
Showing papers on "Identity theft published in 2009"


Proceedings ArticleDOI
20 Apr 2009
TL;DR: This paper investigates how easy it would be for a potential attacker to launch automated crawling and identity theft attacks against a number of popular social networking sites in order to gain access to a large volume of personal user information.
Abstract: Social networking sites have been increasingly gaining popularity. Well-known sites such as Facebook have been reporting growth rates as high as 3% per week. Many social networking sites have millions of registered users who use these sites to share photographs, contact long-lost friends, establish new business contacts and to keep in touch. In this paper, we investigate how easy it would be for a potential attacker to launch automated crawling and identity theft attacks against a number of popular social networking sites in order to gain access to a large volume of personal user information. The first attack we present is the automated identity theft of existing user profiles and sending of friend requests to the contacts of the cloned victim. The hope, from the attacker's point of view, is that the contacted users simply trust and accept the friend request. By establishing a friendship relationship with the contacts of a victim, the attacker is able to access the sensitive personal information provided by them. In the second, more advanced attack we present, we show that it is effective and feasible to launch an automated, cross-site profile cloning attack. In this attack, we are able to automatically create a forged profile in a network where the victim is not registered yet and contact the victim's friends who are registered on both networks. Our experimental results with real users show that the automated attacks we present are effective and feasible in practice.

614 citations


Journal ArticleDOI
TL;DR: LaRose and Rifon as mentioned in this paper investigated the extent to which the level of perceived threat and likelihood of threat along with online self-efficacy affect online behaviors and found that both self-efficacy and demographic factors such as age have a differential impact on the type of behaviors taken online.
Abstract: This research draws upon protection motivation theory and social cognitive theory to investigate the extent to which the level of perceived threat and likelihood of threat along with online self-efficacy affect online behaviors. This article contributes to the literature by investigating a wide range of risky and protective behaviors and examining the role of online self-efficacy with a national online survey of 449 nonstudent respondents. Results show that both self-efficacy and demographic factors such as age have a differential impact on the type of behaviors taken online.
Self regulatory policy in the United States requires consumers to be, in part, responsible for their online behaviors and to protect their privacy and security. To do this, consumers must have an understanding of online security and privacy risks (Miyazaki and Fernandez 2001), what is happening to their data, what tools are available to protect them, and they must have the skills to do something about it. Research has suggested that consumers' level of awareness and skills vary, and that education is needed as a corrective prescription (LaRose and Rifon 2007a). For consumers to educate themselves and acquire such skills takes time and continued effort to be current with evolving technologies (LaRose, Rifon, and Enbody 2008). Indeed, consumers face a continuing array of privacy and security threats while shopping online. New tracking devices such as web bugs are being used and identity theft has been growing (Jakobsson and Myers 2006), while the opportunity for connecting to the Internet has expanded through the creation of a wide variety of abundant computing devices and increasing public online access points. Much has been made about the fact that consumers say they are concerned with their privacy, yet they continue to shop online and divulge personal information.
Some take prudent actions to protect themselves, whereas others take risks with their personal information and security. Such a paradox exists at the macro societal level, and not until recently has investigation begun at the individual level (Norberg, Horne and Horne 2007). In this article, we examine what variables lead consumers to make adaptive or maladaptive responses in the face of privacy and security threats. Adaptive behaviors are actions taken with an online business to keep information safe. Maladaptive behaviors are avoidance responses that are driven by a more general fear of online shopping. In addition, our research examines factors that lead consumers to conduct protective and risky online behaviors. These factors are not specific to online shopping, but rather address other activities conducted online. Risky behaviors are specific computer-based actions that put people at risk, whereas protective behaviors are specific computer-based actions that consumers take to keep their information safe. More broadly, the purpose of our research is to examine how consumers' perception of the threat and likelihood of threat associated with online experiences affects the decision to engage in these behaviors. Importantly, in this research we examine the extent to which a consumer's self-efficacy directly affects protection choices and also moderates the relationship between threat and protection decisions. We examine self-efficacy's role in terms of both security and privacy, which are intrinsically linked (Miyazaki and Fernandez 2001).
Our research contributes to the growing literature using protection motivation theory and social cognitive theory to understand privacy behaviors (Rifon, LaRose and Lewis 2007; Milne, Cromer and Culnan 2006; LaRose and Rifon 2007a) by examining how self-efficacy affects (1) maladaptive and adaptive shopping behaviors and (2) protective and risky computer-based behaviors outside of an experimental context with a large sample of US online shoppers. By focusing on the online behaviors that either put consumers at risk or serve to protect them, we develop a more nuanced understanding of what background and contextual factors lead individuals to make such decisions. …

