Stomp the identity thieves
Essay by Kevin Mitnick
Identity theft is one of the fastest growing crimes in the country, and there's no doubt that the Internet makes it easier. But while some argue that sequestering personal information from the Web is the only solution, I have seen the future of identity theft, and I believe that approach would prove a complete disaster.
Simply defined, identity theft is the stealing of another person's identity, usually to leverage the victim's credit rating to obtain personal loans, credit cards, or instant credit, and run up debts that are never repaid. Some identity thieves go even further, and siphon money directly from a victim's existing bank accounts.
There's also the rare identity thief who isn't after financial gain. For those who enter the U.S. illegally, using another person's social security number might facilitate obtaining employment, renting an apartment and turning on utilities like telephone service and electricity. There are also those who have no credit or negative credit histories that may "borrow" another person's social security number to establish a line of credit, without any intention of defrauding the real owner.
And for those "master" criminals who have been profiled on such shows as America's Most Wanted, stealing an identity (from the living or dead) may help them avoid being captured before the first commercial break.
Regardless of motives, what makes all this thievery possible is the system by which people are issued identification documents, and the practices of verifying identity. The perpetrator only needs to learn a few personal details about his or her target. The credit industry accepts a certain level of risk in doing business, and creditors are more than willing to service anyone who can "verify" personal information against the details already on file with major credit-reporting agencies.
The unsuspecting public may assume that those details, like their mother's maiden name, social security number, and driver's license information, are secret and protected from public disclosure. However, numerous governmental and private organizations keep our so-called "private" information in widely accessible databases, and many opportunities exist for identity thieves to obtain it. Thieves can learn most personal identifiers through low-tech methods, like mail theft and dumpster diving. More sophisticated attackers might break into government or private sector databases to retrieve the data.
Thanks to the World Wide Web, and its plethora of databases, search engines and public records, getting this information is now easier than ever.
Roots of the problem
Several genealogical sites provide research tools to help you trace your family tree. These sites have collected an enormous amount of data from many different sources, including birth, death, and marriage records.
One site I recently learned about, rootsweb.com, allows Web surfers to search and retrieve data from California's birth and death records index, which are public information in the state. While this might be a valuable tool for a genealogist, it's a potential goldmine to an identity thief.
For example, financial institutions typical ask customers doing business over the phone to give their mother's maiden name to prove their identity. But, if you were born in California, anyone with fingers and access to the Internet can find out that information. Some family secret.
The potential for abuse escalates when records can be easily cross-referenced with other data. Ambitious thieves could even employ identity-stealing bots that comb through the vast array of information on the Web and assemble dossiers on potential victims.
Such a program would begin by searching through online alumni records, or professional referral services that catalog doctors, lawyers, or accountants, with the primary objective of targeting affluent people who are likely to have stellar credit profiles.
After acquiring a target, the bot would scour through any and all online resources in search of personal identifiers. For example, if the target was born in California, the program might visit RootsWeb to acquire the target's date of birth and mother's maiden name. Next, it would search online telephone directories or other databases to locate the target's home address. Once it identifies the address, the bot would connect to an online information broker, such as merlindata.com, to run a "credit header" search, which would identify the victim's previous addresses and his or her social security number. Repeat as necessary.
Send in the clones
Identity assumers who are looking for long-term cover, typically deadbeat dads or fugitive felons, often take on the names of people who died as infants. While morbid, this technique gives thieves a blank slate -- an identity that has no established paper trail.
The Web would prove useful here as well: the thief could create a bot that would scour death record indexes, and the obituary sections of newspaper web sites, then cross-reference the information with birth records.
Once an identity thief has the information they need, they can seize existing customer accounts through the old "change of address" trick -- the imposter will make a request of the Postal Service via phone or mail and change a victim's address to a mail drop or P.O. box. This delays tipping off the victim and allows the imposter to intercept credit cards, bank statements, and credit applications.
Sophisticated identity assumers will sometimes "clone" a living person's identity by either counterfeiting or obtaining a certified copy of the victim's birth certificate. Anyone with the right information and some spare change can obtain anyone else's birth certificate through the mail. An applicant only needs to know the target's full name, date of birth, place of birth, and mother's maiden name. Once the imposter receives the birth certificate, he or she can easily obtain traditional forms of identification, including a driver's license and social security card.
It's clear the system is broken. These dated forms of authentication should have been abandoned ages ago. The continued use of these practices will result in more cases of identity theft and "paper tripping." And in the future, anyone potentially could be the target of an identity stealing bot.
I'm always amused when my bank and utility companies "verify" my identity by asking for the last four digits of my social security number. It's no wonder why identity theft is so easy.
Some privacy advocates argue that certain personal identifiers should be restricted from disclosure, and there are a number of bills pending in Congress to strengthen individual privacy. Will enacting laws that proscribe the dissemination of social security numbers, for example, be effective?
I think not. As the old saying goes, the cat is already out of the bag. Once information is freed, it simply cannot be controlled. Should research tools that are available on genealogical web sites be restricted from legitimate use just because unscrupulous people can exploit them? No. That would be analogous to outlawing motor vehicles because they can be used in a bank heist.
I strongly believe that databases available to web surfers should not be outlawed or restricted, even though they may reveal our traditional personal identifiers. Instead, the government and the private sector must adopt new strategies and practices when verifying an individual's identity. My mother's maiden name is not a password; my social security number is not a PIN.
Federal, state, and local governments must work hand-in-hand with private enterprise to overhaul the system of identity verification, and begin immediately to implement accurate and effective methods of authentication. The first step along the way is to strip the value of known personal identifiers, so the information is worthless to an imposter. Then we can all become a shadow in the eyes of the identity stealing bot.
© 2001 SecurityFocus.com, all rights reserved.
Sponsored: Becoming a Pragmatic Security Leader