Understanding identity theft and its repercussions is information security's greatest challenge for companies and consumers alike in 2005. Hackers are making use of a combination of technology, social engineering and the clear profit a stolen identity, or parts of it offer.
While the techniques to steal an identity online or offline are neither new, sophisticated or ultimately 100 percent effective, the fact remains that identity theft is now seen internationally as an organized and profitable business run by people who are motivated by one thing alone. Profit.
Australian High Tech Crime Centre managing director Graham Ingram said the revolution that has taken place in the online world is that organized crime groups have recognized the opportunity to illicit financial gain through various forms of electronic identity theft and a high rate of innovation and attack capabilities have evolved as a result.
Ingram added that the growth in networks and e-commerce have changed the overall landscape of the Internet which has in turn led to an increase in the number of potential targets to attack.
"Organized crime is not new but the opportunities now emerging for online ID theft are a driver ... if I were to categorize what we are seeing it would be as an attack system - a number of components that form an end-to-end attack capability," Ingram said.
"The drivers are the targets and vulnerabilities in systems as we see the Internet as not necessarily the most robust place for financial transactions and e-commerce.
"Some of these people [those stealing identities online] can reasonably and safely conduct attacks in Australia and globally with little chance of being prosecuted or even traced back to their home country. Criminals are benefiting from this revolution and currently they are winning.
Identity theft is not a problem specific to banking but "one that undermines the basis of trust for the information economy", he said, adding the task of identity theft has more in common with information warfare due to the fact successful identity theft, today, involves multiple attackers with a common purpose.
"Organized crime has effectively bought three elements into one system - hackers, spammers and fraudsters with dedicated skills, well resourced and organized that live and breathe to achieve financial gains. Fame has nothing to do with it as what they do is designed to be under the radar and not detectible.
"We see more or less an arms race because as soon as we counter one move they [the bad guys] improve and it doesn't stop," Ingram said. "The reason why I think technologists have been unsuccessful in this type of attack is that they have not been doing it for money; organized crime knows how to move money, then put technology in front to make a system."
Ingram said it appears from his conversations with law enforcement agencies that such groups have child pornography, digital copyrighting, DDoS (distributed denial of service) extortions and phishing as business lines, and things like money laundering and counter intelligence works to support the business of getting money.
While no one doubts the insidious nature of identity theft, some experts have questioned who is hit hardest. Information security director at Vectra, Jo Stewart-Rattray, said identity theft is the current security buzzword, adding the real concern for companies in regard to identity theft is the irreparable damage to the company just one confirmed instance of theft makes, especially to a smaller enterprise or small business.
Stewart-Rattray said the theft of an ID, whether from an internal employee or customer, is difficult to put a value on especially when it comes to corporate reputation.
"There are issues around reporting information security breaches - look at the Australian High Tech Crime Centre statistics which had 181 respondents to the last survey. These 181 respondents may have a bigger proportion of the budget to spend on security than a smaller organization - it is very different for smaller organizations to report incidents of data theft and they are not encouraged to do it," Stewart-Rattray said.
"There are concerns we don't have a full understanding of what happens in the SME or SMB space, except by anecdotal evidence." Tales of large-scale organized identity theft have been surfacing for the past year. In February this year US data collector ChoicePoint (rumoured to have information on every living adult in the US) had to front up and admit to some 145,000 customers that they have become potential identity fraud targets after ChoicePoint were "tricked" into selling personal information to identity thieves posing as legitimate customers. In early March, hackers were found to have stolen information on at least 32,000 people held in databases owned by the LexisNexis Seisint division. Seisint collects data on individuals, which is used by law enforcement and private companies for debt recovery and fraud detection.
The hackers stole social security and drivers' licence numbers of legitimate customers, as well as passwords, names and addresses. The Bank of America also admitted to losing credit card details of 1.2 million federal employees, as well as 60 US senators, after using a commercial flight to transfer digital tapes, which were "lost", containing the private data.