Saturday, October 20, 2007

Identity theft and Social Engineering

Identity theft - The Application of Social Engineering

Identity theft occurs when someone represents themselves as you and then enters into one or more transactions on your behalf. They can open a bank account, apply for a credit card, apply for a passport or other government ID, and they can even steal your house – selling it while you live there. The consequences of identity theft to someone’s life can be enormous and very arduous to undo.

Identity thieves rely on basic values that are part of the fabric of society – honesty, common sense and the desire to help one another.

Different Social Engineering (synonymous with manipulation) techniques work differently with different people. Chinese philosophy identifies 5 different types of personalities, and each type makes decisions based on different criteria. For example, there are some people who are very cold and sharp and make fact-based decisions. Social Engineering for these people will involve explicit deals that they can't refuse. Another example is the compassionate personality, people who love to help others. Social Engineering for these people will involve a heart-breaking story which will make them give the thief what they seek.

Each personality is susceptible to different approaches. You can develop a custom Social Engineering technique for each type of personality.

Tools

Thieves will use phone, email, SMS (text messages), paper mail and even direct contact to accomplish their task, which is getting critical information from you. All types of Social Engineering are directed to the same goal, and that is manipulating you into sharing sensitive information with the thief. The most common way of running a Social Engineering attack is by phone or email.

Common attack scenario

Someone contacts you by phone in order to get some data from you. They may introduce themselves as “Rob, calling from the Visa security department”. They will alert you to a $2500 transaction on your account from a location in Thailand and will ask you if you initiated this transaction. This immediately alarms you and puts you off balance, wanting to make the problem go away and to assure your good standing with Visa. So when “Rob” asks you to confirm a few details such as your Visa account number and expiry date so he can cancel the transaction, you will be only too happy to oblige.

Now you have equipped the thief with all the information he needs to run up real charges on your card, or worse, he can use that information as leverage to commit an even bigger crime such as emptying your bank account or stealing your house. The people committing these crimes have no conscience and will gladly take anything and everything they can from anyone.

The same types of information-gathering ploys are at work over other communication media such as email and SMS.

Dumpster Diving

Dumpster diving is when the thief takes a less overt approach and literally digs through your garbage, looking to gather data that way. Pre-approved credit applications from your bank are a great example of something valuable for an identity thief to take from your garbage. They can accumulate a fair amount of information from a few pieces of discarded mail.

Prevention

  1. Everyone should own a shredder and should use it with any discarded mail, especially anything of a financial nature.
  2. Be wary! There is no free lunch. No one will give you anything for free. No one can profit by giving anything away. When you receive email, paper mail or a phone call with a free offer, delete it, shred it or terminate the conversation, as appropriate.
  3. If you own property, call the lawyer that worked on the transaction for you and ask him if you have Identity Theft Insurance for your property. It is also commonly referred to as Title Insurance. If you have it, ask him to send you a copy and verify its content. If you do not have Title Insurance then by all means get it immediately. It is not comparatively expensive and should only be a one-time fee. In the event that someone steals title to your house and sells it without your knowledge or consent, you can get your money back. It is common today for a lawyer working on the purchase of a house to require the buyer purchasing the house to get Title Insurance as a condition of the deal.
  4. Treat email as the most unreliable communication possible! You can get emails from a thief that appear to be from someone you know. Email is very easily altered. Banks and other financial institutions will never ask you to send them sensitive information using email. If you get an email that asks you to send your information or click on a link to log in to your account, this is likely fraud.
  5. In the event that a bank, a government agency or any other service provider calls you regarding a problem and asks you to identify yourself, stop the conversation. Ask the person for his name and department and tell them that you are going to call the company and ask for them. Use the phone number that is published on their website or printed directly on your credit card. Do not trust the phone number that they may offer to provide you.
  6. Your system administrator (either at work or your provider at home) will never ask you to divulge your password. Usually when a thief contacts you and asks you to change your password, he will try to put pressure on you so you will not think and will oblige him. Once you offer your password they can obviously do damage.
  7. In North America people tend to trust each other unless they are alerted to something amiss. Be more suspicious of information requests and don't be afraid to ask questions and challenge people (politely of course :)). If you see someone you don't know working in your office (electrician, cable guy, etc.), ask your office manager who he is, or if you are the manager, try to find out who he is and who gave him permission to work in the office.
  8. Free software and hardware are a common way for thieves to gain your identity details. They may send you a CD with free software or give you a free USB key with great options on it. Once you use it, a spy program (Trojan horse) will likely be installed on your machine and it will:
    • Send the thief all your passwords, personal files, browser history and all the information you would like to be protected.
    • Install a key logger that will send the thief everything you type on your keyboard, which is another avenue to capture passwords.
    • Use your computer as a penetration point to reach more computers on your network or anywhere on the web.
    • Allow the thief to remotely install software on your machine that will make your computer a “zombie”. A zombie is a totally controlled soldier unit that acts as part of a big army that, when commanded by the attacker, can participate in attacks on targets inside or outside your company (which is a criminal offense that you have now been an unwitting part of).

Trojans can be integrated into any software, even cool screen savers, games, etc. and they can do enormous damage.

Everything you have read here is from my personal experience as an IT security consultant. Feel free to use this information however you like, passing it on to others as you wish. The more people that know how to defend against identity theft, the harder it will be for the thieves to find victims. Be alert, and when in doubt in this realm it’s always best to err on the side of caution.