Little Green Identity Theft Eng

8/14/2019 Little Green Identity Theft Eng

1/24

THE LITTLE GREEN BOOKon identity theft

The little

green book

on identity theft


2/24

THE LITTLE GREEN BOOK on identity theft

Now the serpent was more crafty than any of

the wild animals the Lord God had made. He

said to the woman, Did God really say, You

must not eat from any tree in the garden?

The woman said to the serpent, We may eat

fruit from the trees in the garden, but God did

say, You must not eat fruit from the tree that is

in the middle of the garden, and you must not

touch it, or you will die.

You will not surely die, the serpent said to thewoman. For God knows that when you eat of

it your eyes will be opened, and you will be like

God, knowing good and evil.

Genesis 3, 1-4

This text from the very beginning of the Bible is probably the first exam-

ple of identity theft: The Devil, masquerading as a serpent, tricks Eve to

eat the fruit from the tree of knowledge of good and evil the Devil has

stolen the serpents identity.

Thus, identity theft is not a new phenomenon it has been there from thebeginning of time.


3/24


Norman ASA is not liable for any form of loss or damage arising from use of thedocumentation or from errors or deficiencies therein, including but not limited to lossof earnings.

The information in this document is subject to change without notice. No part of thisdocumentation may be reproduced or transmitted in any form or by any means, elec-tronic or mechanical, including photocopying, recording or information storage andretrieval systems, for any purpose other than the purchasers personal use, without theexplicit written permission of Norman ASA.

The Norman logo is a registered trademark of Norman ASA.Names of products mentioned in this documentation are either trademarks or reg-istered trademarks of their respective owners. They are mentioned for identificationpurposes only.

Copyright 2006 Norman ASA.All rights reserved.

Content

The different roles as a potential victim ................... 6

The intent of the identity thief .................................. 9

Techniques used for identity theft ...........................11

The Internet a plethora of information ................ 16

Social engineering THE most important tool to obtain information ... 17

How to protect yourself from identity theft ............. 18

Closing words ........................................................ 22


4/24


Introduction and

definition

This small book will discussidentity theft with particularemphasis on the extended pos-sibilities that the Internet and

computing offer.

One should note that identitytheft assumes many formsfrom the playful to the ex-tremely dangerous.

Consider these two scenarios:

1. By careful collection ofinformation, interceptionof mail and theft of Carlsoriginal proofs of identity,

Frank is able to become

Carl in all matters that

count. Only those whoknow Carl from before thetheft took place can knowthat Carl is Carl. In all othercontexts Frank is Carl.

2. Linda sends a postcard to

Yvonnes aunt from Spain,congratulating her withher birthday, and signs itYvonne. The aunt is amazedthat Yvonne remembers herbirthday while in Spain, and

tells herself that Yvonne is areally considerate niece.

Both are examples of identitytheft. Obviously the first ispotentially quite severe forCarl, while the latter may be to


5/24


A general definition of

identity theft as the act ofpretending to be another

person in communica-

tion with a third person or

persons.

Yvonnes advantage (e.g. in her

aunts last will).Thus, we cannot say that allkinds of identity theft arenecessarily bad, as one canborrow another personsidentity with good intent andoutcome as the second exam-

ple above shows.

We can therefore come upwith a general definition of

identity theft as the act of

pretending to be another

person in communica-tion with a third person or

persons.

However, identity theft is nor-mally seen as something bad,which will also be the main

theme in this book. We will

therefore hereafter restrict thegeneral definition and refer

to identity theft as the act of

pretending with malicious

intent to be another person

in communication with a

third person or persons.

This operative definitionstated above does not definewhether this malicious intentis directed against:1. The person that has his/her

identity stolen2. A third party that may suf-

fer from dealing with per-son x, while led to believethat it is person y that he isdealing with.

3. Both of the above men-tioned.

It is important to be awareof the fact that all these areidentity thefts. The party thatmight be hurt however will

differ. Although the situationmentioned in item 1 above isthe most focused in the pressand other media, item 2 maybe as important and as crucialto defend against.


6/24


This book will discuss various

examples of identity theft andtechniques used, as well asoutlining how you can defendyourself against being victim-ized.

