A Bumper Year For ID Fraud

ITS what makes you unique among the Earths 6.65 billion humans - your identity. Your name, your date of birth, where you live, who you barrack for, even your pets name - private details now so easily made public on social networking sites that attract 500 million users around the world.

To an identity thief, these personal details are all they need to flesh out a fake ID that can let them clean out your bank account or set up a false credit card, loan, welfare payments or even a passport.

With 200,000 Australians now on social networking sites such as Facebook, MySpace and Bebo every day, security experts and consumer groups are predicting this year will be a bumper one for ID fraud.

Security software company Symantecs global internet security report for the last six months of 2007 shows malicious attacks are now focused on trusted websites putting the attackers in our midst.

"We used to tell people not to go down the dark alleys of the internet, but that doesnt apply today," Symantec Australia chief Craig Scroggie says. "Its not the back alleys, its the main roads like the social networking sites where the attackers are actively seeking us out."

Symantec monitors internet threats in 180 countries using more than 40,000 sensors and 2 million emails to collect spam. Last year, it detected 711,912 new threats, a staggering 468% increase on 2006, with 68% of the top 50 malicious codes designed to nab confidential information.

Where its happening is the most significant twist, with the latest data showing that trusted sites such as Facebook and Second Life are being infiltrated to strip individuals of their personal information.

"Identity theft and fraud are a multi-billion dollar business and attackers are making more money targeting personal information than they are out of targeting big business and government," Mr Scroggie says.

The Australian High Tech Crime Centre (AHTCC), a division of the Australian Federal Police, agrees that social networking sites are on the attack radar, delivering a higher probability of payoff to the webs underworld.

"Theyre not looking for the one big payoff, they realise the key to success lies in a series of smaller crimes with smaller amounts which people are less likely to report," AHTCC chief James McCormack says.

It seems cyber criminals have wised up to the psychology behind the thriving online communities where users come to hang out with friends or to hook up with strangers. The very premise of these cosy web circles invites members to peel back the layers of their lives and let their guards down, putting attackers in a prime position to pry and pilfer.

Mr Scroggie says: "Trusted websites like social networking sites, online gaming and persistent virtual worlds, these are places where people are comfortable sharing personal information about themselves."

And its those personal details used to protect your identity, such as your name and birth date, being made freely available online that are giving you away to impostors.

The BBCs Watchdog program recently uncovered that murky truth with a Facebook experiment using a fictional character called Amba Friend. Watchdog set up a Facebook account for her and sent out messages to 100 random Facebook users asking them to be her friend. Of those, 35 strangers said yes, including 23-year-old Scott Gould. Watchdog used the personal details on Mr Goulds profile, including his date of birth, to apply for an online bank account and credit card in his name. Both were instantly approved.

Software security provider Sophos followed suit, fabricating a character called Freddi Staur, who lured 82 users into handing over their personal details, including their phone numbers.

A spokesman for the Australian Consumer Association Choice, Christopher Zinn, says there is a false sense of security online that leads people to behave more recklessly than they would in the real world.

"Would people stick personal details like pictures of themselves growing up on a lamppost outside their house or on a public bulletin board in the supermarket?" he asks.

"The exuberance and the excitement that these sites generate tend to work against the cautions. But once you give those details out, youve lost control of them forever."

Digital strategist and researcher Julian Cole did his thesis on the way young people use social networking. He says security just doesnt concern them.

"This generation is much more forward in the information theyre giving over to sites like Facebook," he says. "Theres no reservation in revealing date of birth, schools, football teams, even mobile phone numbers. They dont have that worry about security."

Mr Cole says that while security upgrades on social networking sites now allow you to make your profile visible only to your network, some people feel embarrassed about doing this, preferring to give access to strangers to gain kudos by having a greater number of friends.

This careless attitude may be fuelling the online black market where stolen credentials are being bought, sold and traded by organised crime groups - with bank accounts selling for $10 to $1000, credit cards from 40 cents to $20 and full identities from $1 to $15.

Mr Scroggie says: "Its a mature underground economy where you see volume pricing, bulk discounting, value-added incentives - buy this many identities and then get additional stolen information free. Were even seeing competition."

