PGP INSIGHT

PGP Blogs
Offline Identity Theft
30 Oct, 2006
Last week, we covered the myriad ways your identity can be stolen using simple offline techniques. This week, we’ll look at the slightly more sophisticated and no less criminal approaches being used by online crooks. Let me make one observation before I dive into this topic. In the computer business, we’re prone to giving things cute names to indicate they’re new or somehow important. I think we can credit Steve Jobs with starting this phenomenon when he began naming products after fruit. Just as there were apples long before there were computers, there were also offline versions of things like phishing and pharming long before there was an Internet. And make no mistake about it: All of these are crimes, regardless of what they’re called or how they’re perpetrated, and should be treated as such by both consumers and the criminal justice system.
By far the most common approach used online is called “phishing”. A phishing scam involves sending out thousands of emails to you and other prospective victims asserting that your bank account’s online access has been suspended and will remain so until you “log-in to reset or reconfirm” your password. One of these emails typically contains a link that connects to a facsimile of your bank’s actual online system with the usual log-in screen. The idea is that the unsuspecting victim “logs in” to this system, thus revealing account information and authentication credentials to the phisher. The phisher then uses this information to deplete or completely clean out the account and disappears without a trace.
I’d like to be able to tell you that there are simple, effective technology solutions to phishing, and a few companies have developed some very interesting products that do address this issue. But, as Crispin Cowan, one of PGP Corporation’s advisors, likes to say, the problem with phishing “lives between the keyboard and chair” and it’s us—all of us. As we develop systems to prevent email containing phishing attempts from reaching their intended victims, the phishers are moving their bogus pitches offline and calling prospects on the phone or even sending actual mail containing their claims and urging you to contact them immediately.
The good news about phishing is that the solution also lives between the keyboard and the chair. Phishing attacks became so common last year that every reputable financial firm announced they would not attempt to contact customers via email in the event of an account issue and if they did, the email would contain no link: If you needed to access your account online, you’d need to type in the address yourself. My advice is that you shouldn’t even do that. Instead, if you think there’s a problem with a bank, credit card, or other financial account, call the toll-free number found on the card or statement. You’ll find that customer service departments are highly sensitized to this issue, can address your problem quickly, and can determine if someone has gained unauthorized access.
One final step is to remember to never, ever give out personal identity information to anyone that calls. If your institution calls and claims they need such information, ask which department they work in and state you will call back. Do not take a number from the caller, but get the customer service number for the institution off a statement or their website and call that number and ask if they’re actually seeking the information and why.
While we’re talking about phishing, I should also touch on a slight variant of this sort of attack known as “pharming”. In a pharming attack, the criminal is able to redirect legitimate Web traffic to a bogus site that collects user information and uses it in the same way as a phishing attack to deplete victims’ accounts. Typically, a pharming attack is perpetrated in the network infrastructure. In most cases you don’t have to worry about pharming because nearly all ISPs have taken steps to prevent such redirection. However, you do need to be careful if you like to use the public wireless Internet services that are now available in many coffee shops and restaurants. For the large well-known services provided by companies such as T-Mobile and other major carriers, it’s not an issue. If you find yourself using “Java Joe’s Neighborhood Wireless Network”, however, I’d resist the temptation to access your credit card or bank accounts until you can get access to a wired network or a wireless network you trust.
There’s one other type of pharming attack that targets individual users. It involves the use of spyware to alter your browser configuration so that traffic is redirected to a criminal’s look-alike website. By now, most of you are familiar with spyware, and it presents lots of dangers beyond initiating a pharming attack. For those of you not familiar with it, spyware consists of small, mostly invisible programs that are surreptitiously installed on your computer when you download a supposedly useful application or utility. Besides potentially altering your Web browser’s behavior, spyware applications can also log keystrokes, scan your hard drive for useful information, or simply damage your system.
There are two things you need to do to prevent being victimized by spyware and other malicious programs. First, get a good anti-spyware utility and use it. There are a number of very good products available now from companies such as Symantec or LavaSoft. The other thing you need to do is to use some care when downloading software from publishers with which you’re unfamiliar. I’ve made it a practice never to download a product directly from such a publisher’s site. If a publisher is unknown to me and I still want to test the product, I’ll try to find it on one of the popular download sites such as Download.com or Tucows. Although this strategy isn’t foolproof, most of these sites are pretty good about quickly deleting products with which users have experienced problems.
We’ve covered phishing, pharming, and spyware and what you can do to prevent becoming victimized. Although each of these threats presents a clear and present danger, they aren’t nearly as dangerous as the current offline attempts to steal your identity and later your money. In the offline world, you can be victimized even if you do everything right. The good news about these online attacks is that until your identity or authentication credentials are breached, you are in control of them. By exercising care and using a few simple security utilities, you can probably prevent the bad guys from winning.
Related Links
www.fightidentitytheft.com.