159 citations


Patent
09 Feb 2009
TL;DR: In this article, an identity session initiation protocol (SIP) application server is configured to act as a security assertion markup language (SAML) bridge, which allows an SIP enabled device or a non-SIP-enabled device to attach to a telecommunications service provider network.
Abstract: A system and method to support identity theft protection and, in particular, to a system and method for supporting identity theft protection as part of a distributed service oriented ecosystem in Internet protocol (IP) multimedia subsystem (IMS) and non-IMS networks. The system includes an identity session initiation protocol (SIP) application server configured to act as a security assertion markup language (SAML) bridge, which allows an SIP enabled device or a non-SIP enabled device to attach to a telecommunications service provider network. A user may accept or reject an authorization request using the SIP enabled device or non-SIP enabled device.

103 citations


Journal ArticleDOI
TL;DR: The research discovered that Malaysians do not have high intentions to use MyKad NIC and DL applications and there is a lack of social support, influence from peer group, and credibility of using the applications.

101 citations


Proceedings ArticleDOI
08 Jun 2009
TL;DR: The problem of Identity Theft is discussed and behavioral biometrics is proposed as a solution; existing studies are surveyed, and the challenges and proposed solutions are listed.
Abstract: The increase of online services, such as eBanks, WebMails, in which users are verified by a username and password, is increasingly exploited by Identity Theft procedures. Identity Theft is a fraud, in which someone pretends to be someone else in order to steal money or get other benefits. To overcome the problem of Identity Theft an additional security layer is required. Within the last decades the option of verifying users based on their keystroke dynamics was proposed during login verification. Thus, the imposter has to be able to type in a similar way to the real user in addition to having the username and password. However, verifying users upon login is not enough, since a logged-in station/mobile is vulnerable to imposters when the user leaves her machine. Thus, verifying users continuously based on their activities is required. Within the last decade there is a growing interest in and use of biometrics tools; however, these are often costly and require additional hardware. Behavioral biometrics, in which users are verified based on their keyboard and mouse activities, potentially present a good solution. In this paper we discuss the problem of Identity Theft and propose behavioral biometrics as a solution. We survey existing studies, list the challenges and propose solutions.

95 citations


Journal Article
TL;DR: If individuals suffer any harm as a result of a large scale data breach, that harm is most likely to be in the form of unauthorized use of a debit or credit card on an existing account, and the individual may suffer significant non-monetary losses such as invasion of privacy, inconvenience, and reputation damage.
Abstract: I. INTRODUCTION A. Large Scale Data Breaches The term "data breach" is generally and broadly defined to include "an organization's unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information, which can include personally identifiable information such as Social Security ... numbers, or financial information such as credit card numbers." (2) Since 2005, there has been a rash of reported high-profile data breaches involving the compromise of large volumes of personal information. (3) This rash began with the reported compromise of 163,000 consumer financial records from the computer systems of a large consumer data broker, Choicepoint Inc., in February 2005. (4) Choicepoint's security breach became public after it notified approximately 35,000 California consumers, pursuant to California law, that it may have disclosed their personal records. (5) The California law at issue had been passed in 2003, making it the first state to enact legislation requiring consumer notification in the event of a security breach involving the unauthorized acquisition of personal information. (6) In response to the increased fears of identity theft resulting from these publicized breaches, a majority of states have since followed California's lead and passed security breach notification laws. (7) Often, large scale data breaches involve the compromise of personal financial information, such as credit or debit card account information, rather than other types of personally identifiable information, such as Social Security numbers. (8) Three of the larger, more highly publicized data breaches in recent years, including DSW, Inc., (9) CardSystems Solutions, Inc., (10) and TJX Companies, Inc., (11) have involved the compromise of millions of credit and debit card account information. 
In these cases, hackers targeted the credit and debit card account information held by merchants or third party data processors as the result of credit and debit card retail transactions. The compromise of credit and debit card account information most often results in the type of identity theft referred to as "account takeover," which involves fraud on existing financial accounts. (12) Account takeovers occur, for example, when a criminal uses a stolen credit card number to make fraudulent purchases on an existing credit line. Account takeovers are the more common type of identity theft, in contrast to a second type of identity theft referred to as "new account creation." (13) New account creations involve the fraudulent creation of new accounts, for example, when a criminal uses stolen data to open a bank or credit card account in someone else's name. (14) Often, in order to engage in this type of identity theft, the criminal must steal more personal information than merely credit and debit account information. (15) Accordingly, if individuals suffer any harm as a result of a large scale data breach, that harm is most likely to be in the form of unauthorized use of a debit or credit card on an existing account. (16) This harm often results in little or no economic loss for the individual because consumer liability for unauthorized credit and debit card use is limited by law (in most cases to $50). (17) Nonetheless, the individual may suffer significant non-monetary losses such as invasion of privacy, inconvenience, and reputation damage. Moreover, the economic loss for both the financial institutions issuing payment cards and the corporate entities from which cardholder account information is stolen is significant. Issuing financial institutions may experience three types of losses, including "(1) costs associated with reissuing new payment cards, (2) costs associated with monitoring open accounts for fraud (with or without reissue), and (3) fraud losses." 
(18) Merchants, data processors, and other companies suffering from the breach, in turn, face significant losses in the form of lawsuits, (19) credit card association fines, customer notification costs, stock price decline, lost business, and loss of existing customer confidence. …