Camouflage is the weapon of choice for attackers looking to clone consumer DNA. With 40,000 bot-infected computers in Australia - robots used to collect personal information - and the rise of steganography, which hides malicious code in standard applications and tools such as those on social networks, its getting harder to spot a scam.

"Its not the president of Nigeria who needs to hide his $10 million," Mr Scroggie says. "You clearly know thats spam and you hit delete. Because the information we share now is significant, were being phished in a far more targeted way.

"If your profile shows you love cats, they might send you an email about cat photos, so theyre using social networking sites to target their activities," says High Tech Crime Cente boss Mr McCormack.

"They call it spear phishing - where crims use your personal story to try to lure you into clicking on their phoney links."

Social networking might be free but the side-effects could cost you dearly.

Beyond the $1 billion annually that identity fraud is costing Australian business, AusCERT (Australias National Computer Emergency Response Team) says online identity theft losses have risen by 58% in 2006 to $27,000 a case.

Choice says that beyond the financial losses, victims of identity theft take years to restore their credit rating.

"Even if youve not got much in your piggy bank, they can use your identity to commit all sorts of other sins that you will have to clear up." Mr Zinn says. "Your name and your credit history are incredibly valuable things and if you think they arent, just speak to someone whos been caught in this way."

Sydney student Katrina Ryan had her credit card details stolen online last year by a thief who went on a $2000 spending spree. She believes her lack of internet security left her wide open allowing a fraudster to forge a copy of her credit card, which they promptly maxed out on a big-screen TV and alcohol.

Ms Ryan suspects her eBay account or MySpace page was to blame.

"I cancelled my eBay and MySpace and I dont give out any details online any more," she says. "Knowing how people can get to it so easily, Im a lot more careful."

While the bank reimbursed Ms Ryan within weeks, reinstating her credit rating took months of paperwork.

Dispute Assists Bruce Ford, who handles banking disputes for customers, says banks have no duty to disclose fraud with a credit reporting agency.

"There is no obligation for financial institutions to keep a record that youve been a victim of fraud - its discretionary," he says.

"If someone stings you for your ID and then you cant clean up your good name with the credit reporting agencies, that can crucify you for the rest of your life."

And he says local privacy and identity fraud laws are just as flimsy.

The Privacy Commissioner Karen Curtis says "it is likely that individuals posting information on social networking sites would be exempt from the coverage of the Privacy Act" as the act doesnt extend to individuals or organisations based overseas such as Facebook and MySpace.

In his recent report on identity crime, Federal Home Affairs Minister Bob Debus pushed for new laws against identity theft, including victim certificates issued by the courts to help undo damage done by identity thieves.

Only in South Australia and Queensland is it an offence to assume or steal another persons identity. By comparison, identity theft is a federal crime in the US with penalties of up to 15 years jail and fines of $250,000.

AUSTRALIAN Privacy Foundation chairman Roger Clarke says that beyond companies and criminals, theres also reckless behaviour coming from individuals using social networking sites.

"Weve always assumed fraud was a threat in big organisations," he says. "Now weve reached the stage where individuals are a threat to one another in handling data like disclosing photos of someone off their brain, which a boss might see before a job offer."

But Mr Clarke argues stricter laws arent the answer.

"When somebody uses a social networking site, its a consent-based arrangement," he says. "What we dont want to do is wreck the balance between freedom and protection."

Ultimately, he believes web users might find their own solutions. "As we get a bigger pile up of embarrassment and significant loss, well see a lot more use of pseudonyms, like spelling your first name in an interesting way, so that only your group knows who you are."

Digital researcher Mr Cole urges social network users to do their own security checks, verifying the information of new friends on the "comments" wall. He says fake spammer profiles offer few offline details such as reports on their weekends activities.

The security fraternity also advises using a "defence in depth" strategy, which includes overlapping security such as using anti-virus, a firewall, regular patches and cyber street-smarts against "friends" asking too many questions.

Which means you bare all on Facebook at your own risk - it might just earn you a reputation you didnt bank on.

Tag Cloud

External Information

Additional Information

Where Am I?