The Anatomy of ID Theft

Maiden name, pet's name, name of childhood best friend....When and where will a crack appear in your 'data exhaust'?
Maiden name, pet's name, name of childhood best friend....When and where will a crack appear in your 'data exhaust'?

Consider the following scenarios:

  • You’re sitting in a café sipping a beverage, munching a sandwich, reading something on the net, and listening to iTunes. A stranger approaches. But not a complete stranger: he knows your name, and after a few minutes’ conversation, it’s clear he knows your family. You invite him to sit down…
  • You try to log into your webmail account, but find you can’t: the system keeps rejecting your password, no matter how carefully you type it. Later, you discover that you can’t access your Facebook, LinkedIn, or Twitter accounts. Then, you soon discover your online banking and credit card accounts have been compromised. When you visit an ATM, you find your account has been drained…
  • You are in church on a Sunday. After the service, someone approaches you. You don’t know them, but they seem to work for your company: they name their department, and mention a few other familiar names. Later, they send you an email with an attached spreadsheet. You know them, and they work for your company. You click to open it…

The third of these cases is the most obvious: opening the spreadsheet infects your computer with malware that opens a hole into your company’s network. That was how RSA’s SecureID was compromised last year. The meeting at church is also real, spotted in the news by Trend Micro EMEA CTO Andy Dancer. On this occasion, the attempt was too clunky to fool the target, an Australian McAfee employee. The more sophisticated approaches of the future won’t be so easily spotted.

Stalking Made Easy

The first scenario comes from the Vermont lawyer Frederick S. Lane, author of Cybertraps for the Young, who observes that most people use their own names for their iTunes library, and these pop up when sharing is turned on. “I was sitting in a café using iTunes with the library sharing feature turned on”, says Lane, “and I saw the names of four different women in the café at the same time”. In a few minutes online, he could find photos to match and other details. “It’s amazing how much information you can gather in about ten minutes – and I could have had a conversation that made it sound like I’d known their family for years.”

This scenario is what really scares Richard Hollis, CEO of the security consultancy Orthus. “My fear is of physical violence”, he says. “Social media provides a platform for just about anybody who wants to find out where you are and get in contact with you.”

Working on last year’s Parliamentary inquiry into cyberstalking in the UK, the discovery that startled Hollis most was that more than 50% of stalkers were someone the victim had met through social media or a local online group.

Data Exhaust

The second scenario has several possible attack vectors: a poorly chosen, easily cracked webmail password; a data breach of the webmail server; or the reuse of a password from a second site that has been breached. The really dangerous element is that many people store everything in a single webmail account, including the security information for all their other accounts.

Social media consultant Suw Charman-Anderson adds genealogy sites as a risk because her name is uncommon and her family tree is easy to identify. But how about this perennial social media game: ‘What’s your porn star name?’ In one common version you pair the name of your first pet and your mother’s maiden name. It seems silly and harmless until you make the connection that password reset security questions – and banks – often ask for those same two pieces of information.

"As soon as you have real-world contact, then social networking impersonation becomes trivial" 
Andy Dancer, Trend Micro

Once someone has cracked your one-size-fits-all email account, says Charman-Anderson, you are in for a “world of hurt”. In the worst case, your identity is completely compromised and it takes you years to get it back and repair the reputational damage. “Wrestling back control of your accounts will be horrendous.” People need, she adds, to be aware of their “data exhaust” – that is, the information you don’t realize or remember you’re shedding. Fake psychics have conned people for centuries by exploiting this exact principle.

The Dark Side of Social Media

Trend Micro’s Dancer sees the church meeting as an early sign that online identity fraud is crossing over into the physical world. This threat can move from the well-trained employees of security companies to the less aware staff at suppliers, customers, or partners who think their companies have nothing worth such effort.

“As soon as you have real-world contact, then social networking impersonation becomes trivial”, Dancer says. He also notes privacy externalities: your privacy can be compromised by others, such as the newly appointed head of MI6 or the CIA, whose wife had casually posted their home address online.