Although Internet-based tech-

niques for identity theft (l ikephishing) are almost exclu-sively in focus presently, as weshall see, other old-fashionedtechniques may be just aseffective, often even more.

No matter how sophisticatedmalicious software that is cre-ated, no matter which sneakyhardware devices that is set up the human being (wetware)is still the main security risk.

Nevertheless, this book willfocus in particular on theuse on Internet as means forIdentity theft.

Throughout this book we will,

when relevant, refer to the vic-tim of identity theft as a hewhile the identity thief will bea female. This is of course forsimplification reasons only.

The different roles

as a potential victim

Defining roles

When discussing the meansand techniques of identitytheft, it is often useful to con-

sider the different roles a per-son has in order to considerwhich types of identity theftthat you should beware of inthe different roles.

Key words in the differentroles are: Who you are What you know

Your role as a privateperson

As a private person youridentity may be interesting fora number of totally differentreasons, and the motivationfor stealing your identity maybe equally diversified.

If you for some reason haveangered a person and this per-son wants to take revenge, shehas a plethora of means liter-


7/24


ally available on her fingertips.

All of which involve stealingyour identity for a short while.A couple of examples are: She can use any phone and

order subscriptions of lotsof different magazines inyour name.

She can write a letter,signed in your name,cancelling your newspapersubscription with immedi-ate effect.

Common for these examplesof such ad-hoc identity theft isthat the thief is impersonating

you towards people who have

no (practical) means to checkif she is really you.

One may of course view theabove mentioned as merenuisances, which they to someextent also are. However,

it can be quite tedious andtime-consuming to cancelmagazine subscriptions all thetime. And the person that hasbecome your enemy for somereason can of course escalate

her harassment with evenmore annoying and severe acts(shutting off your electric-

She can use any phone and order subscriptions of lots of

different magazines in your name.


8/24


ity because in her mail to the

supplier - signed by you she states that she (you) isgoing away on a long journeyabroad).

Your role as a person in a

corporationOn the other hand you shouldconsider your role as e.g. anemployee.

A more popular scenariois when someone attempts tosteal your identity as a meanto steal something, like moneyfrom your bank account.Whether you are a tempting

target will of course dependon how much money you haveas well as how easy it is to stealyour identity. This scenariowill be discussed further in alater chapter.

Suffice it to say in this contextthat identity theft directed asthe private person you are, ismotivated by your character-istics as this person (rich, un-popular, popular, famous etc.).

The identity thief will haveyou as her ultimate target.

In this case it is not you whoare the target, but the corpora-tion in which you are em-ployed. Stealing your identityis only a means to be ableto access/obtain something

from your employer this isusually some kind of industrialespionage.

Again, some examples illus-trate this:

You work as a janitor and arecurrently deployed to cleanthe premises of a big com-pany. One of this companyscompetitors hires a personto steal your identity as a tool

to be able to go through thecompanys dustbins hoping to


9/24


find information of interest,

or adding a little black box atthe rear end of your computerthat monitors all key strokesfrom the keyboard. Imper-

Later in this book we will go

into more detail regardingthe implementation of thesekinds of identity theft. Thepoint we want to make here

By social engineering techniques she can trick a person to reveal

his user name and password to a company server.

sonating you (stealing youridentity) could be done easilyby showing up at another timeof the day than you usually do(who would notice in a largecorporation?).

Another scenario is if you areemployed in the companysIT department. The thief ofyour identity could then callsomeone in the companypretending to be you, and bysocial engineering techniquesshe tricks that person to revealhis user name and password toa company server. Again it ispossible to obtain informationthat the company does not

want to fall into the hands ofthe competitor.

is merely that it is your role asa corporate person that is theintermediate target here. Themain target is not you.

The intent of theidentity thief

Keeping the theft secretor not

The previous chapters exam-ples show that the time frameof the identity theft will differ,depending on the intent of theidentity thief.

In most of the cases the iden-tity thief only needed to steal

a persons identity for a veryshort time in order to accom-


10/24

0 THE LITTLE GREEN BOOK on identity theft

plish a particular task. Often

it does not even matter if theperson who had his identitystolen notices this after thetheft took place.