86 citations


Proceedings ArticleDOI
10 May 2009
TL;DR: A preliminary study which examines the privacy protection issues on Social Networking Sites such as MySpace, Facebook and LinkedIn and proposes a Privacy Framework as a foundation to cope with these problems.
Abstract: Social Networking Sites (SNS) have become very popular during the past few years, as they allow users to both express their individuality and meet people with similar interests. Nonetheless, there are also many potential threats to privacy associated with these SNS such as identity theft and disclosure of sensitive information. However, many users still are not aware of these threats and the privacy settings provided by SNS are not flexible enough to protect user data. In addition, users do not have any control over what others reveal about them. As such, we conduct a preliminary study which examines the privacy protection issues on Social Networking Sites (SNS) such as MySpace, Facebook and LinkedIn. Based on this study, we identify three privacy problems in SNS and propose a Privacy Framework as a foundation to cope with these problems.

76 citations


Journal ArticleDOI
TL;DR: The authors explored how offenders' experiences and life circumstances affected their subjective assessments of risks and rewards and thus facilitated the decision to engage in identity theft, and found that offenders perceive identity theft as an easy, rewarding, and relatively risk-free way to fund their chosen lifestyles.
Abstract: Data for this study were collected in semistructured interviews with 59 individuals serving time in federal prisons for identity theft. We explore how offenders’ experiences and life circumstances affected their subjective assessments of risks and rewards and thus facilitated the decision to engage in identity theft. Our findings suggest that offenders perceive identity theft as an easy, rewarding, and relatively risk-free way to fund their chosen lifestyles.

76 citations


Journal ArticleDOI
TL;DR: A comprehensive survey of existing research into account signatures is provided, an innovative account profiling technology which maintains a statistical representation of normal account usage for rapid recalculation in real-time is presented.

75 citations


Book ChapterDOI
21 Jul 2009
TL;DR: The security risk for a group of health-care organizations is characterized using a direct analysis of leaked files that contained highly sensitive medical and personal information that could be maliciously exploited by criminals seeking to commit medical and financial identity theft.
Abstract: Confidential data hemorrhaging from health-care providers pose financial risks to firms and medical risks to patients. We examine the consequences of data hemorrhages including privacy violations, medical fraud, financial identity theft, and medical identity theft. We also examine the types and sources of data hemorrhages, focusing on inadvertent disclosures. Through an analysis of leaked files, we examine data hemorrhages stemming from inadvertent disclosures on internet-based file sharing networks. We characterize the security risk for a group of health-care organizations using a direct analysis of leaked files. These files contained highly sensitive medical and personal information that could be maliciously exploited by criminals seeking to commit medical and financial identity theft. We also present evidence of the threat by examining user-issued searches. Our analysis demonstrates both the substantial threat and vulnerability for the health-care sector and the unique complexity exhibited by the US health-care system.

