Avatar

Who are you? Removing the obvious existential questions for a minute, your identity is often represented as a bundle of personally identifiable information (PII). In the United States PII begins at birth with a name, date of birth, and social security number (SSN). This morning’s KrebsOnSecurity post details the unauthorized access of computer systems (via malicious code) at Lexis Nexis and Dun & Bradstreeet. Both of these organizations aggregate and sell consumer and business PII.

When PII is misrepresented, the experience for the true PII owner can range from unsettling to pure exasperation due to the fact that the victim’s virtual identity must be reclaimed and a consistently proven remediation roadmap still does not fully exist. A recent survey estimated that in 2012 over 12 million Americans were the victims of identity theft.

Fortunately, in addition to the standard PII definition a majority of states –such as California’s Penal Code §530.55 – now include credit card numbers and even computer media access control (MAC) addresses. The comprehensive definition and accompanying legislation is giving law enforcement the ability to charge suspects with identity theft and aggravated identity theft, but individuals still need to be aware of the risks and respond accordingly.

Below are five realistic almost universal U.S.-centric identity theft risk factors followed by guidance on proactively saving you those precious resources – time and money.

1. You don’t control your PII.

Numerous third parties control your PII including federal, state, and local government agencies, employers, medical providers, financial services providers, and the list continues to grow.

The confidentiality of your PII is only as good as the information security policies and procedures of the myriad third party organizations that hold it. Unfortunately the last decade of headlines indicates that they are largely failing to keep your PII secure. They try of course, but the demand for data accessibility specifically from the web has created exploits with technical names (like SQL injection and Cross Site Scripting) that continue to plague organizations. FBI Director Robert Mueller publicly opined that there are two types of companies – those that have been hacked and those that will be.

Thus criminal threat actors continuously steal various pieces of victim PII from third party databases often with specific monetization methodologies in mind. When identity theft is the goal, often times partial PII may be completed using additional online criminal resources such as a SSN search tool.

The below screenshot depicts an online form that returns a victim’s matching SSN. The SSN lookup costs a few dollars paid via the WebMoney virtual currency. With resources like this it’s never difficult to find missing victim PII which makes you wonder about data that hasn’t been compromised yet.

SSN-search-register

SSN-search

2. Your pilfered financial PII (primarily payment card and bank account details) continues to experience high demand in the criminal marketplace.

While filling out credit card investigation affidavits is not time intensive, waiting for the replacement of bank account funds is frustrating and the partial PII loss may escalate into full blown identity theft. Criminal threat actors continue to compromise financial PII through multiple physical and electronic channels and ultimately this type of fraud may affect all consumers by raising financial services costs.

It’s surprising (depending on your perspective) that physical payment card risk continues to be problematic. A decade ago  fraudsters regularly attached physical skimmers to ATMs, but presently the skimming device tends to be much smaller. Current generation skimmers are typically inserted into the anti-theft device itself in tandem with an overlaid PIN pad or camera in order to extract the victim card’s associated PIN.

Gas pumps are also lucrative targets because the parasitic skimming device is completely hidden inside the gas pump door leaving no sign of tampering. Gas pump skimmers also tend to compromise PII over a longer period of time before being discovered.

Third, you routinely hand your payment cards to service industry workers who disappear with them and reappear minutes later to request a signature. Unscrupulous fraudsters often take the opportunity to run the card through a small portable magnetic stripe card reader (skimmer) for duplication at a later time.

Fourth, when you swipe your payment card at a physical merchant’s point of sale (POS) terminal (typically running Windows together with proprietary merchant software) your financial data may be compromised either in storage or in transit across the network. Additionally, PIN Entry Device (PED) modification remains a danger to consumers paying by card as a PIN or zip code is typically required and like the gas pump, the information obtained is more complete and the tampered device is more difficult to detect.

In a world where physical interaction is rarely required, ATMs, gas pumps, and POS/PED systems remain physically vulnerable to financial PII theft.

Last, as I previously mentioned, Internet commerce databases continue to be susceptible to common attacks and resulting unauthorized access. Thus when you purchase goods/services on the Internet, threat actors are often stealing your card not present (CNP) details (known in criminal parlance as “cvv”) which typically includes your physical address, email address, and phone number. Victim CNP data is often sold for $1 or less in fraud forums because the criminal supply vastly outpaces demand.

cardsmarket

3. Businesses are legally selling your PII.

Online PII aggregators make a living selling your personal information. KrebsOnSecurity mentioned the traditional resources such as Lexis Nexis, Dun & Bradstreet, and HireRight, but more recent entrants to this business segment like PiplSpokeoPeekYou, and many others are also in the business of filling in the consumer PII gaps for anyone willing to pay modest fees. Thus when threat actors obtain a partial PII profile they can often complete it using one of these online aggregators.

4. Your tax return may have already been filed and accepted.

Looking at the numbers over the past decade it’s evident that identity theft is a growth industry and monetizing a victim’s PII is trivial and lucrative, specifically via tax return fraud. With a name, date of birth, and SSN a fraudster will file your tax return and route the inevitable refund to a controlled address or better yet apply it to a virtually untraceable pre-paid debit card. One fraudster recently collected $3.3 million in tax refunds from over 2100 spurious returns and all of the checks were mailed to the same Michigan address.

In Miami, police report that many criminals once selling illegal narcotics are now engaged full time in the lucrative business of identity theft and tax return fraud. You know how much time is required to correctly file a tax return, imagine trying to convince the IRS that you have not yet filed your return and you still need your refund (thankfully it’s becoming easier).

5. You use the same password for multiple online accounts.

It eventually happens to all of us. Our memory is finite and the list of third party online accounts only seems to grow larger with time. The problem is that when one of your account password hashes is compromised and decoded, there is a real probability that the rest of your accounts will fall like dominos to include email, social networking, ecommerce, etc. The best case scenario involves spamming malicious links from your email and social network accounts to all of your contacts. The worst case scenario involves data deletion, account lockouts, and identity theft.

The problem is that while passwords are often stored in databases using password storage best practices, one database breach means that an attacker can download password hashes and work offline to crack the passwords using freely available tools.

Life is one big risk assessment and most of us tend to feel comfortable somewhere in the middle between extreme caution and life threatening risk. When it comes to identity theft here are five reasonable counter measures that may help reduce some of the risk.

1. Limit your exposure by refusing to provide PII to third parties unless it’s absolutely mandatory.

2. Check your credit report annually and look for new credit lines that you did not approve. You can check your credit report for free with each of the three credit bureaus (Equifax, Experian, and TransUnion) at Annual Credit Report.

3. Use a credit lock. The fees differ by state and the credit profile must be unlocked before you make major purchases, but if major purchases occur infrequently this is a useful option because it substantially limits identity theft potential. Contact each of the three credit bureaus directly to activate a credit lock.

4Request profile deletion from online aggregators. Most of these online services place a link at the bottom of the home page for consumers to request profile deletion. This is only partially effective as the aggregator will inform you that the information is populated for multiple sources. Thus to truly remove all available PII a lengthy notification process may ensue.

5. Use a password manager. There are numerous free apps on both iOS and Android that will store and encrypt your credentials. These software managers will facilitate different passwords for every online account and if you lose or damage your phone you can still access your credentials from another Internet enabled device.

If you ever find yourself the victim of identity theft we recommend using the FTC resource center which will assist with concrete steps to take toward replacing your virtual self and if a tax return was falsely submitted in your name contact the IRS immediately.



Authors

Levi Gundert

Technical Lead

Cisco Threat Research, Analysis, and Communications (TRAC)