In the example where youwere the victim of harassment

it is actually a point in itselfthat you are aware of the factthat someone is harassingyou. On the other hand, theexample of industrial espio-nage would probably be more

successful if it was not re-vealed that secret informationwas in the hand of the wrongpersons. If your bank accountis emptied, the identity thiefhas accomplished what shewanted; that particular theft

would probably not succeeda second and third time withyou and your bank account.

She becomes you

As a special case we should

consider when someone takesover your complete identity tobecome you. If this is conduct-ed in the most sophisticatedmanner it actually does notmatter if the scam is known ornot. As several horror storieshave shown, you may then

have a major problem proving

to lots of different public andcorporate parties, that youactually is you.

An interesting exercise foreach and every one of us is toconsider is this:

How do you proceed ifsomeone has managed to geta drivers license, a passportand several credit cards inyour name. She then takes

control of your bank account,asks for and is granted a loan(in your name of course) andthe monthly instalments arenot met. The credit cards areheavily used and you get hugebills from credit card compa-

nies you never had plans to dobusiness with.What do you do?

Industrial espionage

would probably be more

successful if it was not

revealed that secret infor-

mation was in the hand of

the wrong persons.


11/24


Techniques used for

identity theft

General

In a previous chapter a fewexamples of identity theft werebriefly discussed. We will in

this chapter discuss in moredetail some of the differenttechniques that may be usedfor information gathering. Inparticular we will emphasizethe use of tools available on

the Internet for such informa-tion gathering.

In general there are twoapproaches to informationgathering with the attempt tosteal someones identity:

Collecting as much infor-mation as possible aboutone or a very few individu-als

Attempting to harvest

information from a hugenumber of individualshoping that someone iswilling to offer the desiredinformation.

Specialized information

gathering

When the identity thief knowsa person and a few poten-tial persons whose identityshe needs to steal, there is aneed to gather some kind of

information about that personto facil itate this identity take-over.

There are different techniquesthat an identity thief may useto gather information aboutthe person she wants to be. Inmany cases she already knowssomething about the person


12/24


(name, gender, address etc.)

but this is not always the case.

Scenario 1 the victimis a particular identifiedperson

When some information (e.g.name) is known about the per-

stealing the victims bank

account statements) Purchasing credit informa-

tion on the victim Hacking the victims com-

puter Social engineering tech-

niques by using the

When the identity thief has the information she needs, she

can set the theft itself into action.son our identity thief wants to

target, she can use some of thefollowing techniques to gathermore information: Telephone directories for

obtaining telephone num-bers and address

Internet search engines forany information about theperson that is available onthe World Wide Web. Thisinformation can be any-thing from the extremelyuseful (for the thief) to the

trivial. Trash bin investigation (e.g.

telephone or email to obtain

particular information.

When the identity thief hasthe information she needs,she can set the theft itself intoaction by impersonating thevictim as needed.

Scenario 2 the victimis not identified, but hisrole is

This would be the case whenan organization is the ultimate

target. The identity thief willattempt to target the organiza-


13/24


tion by stealing the identity

of one of its employees. Sheis not interested in a randomemployee, but preferably onewho has particular accessrights and/or one from themanagement.

Internet sites host such infor-

mation, e.g.http://www.whois.org/,http://www.allwhois.com/etc.

After a few seconds she hasgathered information that

A good start would be to

identify the organizationsmanagement and technicalstaff in the IT department.The obvious starting point isthe corporations web site! It ismore normal than not that theweb site has information aboutmanagement, other contactpersons, telephone numbers,email addresses etc.She may add and cross checkthis information by check-ing the persons who are the

contacts on the corporationsdomain registration. Several

enables her to target more

systematically one or a few keypersons using the techniquesthat is mentioned in Scenario1 above.

Bulk information gathering

A totally different approachis used if the identity thiefwants to obtain some kind ofspecial information regardlessof whether it is obtained fromone individual or another, aslong as the type of informa-

tion is the same.