62 citations


Proceedings ArticleDOI
20 Jul 2009
TL;DR: The PhishCatch algorithm is a heuristic based algorithm which will detect phishing emails and alert the users about the phishing emails, and has a catch rate of 80% and an accuracy of 99%.
Abstract: Phishing has become the most popular practice among the criminals of the Web. Phishing attacks are becoming more frequent and sophisticated. The impact of phishing is drastic and significant since it can involve the risk of identity theft and financial losses. This paper explains the most popular methods used for phishing and the PhishCatch algorithm developed to detect phishing. The PhishCatch algorithm is a heuristic based algorithm which will detect phishing emails and alert the users about the phishing emails. The phishing filters and rules in the algorithm are formulated after extensive research of phishing methodologies and tactics. After testing, we determined that PhishCatch algorithm has a catch rate of 80% and an accuracy of 99%. The approach used in developing this algorithm, the implementation details and testing results are discussed in this paper.

Journal ArticleDOI
TL;DR: Under the rubric of neoliberalism, the governance of populations occurs through new technologies and techniques of social control as mentioned in this paper, and contemporary neoliberal discourses of crime control, in particular...
Abstract: Under the rubric of neoliberalism, the governance of populations occurs through new technologies and techniques of social control. Contemporary neoliberal discourses of crime control, in particular...

Patent
07 May 2009
TL;DR: In this paper, a payment processing platform receives a user selection of control parameters that define use restrictions for the child product and the core account that provides financial backing for the product, which is then used for payment transactions within the use restrictions defined by the control parameters.
Abstract: A method for generating a child product that is linked to a core account. A payment processing platform receives a user selection of control parameters that define use restrictions for the child product and the core account that provides financial backing for the child product. The child product is generated and may be used for payment transactions within the use restrictions defined by the control parameters. The child product is delivered to a recipient as a physical card or as a virtual card or both as a physical card and a virtual card. Advantageously, the financial institution needs to modify its legacy payment processing infrastructure minimally in order to process payment transactions made using the child product. From a user perspective, child products protect consumers from fraud or identity theft and limit a customer's exposure when child products are lost or stolen.

Patent
10 Nov 2009
TL;DR: In this article, a system detecting and protecting against identity theft by abusing a computer user's ID and password, or protecting a user against identity replication through a parallel user session, via a second authentication level using a second channel, a one-time passcode and user contextual location information.
Abstract: A system detecting and protecting against identity theft by abusing a computer user's ID and password, or protecting a user against identity replication through a parallel user session, via a second authentication level using a second channel, a one-time passcode and user contextual location information. When accessing networks, computer systems or programs, the said networks, computer systems or programs will validate user ID and password and collect contextual information about the user, the device, the used network etc. Once validated, a message is sent by a second means that may be a cell phone SMS network or an instant message, said message containing a real-time session-specific one-time passcode. The session specific code and the collected information provide information enabling the user to detect a compromised identity through a mismatch between presented information and the information representing the user, and the passcode protects against fraudulent access.

Proceedings ArticleDOI
30 Jun 2009
TL;DR: A thorough overview of a deceptive phishing attack and its countermeasure techniques, which is called anti-phishing, is presented, and the research on why people fall for phishing attacks is shown.
Abstract: Phishing is a form of online identity theft. Phishers use social engineering to steal victims' personal identity data and financial account credentials. Social engineering schemes use spoofed e-mails to lure unsuspecting victims into counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. This is called a deceptive phishing attack. In this paper, a thorough overview of a deceptive phishing attack and its countermeasure techniques, which is called anti-phishing, is presented. Firstly, technologies used by phishers and the definition, classification and future works of deceptive phishing attacks are discussed. Following that, the existing anti-phishing techniques in the literature and research-stage technologies are shown, and a thorough analysis which includes the advantages and shortcomings of countermeasures is given. At last, we show the research on why people fall for phishing attacks.

Patent
01 Jul 2009
TL;DR: In this article, the authors proposed a method to identify and share information about users and/or user devices interacting with the consortia, at least in part by a delta of time parameter between a user device used and a reference time.
Abstract: The invention provides one or more consortia of networks that identify and share information about users and/or user devices interacting with the consortia. User devices may be identified, at least in part, by a delta of time parameter between a user device used and a reference time. Other parameters may be analyzed to identify a computer user and/or device and noteworthy transactions. The invention may be used for identity-based applications such as network security, the detection of fraudulent transactions, identity theft, ratings-based communities and law enforcement.

