Stomp the identity thieves

Essay by Kevin Mitnick


Identity theft is one of the fastest growing crimes in the country, and there's no doubt that the Internet makes it easier. But while some argue that sequestering personal information from the Web is the only solution, I have seen the future of identity theft, and I believe that approach would prove a complete disaster.

Simply defined, identity theft is the stealing of another person's identity, usually to leverage the victim's credit rating to obtain personal loans, credit cards, or instant credit, and run up debts that are never repaid. Some identity thieves go even further, and siphon money directly from a victim's existing bank accounts.

There's also the rare identity thief who isn't after financial gain. For those who enter the U.S. illegally, using another person's social security number might facilitate obtaining employment, renting an apartment and turning on utilities like telephone service and electricity. There are also people with no credit history, or a negative one, who may "borrow" another person's social security number to establish a line of credit, without any intention of defrauding the real owner.

And for those "master" criminals who have been profiled on such shows as America's Most Wanted, stealing an identity (from the living or dead) may help them avoid being captured before the first commercial break.

Regardless of motives, what makes all this thievery possible is the system by which people are issued identification documents, and the practices of verifying identity. The perpetrator only needs to learn a few personal details about his or her target. The credit industry accepts a certain level of risk in doing business, and creditors are more than willing to service anyone who can "verify" personal information against the details already on file with major credit-reporting agencies.

The unsuspecting public may assume that those details, like their mother's maiden name, social security number, and driver's license information, are secret and protected from public disclosure. However, numerous governmental and private organizations keep our so-called "private" information in widely accessible databases, and many opportunities exist for identity thieves to obtain it. Thieves can learn most personal identifiers through low-tech methods, like mail theft and dumpster diving. More sophisticated attackers might break into government or private sector databases to retrieve the data.

Thanks to the World Wide Web, and its plethora of databases, search engines and public records, getting this information is now easier than ever.

Roots of the problem

Several genealogical sites provide research tools to help you trace your family tree. These sites have collected an enormous amount of data from many different sources, including birth, death, and marriage records.

One site I recently learned about, rootsweb.com, allows Web surfers to search and retrieve data from the index of California's birth and death records, which are public information in the state. While this might be a valuable tool for a genealogist, it's a potential goldmine to an identity thief.

For example, financial institutions typically ask customers doing business over the phone to give their mother's maiden name to prove their identity. But, if you were born in California, anyone with fingers and access to the Internet can find out that information. Some family secret.

The potential for abuse escalates when records can be easily cross-referenced with other data. Ambitious thieves could even employ identity-stealing bots that comb through the vast array of information on the Web and assemble dossiers on potential victims.

Such a program would begin by searching through online alumni records, or professional referral services that catalog doctors, lawyers, or accountants, with the primary objective of targeting affluent people who are likely to have stellar credit profiles.

After acquiring a target, the bot would scour through any and all online resources in search of personal identifiers. For example, if the target was born in California, the program might visit RootsWeb to acquire the target's date of birth and mother's maiden name. Next, it would search online telephone directories or other databases to locate the target's home address. Once it identifies the address, the bot would connect to an online information broker, such as merlindata.com, to run a "credit header" search, which would identify the victim's previous addresses and his or her social security number. Repeat as necessary.

Send in the clones

Identity assumers who are looking for long-term cover, typically deadbeat dads or fugitive felons, often take on the names of people who died as infants. While morbid, this technique gives thieves a blank slate -- an identity that has no established paper trail.

The Web would prove useful here as well: the thief could create a bot that would scour death record indexes, and the obituary sections of newspaper web sites, then cross-reference the information with birth records.

Once an identity thief has the information they need, they can seize existing customer accounts through the old "change of address" trick -- the imposter will make a request of the Postal Service via phone or mail and change a victim's address to a mail drop or P.O. box. This delays tipping off the victim and allows the imposter to intercept credit cards, bank statements, and credit applications.

Sophisticated identity assumers will sometimes "clone" a living person's identity by either counterfeiting or obtaining a certified copy of the victim's birth certificate. Anyone with the right information and some spare change can obtain anyone else's birth certificate through the mail. An applicant only needs to know the target's full name, date of birth, place of birth, and mother's maiden name. Once the imposter receives the birth certificate, he or she can easily obtain traditional forms of identification, including a driver's license and social security card.

Social insecurity

It's clear the system is broken. These dated forms of authentication should have been abandoned ages ago. The continued use of these practices will result in more cases of identity theft and "paper tripping." And in the future, anyone could potentially be the target of an identity-stealing bot.

I'm always amused when my bank and utility companies "verify" my identity by asking for the last four digits of my social security number. It's no wonder identity theft is so easy.

Some privacy advocates argue that certain personal identifiers should be restricted from disclosure, and there are a number of bills pending in Congress to strengthen individual privacy. Will enacting laws that proscribe the dissemination of social security numbers, for example, be effective?

I think not. As the old saying goes, the cat is already out of the bag. Once information is freed, it simply cannot be controlled. Should research tools that are available on genealogical web sites be restricted from legitimate use just because unscrupulous people can exploit them? No. That would be analogous to outlawing motor vehicles because they can be used in a bank heist.

I strongly believe that databases available to web surfers should not be outlawed or restricted, even though they may reveal our traditional personal identifiers. Instead, the government and the private sector must adopt new strategies and practices when verifying an individual's identity. My mother's maiden name is not a password; my social security number is not a PIN.

Federal, state, and local governments must work hand-in-hand with private enterprise to overhaul the system of identity verification, and begin immediately to implement accurate and effective methods of authentication. The first step along the way is to strip the value of known personal identifiers, so the information is worthless to an imposter. Then we can all become a shadow in the eyes of the identity stealing bot.

© 2001 SecurityFocus.com, all rights reserved.