14/24


Typically this may be

password(s) to access aspecial resource (e.g. bankaccounts)

valid credit card numbers

This can be carried out by em-ploying a different set of tools.

However, use of the Internet isunrivalled as the tool to use inthese cases, as it facilitates: a certain degree of anonym-

ity on the identity thiefsside

malicious programs thatcan be installed on userscomputers to reveal confi-dential information to theidentity thief

possibilities to send a hugenumber of emails to poten-

tial victims setting up fake web sites

tailored to the identitythiefs needs

The use of the Internet togather information with theattempt to commit fraudis called phishing (derivedfrom fishing). This will bediscussed in more detail in aseparate chapter below.

Phishing a specialcase of bulk informationgathering

Phishing is an increasinglypopular way to obtain infor-

mation from users infor-mation that may be used tocommit crime. New phishingattempts are set up daily.

A typical phishing schemewould be carried out in thismanner:

1. The identity thief purchasesor harvests electronically in


15/24


some manner a large set of

email addresses.2. She sends an email to these

addresses with a spoofedsender (e.g. a bank)

3. In the email she claims thatsomething wrong happenedwith the users account and

requesting a confirmationof the password.

Quite a lot of such emails havea spoofed link to a web sitethat looks (almost) identical to

the institutions real one. How-ever, it is of course a fake sitethat attempts to obtain secretuser information with theintent to commit fraud.

An identity thief may also use

special malicious programs tocollect information. Detailsregarding the techniquesused to insert such malicious

programs (malware) on a com-

puter are beyond this book.Suffice it to mention thatdistributing malware throughemails, network spreaders,utilization of vulnerabilitiesin operating systems andapplications, are all popular

and widely used techniques todistribute malware.Keyloggers, trojans and back-doors are typical malware usedby the identity thief.

Although these tools aremainly used in a bulk informa-tion gathering scheme, it isobviously likely that malicioussoftware may be targetedon a particular person/or-ganization exclusively. Then

it would be quite difficult todetect, as most antivirus andantispyware products maynot uncover it unless detectedby SandBox-like techniquessimilar to the one integrated in

Normans antivirus products.

Online questionnaires are alsoefficient tools to gather infor-mation about you informa-tion that you normally wouldnot offer to anyone, but which

you may be tricked into giving

The use of the Internet to

gather information with the

attempt to commit fraud is

called phishing.


16/24


because the questions appears

on an official looking (thoughfake) web site.

Norman has previously pub-lished Normans little greenbook of phishing, which cov-ers this topic in more detail.

Please refer to this book formore in-depth information.

Internet may be so danger-

ous with respect to identitytheft is that its electronic formenables automatic processingand systematization. As moreand more personal informa-tion (hospital records, bankinformation, insurance data

etc.) are accessible through theInternet, it is of utmost impor-

The Internet has made the

task for the identity thief mucheasier.

The Internet a plethora ofinformation

Although identity theft hasbeen possible and carriedout for ages, the Internet hasmade the task for the identitythief much easier. We havediscussed some of these issuesabove.

One of the main reasonswhy the information on the

tance that this information isstored in a way that ensuresthat it cannot be accessed bysomeone who is not legitimate.Unfortunately we often seeexamples that this is not the

case.

Securing digital informa-tion is becoming increasinglyimportant as our lives areevolving more and more into anetworked society.


17/24


Social engineering

THE most impor-tant tool to obtaininformation

Regardless of the fact that theInternet has made the identity

thiefs task easier, the by farmost important tool for her isgood old social engineeringtechniques.

The most famous hacker ofour time Kevin David Mit-nick is (in)famous for break-ing into high-profile computersystems. He was eventuallyarrested (in 1995) and spentsome years in prison. Thefact, however, is that Mitnicks

attacks were mainly based onsocial engineering techniques.It is maintained that he wasvery convincing and persua-sive in his attempts to trickpeople to disclose informationthat he needed.

The reason why socialengineering techniques are soeffective is that most humansare eager to please. Whensomeone asks you for assist-

ance your initial reaction is tohelp that person.