01 Jan 2009
TL;DR: This study presents an overview of criminal uses of ICTs in Sub-Saharan Africa with special emphasis on the Nigerian 419 scam, and examines the emergence, trend, concerns and effects of these malaises.
Abstract: The proliferation of Information and Communication Technology (ICT) in Sub-Saharan Africa has brought with it tremendous positive changes in socio-economic growth and development within the region. Paradoxically, ICT has also evolved to become a sophisticated tool in the hands of criminals for perpetrating different forms of cyber crime. Unintended issues such as e-mail scam, identity theft, child pornography, organized crime and solicitation for prostitution are some of the vices that have become recurring indices on the internet. A wave of fraudulent mails and other sharp practices referred to as “419 scamming”, generally believed to be traceable to Nigeria, pervades the West African internet webscape. This trend, if not combated, could serve as a breeding ground for cyber terrorism where some African countries harboring terrorists could recruit, train and plan terrorist attacks with just laptops and internet access. This study presents an overview of criminal uses of ICTs in Sub-Saharan Africa with special emphasis on the Nigerian 419 scam. We examine the emergence, trend, concerns and effects of these malaises and seek to present strategic policy perspectives on how to address the dilemma. The strategies proposed represent a set of commonalities among developing nations, similar to those of Sub-Saharan Africa, that are confronted with these problems. We conclude with implications and recommendations for research and practice.

Book ChapterDOI
03 Sep 2009
TL;DR: The main goal of this paper is to analyze some of the Internet security issues that are being transferred to the Interphonet and also to identify new security issues of the Interphonet.
Abstract: Despite the promising start, Electronic Commerce has not taken off, mostly because of security issues with the communication infrastructures that are popping up and threateningly undermining the perceived trustworthiness of Electronic Commerce. Some Internet security issues, like malware, phishing and pharming, are well known to the Internet community. Such issues are, however, being transferred to the telephone networks thanks to the symbiotic relation between the two worlds. Such an interconnection is becoming so pervasive that we can really start thinking about a unique network, which, in this paper, we refer to as the Interphonet. The main goal of this paper is to analyze some of the Internet security issues that are being transferred to the Interphonet and also to identify new security issues of the Interphonet. In particular we will discuss mobile phone malware and identity theft, phishing with SMS, telephone pharming, untraceability of phone calls that use VoIP and Caller ID spoofing. We will also briefly discuss countermeasures.

Journal ArticleDOI
TL;DR: In this paper, the authors analyzed an environment in which agents join clubs (payment networks) in order to facilitate trade, and proposed a number of potential remedies: reallocations of data-breach costs, mandated security levels, and mandated limits on the amount of data collected.

Journal ArticleDOI
TL;DR: In this paper, 59 identity thieves incarcerated in federal prisons were interviewed to offer the offenders' perspectives on existing research describing characteristics of thieves and the techniques they employ to complete their crimes.
Abstract: Researchers typically label acts as “white-collar” based on the respectable status of the offender (populist perspective) or on the characteristics of the offense (patrician perspective). However, some crimes, such as identity theft are not easily classified into either of these categories. The current study is designed to contextualize previous research and to situate the crime of identity theft within these two broad perspectives of white-collar crime. To do this, 59 identity thieves incarcerated in federal prisons were interviewed to offer the offenders’ perspectives on existing research describing characteristics of thieves and the techniques they employ to complete their crimes. Results show that identity thieves are a diverse group in terms of demographic characteristics (age, race, gender, and social class), employment, and criminal histories. They employed a variety of methods to both acquire information and convert it to cash. The most common methods of acquiring information were to buy it from o...

Book
19 Feb 2009
TL;DR: Computer Security: Protecting Digital Resources provides a broad approach to computer-related crime, electronic commerce, corporate networking, and internet security, topics that have become increasingly important as more and more threats are made on the authors' internet environment.
Abstract: Today, society is faced with numerous internet schemes, fraudulent scams, and identity theft that threaten our safety and our peace of mind. Computer Security: Protecting Digital Resources provides a broad approach to computer-related crime, electronic commerce, corporate networking, and internet security, topics that have become increasingly important as more and more threats are made on our internet environment. This book is oriented toward the average computer user, business professional, government worker, and the education community, with the expectation that the user can learn to use the network with some degree of safety and security. The author places emphasis on the numerous vulnerabilities and threats that are inherent in the Internet environment. Efforts are made to present techniques and suggestions to avoid identity theft and fraud. Readers will gain a clear insight into the many security issues facing the e-commerce networking, web, and internet environments and what you can do to keep your personal and business information secure.

