Identity Fraud – A Golden Business
Jul 26, 2018
Maria Genova is a research journalist and the author of a book on identity theft. She is a frequently invited speaker on privacy, identity fraud and information security. This blog is based on her FRAUDtalks presentation.
In order to commit identity fraud, the computers of individuals are hacked, data of these individuals is collected and all kinds of companies are defrauded, including insurance companies. This means, it is done with the data of other people, of honest citizens.
When I started my book, I was one of these numerous law-abiding citizens. I thought: “I am not of interest to hackers, I have nothing to hide". But to them every one of us is interesting. Why? Usually they start off by hacking a computer and then they look what data they can find. To be honest, we all save interesting data on our computers; insurance policies with a huge amount of personal details, a copy of our passport, tax returns. Combined this is enough to steal a complete identity. There are also many companies that leak our personal data, because they have been hacked.
Data is the new gold
How do these hackers get access to our computers? In the past a lot of technical knowhow was required, but nowadays almost everyone can do it. All those petty criminals are turning to the internet. They use the many free tools and step by step instructions that can be found there in abundance. Most hackers are lazy so-and-sos that rather stay at home sitting at their computer and use automatic programs to do the hacking. Distance is not an issue, take for example the Russians. They are interested in our data, because it is worth a huge amount of money. Data is the new gold.
Easy access to personal data
Hackers often gain access because people click on a link in an email. The phishing mails are getting better and better; there are more and more versions without any spelling mistakes and they use the identity of familiar companies and organizations. If you click on a link, the hacker gains access. Recently someone in the audience said he had received such an email and as he did not quite trust it, he opened the email at his work the next day. Bingo.
This is how entire organizations are hacked, including insurance companies. And in this way the hackers often also gain access to the data of the clients. Therefore it has become vitally important to tell your employees in an awareness session about the growing digital risks and all the things they need to look out for. This not only prevents reputational damage, but also a lot of distress for clients. It can also save money, as nowadays files are often encrypted by hackers and companies pay them hundreds of thousands of euros to buy back their own files. All because an employee clicked on a single link.
Track and trace
These days nearly all of us shop online, which immediately makes us potential victims. After placing an order, you often get an email with a track and trace number of a delivery service. You click on the link and you get hacked. These hackers have no idea whether you have ordered anything, but they send huge numbers of emails at the same time and there is a great chance that some of the recipients have just placed an order somewhere and are expecting this kind of email.
This also applies to the email you receive from your telephone provider when you have just returned from a holiday saying that your bill is unusually high. You are annoyed, you want to find out more, you click and they have gained access.
Victims of Identity Fraud
What does it mean in practice if you have been hacked and your data has been used for identity fraud? For my book ‘Komt een vrouw bij de h@cker' I spoke with many victims and I was surprised at the misery these people had to go through and how difficult it turned out to be to actually set right identity fraud. Often a copy of a passport suffices to steal an entire identity, the actual document is not required. The hackers steal such a copy from your computer or from a car rental company in Spain.
This is when the misery starts. For example, Boudewijn got a call by the police to say that he had to go to the police station. Someone had rented houses in his name and the police had discovered cannabis plantations on these premises. The police showed him the rental agreements with his forged signature and a copy of his passport. The police did not believe Boudewijn when he claimed that, yes, these were his details, but that he had nothing to do with it. He lost his job and even after the case had been dismissed after 2.5 years due to lack of evidence, Boudewijn was still left with a problem. One wrong tick in the police system meant he could not get a certificate of conduct (VOC) so he could no longer apply for jobs in his field.
Another example of Identity theft
A man’s driving license was stolen and the thieves managed to register 1700 cars in his name. The council stopped his social benefits, because he did not need them if he owned so many cars. Because of this, he could not pay his rent and became homeless. He had to go to court, taking his case all the way to the European Court of Human Rights. Eventually, after 17 years, he won his appeal and was awarded €9000 compensation.
Hacking can also be done in another way – via social media. It is easy to, for example, set up a LinkedIn account based on a name and public data. Then you invite colleagues to link to you. Who does not trust a colleague? A few weeks later the hacker sends all the ‘colleagues’ an attachment with a virus. Currently, many social media accounts are straightforward to hack, because the passwords are too simple. A password such as Now18! is easy to hack. We also share a huge amount of information via social media, as you can clearly see in this video.
Identity verification easy to mislead
Organizations in the Netherlands often use the date of birth, as well as name and address to verify the identity of the person they are speaking to. Name, address and date of birth (Facebook!) are easy to find online. I can obtain all kinds of information: financial data or medical records. I can even change the email address by phone: “Since last week I have a new email address.” “Thank you for letting us know, we will immediately change it in our database.” On request, a week later they will send your rental agreement or insurance policy to the wrong email address that they have in their system. An ideal set of data for identity fraud.
By using information from social media, it is also very easy to put together custom-made phishing emails. If I know where you play tennis, I can send you an email on behalf of your tennis club inviting you to a clinic with a celebrity: please click here to register. I find out where you followed your education on LinkedIn and, piece of cake, here is the invitation for a reunion. The attachment contains a virus which will not be recognized in time by most antivirus scanners. They are nearly always a step behind.
Passwords – two tips and a bonus tip
What can you as a law-abiding citizen do to make things more difficult for hackers? Take care with phishing emails: first click on the email address of the sender and then you will see an entirely different email address appear. When in doubt, hold your mouse over the link in the email - obviously without clicking on it - to see which site you are redirected to. Most of us come up with one strong password and use that for more than one or even every website. That is not a good idea: if one site is hacked and they get hold of you password, they can use it to, for example, sell goods on an auction site in your name. Naturally, they will not deliver the goods and it is you who is the swindler, because it is your account.
But there are so many sites – how can you come up with a different password and remember it as well? Here are two tips:
Use a password manager – a software program that generates a very strong password for every site. In future you will only have to remember one strong, long password. All the passwords are stored encrypted and thus are useless if they are hacked.
For those who prefer to remember the passwords themselves: come up with one strong password and adapt it for each site by changing one letter. For example, you password is ‘aprettylocation1!’ and you replace one fixed letter with a letter from the website. For example, the first (or second or last) letter of LinkedIn becomes the fourth letter of your password: ‘aprlttylocation1!’
And finally, a bonus tip: if you visit websites with banners, your computer can even become infected without clicking. This can be largely prevented, because hackers use leaks in the software and there will be updates for this. So always install updates as soon as possible and do not continue clicking on ‘Ignore’, that is the best way to protect yourself against hackers.