Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: A Case of Identity Theft - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A Case of Identity Theft
ISC reader Aaron sent along a story in the News Tribune in Tacoma, WA. In short, it's the case of a serial identity thief who never got arrested but stole money from someone who is friends with a reporter. (Don't mess with journalists or their friends, oops. :) It's a pretty good read and a decent case study on ID theft and on the limitations in actually bringing these people to justice.

In this case, the identity theft took place because the individual involved had physical access to the victim's mail (it was a roommate). Right now, most identity theft takes place using non-technological means (i.e. dumpster diving). However, I still posit that electronic ID theft is not only dangerous, it is more dangerous. It takes time and effort to steal someone's identity in person. Online, with the right piece of malware and a good infection vector, you can steal thousands of identities in seconds. The only protection that is provided to consumers (at least in the United States) that I have been able to discern is that the existing fraud models limit the amount of money stolen by a particular attacker. Of course, risk management models allow companies to predict the amount of loss due to ID theft and pass it back down to the consumer in the form of increased prices. One day, someone will be smart enough to figure out how to bypass the fraud models.

It doesn't help that in the United States we have a weak national ID that easy to steal (we call it a Social Security Number). Getting that number makes everything else easy. It certainly doesn't help that organizations like the US Department of Education use SSNs for authentication, making it easy for keyloggers to steal them. SSNs as authentication are stupid... once you know the 9 digit number the game is over. Keyloggers and other malware has successfully compromised (this is different from actually stealing all the money) about $55 billion in US assets alone (an increase from my earlier estimate).

In short, protect your identity as best you can, from both physical and electronic theft.

--
John Bambenek, bambenek/at/gmail/dot/com
University of Illinois
John

245 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!