01 Jan 2009
TL;DR: In this paper, the authors present new findings from surveys conducted in Summer 2009 on the largest group of fraud victims in the UK to date; using face-to-face interviews, focus groups and telephone interviews, about 800 victims have provided information on their experiences and their attitudes to the support available.
Abstract: In recent years the needs of crime victims have become much more recognised in the responses of the justice system and other agencies. There have been campaigns to improve the situation of victims of domestic violence, sexual assaults, gun and knife crimes. However, few campaigns have focussed on fraud victims, resulting in fraud being described as a ‘silent crime’, with victims receiving little support or restitution. Research carried out by the authors of this report has started to fill this gap. Their reviews of the research literature and the fraud support infrastructure (Button et al., 2009a, 2009b) illustrated: the diversity of frauds that affect individuals and small businesses in England and Wales; the perpetrators of fraud; and the techniques employed. It identified victim typologies; discovered what victims want in response to frauds; and assessed information and support currently available to victims. This report adds to a growing body of research by presenting new findings from surveys conducted in Summer 2009 on the largest group of fraud victims in the UK to date. Using face-to-face interviews, focus groups and telephone interviews, about 800 victims have provided information on their experiences and their attitudes to the support available. The findings reveal that, similar to more visible crimes, victims of fraud are a diverse group, ranging from the young, educated and professional through to the elderly and more vulnerable. The impact of a fraud is often individualised, depending on specific factors relating to the victim. The same fraud can affect multiple victims very differently. This has implications for the level of information, support and services required, with some requiring greater support than others.

Journal ArticleDOI
Abstract: The commercial use of information on the Internet has produced substantial benefits for consumers. But, as the use of information online has increased, so have concerns about privacy. In this paper we argue that acting on those concerns would be counterproductive. Far from a 'free lunch,' more privacy implies less information available for producing benefits for consumers, including targeted advertising and the valuable web services it supports, e.g. search engines, email, and social networks. Concerns about privacy may also be misguided. Most data collected about individuals is anonymous, and reducing legitimate uses of online information is not likely to reduce identity theft. Firms appear to be responsive to consumers’ privacy preferences, which also points to a properly functioning market. Our analysis suggests that proposals to restrict the amount of information available would not yield net benefits for consumers.

Posted Content
TL;DR: In this article, a typology of identity-related crime, consisting of conceptual, technical and legal categories, is introduced, which can be used as a comprehensive framework for future research, countermeasures and policies related to identity-related crime.
Abstract: Identification is ever more important in the online world, and identity-related crime is a growing problem related to this. This new category of crime is not restricted to high-profile instances of identity theft or identity fraud; it is wide-ranging and complex, ranging from identity deletion to unlawful identity creation and identity theft. Commonly accepted definitions are lacking, thus blurring available statistics, and policies to combat this new crime are piecemeal at best. To assess the real nature and magnitude of identity-related crime, and to be able to discuss how it can be combated, identity-related crime should be understood in all its aspects. As a first key step, this article introduces a typology of identity-related crime, consisting of conceptual, technical and legal categories, that can be used as a comprehensive framework for future research, countermeasures and policies related to identity-related crime.

Journal ArticleDOI
TL;DR: It’s worth noting that in many cases medical ID numbers are Social Security numbers, and the World Privacy Forum and Blue Cross Blue Shield Association estimate that approximately 1% of all fraud is medical identity theft.
Abstract: Medical identity theft is defined as the use of patient identification information and/or physician identification information to bill or obtain medical services. This is differentiated from the more common form, financial identity theft, in which identifying information like Social Security Numbers and credit card numbers is fraudulently used for financial gain. According to a 2008 Federal Trade Commission (FTC) estimate, medical identity theft represents 3% of all identity theft cases, or approximately 250,000 incidents annually. Health and Human Services, however, has jurisdiction over medical identity theft, not the FTC. Furthermore, the Fair Credit Reporting Act cannot be used to remove fraudulent medical records. The World Privacy Forum (WPF) and Blue Cross Blue Shield Association estimate that approximately 1% of all fraud is medical identity theft. The WPF also provides another interesting statistic. The “street value” of a stolen Social Security number is $1. The “street value” of stolen medical identification information is $50. It’s worth noting, however, that in many cases medical ID numbers are Social Security numbers.

