Identity theft is a crime whereby a malicious person gathers enough information to successfully impersonate another in order to gain some benefit. While most people may immediately think of identity theft as stolen credit card numbers or online banking details, it encompasses a lot more than this and has become part of highly structured organised crime.
Identity theft is usually conducted via two methods: active and passive. The passive method is one in which a malicious person gathers information from the target without deception. This is done by monitoring the user’s online activities on social networking sites, chat rooms, other public forums or even mail and discarded documents. In general, the purpose of such identity theft is to obtain enough information about a person in order to impersonate them to a third party, such as a financial institution, telco or other credit-based service provider. In Australia, these methods have successfully been used by organised crime gangs to conduct mortgage fraud, whereby a mortgage is taken out against the victim’s home and the criminals disappear with the proceeds.
The active method is one in which a criminal obtains information by deceiving the victim into performing an action. These attacks are a form of social engineering and are carried out using phishing tactics. Phishing occurs when criminals trick unsuspecting consumers into entering sensitive or personal information into a fake website. This deception often takes place when the victim receives what appears to be a valid email, phone call or posted letter from a website they are likely to use, asking them to log in. When they do so, the fake site collects their personal details and may even install malware, such as key loggers or document retrieval tools, on their computer. These forms of attack are extremely common, easy to conduct and surprisingly effective.
These attacks are so successful, in fact, that a complex market has arisen, with professional identity thieves operating schemes to steal identities and then sell them to organised crime gangs, who use these identities for their own malicious purposes. There is also a complex pricing structure that takes into account which sites the identity will work for and how long ago the identity was stolen. In general, these attacks require two things to be successful: a target who clicks on the link, and a web service that relies only on a username and password for authentication.
A strong defence against these attacks is the use of two-factor authentication (2FA), which combines something you know (username and password) with something you have. The easiest form of two-factor authentication to implement that is currently used in consumer applications is the one time password (OTP). This is where a device (which the user has) generates a password that changes and is valid only for a fixed amount of time (about one minute).
This means that even if a malicious person obtains a target’s username and password, they will be unable to access the service: the OTP will have changed, and there is no way of knowing the current OTP without the device.
While OTP has existed for some time, it has seen low adoption outside corporate use because of the costs of implementation, including the devices themselves and their distribution. Recent innovations from leading security companies like VeriSign, with its cloud-based delivery model, have lowered the barriers to entry for this stronger level of security.
Regardless of the technology chosen, using two-factor authentication mitigates username and password theft, and businesses and consumers are strongly recommended to opt for services that utilise two-factor authentication.
Nick Savvides is a member of the System Administrators Guild of Australia (SAGE-AU) and the Security and Business Operations Manager for VeriSign Australia.