In research into his next book – on social media for educators – Frederick Lane has uncovered many instances of identity fraud perpetrated against teachers, usually, but not always, by their students using social networks. “Teachers have been dealing with identity theft and hijacking in social media to an extent I hadn’t realized”, he says. “I almost want to applaud the creativity of the kids, but it’s pretty scary what they can do – and district leaders don’t understand the technology that well, so they rush to judgment against the teachers.”

In sample cases, a fake Facebook page set up in the name of a teacher in Bloomington, Minnesota, was used to send ‘inappropriate’ messages to students. The fake Twitter feed set up on behalf of a teacher at a special needs school in Panama City, Flordia, posted derogatory comments about autistic kids, attracting emailed complaints from all over the world.

In August 2011, the Facebook account belonging to an Australian teacher and prominent anti-racism campaigner was hacked by white supremacists – probably not by students – apparently to discredit the teacher. “I could have come up with many more”, Lane says.

The Illusion of Privacy

In general, he adds, the severity of consequences to the teachers is directly related to how technology-savvy their administrators are. The damage is often considerable regardless because, “these cases instantly hit the headlines and the parents freak out”.

That’s the problem; so what’s the solution? For many individuals, jettisoning social media would mean destroying their social lives as effectively as if they refused to set foot in a pub. Companies cannot expect millions of employees to curtail their social contacts every day, as if we were all potentially being watched by Gestapo spies. As Rik Ferguson, TrendMicro’s director of security research and communications in EMEA, says, “the risk comes from just acting like a normal person”.

But a large part of the problem comes from the illusion that setting privacy controls means you’re ‘among friends’. Instead, always assume, say both Ferguson and Dancer, that everything you post is public.

"So the problem with feeding false data to profiles is the illusion of security – the risk that those people start saying more than they would otherwise"
Suw Charman-Anderson

“If you always operate by that principle, your worries are minimized from the outset”, Ferguson contends. In addition, “protect anything you do share from being publicly indexed and reaching a wider audience than you intended”.

Many people, he adds, mistakenly overlook LinkedIn’s fundamental nature as a social network. “There’s really no difference at all, and in a targeted attack, the information available on LinkedIn often has a lot more value than stuff on Twitter or Facebook”, Ferguson notes. “On LinkedIn, people post their entire career history, expose professional links between themselves and other people, what projects they worked on, when, and for how long. In terms of constructing a credible email with a link you hope they’ll click on to infect a machine, LinkedIn has great value to make it look credible.”

Also Know As…

Hollis recommends avoiding the truth as much as possible. “I always find myself advocating aliases and bad data”, he says. He maintains three aliases; many of his 26 staff have as many as seven, for which they track names, addresses, proxy servers, and authentication.

Via spokespeople, Facebook and LinkedIn both stress that they take privacy and safety seriously, and offer security advice to users that boils down to this: choose good passwords, be suspicious of links, and use the supplied privacy controls. But this advice only scratches the surface – just looking at your friends list can be very revealing, especially when compared across services.

Charman-Anderson recalls, for example, a 2005 exercise in which someone began by scraping a friend’s list from Flickr and by following those friends and cross-referencing, was able to build up a detailed picture of who that person’s core friends were.

“It was disturbing how far he could get with a very small starting point”, she says. “So the problem with feeding false data to profiles is the illusion of security – the risk that those people start saying more than they would otherwise. The user patterns for different accounts are going to be blindingly obvious. You’re not going to put the same time into an account with false information as into a real one.”

Hollis has to admit this, too: “You can’t get around your personality. It will shine through any alias.”

Charman-Anderson believes it’s very important to regularly review your friends list, as many people will friend anyone who asks, putting all their friends’ information at risk.

November 2011 research from the University of British Columbia in Vancouver confirms this: bots with fake profiles sent friend requests to over 5,000 randomly selected Facebook users. In the first round, 19% accepted; in a second round sent out to 3,000-plus friends of those new friends, 59% accepted. In all, the bots harvested some 250Gb of personal information.

“If you’re giving out any kind of personal information you need to do it with people you actually know”, says Charman-Anderson. “It’s so counter to the messages that social media companies give out that I think the vast majority of people aren’t going to learn until they’ve been diddled.”

What’s hot on Infosecurity Magazine?