Proceedings ArticleDOI
18 Aug 2009
TL;DR: A thorough overview of a deceptive phishing attack and its countermeasure techniques, called anti-phishing, is presented and a thorough analysis which includes the advantages and shortcomings of countermeasures is given.
Abstract: Phishing is a form of online identity theft. Phishers use social engineering to steal victims' personal identity data and financial account credentials. Social engineering schemes use spoofed e-mails to lure unsuspecting victims into counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. This is called a deceptive phishing attack. In this paper, a thorough overview of the deceptive phishing attack and its countermeasure techniques, which are called anti-phishing, is presented. Firstly, the technologies used by phishers and the definition, classification and future work on deceptive phishing attacks are discussed. Then the existing browser-side anti-phishing techniques in the literature and research-stage technologies are shown, and a thorough analysis which includes the advantages and shortcomings of the countermeasures is given.

Book ChapterDOI
04 Sep 2009
TL;DR: The security of CardSpace against today's Internet threats and risks and attacks is examined and several areas of improvement are suggested.
Abstract: Microsoft has designed a user-centric identity metasystem encompassing a suite of various protocols for identity management. CardSpace is based on open standards, so that various applications can make use of the identity metasystem, including, for example, Microsoft Internet Explorer or Firefox (with an add-on). We therefore expect Microsoft's identity metasystem to become widely deployed on the Internet and a popular target to attack. We examine the security of CardSpace against today's Internet threats and identify risks and attacks. The browser-based CardSpace protocol does not prevent the replay of security tokens. Users can be impersonated and are potential victims of identity theft. We demonstrate the practicability of the flaw by presenting a proof-of-concept attack. Finally, we suggest several areas of improvement.

Journal ArticleDOI
TL;DR: In this article, a typology of identity-related crime, consisting of conceptual, technical and legal categories, is introduced, which can be used as a comprehensive framework for future research, countermeasures and policies related to identity-related crime.
Abstract: Identification is ever more important in the online world, and identity-related crime is a growing problem related to this. This new category of crime is not restricted to high-profile instances of identity ‘theft’ or identity fraud; it is wide-ranging and complex, ranging from identity deletion to unlawful identity creation and identity ‘theft’. Commonly accepted definitions are lacking, thus blurring available statistics, and policies to combat this new crime are piecemeal at best. To assess the real nature and magnitude of identity-related crime, and to be able to discuss how it can be combated, identity-related crime should be understood in all its aspects. As a first key step, this article introduces a typology of identity-related crime, consisting of conceptual, technical and legal categories, that can be used as a comprehensive framework for future research, countermeasures and policies related to identity-related crime.

Proceedings ArticleDOI
31 Mar 2009
TL;DR: This work integrated their identity-theft-resistant authentication method with the OpenID identity system to allow a large number of services to profit from verified and trustworthy identity assertions.
Abstract: Together with the rapidly growing number of services on the Internet, authentication becomes an issue of increasing importance. A very common situation is that, for each service, users must remember the associated name and password they are registered under. This method is prone to identity theft and its usability leaves much to be desired. The Trusted Platform Module (TPM) is a microcontroller with cryptographic functions that is integrated into many computers. It is capable of protecting against software attacks. The TPM can generate and store non-migratable keying material for authentication and is an effective safeguard against the acquisition and use of an identity by an adversary. Even though the TPM prohibits identity theft, Internet services still have few options to verify the true identity of a user. Electronic identity cards (eID) assert the identity of their owner. Their large-scale deployment can be expected in the near future. The use of eIDs is impaired, though. They must be present for each authentication, and all devices must be equipped with a compatible card reader. We mitigate the problems of both approaches by using eIDs for establishing trust in user-specific TPM authentication credentials. The eID and a compatible reader must be present only once, for establishing the initial trust. We integrated our identity-theft-resistant authentication method with the OpenID identity system to allow a large number of services to profit from verified and trustworthy identity assertions.