesiS(2004).
IdentityTheftADiscussionPaper[Internet],Brussels,EuropeanCommission,DirectorateGeneral,JointResearchCenter.
Availablefrom:[Accessed25May2010].
OCBA(2010).
Casestudies[Internet],Adelide,TheSouthAustralianGovernment'sJustice.
Availablefrom:[Accessed25May2010].
PagetF(2007).
IdentityTheft[Internet],SantaClara,McAfee.
Availablefrom:[Accessed25May2010].
PasselJS(2006).
TheSizeandCharacteristicsoftheUnauthorizedMigrantPopulationintheU.
S.
[Internet],Washington,MicrosoftthePewHispanicCentre.
Availablefrom:[Accessed25May2010].
CreditUnionNationalAssociation(CUNA)(2008).
PointforCreditUnionResearch&Advice.
12.
November,p.
1.
Availablefrom:BusinessSourceComplete.
RCMP(2010).
IdentityTheftandIdentityFraud[Internet].
Ottawa,RCMP.
Availablefrom:[Accessed24May2010].
Hedayati11SullivanB(2006).
Hiddencostofillegalimmigration:IDtheft[Internet],NewYork,Microsoft(MSNBC).
Availablefrom:[Accessed25May2010].
UNHCR(2007).
Whydopeoplemovetoanothercountry[Internet].
Geneva,TheUnitedNationsHighCommissionerforRefugeesUNHCR.
Availablefrom:[Accessed26May2010].
WhitleyEA,HoseinIR,AngellIO,DaviesS(2007).
ReflectionsontheAcademicPolicyAnalysisProcessandtheUKIdentityCardsScheme.
InformationSociety,Jan.
,23(1):51-58,Availablefrom:BusinessSourceComplete.
12J.
LawConflict.
Resolut.
Appendix1.
TypesofPersonalInformationCollectedbyThieves.
Personalinformation:NameGenderAgeDateofbirthPlaceofBirthBirthcertificateMothers'maidennameMaritalstatusEthnicoriginAddress(currentandformer)TelephonenumberEmailaddressSocialinsurancenumber(SIN)Driver'slicencenumberHealthcardnumberPassportnumberPermanentResident(PR)cardAccountcredentials(username,password,PIN,etc)EmploymenthistoryFamilyinformationEducationalhistoryMedicalhistoryNumberofdependentsInformationonyourspousePropertyinformationPropertyAddressesVehiclePlatenumberVehicleregistrationnumberInformationonassetsFinancialinformationCreditcardnumbersCallingcardnumbersandpersonalidentificationnumbers(PIN)LiabilitiesDebitcardnumbersandpersonalidentificationnumbers(PIN)TaxpayeridentificationnumberActualorestimatedincomeBankaccountnumberMortgagedetailsInvestmentinformationOutstandingdebtBiometricInformationFingerprintVoiceprintRetinaimageHeightWeightEyeandhaircolorSource:(CIPPIC,2007:2-3).
Appendix2.
TypesofvisaphishingE-mail.
Source:(CIPPIC,2007:2-3).