
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Identity Theft

Most people are aware that they should be cautious with their credit card details, in case someone steals them and uses them to spend money fraudulently. This is important, as it is the source of most of the identity theft cases reported each year. Fewer people, however, are aware that they need to be just as cautious with their online banking details.

Particular caution should be applied if you want to access your bank account from an internet cafe, internet kiosk, or other public internet terminal. The quick solution is: don't do it. It is not possible to be sure of what software is running on a public terminal, and the simple rule of thumb is to not do anything which you would not want anybody else to see or replicate. Your home terminal may not be much better if it is running any spyware, adware, viruses, worms or other malicious software. One of the most common payloads that these applications include is keylogging software.

Keyloggers are applications which watch a computer and keep track of all keys pressed. They then either report back to an email address, or wait for a specific user to access the system, delivering a complete list of all keys pressed over a certain period. Information that can be captured by such an application includes bank account details and login / password combinations for any application or website that was used, including webmail, ssh, telnet, or any number of other services. The implication is that the malicious user could gain complete access to, and control of, your online identity.

There are a number of steps that can be taken to mitigate these problems for public terminals. If you have access to the CD-ROM drive, and are allowed to reboot the system, the use of a Linux LiveCD is an option. A LiveCD is a CD-ROM which contains a full operating system, and can be used to boot a computer into a Linux desktop, complete with an internet browser and other tools, depending on your requirements. To use this, it is essential that you know how to connect to the network, and that you have permission to use it on the computer. If there is no problem, the LiveCD will bypass any malware (malicious software) on the hard disk of the computer, which means that any keylogging software installed there will not be running while the LiveCD is in use. If use of a LiveCD is not permitted, ensure that you have a temporary login / password combination that you will only use for that one-time access from the terminal. Change it as soon as you have access to your normal terminal, and check that no one has accessed your account in the meantime.

In addition to the problems caused by malicious software tracking the progress of computer users, phishing emails are becoming a greater risk to computer users, with users who are less technically proficient being at a greater risk of losing information. Whilst related to spam (also known as UCE - Unsolicited Commercial Email), phishing emails usually appear to be legitimate emails from financial institutions or other online entities such as eBay or PayPal. The content of a phishing email can vary, but generally follows one, or a combination, of the following basic forms:

The links in the email will use any number of tricks to hide the address of the site that the link will take you to when you try to log in and validate your details. The site that you are taken to will not be the site of a financial institution, or of PayPal, or eBay, but will be owned by the phisher, despite its appearance otherwise. If you enter your details, it will enable them to control your bank accounts and allow for full identity theft. The From: or Reply-To: email addresses may give some clues that the phishing email is not legitimate. If you are not convinced that the email is false, the best way to make sure is to manually type the address of the site into your web browser. If it is a real email, then you should see something on the homepage relating to your email. If you don't, then you should just ignore the email and delete it. A simple login / password combination is not worth the compromise of your private finances and personal identity.
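The two clues described above (a link whose visible text names one site while its target is another, and a Reply-To: domain that differs from the From: domain) can be checked mechanically. The following is an added example, not part of the original article; the message, the domains and the function names are constructed for illustration, and it assumes a single-part HTML message.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every name and address below is made up.
SAMPLE = """\
From: "Example Bank" <security@examplebank.test>
Reply-To: verify@mail-collector.test
Content-Type: text/html

<p>Log in at <a href="http://login.secure-update.test/">https://www.examplebank.test/login</a>
or read <a href="https://www.examplebank.test/help">our help page</a>.</p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or "").strip(), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):  # lowercased hostname of a URL or of bare 'www.site/path' text
    return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()

def domain_of(header):  # domain part of an address header, "" if absent
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def phishing_clues(raw_email):
    msg = message_from_string(raw_email)  # assumption: single-part HTML body
    clues = []
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply and reply != sender:
        clues.append(f"Reply-To domain {reply} differs from From domain {sender}")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        looks_like_url = text.lower().startswith(("http://", "https://", "www."))
        if looks_like_url and host_of(text) != host_of(href):
            clues.append(f"link shows {host_of(text)} but goes to {host_of(href)}")
    return clues
```

An empty result does not show that a message is legitimate; the From: header itself can be forged, which is why typing the site address by hand remains the safer check.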

Even if you take care of all of your details, and follow the above advice, it is still possible for you to have your identity stolen, and there isn't very much that you can do about it. March 2005 saw a significant number of major breaches of corporations, universities and other institutions being reported. The breaches involved theft of private data relating to large numbers of people who had done business with the agencies, and sometimes the only reason a breach was reported was a Californian state law.

In an effort to increase protection of the Californian population, a law was passed which mandated that any company which held personal data of any Californian resident, and suffered a potential theft of that data, was to notify them of that theft. This was to allow Californian residents to check their credit records and attempt to mitigate the effects of identity theft.

Some of the agencies affected included:

Cumulatively, millions of individual people had their identities compromised through these breaches, potentially for identity theft. The key fact that ties the above listed breaches together is that none of them involved online transactions by any of the victims. This means that even if you never use the internet for anything at all, you are still at risk of online identity theft.

There is no way to be sure of avoiding identity theft, but applying caution and forethought when handling personally identifying data and financial information will help reduce your risk of exposure. Depending on your location you will be able to obtain copies of your credit records, and you should check them regularly to look for unauthorised credit applications. Likewise, you should regularly review your financial status to check for unauthorised withdrawals. It may also be possible to place a fraud alert on your credit record, which will force your record provider to contact you any time that credit is applied for, and which will also help you avoid identity theft.

Components of this report were compiled using figures from The Register.

4 April 2005
