Personally Identifiable Information (PII) seems to be pouring through the security floodgates and ending up in the wrong hands at an alarming rate. Nearly every other day some new twist involving abuses of trust concerning personally identifiable information makes the headlines.
Before we fly off the deep end implementing all sorts of precautions and countermeasures, we need to identify the various types of identity theft in order to ascertain to which we are most vulnerable. Our tactic will be one of learning from the misfortunes of others and taking the appropriate steps to ensure that similar events do not befall us.
According to the non-profit Identity Theft Resource Center, identity theft falls into one of four categories: financial identity theft, criminal identity theft, identity cloning and business/commercial identity theft.
Financial Identity Theft
Incidents involving the fraudulent use of another’s identity to obtain credit, goods and services are now becoming commonplace. Skimming and other means of duplicating electronic payment cards in order to commit financial identity theft are on the increase. With over US$500 million estimated to have been lost to financial institutions alone last year, this is no longer little league crime.
The problem is that more often than not multiple crimes are committed with the final objective being financial fraud of some form. The borderless nature of the Internet also plays its role in financial identity theft.
Money laundering is another area where a considerable amount of financial identity fraud takes place. The criminal focus here is upon the “cleaning” of that which has already been stolen. Perpetrators of this type of identity fraud want to attract as little attention to themselves and their activities as possible. Thus, from the perpetrator’s perspective, the best identities are those of decent, hard-working Mr. and Mrs. “Average” domiciled in another part of the country, or the recently deceased.
So-called Nigerian 419 scams are a form of financial identity theft that still claims victims many years after having been exposed. Factors contributing to the longevity of the Nigerian 419 scams include younger people who have not heard about them, human greed and naivety. Even so-called “do-gooders” have fallen prey. I guess the perpetrators believe in that age-old adage: “when you are on a good thing, stick to it”.
Criminal Identity Theft
Posing as another when apprehended for a crime has long been a means used by felons to avoid permanent incarceration. Confidence tricksters have also been using identity theft as a means of perpetrating their scams for quite some time now.
Persons wanting to avoid the consequences of their actions have been supplying law enforcement with false identities for centuries. Their primary objective is to remain free (not in permanent custody) or avoid some penalty (speeding fine etc). There is no disguise better than becoming somebody else. The more “ordinary” and unobtrusive that other somebody is the better.
Identity Cloning
Identity cloning often takes the form of using another’s personal information to assume his or her identity in daily life, or for abetting illegal immigration, terrorism, and espionage.
Institutionally condoned identity cloning is, in some instances, the act of a government agent, undercover operative or the agent of an external government. It is still a crime regardless of who the perpetrator(s) may be or their motive(s).
Identity cloning plays a large role in orchestrated attacks against payment systems such as social services (pensions or disability payments) and medical insurance fraud. Simple substitution of the appropriate “desired” medical evidence such as X-ray or pathology reports in place of the real ones is often all that is required and can be very rewarding in compensation claims. Whenever adjudication of claims of this nature without the obligatory attendance of the claimant occurs, the system will always be open to this form of abuse.
A more recent twist on the identity cloning fraud theme in Australia has been the practice of certain persons of non-Caucasian extraction substituting a capable driver in place of the individual applying for their driver’s license, for a fee of course. Compulsory driver’s license ID photos are putting a brake on this.
Many other social services and government bodies have long been susceptible to identity cloning. For example, cases where individuals continue to collect benefits on behalf of the deceased still appear in the news. The most alarming aspect of this type of fraud is the current escalation in its incidence.
Masquerading and Impersonation
When it comes to the issue of masquerading remember that it is not always a person that is impersonated. Many subtle forms of authentication masquerading attacks involve the attacker’s machine masquerading as a legitimate machine(s).
The “evil twin” and SSL injection attacks are forms of Man-in-the-Middle (MITM) attacks where the impersonation of other machines and digital authentication systems takes place. With most users so trusting of digital authentication technologies the possibilities presented by a successful SSL injection attack are numerous and very lucrative.
Business/Commercial Identity Theft
In general, business/commercial identity theft is usually based around the use of a third party’s business name to obtain credit or as a means to obtaining another’s personal information. Numerous email scams have involved this type of activity. However, the primary motivation is still financial gain.
Phishing is an example of online business/commercial identity theft and often involves the duplication, replication and/or impersonation of a valid well-known commercial, institutional or non-profit website. The side-effects can be very damaging to the organization whose online identity (the owner of the cloned website) becomes misused in this way. Consumers tend to take the view of once bitten twice shy.
The organization involved is often left with little choice but to completely redesign their website in order to remove any semblance or relationship to the old exploited website. Often other more draconian and expensive measures are required. Because many identity theft crimes of this nature occur across international boundaries victims often have very little avenue for recompense.
Blackmail, Extortion and Character Assassination
Not only are blackmail and extortion methods commonly used in obtaining false identities or another’s personally identifiable information, they are often the real motive for doing so.
Theft of electronic authentication credentials is a means often used to access “private” correspondence. The perpetrator’s intent is often to determine if a subject is conducting improper affairs that might be useful in the commission of blackmail or extortion.
Character assassination, always a favorite with politicians, is another objective of identity theft that is still uncommon but on the increase. The goal here is to destroy the target’s credibility in some manner. Sex scandals are a political death trap for any candidate. Financial impropriety or the insinuation of financial impropriety is a powerful tool in the destruction of political opponents.
Commercial character assassination incidents also occur, where one group posing as another will deliberately commit crimes or create incidents involving unwanted and unfavorable publicity in order to damage another organization’s reputation.
By the time the victimized organization can clear itself from the “misunderstanding”, misrepresentation or mistaken identity considerable detrimental damage may have already been done. Bad publicity sticks.
Concentrating Your Defenses and Countermeasures
When it comes to planning and defending against identity theft and subsequent fraud, there are a number of areas, countermeasures, preventatives and “after-the-fact” strategies and tools readily available to us all. Many are free or free to use for home, home office and/or small business. However, before we can use any of them we must first evaluate the technologies and level of protection currently afforded the Personally Identifiable Information (PII) in our care.
Because the perpetrators of identity theft have such an expansive range of tactics and directions (geographically) from which to attack, we need to concentrate our efforts upon protecting that which is of the greatest value to us and them: the PII entrusted to our care.
The key to not becoming a victim is to be able to identify exactly what you have that identity theft perpetrators might want. Then decide whether it is worth protecting. If it is not, then it is probably not worth stealing. In this way, you can determine where your efforts and countermeasures are best concentrated.
As always, the proactive prevention of identity theft in all its guises is far better than after-the-fact cures when it comes to the gathering, administration, upkeep and eventual destruction of Personally Identifiable Information (PII), be it our own or that of other parties.
As individuals, organizations or members of an organization, we need to up the stakes and improve our vigilance and countermeasures in order to ensure that we adequately protect all Personally Identifiable Information (PII) in our charge, including that of ourselves, our organization and its employees, clients, business partners and contractors.













Tue, Aug 26, 2008, by TechDoc