With more and more people living out large parts of their lives online, cybercriminals are finding endless new ways of stealing identities.
Identity theft and identity fraud have come a long way in the last decade. It was only 2004 when UK card issuers were warning everyone to be careful with their shiny new PINs as the EMV (Europay/MasterCard/Visa) smartcard security system – better known as Chip & PIN, and it seems a lifetime ago.
The driving forces behind the escalation of fraud have been the Internet and, more specifically, social media.
Stealing someone's identity in the world of Facebook, LinkedIn, Twitter and other social networks – allied with a sea of easily obtained name, address and associated data from a wealth of free and low-cost online sources – is now so easy that cybercriminals are even offering DIY kits to novice criminals.
If that wasn't enough, online underground forums now act as a 'carder forums' where cybercriminals buy, sell and exchange identity and payment card sets for as little as $2.00 a time – rising to $6.00 if the identity on sale is that of an apparent high-flyer (e.g. a platinum card holder) located in the UK or premium income parts of the US such as New York City and Florida.
Scoping the battlefield
Although the Chip & PIN security seen on most modern credit and debit cards in Europe is now commonplace – it was successfully pioneered by Carte Bleu in 1992 in France – it's important to understand that the system is less than a decade old in the UK – and almost unknown in the US, where legacy magnetic stripe technology is still in active usage.
Both security systems have their advantages and disadvantages – on the one hand magnetic-stripe cards feature a signature strip, meaning that shopkeepers can verify the signature on the payment slip matches that on the card. On the other, Chip & PIN cards allow an encrypted on-chip personal identification number record to be verified by the four digit PIN entered by the card user on a terminal.
Both systems have an inherent weakness in the shape of the ability to purchase goods and services online using the 16-18-digit card number, expiry date and three-digit Card Verification Value (CVV) number printed on the signature strip of cards – except Diners Club and American Express cards, where a four-digit number is printed on the face of most cards.
To counter the misuse of this data for fraudulent purposes, the card companies have developed an online security process called 3D Secure.
Also known as MasterCard SecureCode, Verified by Visa, American Express SafeKey and J/Secure for JCB cards, the security mechanism is an XML-based protocol designed to be an additional security layer for online credit- and debit-card transactions.
Originally developed by Visa with the intention of improving the security of Internet payments, the system requires the cardholder to register certain details – including date of birth, a unique alphanumeric password selected by the cardholder and optional additional data that is known – in theory at least – only to the cardholder.
Unfortunately for the card issuing industry, after three attempts at 3D Secure data entry box, the XML server (gatewayed from the merchant to the card issuer) requests a data reset by the user at the time, which means that canny criminals – armed with information on their victim – can reset the 3D Secure data to their own requirements, provided they have the basic card credentials of the account in question – which they will have purchased from a carder forum.
The security system is on a three-domain model (hence 3D): acquirer domain (the merchant and its transaction processor); issuer domain (the card issuer); and the interoperability domain, normally the Internet or similar online transaction medium.
As 3D Secure started to make life more difficult for cybercriminals in the mid-2000s, criminals started to exchange card credential data sets between themselves using underground forums known as carder forums.
Today, it is possible to buy – usually in batches of 100 – sets of card and allied credentials that range in price between $2 and $8 each, the price depending on parameters such as the geographic location of the cardholder, the Banking Identity Number (BIN) prefix of the credit or debit card, the category of card (debit, credit, gold credit or platinum credit) and so on.
The carder forums – and the criminals who exchange data on them – have become highly sophisticated in the last few years, expanding their data-harvesting programmes to encompass both legitimate and fraudulent e-commerce websites, as well as bribing members of low-paid staff in outsourced call centres, for whom $500 for a copy of their employer's database, or partial database, may be a highly enticing prospect.
Legitimate websites are normally compromised by a hacker attack – perhaps using an XSS (cross-site scripting) attack or similar – and data-harvesting software installed to run in the background and collate all the data, including card credentials, email address, phone numbers and so on, entered by customers. Every so often the malware on the server bursts into life and routes the valuable data – suitably encrypted to avoid detection – to a remote command-and-control server.
Fraudulent websites are subtler. Since most savvy Internet shoppers now use price-comparison sites to seek out the best price on their travel tickets, CDs, DVDs and other essentials to their modern lifestyle, cybercriminals are known to create entirely bogus Web portals – suitably meta-tagged to allow Google and Yahoo to spider/screen scrape their data – designed to harvest customer card details and other credentials.