If you work in a large organi-

zation and someone calls youon your phone, saying that sheis from your organizations ITdepartment and asks for yourpassword because she has toupdate your account (for what-ever reason), most persons

would be inclined to give thepassword rather than chal-lenge the callers identity.

Another trick it to count onyour vanity. Like it or not,

most of us are susceptible toflattery, and a skilled personcan utilize this to persuadeyou into giving her informa-tion that you should not partwith.

The set of conventional socialengineering tools availablefor the identity thief is onlylimited by her imagination.

When discussing social engi-

neering however, the socialengineering aspect involvedin identity theft by use of theInternet as a channel cannotbe ignored. Most phishingattempts will rely on social en-gineering. The more elegantly

performed the more likely to


18/24


succeed. An email written in

English attempting to phishfor secret user informationfrom users of a Norwegianbank is not likely to succeed(real life example!)

Social engineering works over

and over again because unfor-tunately users are gullible!

How to protectyourself fromidentity theft

General

It is presumably possible tobe totally protected againstany kind of danger. The dis-advantage is that if you are,it will either be extremelyexpensive or, conducting yournormal tasks will be extremelycumbersome or even impos-sible.

The correct general approachto risk is therefore not elimi-nation, but rather finding thecorrect balance between therisk you expose yourself to andthe price you pay if you arebeing hit by an incident that

is not avoided (for whateverreason).

This view should also be taken

when protection from identitytheft is the issue.

Different protectiondepending on the thiefsapproach

Obviously there are differ-ent approaches that shouldbe applied to the differentkinds of identity theft that arediscussed in previous chapters.We will go through some use-ful guidelines here.

It is presumably possible

to be totally protected

against any kind of

danger.

Two general guidelines to keepin mind:1. Everything is not necessar-

ily what is seems like2. There are some people that

may not have your welfareas their top priority


19/24


Protection against

conventional socialengineering

Social engineering is probablythe most difficult to resist.One approach that may workquite well is to switch into a

permanent paranoid mode:

Assume that anyone who

contacts you for whatever

reason is not the one she

claims to be, and that her

intensions are nasty.

activity, not to mention that

you will loose all your friendsin quite a short time.

A better operational ap-

proach is use intelligent

scepticism.

Try asking yourself whetheran initiated contact and herreason for contacting you isprobable. Would a personfrom the IT department re-ally need your password? Is it

This may be a temptingapproach to shield againstconventional social engineer-ing, but will probably not beapplicable in real life. It will be

too cumbersome to conductnormal social and professional

likely that the person from thecredit card company doesntknow and cannot find yourcredit cards number andexpiry date? Why would your

bank representative need yourpin code?


20/24

0 THE LITTLE GREEN BOOK on identity theft

By asking yourself such com-

mon sense questions insteadof supplying the requestedinformation just to be helpful,you will be better prepared

what information you disclose,

in which environment, and towhom.

It may be wise to destroy your

It may be wise to destroy your credit card statementsbefore throwing them in the dust bin. It is not particularlysmart to leave your cash dispenser withdrawals receipt inthe open beside the bank

and protected from becomingthe victim of social engineer-ing techniques.

Protection against

conventional espionageEspionage with the intent ofidentity theft would use a lotof the same techniques as seenin spy movies: dustbin harvesting

telephone tapping monitoring conversationsbehind closed doors

impersonation information gathering and

systematization

The general rule to observeis that you should beware of

credit card statements beforethrowing them in the dustbin. It is not particularly smartto leave your cash dispenserwithdrawals receipt in the

open beside the bank. Themost secret company infor-mation drafts should not bedisposed of in an off-handmanner.

Protection against Internetbased social engineering

Much of the same approachis sufficient when protectingyourself from Internet basedsocial engineering techniques

as for conventional socialengineering. Again:


21/24


Use intelligent scepticism.

Is it likely that your local bankis sending emails in English?Why would your Internet shop

You will also remember to

update your operating systemand applications with the latestprogram patches, as you knowthat authors of malware are

ask for your password canyou think of anything crediblethat explains such a request?

