The context of this word has changed in recent years. Identity theft is sadly becoming more common than 'theft' as we once knew it.
Scenarios leading to this come in all shapes and sizes, many of them unbelievably unlikely. If you're ever a victim of identity theft, the culprit is far more likely to be someone local, just tinkering at hacking, than a bona fide, professional hacker. Nothing is more humiliating than getting hacked by a wannabe and it's certainly no consolation when we realize we've been hacked. At least we could be hacked by the real McCoy, right? Rarely the case.
Globally organized crimes gangs are much more involved in computer hacking than ever before, utilizing multitudes of these wannabe-types, so it is easy to imagine how being in a "hacker gang" attracts all kinds - the talented and the not-so-talented. Membership criteria is pretty loose, to say the least.
Computer identity theft can happen in a number of ways. Crime gangs use their own hackers, hire college students and/or just buy stolen information from other, more professional hackers. Whatever the case, the result is the same:
- Most if not all data breaches in the last year were the result of successful hacking.
- Hacking accounts for the largest number of compromised personal records in the last 12 months, having affected more than 40 million people.
- Well-known brands that have been hacked recently include Polo Ralph Lauren, DSW Shoes, Target, pretty much every financial institution we've ever kept any money in and, don't so soon forget the infamous Hello Kitty hack.
What happens to stolen identity information?
Stolen credit card numbers and Social Security Numbers will likely end up on a network of black market trading sites where hackers around the world buy and sell large amounts of personal data.
These black market networks are flourishing and often have thousands of active members. One of these generated over $5M in less than 20 months trading 1.5M stolen credit card numbers before it was shut down.
A transaction on one of these sites might look like this:
- Stolen credit card numbers (and/or other personal information) are posted for sale, either to be purchased or used in "joint ventures."
- In joint ventures, other members use stolen numbers to purchase goods or services and send them to a drop site for pick-up by other network members. The goods are then sold and the proceeds shared amongst the joint venturers.
- New or unproven members are often required to prove credibility by participating in a number of test runs to confirm the seller and the stolen cards are genuinely and committed to stealing identities for profit (and are not cops).
Sites that sell sensitive information also include rating systems, where users share feedback on the quality of stolen identities and other information offered for sale. Many of these sites solicit requests for specific types of stolen identity-related information and sell complete phishing tools and email templates so anyone, regardless of their technical fluency, can easily run their own phishing scams with little or no technical assistance.
Professional computer hacking culture used to be all about the thrill and the fame. Now, these hackers are doing it for strictly for profit. The risks are higher, so the payoffs are larger. Hackers, even those who assist lesser-talented ones, face real jail time for even small hacks. In most cases, real hackers find the opening and sell the info to the less-able but no-less-willing who, in turn, commit the actual thefts to sell the stolen info.
Another common type of identity theft involves former employees accessing former employers' networks and/or computers they used at their old job, using either insider knowledge or password accounts that were not changed or disabled. One fellow stole 30,000 credit records from his former employer over a two-year period after he left the company. The cost to the company?
Estimated at more than $100M.
Disgruntled employees may justify these kinds of actions by convincing themselves it's "just compensation."
Opportunist hackers, often amateurs but sometimes also professionals, spend hours a day scanning the Internet for unprotected opportunities. When they find one, it's only a matter of time spent poking around inside the network or computer to find what's worth taking. Any personal or financial information is of value to somebody, somewhere.
And with nearly 4,000 hacking sites on the web, anyone can learn how to become an accomplished hacker for free. Criminals who may have once lurked in doorways with a blunt objects now lurk in front of laptops armed with nothing more than some rudimentary skills and a lack of ethics. They know it's much easier to break into a business through the Internet to commit identity theft than through a weak door or skylight. A no-brainer to a would-be thug.
Small businesses are especially vulnerable because they usually offer the easiest access to sensitive information of all kinds, such as employee payroll files. Most small businesses don't use or keep access logs, so even if their information has been stolen, they won't know it or have much recourse to solving and/or proving due diligence to cyber insurance providers.
How does it Happen?
In a number of ways:
- Attacks on computers that don't have firewalls active or are otherwise vulnerable due to lack of proper LAN infrastructure
- Keystroke loggers or other malicious tools installed by hiding it in email attachments or phishing websites
- Exploitation of browser vulnerabilities that have not been properly patched (becoming more common)
- Exploitation of weak or poorly protected passwords (very common)
- Hiding malicious code in downloads or free software (be careful!)
- Hiding malicious code in images on websites and waiting for unsuspecting users to click them
- Employees or other trusted users accessing accounts that are still active
- Exploiting poorly installed networks, especially home and wireless networks
What Can We Do?
- Make sure your home and/or office network has a firewall and is configured to protect against would-be intruders
- Ensure computers you use in your home or office have firewalls turned on and anti-virus software installed
- Keep up-to-date with the latest patches for your operating system(s) and especially for all browsers you use
- Make sure that everyone who uses your computer(s) understands your commitment to security best practices, associated risks and rules
- Be scrutinizing of suspicious emails that may be phishing scams
- DON'T SAVE PASSWORDS IN BROWSERS - 99% of us do it. DON'T. It's inconvenient, I know, but it also makes it REALLY CONVENIENT for hackers to STEAL THEM
- Mostly - be careful about the websites you visit, what you click on and what you download - common sense is the only real solution to any of these challenges
Questions? There are no silly ones. Get in touch.
waxieus is committed to making us all smarter and safer.