There are even reports of some sites supplying users with their required CDs or DVDs (pirate versions, of course) and then selling the identity and card sets via multiple card forums. This is fraud monetisation and identity theft on a one-stop basis.
Then there are the check-in staff at major hotels. Since many hotel guests are required to give their card credentials, mobile phone numbers/addresses and passport numbers, many travellers are unwittingly giving their complete identities to hotel staff – a clear vulnerability. And of course there is always the guest Wi-Fi system to be used to infect the hotel servers with trojan malware capable of harvesting customer credentials for resale.
Most banks and card issues have a vested interest in playing down the scale of identify theft and card fraud generally, while most security vendors use the fear, uncertainty and doubt of online card fraud to promote their security suites of software, which feature heavy-duty security to stop a targeted email or malware infection (known as a trojan) from hitting the user's computer.
Other companies – notably Trusteer, now part of IBM – have developed online security solutions that they sell to the banks, which offer the software for free to their customers.
Trusteer's Rapport, a web browser software plug-in, is in active use by tens of millions of online banking customers worldwide. Thanks to Rapport, in fact, Trusteer collates information on malware and similar cybercriminal attacks on an anonymised basis, and uses this crowd-sourced intelligence to offer a value-added service to companies.
A significant problem
Kaspersky Lab CEO Eugene Kaspersky first broached the subject of ID theft and fraud having become a major cybercriminal business some eight years ago at the Infosecurity Europe Show in London to a disbelieving audience. His comments were subsequently proved correct – namely that there are criminal big businesses operating with staff working in various disciplines, whose sole purpose is to make money from identity thefts and associated fraud against civilians and their businesses.
Kaspersky said in April 2005 that he knew of criminal organisations whose programming staff were rewarded for developing suitable trojan software with Porsches or other high-status goods – in much the same way that sales staff in the real world receive bonuses, although on much increased (and tax-free) scale.
The massive scale of identity theft and identity fraud was revealed to UK audiences in April 2012 when the Serious Organised Crime Agency (SOCA) announced that 36 websites – operating carder forums and allied identity plus card credential sales exchanges – had been closed in an operation spanning the UK, US, Europe and Australia.
In a major takedown following an intensive two years of investigations, SOCA said that police in various countries had coordinated the seizure of Internet domain names, so putting the sites out of business. The US Department of Justice – acting in concert with the FBI and SOCA in the UK – identified the websites as specialising in selling stolen payment card and online bank account details, using e-commerce platforms known as automated vending carts (AVCs) to allow criminals to sell large quantities of stolen data quickly and easily.
In its press statement at the time, SOCA said it had been tracking the development of AVCs and monitoring their use by cybercriminals, who support payment card and online banking fraud on a global scale. "Working with the FBI, the BKA in Germany, the KLPD in the Netherlands, the Ukraine Ministry of Internal Affairs, the Australian Federal Police, and the Romanian National Police, SOCA has recovered over 2.5 million items of compromised personal and financial information over the past two years," it said, adding: "The recovered data has been passed to UK and overseas financial institutions to help prevent potential fraud taking place against the accounts and mitigate the impact of large-scale data thefts. The potential international fraud prevented by the identification of this detail is estimated at being in excess of £500m."
Commenting on the April 2012 operation, Lee Miles, SOCA's head of cyber operations, says that the takedown was an excellent example of the level of international cooperation being focused on tackling online fraud. "Our activities have saved business, online retailers and financial institutions potential fraud losses estimated at more than £500m, and at the same time protected thousands of individuals from the distress caused by being a victim of fraud or identity crime," he notes.
This was no isolated incident, as in June of 2012, the FBI revealed it had also been coordinating a two-year investigation into a carder crime organisation that resulted in the arrest of 26 people around the world. The cybercriminal gang behind the fraud was thought to have been responsible for trafficking in hundreds of thousands of stolen credit and debit card accounts.
At the time, leading US security researcher Brian Krebs – a former Washington Post security writer – said that the carder forum – CarderProfit.cc – was actually an FBI sting operation.