Protection against Inter-net based espionage

If you follow the generalguideline about intelligentscepticism you will also tosome extent be protectedagainst Internet based espio-nage. You will of course notopen the attachment in theemail (allegedly) from yourfavorite female movie star whofor some weird reason hasdecided to email you her nude

photographs.

effective in util izing newlydiscovered program deficien-cies. And of course you updateyour antivirus and antispam

programs often, and you use afirewall.

In spite of all these precau-tions someone may write amalicious piece of softwarethat is placed on your PC

without your knowledge. Anadditional level of protectionwould then be to encrypt theinformation that is availableon your hard drive or network.


22/24


Closing words

This book has brieflydiscussed some aspects ofidentity theft. Much moreinformation is freely avail-able in interesting articles on

the Internet and as printedbooks. Although as shownat the very start of this book identity theft is not a newphenomenon. The Internetand gathering of electronicinformation about each and

every one of us in huge data-bases (that may in some casesbe cross-referenced) make

stealing a persons identity

easier and much more difficultto reclaim. The presence of In-ternet accessible databases thathold electronic informationabout each and every one ofus makes identity theft easier.And more difficult to reclaim

your identity if stolen.

There are strong indicationsthat identity theft will prevailfor a long time in some formor another. To end this book

on a similar note as it started this time from the end ofthe Bible, where the identitythief is imprisoned:

And I saw an angel coming down out of heaven,

having the key to the Abyss and holding in his

hand a great chain. He seized the dragon, that

ancient serpent, who is the devil, or Satan, and

bound him for a thousand years. He threw him

into the Abyss, and locked and sealed it over

him, to keep him from deceiving the nations

anymore until the thousand years were ended.

After that, he must be set free for a short time.Revelation 20, 1-4


23/24


NorwayNorman ASA

Strandvn. 37, Postboks 431324 Lysaker, Norway

Tel: +47 67 10 97 00email: [email protected]

www.norman.no

DenmarkNorman Data Defense Systems A/S

Blangstedgrdsvej 15220 Odense S, Denmark

Tel: +45 63 11 05 08email: [email protected]/dk

SwedenNorman Data Defense Systems ABProNova Science Park, Korsgata 2

602 33 Norrkping, SwedenTel: +46 011-230 330

email: [email protected]/se

UKNorman Data Defense Systems (UK) Ltd

15 Linford Forum, Rockingham DriveLinford WoodMilton KeynesMK14 6LY, UK

Tel: +44-1908 678496email: [email protected]

www.normanuk.com

GermanyNorman Data Defense Systems GmbH

Gladbecker Strasse 340472 Dsseldorf, Germany

Tel: +49-211 / 5 86 99-0email: [email protected]

www.norman.de

Germany

Norman Data Defense Systems GmbHNiederlassung MnchenLudwigstr. 47

85399 Hallbergmoos, GermanyTel: +49-811 / 5 41 84-0email: [email protected]

www.norman.de

SwitzerlandNorman Data Defense Systems AG

Mnchensteinerstrasse 434052 Basel, SwitzerlandTel: +41-61 317 25 25email: [email protected]

The Netherlands and Luxemburg

Norman/SHARK BVPostbus 1592130 AD Hoofddorp, The Netherlands

Tel.: +31-23-7890222email: [email protected]

Belgium

Norman/SHARK BVGrote Baan 119/23511 Kuringen (Hasselt), BelgiumTel: +32 89 24 37 04email: [email protected]

FranceNorman France8 rue de Berri75008 Paris, FranceTel : + 33 1 42 99 94 14email: [email protected]

Spain

Norman Data Defense Systems

Camino Cerro de los Gamos 1, Edif.128224 Pozuelo de Alarcn MADRID, SpainTel: +34 (0)91 790 11 31email: [email protected]

Italy

Norman Data Defense SystemsCentro Direzionale LombardoVia Roma, 108

20060 Cassina dePecchi (MI), ItalyTel: +39 02 951 58 952email: [email protected]

USANorman Data Defense Systems Inc9302 Lee Highway, Suite 950AFairfax, VA 22031, USATel: +1-703 267 6109email: [email protected]

www.norman.com


24/24


Little Green Identity Theft Eng

Documents

Transcript of Little Green Identity Theft Eng