
									White Paper | January 2007

Identity Theft
By François Paget Senior Virus Research Engineer, McAfee Avert Labs



Table of Contents
Key Findings
Introduction
Examples
  South Africa: Trojan at Standard Bank
  United States: “Secure 360” conference
  France: Senate
Terminology
Techniques Used by Criminals
  Traditional physical methods
  Internet-related methods
  Ever gullible
Profile of Criminals
  Members of a group or an organized crime network
  Terrorists
  Petty criminals
Victims and Repercussions of Identity Theft
  Overall losses and trends
  Labeled a terrorist
  Phishing stories
  Victim profile and aftereffects
Precautionary Measures
  Tips for individuals
  Tips for businesses
Conclusion


Key Findings
1. Between January 2004 and May 2006, the number of “keyloggers” increased by 50 percent. During this same period, the number of alerts listed by the Anti-Phishing Working Group multiplied by 100 (17,600 in May 2006 compared with 176 in January 2004).
2. Personal data for tens of millions of people disappears each year. It’s either been stolen or misplaced. Despite this disturbing trend, the number of complaints is surprisingly low, which leads us to believe that the losses are not fully acknowledged.
3. There are many ways that businesses and individuals can reduce the risk of identity theft. We offer a number of precautionary tips.

Introduction
Businesses and governments ask us to reveal personal data more frequently than ever before. These institutions store this sensitive information in numerous, increasingly larger databases. This data is, of course, very valuable, but not only to those who should have it. Criminals also try to get their hands on this information, so that they can use it for malicious purposes or sell it to commit fraud. This is identity theft. In the first section of this white paper, we discuss some recent high-profile examples of identity theft and how several countries define this type of fraud (Internet-related or not) and its scope. In the second section, we examine both the criminals and their techniques (traditional and new) to better understand how identity theft has evolved in recent years. The third section focuses on the victims and the consequences of identity theft. Using recent studies, we measure the extent of this phenomenon from a quantitative and financial point of view. Finally, we offer recommendations for prevention and protection for individuals and companies.

Examples
Approximately 10 million Americans are affected by identity fraud each year, according to the U.S. Federal Trade Commission.1 The root of these crimes is often computer theft, loss of backups, or compromised information systems. Although normally carried out for economic gain, these crimes might also be committed by terrorists who establish false identities to conceal their activities from the watchful eyes of law enforcement.

South Africa: Trojan at Standard Bank
In May 2006, an online newspaper reported that Standard Bank discovered its local and foreign clients had been cheated out of several hundred thousand rands by an international group of cyber-criminals. The criminals captured bank information from passing users through a Trojan that they installed on computers in cyber-cafés and other public places. More than 50 people, including American, Canadian, and English tourists, were victimized by the gang’s scheme. The victims were informed about the identity theft through their own banks, which were alerted by Standard Bank.

United States: “Secure 360” conference
At the “Secure 360” conference in May 2006, Mary Poquette (chief compliance officer of Verifications, Inc.) presented a study on identity theft. Figure 1, below, shows the 1 cited cases involving personal data theft of nearly .5 million people that occurred between February 15, 2005, and April 8, 2005.

Figure 1: Identity theft cases from Privacy Rights Clearinghouse

France: Senate
In June 2005, the French Senate (one of the two houses of the French Parliament) issued a report on the new generation of identity documents and documentary fraud. This report pointed out that terrorist networks systematically use false identity documents provided by forgers who supply common criminals as well. The report mentions, for example, a Paris criminal court case in July 9, 2004. Two individuals were sentenced to five and eight years, respectively, in prison. They were found guilty of criminal conspiracy in relation to a terrorist group, concealment of administrative documents, possession of false administrative documents, and concealment of counterfeit stamps. When arrested on October 0, 00, as they were attempting to leave Rotterdam, they had in their possession 0 French passports, 60 revenue stamps, and 60 laminated films bearing the initials “RF” (for Republique Française, or French Republic), which were used to create the passports. The investigation uncovered that their logistical activities were tied to a radical Islamist faction. The fake documents were intended for groups training for military formations in Afghanistan and Pakistan.

According to the report, this example is far from isolated. When asked about this topic, the French Minister of Justice stated that falsification of administrative documents, possession of counterfeit documents, forgery, and transport and concealment of counterfeit stamps and blank or stolen passports for a terrorist organization are among the most frequent terrorist offenses encountered in French legal investigations.

Terminology
What is identity crime? Although there is no universal definition, simply stated, it occurs when someone fraudulently assumes another’s identity. In the physical world, a person’s identity is concrete and is supported by legal documents. In the online world, however, a person’s identity is less tangible. Some digital data, such as passwords, account names, screen names, and logins, may not be considered elements of a person’s legal identity. Yet such data can be “identifying” and provide access to other private data.

When a person asserts an identity to another party, the latter authenticates the former’s identity in one of three general ways. The most common method for two parties who have no previous relationship is to use an identifying document such as a card, badge, or license. Another method involves some kind of secret knowledge, such as a password, handshake, obscure fact, or personal knowledge. Finally, they can use physical characteristics and recognition, especially between individuals who have an established relationship.

1 “Identity Theft Focus of National Consumer Protection Week 2005”: http://www.ftc.gov/opa/2005/02/ncpw05.htm
2 “Cyber-Fraud Syndicate Busted”: asp?Nav=ns&lvl2=buss&ArticleID=1518-1786_1942366
3 One rand is equivalent to US$0.15.


An identity crime, therefore, circumvents or deceives one or more of these authentication mechanisms. Figure 2 presents the definition as it has evolved in both U.S. legislation and regulations.4

The definition of identity theft was first codified as part of the Identity Theft and Assumption Deterrence Act of 1998 (ID Theft Act),5 which made identity theft a standalone crime. More specifically, it amended the federal criminal code to make it a crime for anyone to:

“…knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.”

In 2003, the Fair and Accurate Credit Transactions Act of 2003 (FACTA) amended the Fair Credit Reporting Act to include a civil definition of identity theft:

“The term ‘identity theft’ means a fraud committed using the identifying information of another person, subject to such further definition as the FTC [Federal Trade Commission] may prescribe, by regulation.”7

Pursuant to FACTA, the FTC has recently proposed a more specific definition of identity theft that describes what is meant by “identifying information”:

(a) The term ‘identity theft’ means a fraud committed or attempted using the identifying information of another person without lawful authority.
(b) The term ‘identifying information’ means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any
(1) Name, Social Security number, date of birth, official state- or government-issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number.
(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation.
(3) Unique electronic identification number, address, or routing code.
(4) Telecommunication identifying information or access device.”8

The Australian Bureau of Statistics (via the National Crime Statistics Unit) and the Australian High Tech Crime Centre further define the term.9

• “False identity” may be used to describe:
° The creation of a fictitious identity
° The alteration of one’s own identity (or identity
° The theft or assumption of a pre-existing identity (identity theft), which may also involve subsequent manipulation
• “Identity crime” may be used as the generic term to include both identity fraud and identity theft (and “skimming”10) and relevant related offenses (such as the possession, distribution, and manufacture of relevant items, devices, etc.)
• “Identity fraud” may be used to describe use of a false identity for monetary gain, illegal acquisition of goods, services, or other benefits, or the avoidance of obligations and should include instances of “skimming”
• “Identity theft” may be used to describe the theft or assumption of a pre-existing identity (or significant part of it), with or without consent, and regardless of whether the person is dead or alive

In the United Kingdom, the preferred term is “identity fraud.” French-speaking countries also have their own distinct terms. Some favor vol d’identité (“identity theft”), while others speak of usurpation d’identité (“impersonation”).

Techniques Used by Criminals
Identity theft can affect all aspects of a victim’s daily life and often occurs far from its victims. Identity thieves use both traditional physical methods and Internet-related methods.

Traditional physical methods
We’ve all learned to be vigilant with respect to our personal property and our identities, yet criminals have many methods for stealing documents and other valuables:

Figure 2: One definition of identity crime

• Computer and backup theft. This method is among the most common. In addition to stealing equipment from private buildings, criminals also strike public transport, hotels, and recreation centers. They can carefully analyze stolen equipment or backups and, given enough time and resources, can usually recover data
• Direct access to information. People who have earned a certain degree of trust (house cleaners, babysitters, nurses, friends, or roommates) can obtain legitimate access to a business or residence to steal information
• Searching trash or garbage bins (“dumpster diving”). Retrieving documents from trash bins is more common than you might think
• Theft of a purse or wallet. These often contain bank cards and identity documents. Pickpockets work on the street as well as in public transport and exercise rooms
• Mail theft and rerouting. It is easy to steal from mailboxes, which do a poor job of protecting bank mail (credit cards, account statements), administrative forms, or partially completed credit offers. These documents are all priceless to criminals. Using your name, criminals can, for example, return items to the sender or request a change of address
• Reading over your shoulder (“shoulder surfing”). People who loiter around automatic teller machines and telephone booths are sometimes on the lookout for your personal details
• False or disguised ATMs (“skimming”). Just as it is possible to imitate a bank ATM, it is also possible to install miniaturized equipment on a valid ATM. (See photos in Figure 3.) A copier captures your card information so that it can be duplicated, and a camera films you entering your personal identification number (PIN)
• Dishonest or mistreated employees. An employee or partner with access to your personal files, salary information, insurance files, or bank information can gather all sorts of confidential information
• Telemarketing and fake telephone calls. This is an effective method for collecting information from unsuspecting people. The caller who makes a “cold call” (supposedly from a bank) asks the victim to verify account information immediately on the phone, often without much explanation or verification

4 “Putting an End to Account-Hijacking Identity Theft”: consumer/idtheftstudy/identity_theft.pdf
5 Pub. L. 105-318
6 18 U.S.C. §1028
7 15 U.S.C. §1681a(q)(3)
8 Related Identity Theft Definitions, Duration of Active Duty Alerts, and Appropriate Proof of Identity Under the Fair Credit Reporting Act, Federal Register 69, no. 82 (April 28, 2004): 233.
9 “Standardisation of Definitions of Identity Crime Terms”: au/policy/DEFINITIONSjoint.pdf
10 Skimming occurs when a person steals a credit card’s information while processing a legitimate transaction. See for more information.

The following photos show how an ATM can be set up for identity theft. These documents come from a presentation proposed for the annual NACO 2005 conference.11

Figure 3: Preparing an ATM for identity theft with a card copier (top photos) and camera (bottom photos)
Courtesy University of Texas at Austin Police Department

Internet-related methods
With the popularity of email and the web, plus the increasing use of electronic payment systems, it’s easy to see why criminals are exploiting this arena. Identity theft villains have adopted new techniques; in the virtual world, we see various types of attacks that apply to the real world:

• Hacking, unauthorized access to systems, and database theft. Apart from stealing hardware, criminals frequently compromise systems, diverting information directly or with the help of listening devices, such as sniffers and scanners, on the network. Hackers gain access to a great deal of data, decrypt it (if necessary), and use the data for exploits elsewhere

11 “Identity Theft: Trends, Techniques, and Responses”, John D. Arterberry, Executive Deputy Chief, Fraud Section, Criminal Division, United States Department of Justice, Washington, D.C. 20530. 2005 NACO Annual Conference, July 16, 2005


• Phishing. Cyber-criminals use fraudulent email and web sites (known as “mirror” sites) that resemble online bank or retail sites. They are designed to fool users into revealing personal information, particularly credit card numbers, account numbers, and passwords. Below you’ll find an example of a bogus eBay screen

Figure 4: Fraudulent vendor information request

• Pharming. This is an advanced form of phishing that redirects the connection between an IP address and its target server. This can happen at the DNS server—via cache poisoning or social engineering—or on the local machine with the help of a Trojan that modifies the hosts file. The link has been altered, so that every time users try to connect with an organization’s proper site, they are secretly redirected to a mirror site, without ever having typed in the incorrect (fraudulent) address. Social engineering is especially devious because victims are driven to harmful actions by their own greed or generosity. In 2005, the SANS Institute reported that 1,00 companies—including several big names—suffered from a single cache-poisoning attack12
• Redirectors. These are malicious programs that redirect users’ network traffic to locations they did not intend to visit. The Anti-Phishing Working Group sees a strong increase in traffic redirectors, as well as in phishing-based keyloggers. They report that the highest volume in traffic occurs with malicious code which simply modifies your DNS server settings or your hosts file to redirect either some specific DNS lookups or all DNS lookups to a fraudulent DNS server. The fraudulent server replies with “good” answers for most domains. However, when attackers want to direct you to a fraudulent site, they simply modify their name-server responses. This is particularly effective because the attackers can redirect any of the users’ requests at any time, and the users would have no idea that this is happening.13 In December 2005, such an attack was carried out against HSBC Brazil, Banco Itau, Banco Banespa, and Bradesco banks. The next figure shows a screen that infected victims encountered when they joined the HSBC web site. (Redirectors, like other Trojans, are detected by anti-virus software)

Figure 5: A redirector displays a fraudulent bank site

12 “How to Prevent Pharming”: 200507/ai_n14801912/print
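A defender's check for the hosts-file redirection described in the Pharming and Redirectors items above, as an added example that is not part of the McAfee paper: it parses a hosts file and flags local overrides, ranking those that touch watched financial domains highest. The watch list, the sample file contents, and the severity labels are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample (not from the paper): default entries plus overrides of
# the kind a redirector writes. Addresses come from documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1      localhost
::1            localhost
0.0.0.0        ads.tracker.example      # ad blocking
203.0.113.45   www.bank.example bank.example
198.51.100.7   login.payments.example   # trailing comment
10.0.0.12      intranet.corp.example
192.0.2.99     update.vendor.example
127.0.0.1      secure.bank.example
not-an-ip      broken.example
"""

# Hypothetical watch list: domains that should never be overridden locally.
WATCHED = ("bank.example", "payments.example")
# Names that normally point at the local machine (assumed set).
LOCAL_NAMES = {"localhost", "localhost.localdomain",
               "ip6-localhost", "ip6-loopback"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue                            # blank or comment-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address, skipped here
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(host, watched=WATCHED):
    """True for a watched domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in watched)


def severity(ip, host, watched=WATCHED):
    """Rank one hostname-to-address override; None means nothing to report."""
    sinkhole = ip.is_loopback or ip.is_unspecified
    if host in LOCAL_NAMES and sinkhole:
        return None                 # the normal localhost entries
    if is_watched(host, watched):
        # A watched site sent to a routable address is the redirect case;
        # sent to loopback it is merely made unreachable.
        return "medium" if sinkhole else "high"
    if sinkhole:
        return None                 # local blocking of an unwatched name
    if any(ip in net for net in RFC1918):
        return "low"                # internal override, often administrative
    return "medium"                 # unwatched name sent to an outside address


def audit_hosts(text, watched=WATCHED):
    """Return (line_no, host, ip, severity) for each entry worth reviewing."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        for host in hosts:
            level = severity(ip, host, watched)
            if level:
                findings.append((line_no, host, str(ip), level))
    return findings


if __name__ == "__main__":
    for line_no, host, ip, level in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} [{level}]")
```

The same audit can be pointed at a real hosts file by passing its contents to `audit_hosts`; it does not cover the other route the paper mentions, a changed DNS server setting.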

• Advance-fee fraud. The unsuspecting user receives an email message allegedly from a family member of an African dignitary. Its writer explains that following the death of the dignitary, a large sum of money will be blocked somewhere. With the user’s help, and using his or her financial backing for the funds transfer, the contact says that it would be possible to release the money. A substantial reward supposedly awaits those who accept the contract. This scam, called “advance-fee fraud”, is also known as “419 fraud” (for the relevant section of the Nigerian Criminal Code). Originating in Nigeria in the 1980s, this successful fraud, circulated through postal mail and fax, quickly crossed the borders within Africa. Also in this category of swindling are email messages that announce to recipients that they have won the lottery after their email addresses came up in a drawing. These scams qualify as identity crimes because they involve collecting personal and bank information from unsuspecting Internet users who are gullible enough to respond to these solicitations
• The fake Internal Revenue Service (IRS) form. This one involves the W-9095 form,14 sometimes named the W-8888 form

13 APWG—Phishing Activity Trends Report (monthly basis):

Figure 6: Fake IRS form

This form is entirely fictitious. Attached to an email, it is often accompanied by a fax number, to which it must be quickly returned. The message indicates that users will lose some tax exemptions if they fail to respond within seven days.

• Keyloggers and password stealers. These terms refer to malicious programs that find their way onto the computers of their victims. Each program gathers certain keystrokes and can collect the name of the user, passwords, and other personal and confidential information. The malware then sends the data to the attackers, who use it fraudulently

Figure 7: A simple keylogger configuration screen

At McAfee®, we are regularly consulted about a Trojan family known as Haxdoor, A11 Dea†h, or Backdoor-BAC. This is one of the most common pieces of advanced malware that we encounter in the wild. Many attack Microsoft® Internet Explorer vulnerabilities. On an infected machine, each Trojan captures network information and logins and waits for the user to browse a web site (usually financial) that requires authentication. When this occurs, the keylogger collects transaction data, such as username and password, and then sends the stolen data to a dedicated host that enters the stolen data into incremental log files. We saw the first Backdoor-BAC variants in 00. Month after month, new variants appeared. Hundreds exist today. They grow ever more sophisticated and now contain rootkit capabilities. Written by a Russian nicknamed Corpse, the creation toolkit is sold online for $00 to $500, depending on specifications.

Figure 8: Web site of the Russian keylogger Corpse

Figure 9: A “backdoor” application with keylogger facilities

With this Trojan, malware authors can create their own settings before recompiling the code. They can also easily create multiple variants without much technical knowledge. The centralized server is called a “blind drop.”15 It is usually a purchased (illegitimately, in almost all cases), dedicated hosting machine with a basic directory structure, which receives the data via a PHP file and then outputs it into log files. In Figure 10, the files are named A11formxy.txt, where “xy” corresponds with the day of the month. In the same directory, we also found files named A11passxy.txt; they included password information.

Figure 10: A blind drop server for capturing keylogger data

Differentiating among keyloggers, password stealers, and “backdoor” applications is not easy. Many backdoors, which allow hackers to remotely control computers, can also collect information. This is why many data-gathering programs are considered backdoors. Although intended for worthwhile goals, such as parental control, some commercial utilities are occasionally diverted from their original purpose and are used for malicious crimes. Like malware, they are capable of secretly intercepting any computer activity without the user’s consent or knowledge. At McAfee, we call these applications potentially unwanted programs (PUPs). They are not numerous, however. Many fall into the general spyware16 family.

Figure 11: A legitimate program some specialists label as “spyware” when it is used for malevolent activities

14 IRS Tax Form Scam:
15 “Phishing Exposed,” Lance James, p.340. Syngress ISBN 1-5949-030-X

• Hardware. In March 2005, police discovered that the London office of the Japanese bank Sumitomo had been the target of a group of hackers for several months. The investigators initially believed that the criminals had used a Trojan. However, after several days of exploration, they found a tiny keystroke-recording device inserted where the keyboard cable connects to the back of the computer.17 A quick search on the Internet yields a list of a half-dozen companies that sell this type of product.

16 Although industry professionals circulate precise definitions, the media and the public often use “spyware” to include commercial programs that generate income by gathering marketing data and distributing advertising (adware). The Anti-Spyware Coalition (ASC) aims to clearly define spyware programs by developing a common terminology. The Coalition hopes that better definitions of the terms (see the ASC’s glossary) will give users a better understanding of the threats to which they are exposed and help them use security software more effectively. Anti-Spyware Coalition : ASC glossary:

Figure 12: Example of a hardware keylogger you can purchase online
17 “Mission Impossible at the Sumitomo Bank”: sumitomu_bank/

Some of the characteristics of these advertised products are:

° Holds up to  MB in memory
° Undetectable by software
° Transparent to the targeted machine’s operating system
° Capable of recovering material on any PC
° Ranges in price from $0 to $00, according to memory
° Instructions and material available to build the device

Ever gullible
Whether employing traditional or modern methods, criminals are often successful in their attempts to steal identities. In March 2005, a survey on identity theft18 measured the degree of gullibility of 00 Londoners. In exchange for an offer of highly prized theater tickets, 9 percent of the sample group gave the interviewer the personal information requested. The English Home Office estimates that more than 10,000 people were victims of identity theft in Great Britain in 2004.

Profile of Criminals
According to Public Safety and Emergency Preparedness Canada, surveys indicate that the criminals behind identity theft typically belong to one of three main categories.19

Members of a group or an organized crime network
Law enforcement agencies in Canada and the United States recognize that organized crime groups (such as criminal biker gangs or ethnic criminal groups), as well as local crime networks, are becoming more involved in identity theft. Their goal is not only to make money, but also to use the stolen goods or information to support other criminal activities and to build a list of accessible identities to facilitate their crimes and to avoid being discovered by law enforcement.

Terrorists
The governments of Canada and the United States also recognize that terrorists use identity theft to gain employment as a cover, obtain money to finance their activities, and assume a suitable identity when they are about to carry out an attack. For example, an Al Qaeda terrorist cell in Spain used stolen credit cards to set up their crimes and to make several purchases for the group. The criminals did not purchase anything expensive enough to require an ID card. They also used stolen calling cards and credit cards to communicate with cell members in Pakistan, Afghanistan, Lebanon, and elsewhere. They often used fake passports and travel documents to open bank accounts to finance their operations.20

Petty criminals
Organized crime groups or networks aren’t the only ones to commit identity theft. Many individuals do so to make money quickly or to obtain benefits to which they are not entitled.

Victims and Repercussions of Identity Theft
Statistics on identity crimes vary from country to country, and even within the same country. We can partially attribute the wide differences in these statistics to differing definitions of identity theft, as well as to reporting inconsistencies.

Overall losses and trends
In the United Kingdom, the cost of identity theft to the British economy was calculated at $. billion during the past three years, according to one Home Office committee.21 (All amounts are in U.S. dollars unless noted.) In Australia, estimates vary from less than $1 billion (from the Securities Industry Research Center of Asia-Pacific) to more than $ billion (Commonwealth Attorney-General’s Department) per year. The Federal Trade Commission (FTC) calculates the annual cost of identity theft in the United States—for consumers and businesses—at approximately $50 billion. A joint study by the Council of Better Business Bureaus and Javelin Strategy & Research backs up this claim. The combined study highlights some interesting trends.24 It shows stable overall statistics for a three-year period. (See Figure 13.)

18 “U.K. Wide Open to Identity Theft”:
19 “Report on Identity Theft”:
20 Testimony of Dennis M. Lormel, Chief, Terrorist Financial Review Group, FBI. Before the Senate Judiciary Committee Subcommittee on Technology, Terrorism, and Government Information, July 9, 2002. Hearing On S. 2541, “The Identity Theft Penalty Enhancement Act”:
21 Home Office Identity Fraud Steering Committee, “Identity Theft, Don’t Become a Victim”:
22 Australasian Centre for Policing Research, “Identity Crime Research and Coordination”: Suresh Cuganesan and David Lacey, “Identity Fraud in Australia: An Evaluation of its Nature, Cost and Extent,” SIRCA: identity_fraud_extract.pdf.
23 “Putting an End to Account-Hijacking Identity Theft”: consumer/idtheftstudy/identity_theft.pdf
24 “New Research Shows Identity Fraud Growth Is Contained and Consumers Have More Control Than They Think”: 651

Figure 13: American study says cost of identity fraud remains consistent

According to this study, identity fraud attributable to Internet usage (cyber-crimes) accounts for as little as 10 percent of the total cases (11 percent in 00, 9 percent in 2005). Here’s the breakdown:

• Viruses, spyware, and hackers: 5 percent
• Phishing:  percent
• Online transactions: 0. percent

In light of other sources reporting a tremendous number of thefts and disappearances of personal data, the BBB-Javelin percentages seem surprisingly low. They are also low according to phishing studies conducted by Gartner and statistics reported by the Anti-Phishing Working Group. Between February 2005 and March 2006, more than 55 million Americans were put at risk by security breaches, leaving them vulnerable to identity theft.25 When five people take a risk, one will be a victim, according to consumer-protection company TrustedID. Identity theft often goes undetected until, for example, the victim attempts to travel by plane and finds his name on a “no-fly” list of suspects.

Labeled a terrorist
In the United States, the National Counterterrorism Center database contains more than 5,000 names. Its size has increased four-fold since its creation in 00. This list was designed to enable security services to protect the United States from new attacks by identifying dangerous individuals. According to its critics, that database contains numerous errors and approximations. A single individual may appear several times in the file under different names or spellings. Some detractors state that the 5,000 names correspond to only 00,000 people.26 They also claim names may be added to the list following an identity theft in which a criminal uses an innocent person’s name. Such a misfortune happened in December 2004 onboard a Delta Airlines flight between Colombia and Atlanta, Georgia.27 When authorities found a passenger’s name on the no-fly list, they rerouted the plane to a military base. After several hours, authorities discovered that the passenger had been the victim of identity theft. Figure 14 is an example of a no-fly list, as presented at the National Association of Counties 2005 conference.28

Figure 14: Example of a no-fly list

Phishing stories
In the United Kingdom, the Association for Payment Clearing Services (APACS) guarantees the payment services for numerous financial organizations. APACS conducted research that showed that 4 percent of online bank services customers would respond to an email message that supposedly came from their bank and requested that they click a link to reenter their confidential information.29 In February 2006, APACS stated that the total loss due to bank card fraud had decreased between 2004 and 2005. It also announced, however, that the cost of online bank fraud (predominantly phishing or scamming attacks) had doubled during the same period, to $4. million from $.8 million.30

25 TrustedID: Identity Theft Resource Center (source: Privacy Rights Clearinghouse):
26 “United States: More Than 325,000 Presumed Terrorists Filed”: http://interet-general.info/article.php3?id_article=6387
27 “Identity Theft Causes Airline Flight Diversion”:
28 “Identity Theft: Trends, Techniques, and Responses”, John D. Arterberry, Executive Deputy Chief, Fraud Section, Criminal Division, United States Department of Justice, Washington, DC 20530. 2005 NACO Annual Conference, July 16, 2005
29 “APACS Launches Anti-phishing Web Site”:
30 “U.K. Card Fraud Losses in 2005 Fall by £65m—to £439.4m From £504.8m in 2004”:

Between May 004 and May 005, Gartner announced 7 million Americans had received an average of 50 fraudulent email messages. According to the Gartner data, the number of consumers receiving phishing attack emails increased 8 percent in the 1 months that ended in May 005 compared with the 1 months that ended in April 004. An estimated 57 million U.S. adults reported that they definitely have, or think they have, received a phishing attack email. 1 About .4 million online consumers reported losing money directly because of the phishing attacks. Of these, approximately 1. million consumers lost $99 million during the year preceding the survey. Survey participants indicated that most of the money stolen was repaid by banks and credit cards. In the 004 study, Gartner cited a high rate of success for phishers. They estimated that about 19 percent of those attacked, or nearly 11 million U.S. adult Internet users, had clicked on the link in a phishing attack email. Moreover,  percent of those attacked, or an estimated 1.8 million adults, reported giving phishers their financial or personal information.  In both surveys, 5,000 participants were selected to match demographic characteristics of the U.S. online population. The Anti-Phishing Working Group is a global pan-industrial and law-enforcement association focused on eliminating the fraud and identity theft that result from phishing, pharming, and email spoofing of all types. The group reports phishing attacks on a monthly basis, and its mission is to provide a resource for information on the problem and solutions for these attacks. In 004, group spokesman Dan Maier said that in the past, about 5 percent of phishing scams were successful, based on anecdotal evidence.  
While preparing this paper, I found three other studies that demonstrate the high number of people who visit fake web sites or who admit to having been “phished.” One survey was conducted in 2004 by the Ponemon Institute and sponsored by the online privacy group TRUSTe and by NACHA, an electronic payments association. The study was based on a national sample of 1,5 Internet users in the United States. The report states that seven out of ten respondents had unintentionally visited a fake web site. The study also reports that more than 15 percent of the affected respondents admit to having been phished. In total, the study shows that a little less than  percent of respondents thought they had suffered financial damage as a direct result of a phishing attack. The survey also estimated that total financial losses for victims of phishing in the United States rose to approximately $500 million. 4

In the 2005 Consumer Reports “State of the Net,”5 the authors stated that the total impact of phishing was low, but quickly increasing. Of ,00 Internet users questioned, 6 percent (about 00) of them said that they had revealed personal information and about 10 people had suffered losses. Consumer Reports states that the average cost per incident was $400.

The third study was made by the TowerGroup. They found total losses attributable to phishing in 2004 to be about $17 million. 6 This study placed the effective number of phishing attacks at 1,000 cases worldwide, and predicted a figure higher than 86,000 for 2005.

Based on the figures in these three studies, between  percent and 5 percent of phishing attacks are successful. That’s an incredibly high figure—which demonstrates the ongoing need to educate the public.

Why do the estimates of losses directly attributable to victims of phishing vary so greatly? For the Organization for Economic Cooperation and Development, 7 the variation may be due in part to the fact that financial institutions, although taking the threat seriously, hesitate to publicly reveal their losses. And some companies may simply be unaware of the extent of their losses if their customers do not inform them.

31 “Gartner Survey Shows Frequent Data Security Lapses and Increased Cyber Attacks Damage Consumer Trust in Online Commerce”: asset_129754_11.html
32 “Gartner Study Finds Significant Increase in Email Phishing Attacks”: http://www.gartner.com/5_about/press_releases/asset_71087_11.jsp
33 “‘Phishing’ Scam Reports Jump”:,116163-page,1/article.html

Victim profile and aftereffects
According to the FTC, 9 percent of identity theft complaints were submitted by people between 18 and 9 years old. The majority of victims belong to this age bracket. (See Figure 15.) Do not infer from these statistics, however, that all victims are individuals. Businesses and financial institutions are often affected by data theft. They not only bear financial losses, but they also suffer blows to their reputations, their credibility, and their future activities. The potential damage includes direct financial loss, indirect costs (from repairing the damage), ruined images, as well as accusations, arrests, and detention.

The joint study, cited earlier, by the Council of Better Business Bureaus and Javelin Strategy & Research stated that each victim had spent on average $550 (during the three-year period from 00 to 2005) to repair the damages caused. The Javelin report confirmed an earlier survey, conducted in 00, by the FTC.8 In the most serious cases—the creation of new accounts, for example—victims said they spent an average of $1,00 to fix the problems stemming from identity theft. In addition, the two surveys show that repairing damages was also extremely time consuming. Over a period of four years, the amount of time that victims had to spend on rectifying problems stemming from identity theft grew from 0 hours to 40 hours per person.

34 “$US500m Lost in ‘Phishing’ Scams in U.S.”: articles/2004/10/01/1096527902980.html
35 “Consumer Reports ‘State of the Net’ Survey Shows Wave of Crime Threatens Online Users”:
36 “Les Dégâts du ‘Phishing’ Surévalués? Et Qui Va Payer?”: articles/7535/Les-degats-du-phishing-surevalues-Et-qui-va-payer.html
37 “Scoping Study for the Measurement of Trust in the Online Environment”:

[Figure 15: FTC statistics. Bar chart, “Identity Theft Complaints by Victim Age, January 1–December 31, 2005,” showing the percentage of complaints for each age group from Under 18 to 60 and Over.]

*Percentages are based on the total number of identity theft complaints where victims reported their age (239,277). 95 percent of the victims who contacted the Federal Trade Commission (FTC) directly reported their age.

Sometimes, the trouble is not purely financial; a victim may be blamed by a law enforcement agency for a wrongdoing, such as being associated with the criminals. In the FTC survey, 4 percent of victims indicated that the criminals who had been arrested or accused gave the name and information of their victims as identification.9 In some rare cases, the victims said that they themselves were arrested or detained.

Precautionary Measures
Apart from using common sense, you can employ both technical and organizational methods to safeguard your identity. Beyond protection, though, it is necessary to reinforce your authentication procedures.

Tips for individuals
It is impossible to completely eliminate your chances of becoming a victim of identity theft; however, you can effectively reduce your risk by following these basic recommendations.

In daily life

• Guard your personal information. Do not provide personal data on the phone or via mail, unless you’ve initiated the contact. Clever identity thieves might pose as bank agents, phone companies, and even government agencies. Before sharing personal information, confirm the organization is legitimate by calling directly using the number listed on your account statement or telephone directory
• Protect your mail. Promptly remove mail from your mailbox, and when traveling, contact the Postal Service to request a vacation hold
• Monitor your credit. Regularly review your credit report with major credit services, and follow up with creditors if bills do not arrive on time. Federal law requires credit-reporting agencies to provide you a free copy, upon request, of your credit report every 12 months
• Monitor your accounts. Review the balances of your financial accounts, and carefully check for any unexplained charges or withdrawals
• Carry only necessary information. Don’t carry extra credit cards, a passport, or Social Security card in your purse or wallet unless you need it that day
• Protect your trash. Never discard a credit card or ATM receipt in a public place. Always shred personal information including credit card numbers, bank statements, charge receipts, and credit card applications
• Minimize unsolicited credit offers. To opt out of these offers in the mail, call the major credit reporting agencies at 888-5-OPTOUT

On your computer

Your computer can be a gold mine of personal information to an identity thief. The following are some tips to keep your computer—and the personal information stored within it—safe.

• Watch out for phishing scams. These use fraudulent emails and web sites to impersonate legitimate businesses, in hopes of getting you to disclose your personal information
• Be wary of emails requesting personal information. Reputable businesses will never ask for your user name, password, or credit card or Social Security numbers via email. If you are concerned about your account, contact the organization directly by phone

38 Synovate, Federal Trade Commission Identity Theft Survey Report: http://www.ftc.gov/os/2003/09/synovatereport.pdf
39 Ibid.


• Don’t use the link in an email to visit a web site. Never cut and paste the link from the message into your Internet browser. Phishers can make links appear as if they go to one place, while actually sending you to a different site. Instead, open a new Internet browser session and manually type the company’s correct web address
• Install comprehensive security software, and keep it up to date. Some email messages contain harmful software that can damage your computer or track your Internet activities without your knowledge. Anti-virus and anti-spyware software and a firewall will protect you from inadvertently accepting such unwanted files. Anti-virus software scans incoming communications that contain these malicious files, while a firewall protects both the inbound and outbound connections to your computer. A firewall is particularly crucial if you have a broadband or DSL connection that leaves your computer connected to the Internet 24 hours a day
• Use caution when opening email attachments—regardless of who sent them. These files might contain viruses or other malicious software that could capture your passwords or other information you enter on your computer. If you download files, make sure your security software is enabled and pay close attention to any warnings
• Be selective when sharing your email address. Only family and friends should have your personal email address. Do not post your address on web sites, forums, or in chat rooms. If you post your address, you are vulnerable to receiving spam or having your email passed on to others. If you would like to subscribe to a newsletter, consider using a generic email address not linked to any of your personal information
• Use email wisely. It’s an excellent way to stay in touch with friends and family, but be selective when emailing them your personal information. Although you might have security software on your PC, your friends and family might not be protected
• Before disposing of a computer, permanently erase personal information. Erasing files using the delete command or reformatting your hard drive might not be sufficient because files might remain on the computer’s hard drive, which can be retrieved later by tech-savvy criminals. Use a trusted utility to permanently erase your sensitive, personal information
• Check that a web site is secure. When providing your personal information to a business web site, check for signs that the site is secure: a lock icon on the browser’s status bar or a URL for a site that begins with “https:” (The “s” indicates “secure”). However, these signs are not 100 percent foolproof, since even security icons might be forged
• Review the web site’s privacy policy. Trustworthy businesses will publish how they maintain the security of personal information collected by the site, how the information will be used, and whether it will be provided to third parties. If no privacy policy is available or if the policy is hard to understand, consider doing business elsewhere
• Use strong passwords. Security experts recommend creating passwords that combine letters (both uppercase and lowercase), numbers, special characters, and are more than six characters in length. For instance, a strong password would be: Go1dM!n
• Use caution when instant messaging (IM). If you use IM to communicate with friends and family, be careful when sending personal information. Protect yourself by using a nickname for your IM screen name, and never accept strangers into your IM groups

Tips for businesses
Absolute protection does not exist; however, tight security makes it possible to discourage significant attacks and to minimize the consequences of mistakes. In June 2006, CLUSIF (Club de la Sécurité de l’Information Français, or the French Information Security Club) published “Maîtrise et protection de l’information” (“Information Control and Protection”).40 The following are key points that, according to the association, ensure the best security to help businesses avoid identity theft:

• Name a person and a backup to be responsible for information systems security
• Have policies for human resources administration—as well as for trusted vendors and partners—that are consistent with the level of security you choose for your information systems
• Take action to reduce risky behavior—downloading programs, accepting email without discretion, responding to email concerning confidential information—through education and by creating documents detailing the rules of hardware usage or listing user responsibilities
• Build the network and define the parameters for hardware and software so that it is impossible to bypass the system
• Adopt manageable solutions for the people in charge of security who must support the system
• Create an inventory of hardware and software, and maintain message boards for users
• Manage the corporate network by formalizing its use (adding and deleting users, for example) and by documenting the actions performed on the information system (installing, restoring, troubleshooting, testing)
• Maintain a single gateway to the Internet with a firewall and an intrusion detection/prevention system to detect and block suspicious data exchanges
• Install security software (anti-virus, anti-spyware, anti-spam, and anti-Trojan) on all of the workstations as well as on any servers connected to the network
• Regularly apply official security patches and update the anti-virus, anti-spyware, and anti-Trojan definition files on workstations and servers
• If necessary, contact an external consultant who can assess the security of your system, and reconfigure, administer, and modernize it. Don’t jump at offers for free remote security audits
• Protect your data backup devices

In addition to these general measures, the association recommends:

• Tightening security around your system’s most sensitive information. Don’t allow crucial data onto a laptop computer
• Analyzing in detail the wireless networks within the company. A laptop may be stolen solely to gain access to its wireless network
• Protecting the information system’s surroundings. The simplest method is to restrict physical access to the computers
• Supervising job mobility to minimize the risks and the consequences of a theft or a copy
• Controlling the circulation of information beyond electronic communication. Exchanges in public or private locations, presentations at conferences, seemingly personal solicitations, responses to questionnaires, invitations to tender, and interviews are opportunities to expose information that should not be made public or to present a bad image of the company through poor performance

40 “Maitrise et Protection de l’Information,” June 2006: production/ouvrages/pdf/Maitrise_et_Protection_de_l_Information.pdf

Conclusion
We must first admit that every one of us—individuals and businesses—is threatened by and potentially vulnerable to identity theft; this is not something that happens only to others. Despite the seriousness of current incidents and the increasing threat, some basic principles allow us to significantly reduce the risk. Awareness is the best defense. Through awareness, we develop our senses to spot identity theft and to protect personal and corporate information, while maintaining the benefits of information technology.

About the author: François Paget is a Senior Virus Research Engineer at McAfee Avert® Labs. He has been involved in virus research since 1990. Paget is a regular conference speaker at French and international security events, author of numerous articles and a book, and general secretary of the French Information Security Club (CLUSIF).

McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, 888.84.866, Copyright © 2006 McAfee, Inc. No part of this document may be reproduced without the expressed written permission of McAfee, Inc. The information in this document is provided only for educational purposes and for the convenience of McAfee’s customers. The information contained herein is subject to change without notice, and is provided “as is” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. McAfee, Avert, and Avert Labs are trademarks or registered trademarks of McAfee, Inc. in the United States and other countries. All other names and brands may be the property of others. 6-avert-id-thft-001-010
