Identity Theft: Fighting For Our Privacy

Date: July 1, 2009

Owen Thor Walker, an 18-year-old New Zealander, was a member of an international hacking group that infected at least 1.3 million computers and caused losses upward of $20 million. His cybercrime ring used programs he designed to access personal data (including usernames and passwords), distribute viruses, and steal credit card information, among other crimes. Other cybercriminals used his software to commit misdeeds.

Walker, known as "Akill," "Snow Walker," and "Snow Whyte," taught himself computer programming; through experimenting, he was able to create, refine, and enhance virus programs. Anti-virus software couldn't detect his encrypted virus. Although he was self-taught, "international investigators considered Walker's programming to 'be among the most advanced' they had encountered."1 The code "automatically disabled any anti-virus software on an infected computer and prevented the software from being updated. The computer could not tell the anti-virus software was not working."2

The New Zealand police, in conjunction with the FBI and Dutch authorities, uncovered Walker's network. The investigation began after a "distributed denial of service attack" caused Walker and University of Pennsylvania student Ryan Goldstein, apparently unintentionally, to crash the university's servers in 2006.3  

Walker and Goldstein attempted to covertly use the university's servers to upgrade the botnet by uploading dated software onto the server and then have the infected botnet computers connect to the server to receive the update. However, this wave of server traffic crashed the server and disabled access.4  

The FBI's investigation into the crash led them to Walker, while New Zealand police, working with Dutch authorities, traced payments from a company in the Netherlands to Walker. The company in question, ECS International, has been prosecuted for paying hackers to use their botnets to covertly install adware on unsuspecting users' computers. Walker earned about $36,000 for his work.5 This scam earned Walker and others a fee for each computer they infected.

Walker lived with his parents when he committed the crimes, but they thought he was just doing legal computer programming.6 His parents got a rude awakening when the FBI arrested Walker in November 2007 as part of its "Operation Bot Roast II." Walker later pleaded guilty to six computer crime charges, which carried penalties of up to seven years in jail on each charge.

The judge considered Walker's age, remorse, lack of criminal intent, and his condition (he has Asperger's syndrome, a mild form of autism) and dismissed the charges despite his guilty plea. However, he had to pay approximately $10,000 in damages plus about $5,000 in other costs.7  

At an event launch on Jan. 25, 1999, former Sun Microsystems CEO Scott McNealy stated, "You have zero privacy anyway... Get over it."8 McNealy made the comment when asked about what privacy safeguards he was including in a new technology he was promoting. Unfortunately, at the time he was right about the state of privacy in the wired world. But the growth of the Internet and identity theft requires a greater focus on protecting people and data.

After several years of reflection on his comment, McNealy in a speech in February 2006 said, "It's going to get scarier if we don't come up with technology and rules to protect appropriately privacy and secure data, and the most important asset we have is obviously the data on people -- our customers and employees and partners." He added, "And if we can't protect that, people are not going to go online."9  

Yet people are going online in even greater numbers each day. Facebook, MySpace, and LinkedIn are just a few of many popular social networking sites. Social networking "is the chosen mode of communication of everyone they know. So if you're not in it, you're just not in the loop," said Martha Irvine, author of "Social Networkers Beware: Applications Pose Risk," published in the Seattle Times on April 28, 2008.

We won't be able to stop the onrushing technology revolution or resulting dangers. Fraudsters have learned the value of the Internet for criminal activity. We knew it would happen. In a speech on March 15, 1999, then-Attorney General Janet Reno said, "We cannot allow cyberspace to become the wild west of the information age." Unfortunately, that's exactly what has happened. (See the columns "Taking Back the I.D." and "Digital Fingerprints" in this issue.) Identity theft and other fraud schemes are proliferating in the online world.

Ensuring privacy and protections in the Internet age is quite a challenge. In many cases, we're our own worst enemies. Avoidable security lapses could have prevented most of the recent data breaches. We can do better in ensuring privacy – from deleting all sensitive information from our laptops and encrypting the hard drives, to devising simple security procedures such as shredding confidential files before discarding them.

DEFINING 'PRIVACY' 

Microsoft defines "privacy" as allowing individuals to determine how and to what extent their personal information will be collected, used, and shared with others. Personally identifiable information (PII) is unique material that identifies a particular person including name, date of birth, Social Security number (SSN), e-mail address, telephone number, and financial and medical information.

This personal information has become a valuable commodity. Businesses need the data to grow, but consumers also want accountability. Although the legal requirements for privacy are critical, privacy is also about earning customers' trust.

The Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization, believes the top privacy issues include:

  • Identity theft
  • Online privacy and e-commerce
  • Video surveillance
  • Biometrics technologies
  • Wireless communications and location tracking
  • Data profiling
  • Background checks
  • Information broker industry
  • Public records on the Internet
  • Financial privacy
  • Medical records confidentiality
  • Wiretapping and electronic communications
  • Youth privacy issues
  • Digital rights management
  • Radio Frequency Identification (RFID)

DATA BREACHES 

Data breaches and identity theft were the main topics at the RSA Conference on Information Security in San Francisco, Calif., in February 2007. "Data are the currency of the Internet for legitimate -- and illegitimate -- businesses," said Howard Schmidt, former chief information officer at eBay.10 "It's a stupid system," commented Microsoft Chairman Bill Gates on the current credit card issuing system. "It's a weak system when someone with your Social Security number or mother's maiden name can apply for credit without you knowing."11 Gates' solution is a combination of biometrics and a system that requires a consumer's approval when any financial transaction occurs.

Data breaches are a significant risk to privacy. A 2005 study by security software provider Credant Technologies found that 90 percent of the hard drives on stolen laptops contained sensitive business and personal information. A 2003 Pepperdine University study found that data losses cost U.S. businesses more than $18 billion a year and it's significantly more today. A 2008 Ponemon Institute study found that 20 percent of data-breach victims cut their ties with the organizations after the breaches. Data breaches are bad for business.

Many of the data breaches in recent years have been the result of lost or stolen laptops. In December 2005, financial services company Ameriprise Financial learned that a laptop containing the names and SSNs of hundreds of thousands of employees and customers was stolen from an employee's car. Although the laptop was password protected, it wasn't encrypted as required by the company.

In May 2006, a laptop used by a data analyst with the U.S. Department of Veterans Affairs was stolen from the employee's home. The laptop contained personal information on more than 28 million veterans, military personnel, and their spouses.

Billions of dollars can be spent on information security systems, but just one weak link can compromise the entire system. Companies have hardened their defenses to limit what comes into their networks, laptops, and the data on them, but that's not enough. Sensitive information freely leaves work sites every day on employees' laptops. Best practices include conducting audits to ensure compliance by checking for unsecured files and sensitive files that don't belong on laptops and using encryption technology.
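
One way to run the laptop audit described above, as an added example that is not part of the original article: a Python script that walks a folder and counts, per file, SSN-shaped strings and payment card numbers that pass the Luhn checksum. The patterns, the 5 MB size limit, and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# SSN written as AAA-GG-SSSS. Areas 000, 666 and 900-999, group 00 and
# serial 0000 are not assigned as SSNs, so they are excluded to cut noise.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")
MAX_BYTES = 5 * 1024 * 1024  # assumption: skip larger files to keep the audit fast


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Count SSN-shaped strings and Luhn-valid card numbers in one text."""
    ssns = len(SSN_RE.findall(text))
    cards = sum(1 for m in CARD_RE.finditer(text)
                if luhn_ok(re.sub(r"[ -]", "", m.group())))
    return {"ssn": ssns, "card": cards}


def audit_tree(root):
    """Walk root and return {relative_path: counts} for files with at least one hit.

    Only counts are kept, never the matched values, so the audit report
    does not become another copy of the sensitive data.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    counts = scan_text(fh.read())
            except OSError:
                continue        # unreadable file: skip rather than abort the audit
            if counts["ssn"] or counts["card"]:
                findings[os.path.relpath(path, root)] = counts
    return findings


def demo():
    """Build a constructed sample folder (no real PII) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "customers.csv": "name,ssn\nJane Roe,078-05-1120\nJohn Doe,219-09-9999\n",
            "orders.txt": "card 4111 1111 1111 1111 ok\ncard 4111 1111 1111 1112 typo\n",
            "notes.txt": "Call 555-0100 about invoice 000-12-3456.\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_tree(root)


if __name__ == "__main__":
    for path, counts in sorted(demo().items()):
        print(path, counts)
```

The Luhn check is what keeps order numbers and other long digit runs from flooding the report; files it flags still need a human decision on whether they belong on the laptop and whether the drive is encrypted.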

INSIDER THREATS 

Recent studies have found that the greatest threat for identity theft is from trusted insiders within organizations.12  

In 2003, a manager at H&R Block in White Plains, N.Y., and three of her friends, were charged with identity theft-related crimes for stealing the personal information of 27 customers. The manager and her friends used the PII to open credit cards in the names of victims, make purchases on those cards, and withdraw money from automated teller machines. The defendants used U.S. Postal Service change-of-address orders to divert credit cards from the victims' residences to the criminals' mail drops. The H&R Block employee also stole tax refund checks due to customers.

In another case, insiders stole financial information from dozens of customers of two Bellevue, Wash., businesses. One inside fraudster recruited employees of mortgage and escrow services companies and used them to steal information from victims' mortgage applications. Other conspirators created phony driver's licenses and documents to perpetrate the fraud. They used the personal and financial information to apply for fraudulent credit cards and withdraw money from bank accounts. The scheme continued from 2002 to 2005 before it was discovered.

WIRELESS (IN)FIDELITY 

Wireless networks (or Wi-Fi) are an increasingly popular way to connect to the Internet. Wireless networks allow users the freedom to access the Internet anywhere they get a signal -- at home, through their wireless routers, or in public Wi-Fi hot spots. Although Wi-Fi is convenient, it presents many unique dangers. Special measures need to be taken to prevent unauthorized data access, hacking, and identity theft.

Only a small percentage of home wireless users bother to secure their networks through encryption. Of course, setting up an encrypted wireless network and configuring multiple computers to access it can be a major annoyance. Many users simply don't bother. But hackers can steal all data sent over an unencrypted network including passwords, bank account information, and credit card numbers.

On the flip side, for those without Internet access, using open wireless can be very tempting. Although the law is unsettled, some have been arrested and punished for illegally using users' wireless networks. Furthermore, open wireless networks can be traps to catch sensitive data. It can be simple for a hacker to set up an open wireless network, wait for someone to log on, and then capture all the data sent over that network.

However, hackers and fraudsters are far more likely to focus on places where they can retrieve large amounts of data from multiple sources such as public wireless hot spots. In a survey of 14 United States and three Asian airports, 57 percent of the networks had no encryption, 28 percent used the easily breakable Wired Equivalent Privacy (WEP) encryption, and only 15 percent used the more secure Wi-Fi Protected Access (WPA) encryption. This survey included both publicly accessible Internet and the private systems used for airport functions such as baggage handling and ticketing.13  

Hackers have multiple methods of collecting data from public Internet users. An "evil twin" is a wireless network that appears to be a real Wi-Fi connection like those available at coffee shops, hotels, and airports. A hacker can monitor all communications including passwords and credit card numbers with this tool.14 Hackers can entice users into giving up information by creating fake log-in pages that look identical to legitimate ones; for instance, a user could see a screen prompting him or her to input credit information to purchase Wi-Fi access.15 

A "man-in-the-middle" attack is similar; the hacker sets up a deceptive Wi-Fi signal but then routes the connection into the legitimate network.16 This attack "can make it appear that a user has a secure 'SSL' connection,"17 indicated by a small padlock in the corner of the browser. However, "the hacker sets up one secure SSL connection with the Web surfer, and a second secure connection with the bank or other destination site. Information looks encrypted at either end, but it is decoded and viewed by the hacker in the middle."18  

Fraudsters also seek usernames and passwords from people logging on to company networks from Wi-Fi hot spots. In one case, a financial institution traced a data breach back to an employee working on a laptop in Manhattan's Bryant Park. The employee thought he was using a public signal; in fact, it had been set up by a hacker. When the employee logged on to the company network, the hacker stole his username and password.19 

In September 2007, the federal government indicted another hacker, Max Butler, on charges of wire fraud and identity theft. Butler would rent hotel rooms and apartments using stolen credit cards and false identities and use a high-powered antenna to intercept wireless traffic. He hacked into financial institutions and data processing centers to obtain even more personal information.20  

Despite the dangers of Wi-Fi, you can significantly reduce your risk of identity theft. Home users should always enable WPA encryption on their routers and change both the default network name and the default access password.

When using public hot spots, always act as if someone is watching your every move. Don't access sensitive information over a public Wi-Fi network. Consider turning off the computer's wireless function when not in use so as to not inadvertently connect to an evil twin network.

The FBI offers some further recommendations about Wi-Fi usage:

  • Make sure your laptop security is up to date with current versions of your operating system, Web browser, firewalls, and antivirus and antispyware software.
  • Don't conduct financial transactions or use applications like e-mail and instant messaging.
  • Change the default setting on your laptop so you have to manually select the Wi-Fi network to which you're connecting.21 

PROTECTING PII 

Security breach laws have been introduced or enacted in most states in the United States. California set the standard with a 2003 law requiring companies to notify customers when data breaches involve PII. California and Texas allow consumers to sue companies that fail to safeguard their personal data.

The European Union has had tough privacy laws for years. It bars member countries and their citizens from buying and selling personal data including data that are collected in business transactions.

The U.S. Federal Trade Commission is focused on privacy and privacy initiatives. Read its highly recommended publication "Protecting Personal Information: A Guide for Business."

The guide is built on five key principles:

  • Take stock. Know what personal information you have in your files and on your computers.
  • Scale down. Keep only what you need for your business.
  • Lock it. Protect the information that you keep.
  • Pitch it. Properly dispose of what you no longer need.
  • Plan ahead. Create a plan to respond to security incidents.

The message is clear: Your private matters are no longer private. Do what you can to protect your privacy, but always remember there's much that is beyond your control.

Look for Part 2 of "Identity Theft" in the September/October issue.

Regent Emeritus Martin T. Biegelman, CFE, ACFE Fellow, CCEP, is Director of Financial Integrity for Microsoft Corporation. He's a member of the ACFE Foundation Board.


REFERENCES 

1. "New Zealand Teen Convicted Over Global Cyber-Crime Ring." AFP (Agence France-Presse). April 1, 2008.

2. Shenagh Gleeson. "Superhacker Convicted of International Cyber Crime." New Zealand Herald. April 2, 2008. 

3. Ibid.

4. Phil Taylor. "Bot-Boy Caught in His Own Net." New Zealand Herald. Dec. 8, 2007. According to "Maarten Kleintjes, manager of the New Zealand Police national electronic crime laboratory, [bot herders] are unlikely to have powerful enough computer systems themselves to control a million other computers and so control their botnet by sending commands via hijacked 'motherships,' usually powerful machines belonging to big businesses or universities that can handle thousands of simultaneous connections."

5. Gleeson. "Superhacker Convicted of International Cyber Crime."

6. "New Zealand Teen Convicted of International Cyber Crime." AFP.

7. "NZ teenage hacker charges dropped." BBC News. July 16, 2008.

8. Polly Sprenger. "Sun on Privacy: 'Get Over It.'" Wired. Jan. 26, 1999.

9. Robert Lemos. "Private Identities Become a Corporate Focus." SecurityFocus.com. Feb. 20, 2006.

10. Jon Swartz. "Tech experts plot to catch identity thieves." USA Today. Feb. 9, 2007. 7B.

11. Ibid.

12. Bob Sullivan. "Study: ID Theft Usually an Inside Job." MSNBC. May 21, 2004.

13. Stephen H. Wildstrom. "Public Wi-Fi: Be Very Paranoid." BusinessWeek. March 24, 2008. 85.

14. Kevin J. Delaney. " 'Evil Twins' and 'Pharming.' " The Wall Street Journal. May 17, 2005. B1.

15. Joseph De Avila. "Wi-Fi Users, Beware: Hot Spots are Weak Spots." The Wall Street Journal. Jan. 16, 2008.

16. Ibid.

17. Jonathan Sidener. "Using Unprotected Public Wi-Fi Poses Major Security Risk." San Diego Union Tribune. May 11, 2008. 

18. Ibid.

19. Joseph De Avila. "Wi-Fi Users, Beware: Hot Spots are Weak Spots." The Wall Street Journal. Jan. 16, 2008. D1.

20. Kimberly Kiefer Peretti. "Data Breaches: What the Underground World of 'Carding' Reveals." To be published in Santa Clara Computer and High Technology Journal. 

21. "Wi-Fi Security: Some Advice from the FBI." Federal Bureau of Investigation. May 6, 2008.


P2P Networks Cause Business Problems 

Peer-to-peer (P2P) networks facilitate sharing of many kinds of information. The technology has many legitimate uses, such as sharing medical records or providing access to government documents. (In a concurring opinion in the Supreme Court's MGM v. Grokster decision, Justice Breyer listed a number of legitimate, noninfringing uses for P2P software.)

However, the technology is best known and most frequently used for illegal purposes, specifically the unauthorized sharing of copyrighted music, movies, and software.

A recent study by Dartmouth Business School researchers reports that P2P networks are "an increasingly dangerous means of transmitting confidential information," according to "P2P Dangers Growing" in the October 2007 issue of BusinessWeek. Use of such networks has risen steadily, reaching more than 10 million users in 2006, according to the article. The Dartmouth researchers, focusing only on the top 30 U.S. banks, were able to access numerous sensitive documents using P2P networks. They found 1,708 documents containing sensitive bank information.

This danger isn't simply academic. Several incidents of data theft have been traced back to P2P intrusions. A Pfizer worker has been blamed for leaking personal financial information on more than 17,000 current and former company employees. The information breach came after the employee installed unauthorized file-sharing software on a company laptop. The sensitive files were then accessed by one or more third parties, according to the BusinessWeek article.

In another incident, a Citibank employee using LimeWire, a popular P2P program, inadvertently leaked the names and SSNs of 5,200 Citibank customers onto the Internet, according to "The Hidden Risk of File-Sharing," by Joseph De Avila in the Nov. 7, 2007, issue of The Wall Street Journal.

Businesses may have policies prohibiting P2P programs at work, but they also need clear policies for laptop usage and access of business files on home computers. For example, businesses need to clearly prohibit the use of P2P programs on take-home laptops or home computers if employees will be accessing work files on those computers.

The possibility of data loss comes from the installation process. The user is asked to choose a folder for downloads and to share the contents of that folder. Many times the user will choose the "My Documents" folder, which often contains sensitive personal information. Depending on the program's settings, this information might be shared inadvertently. Many P2P programs circumvent firewall protections, which dilutes user protection.

Makers of the most popular file-sharing programs, including LimeWire and BearShare, have taken steps to help prevent users from inadvertently sharing sensitive material by restricting sharing to media files such as music and video only, according to De Avila's article in The Wall Street Journal. Even though a user may restrict sharing to a limited section of the hard drive, viruses can expand access to other parts of the drive, which gives fraudsters freer access, according to "Indictment Marks 'New Age' of ID Theft," by David Bowermaster in the Sept. 7, 2007, issue of The Seattle Times.

P2P networks are rife with viruses, spyware, and other forms of malware. Unsurprisingly, free pornography, music, and movies are an effective form of distribution. Users think they're downloading legitimate files, but the files are actually Trojan horses or other equally insidious types of malware.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.  
