ID theft is a growing problem that accounts for just under half of all frauds in the UK, but how are these identities stolen and what technologies can be put in place to prevent it happening?
Identity is now a commodity. As personally-identifiable information circulates increasingly online, thieves are hell-bent on stealing it. Credit card information, names, addresses, and dates of birth are just some of the data points that can trade for money online - and help to trash their owners’ credit scores, or worse.
ID theft is a growing problem. In the UK, fraud prevention agency CIFAS said that the number of recorded victims rose 31 per cent to 32,058 in the first three months of 2015, compared to the same period in 2014. What’s more, over 80 per cent of it happened online.
With credit card numbers and other records being stolen by the millions in online breaches, the stakes are high, but a lot of identity theft still happens on paper. Often, thieves can learn just as much about you from your rubbish as they can by mounting a more sophisticated attack online.
Dumpster diving and mailbox theft have the advantage of a low cost of entry, which can appeal to certain criminal types: in particular, uneducated individuals with fewer resources. Donald Rebovich, executive director of the Center for Identity Management and Information Protection (CIMIP) of Utica College in New York State, has spotted a strong correlation between paper-based identity theft and drug crime. In particular, he noticed a concentration of ID-theft rings in the rural southeastern US.
“These same areas seem to have a high concentration of clandestine meth labs. Some offenders that we found in the secret service database were tweakers - people who are addicted to meth,” he said. “They feed their habit through what they can make from ID theft and fraud.”
He recalls multiple cases where law enforcement officers would raid an ID criminal’s home and find drug-making paraphernalia. “What hinders the research is that when someone is arrested for meth, that’s the lead offence,” he warns. “If there’s evidence of ID theft then that’s a secondary offence, and so it doesn’t always show up in the statistics.”
ID thieves stealing information from mailboxes will typically deliver it to a local data broker, who will traffic hundreds of fake IDs and use them quickly to steal money. Law enforcers have intercepted data brokers with mobile ID factories in the boots of their cars, complete with laminators and fake ID licences.
If paper is an attack vector, then one approach is to protect the paper itself from fraud. There have been various proposals to do this. Some involve encoding information directly into the paper. Holographic imprints on paper have been with us for years, but researchers are now working on something rather different.
A team at Vanderbilt University in Tennessee has created tiny gold spirals at the nanoparticle level - fitting 10,000 of them into a space less than one hundredth of a millimetre square - and used ultrafast lasers to characterise their optical properties. By shrinking them below the wavelength of visible light, they develop unusual reflective properties, in an effect known as frequency doubling. Polarised infra-red light from the lasers pushes electrons along the ultra-thin arms of the spiral, causing them to absorb energy and emit a strong visible blue light with a unique signature that would be very difficult to counterfeit.
Other teams have manipulated even smaller particles in the battle against identity thieves. Researchers from the University of Twente and Eindhoven University of Technology in the Netherlands propose using the quantum properties of photons to make it difficult for identity thieves to replicate and use credit cards - even if the entire structure of the credit card is known.
The process uses a layer of nanoparticles on a credit card, which will reflect light back in a certain pattern. In a purely Newtonian world, an attacker could read the reflected pattern of light on the card and attempt to reproduce the same pattern with their own layer of particles.
Projecting a pattern of single photons onto the nanoparticle layer changes that. The laws of quantum mechanics allow a single photon to exist in multiple locations at once. Trying to observe them all collapses them. Projecting a small selection of single photons onto the nanoparticle layer would therefore create a more complex pattern than expected. An attacker could not observe the pattern of photons without destroying it, and could not deduce that pattern from the reflected light.
Deeper and darker
Assuming that institutions adopt them, techniques like this will make it harder to commit identity theft by forging paper. But forgeries are only part of the problem. Criminals use ID information for other, more insidious forms of identity theft. Rather than racing to milk a single credit card, some will use a stolen ID to build up good credit over time before cashing out with a large loan. Children’s identities and those of elderly people in nursing homes are particularly good, because they won’t have a recent credit history - or any at all.
“We see about two million children’s IDs every year, and the bulk of those - around 1.4 million - are stolen by members of their families” says Stephen Coggeshall, CTO at ID Analytics, which specialises in detecting ID fraud.
In this scenario, family members who have ruined their own personal credit will fall back on their children’s IDs for credit card loans. “These unsuspecting children turn 18 and go to apply for credit cards or a student loan, and find that they have a whole bunch of bad debt,” he laments.
Still another type is synthetic ID fraud, says Rebovich, in which people piece together information including social security numbers and identities to create a person out of thin air.
“These people will change identities. They can easily shift from one to another. By the time Experian or maybe some other organisation identifies that fictitious person, they don’t exist,” he comments.
The trade in stolen identity information is fast and fluid, typically conducted through ‘carding’ forums. In the early days of mass online ID theft, these were conducted on sites openly accessible on the web, but as law enforcers have become more sophisticated in tracking down the criminals behind them they have become more secretive. Today, many of them exist on the dark web, trading ID information on encrypted sites reachable only via anonymous surfing protocols like Tor and I2P.
Victor Benjamin, a doctoral student at the University of Arizona, has worked with law enforcement and cybersecurity vendors to infiltrate these groups. He uses textual analysis software to index forum messages and identify the key players.
“The overall trend since we started this project is that there are only a few legit sellers running multiple shops,” he says. The rest are typically wannabes or scammers.
Making a hash of it
How can institutions and their customers protect themselves against these communities? The traditional ways aren’t working well. Using passwords to protect your valuable information is flawed in several ways.
Valuable information like names and addresses is still sent via the postal service in plain text, meaning that it is not password protected in any case. Where passwords are used, many people still resort to predictable ones that are easier to remember, which creates serious problems, even if websites encrypt them.
When lists of millions of passwords are stolen from hacked sites, as happened with both LinkedIn and adultery site Ashley Madison, the passwords are typically protected using hashing. This is a mathematical function that works like a trapdoor. However, more predictable passwords are still relatively easy to break.
Hashing an alphanumeric string (strA) produces another string (strB) that corresponds uniquely to the first. Only strA will produce strB when hashed, and strB is the only string that will ever be produced by strA. The hash function is an irreversible process, because while it takes very little time to produce strB from strA, it would require an inordinate amount of computing power to deduce strA using strB.
Attackers get around these properties and deduce passwords from hashed versions using a tool called a rainbow table, which capitalises on the fact that hashed strings are unique to the original string. A rainbow table contains thousands of hashes of known words and phrases, typically harvested from dictionaries and from other password lists. Each hash is stored with its original unhashed string.
When presented with the hash of an unknown password, the attacker can attempt to match it against hashes in the rainbow table. If a match is found, then the attacker knows the password.
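The lookup described above, seen from the side of someone auditing a credential store, is shown here as an added example that is not part of the original article. It goes one step beyond the text by setting a per-user salt and a slow key-derivation function beside the weak scheme; the choice of SHA-1 and PBKDF2, the wordlist and the account names are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for dictionary words and leaked passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine"]
# Constructed accounts (user -> password), used only to build the demo stores.
ACCOUNTS = {"alice": "sunshine", "bob": "sunshine", "carol": "T7#vq!m2Lx9$"}


def fast_hash(password: str) -> str:
    """Weak scheme (assumed for illustration): one unsalted round of SHA-1."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup(words):
    """Hash each candidate once; the table works against any unsalted dump."""
    return {fast_hash(w): w for w in words}


def audit_unsalted(store, lookup):
    """Return {user: password} for stored hashes found in the lookup table."""
    return {user: lookup[h] for user, h in store.items() if h in lookup}


def enroll(password: str, rounds: int = 100_000):
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest


def verify(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, rounds, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    weak = {u: fast_hash(p) for u, p in ACCOUNTS.items()}
    print("matched by table:", audit_unsalted(weak, build_lookup(WORDLIST)))
    strong = {u: enroll(p) for u, p in ACCOUNTS.items()}
    # Same password, different salts: digests differ, so no single table fits.
    print("alice/bob digests equal:", strong["alice"][2] == strong["bob"][2])
```

Salting removes the precomputation and the shared hash between accounts; it does not make a predictable password strong, since each salted record can still be guessed one candidate at a time, only far more slowly.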
In this way, identity thieves can easily gain access to the accounts of many individuals at once. In some ways, such data is far more valuable than basic credit card data, suggests Jules Campeau, chief marketing officer at NuData Security, which specialises in anti-fraud analysis technology.
“Really they’re starting to trend much more towards personally identifiable information that they can use to take over accounts,” he says of identity thieves. “If you can take over an account you can then access store credit mechanisms and execute on a whole array of different types of things like banks and ecommerce and really exploit the information they’re getting to a much higher degree.”
In many cases, this can happen without any site hacking at all. Criminals can harvest everything they need using basic online searches in a technique known as open source intelligence (OSINT). This can be used to answer the security questions posed by websites during password recovery, for example. In the past, this was used to hack the mailbox of then-presidential candidate Sarah Palin, and to access the iCloud accounts of various celebrities during the now infamous nude-picture scandal.
One way to offset this problem is to use an additional factor of authentication. Two-factor authentication (2FA) is becoming a de facto standard for access to web sites.
In the past, this has commonly involved the use of hardware tokens. Some of these can contain digital certificates, which must be communicated via a USB port or other reader. Other tokens are synchronised with the web server, so that both sides agree on a constantly-changing code to be entered for access. Google’s Authenticator app, used to access its online services, is a popular 2FA mechanism that effectively uses a smartphone as a hardware token.
Something you are
Increasingly, 2FA techniques are moving more towards biometrics, on the basis that it is harder to fake something you are than it is to fake something you have or something you know. Fingerprint recognition is a common technique, especially now that it is becoming more widely available on smartphones, which are themselves becoming a popular form of account access.
Voice identification is also becoming more popular among high-risk financial institutions that need to protect their customers’ accounts from fraudulent access. In late October, Tangerine (formerly ING Bank), which relies heavily on Internet access for its customer service and has few branches, deployed voice identification technology for its users. More recently, life insurance firm Manulife and large Canadian retail bank IDC adopted voice recognition technology, which can analyse around 100 parameters including voice pitch and tone.
False acceptance and rejection rates are important metrics with these technologies, as too big a margin of error on either side will either endanger customer accounts by granting access to the wrong people, or will make it inconvenient for genuine customers when they are refused access. In most cases, customers are given an alternative means of verification such as a password, or asked to complete both for added security.
Some would like to go further with biometrics, installing a mandatory state ID system to help weed out the fraudsters. Robert Siciliano, CEO of idtheftsecurity.com and author of several books on ID theft, points to the United Arab Emirates as a leader in state identity management.
“More than anyone, they have effectively identified the majority of their citizens. That means they have identity documents in place that physically connect with a human in some way, such as smartcards with biometric information that has been encrypted,” he comments.
However, the involvement of governments in ID management schemes naturally creates privacy concerns for many, he adds, which is probably why not many governments have followed suit.
Another approach to mitigating ID theft eschews biometrics in favour of back-end analysis. If fingerprint readers focus on something you are, then this class of identity verification looks at something you do.
How do you do it?
NuData Security analyses the online access sessions of its clients’ customers, looking for patterns in their activities that it uses to determine a baseline of behaviour.
There can be up to 1200 data points in these analyses, explains Campeau. These range from data about the time of day when people access their account and the location that they access it from, through to the IP address and device that they use to log in.
The metrics are even more precise than that, though. They also take into account usage patterns on the device, including typing speed, spelling errors, how the user moves a mouse, and even accelerometer readings from mobile devices that show how users are holding them.
These metrics are used to baseline the user’s own behaviour across a period of time, but they are also compared to aggregate activity among a website’s users.
“We collected 14 billion transactions between the user and the customer website,” says Campeau, adding that this year, the figure will increase to 38 billion. “That lets us understand the user in a different dimension from what’s typically done.”
Data analytics can also help to address synthetic ID fraud, in which there is no real person whose behaviour can be analysed, says ID Analytics’ Coggeshall. The firm handles this by “looking for strangeness,” he says, adding that this is proving particularly useful when it comes to analysing social security numbers (SSNs) in the USA.
In 2011, the US Social Security Administration (SSA) randomised the way that social security numbers were produced, moving away from a predictable pattern in which segments of the number represented specific information such as region. The randomisation made fraud easier for criminals, Coggeshall argues.
“We investigated the pattern. Even though it claims to be random, it isn’t entirely random. We also looked at the statistics around the vacancies of SSNs in the past. Combining that with other information, we can make a judgement about whether a person is a likely immigrant for example,” he explains.
The battle over identity ownership continues. As the criminal operations become more sophisticated, technology will play a big part in protecting personally-identifiable information. The onus is on institutions to use it effectively.