"Federal officials are calling the operation the largest coordinated international law enforcement action in history directed at 'carding' crimes, in which the Internet is used to traffic in and exploit the stolen credit-card, bank-account and other personal information of hundreds of thousands of victims," he says, adding that the sting – 'Operation Card Shop' – started back in June 2010, when the FBI established an undercover carding forum called CarderProfit.cc to identify users who were buying and selling stolen credit card accounts and goods purchased with stolen accounts.
The FBI was clever in its sting operation, reportedly restricting CarderProfit.cc site membership to those individuals with established knowledge of carding techniques or interest in criminal activity. The FBI meticulously kept track of the Internet addresses used by forum members and used members' log-in information to gather additional information about registered users – and in May of 2012, moved in for the kill.
"New users registering with the [undercover] site were required to provide a valid email address as part of the registration process. The email addresses entered by registered members of the site were collected by the FBI," said the FBI in its statement, adding that card issuers had been notified of more than 411,000 compromised credit and debit card accounts.
Defending your identity
According to Peter Wood, CEO of penetration-testing specialist First Base Technologies and an IT/security veteran with experience dating back to the 1960s, identity theft is a major scourge of the Internet era, but he notes that it is actually part of a larger problem.
"I think it's part of a much larger security issue than you might think. It's now turning away from being a problem for consumers – as cybercriminals find the obstacles placed in their path too great, and start looking at business identity theft," he says, adding that stealing a company's financial identity is potentially a lot more profitable than doing the same with an individual.
Wood says that because of his work in the security business, he has subscribed to an online identity defence service called Garlik, which is part of the Experian group of credit check and allied financial services.
"It costs me a few pounds a month and, whilst I only get the occasional email from them, alerting me to a potential issue, my view is that it's more a peace of mind service than anything," he says.
Garlik was set up in 2005 by a group of UK security professionals to help consumers to protect themselves from the risks of identity theft and financial fraud. Through its main product, DataPatrol, Garlik captures and monitors information from a variety of sources across the wider web and social networking sites using its proprietary web-crawler technology.
DataPatrol – which is offered to businesses in the UK, US, Germany and Italy – generates alerts when an online loss, disclosure or theft of consumer data is detected, and suggests next steps on how to respond to incidents before an individual becomes a victim of financial crime or identity fraud.
Experian acquired the VC-backed company in December 2011 – when it said the firm had gross assets of around £700,000 – and has since folded the company into its Experian Interactive business.
The biggest problem surrounding identity theft – and identity fraud – says Wood, is the fact that many online users have the same credentials on many sites, and seem to refuse to use different passwords on different services, despite the warnings of security professionals . "It's clear to me that a company identity has far more value than an individual's identity," he noted.
Wood's comments are echoed by Professor John Walker, CTO of Ascot Barclay and a visiting professor with Nottingham-Trent University. Like Wood, his experience in the security business reaches backs several decades, but he says that pure identity theft – as defined by banks and others – does not actually exist.
"The Theft Act defines theft as the act of depriving someone of a given item, but how can you deprive someone of their identity? You could steal it in a Jackal style – and even impersonate them. Even then the concept is tentative," he says.
"And even if you are dead, your identity is still recorded on several systems," he adds, noting that there are actually several components of identity fraud, many of which are functionally independent of each other.
As a security consultant, Professor Walker says he came across one company that was afraid its perimeter had been compromised.
It was far worse than that, as the firm's metadata, along with information on staff from social networking service Facebook and LinkedIn, could be collated and mapped – and used by cybercriminals.
In another example, he says, the emails of key staff in company A auto-generated responses to say that they were going on leave between specific dates, allowing cybercriminals to know which members of staff's identity to target and defraud as they saw fit.
"From there it was relatively easy for the fraudsters to advise company B that there had been a change of banking details for one of their service suppliers – company A – and could they please send future payments to the new bank account," he says.
"Incredibly, company B then sent a £2m payment to company A, using the new bank details, on the basis of emails that supposedly came from the management of that firm," he adds.
Professor Walker says that the major problem surrounding identity theft and allied fraud is that people are too verbose and easy with their personal information on Facebook and LinkedIn.
"You have to be careful what information you give out on these services. If someone is out of the office for two weeks, you don't give that information away. It becomes a balancing act – only give out what information recipients actually need to know," he advises.
"Criminals don't need to go dumpster diving any more – they have the Internet to do the same process, but electronically."