
How Identity Theft Works


At that point, all of the elements needed to start controlling the person's identity were in motion. We had obtained his Social Security number, established a mailing address, and become his employer. We stopped our attack at that point -- we had no wish to hurt the person. However, if we had continued, we decided that establishing credit through a major retailer would be the easiest method.

We confirmed our hypothesis by going to a large sporting goods store, which advertised a 10 percent discount to customers who used its "quick and easy" approval process to obtain one of its credit cards. When I asked the manager how the store could establish credit so quickly, he explained that they verified the person's credit by asking for another credit card, then verifying credit through that company. If another card wasn't available, they would simply contact the person's employer as a financial reference. At that point, we knew we were in, because we had already established ourselves as the victim's employer.

This is just one example that shows how easy it is to gain a dangerous amount of access to personal information. There are lots of other exploits that we could have tried, and any one of them could have been just as effective.

Many people are careful to protect their Social Security information, but end users really should be concerned about all of their data. Identity thieves can collect data from many sources, including trash and recycling bins, discarded mail, and Internet sites. Sites where users share personal information, such as MySpace and LinkedIn, can make the problem worse. Sites that deal with family reunions, genealogy, and sports statistics may seem harmless, but they can become great resources for valuable personal data.

For IT and security people, however, the message is more complex. IT organizations should sanitize any online resources that contain personal data about their employees, maintaining only the bare minimum online. Personnel profiles or applications should never be kept on systems that are widely accessible over the Web. If there is a need to post personal information on a Web-accessible site, consider securing it with some sort of two-factor authentication, such as the technology offered by RSA Security.

Finally, IT departments should constantly monitor themselves for vulnerabilities. If a pen tester hadn't come and shown the college the flaws in its alumni system, how long would it have taken its IT folks to find and fix them? A vulnerability can often be found in a system that may seem peripheral to the business or relatively unimportant to the enterprise. Once that vulnerability is exploited, however, the consequences for users, customers, or employees could be disastrous.


Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading.

