As the use of the Internet for commercial transactions grows, so do the incidents of identity (ID) theft. Computer security incidents involving the collection of personal information and other credentials of individuals for criminal purposes are reported frequently, and they have a significant impact on people's trust in online transactions. Despite the number of reported incidents, cases of online ID theft are currently examined in an ad hoc empirical fashion, as the field of computer forensics is a relatively new discipline and practice, and it lacks structured approaches to guide crime-specific investigations. This article discusses the issue of online ID theft and the need for co-ordinated actions for its forensic examination.
Figures and Examples
ID theft is the action of using the personal information of another person. It is considered illegal in any form and is mainly used for reasons of financial gain.1 ID theft is not a new concept; history is littered with examples of such instances. However, it has evolved into a more sophisticated form due to computer technology, the Internet and other technologies.
According to research statistics, fraud associated with ID theft increased by 400 percent in the UK during the past five years. During 2004, the rise was 45 percent.2 British business experienced a loss from electronic crimes of £2.4 billion in 2004, according to the National Hi-Tech Crime Unit.3
The US Federal Trade Commission (FTC) estimates that 4.7 percent of the US population (approximately 10 million people) were victims of ID theft last year. This equated to US $5 billion of loss by individuals; US businesses lost in excess of US $45 billion to ID thefts.4 The following statistics concerning ID theft outline the severity of the threat in the contemporary world:
- In 1999, 20,000 cases of identity theft were reported in the UK; in 2001, 53,000 were reported, and in 2003 the number had almost doubled.5
- The Association for Payment Clearing Services (APACS) claims £402 million of fraud on plastic cards in the UK in 2003.6
- Victims of ID theft can take as much as 300 hours to sort out the theft with banks and credit card companies.7
- 70 percent of all ID thefts can be traced to employees who steal personal data from their employers.8
The statistics show that ID theft is growing and becoming more prevalent each year. However, many cases of ID theft go unreported, as victims consider telling the police a waste of time. South Wales Police Chief Constable Barbara Wilding indicated that prioritising such crimes was a problem since only one in 140 police officers has any knowledge of high-tech crime.9
In November 2003, six British men were successfully convicted of ID theft and were given custodial sentences. The men admitted charges of having defrauded £350,000 from several financial institutions, including Lloyds TSB Bank, the Halifax Building Society and the Co-operative Bank. In addition, it is believed that they gained several more millions of pounds from other banks that preferred not to report their loss, as they felt it would impact on their reputation as a financial institution. The case was revealed after the co-operation of the online database service 192.com and the National Hi-Tech Crime Unit.
The fraudsters were using the common ID theft hoax of forged passports and driver's licences to obtain bank accounts, cheque books, platinum credit cards and loans. They used 192.com and the Experian online credit reference service to find out the details of people who had recently died and had a respected credit history.
The steps the fraudsters followed to steal millions of pounds were remarkably elegant. At first, they registered a fictitious company at Companies House, where the directors and shareholders were non-existent persons. The fraudsters were then able to obtain a consumer credit licence for the company, which enabled them to be registered with credit reference services such as Experian and, thus, be authorised to perform online credit checking. They then needed to identify people who had recently passed away. One method they used to accomplish this was to subscribe to online property auction sites. The next step was to use the 192.com database to find out more personal information about a person, while the deceased person's credit information was obtained from the credit reference services that had already been authorised through the fictitious company. When a deceased person proved to be an appropriate target, forged passports and driver's licences were produced in that name. The victim's mail was subsequently requested to be redirected from Royal Mail to the fraudsters' address. Consequently, the fraudsters were able to open bank accounts and apply for credit cards and loans in the deceased persons' names. They also used Internet banking for transferring money from one account to another.
However, the fraudsters did not consider, or else ignored, the message on the 192.com web site that informs visitors that all searches are recorded and are available for distribution to the police when requested. This was the evidence that was used for the arrest, as the IP address used by the ID theft gang was identified as belonging to an office in Whetstone, North London, UK. The police found five computers containing e-mails and temporary Internet files that confirmed the crimes. The men were jailed for 15 years in total, and their case is one of the largest fraud cases in the UK.10
The previous example demonstrates opportunities that arise for fraudsters as well as a successful investigation and prosecution. The lack of controls to ensure the accuracy of the details of the newly registered company and the ability to use the financial histories of deceased individuals provided this ID theft gang with the capability of conducting this criminal act. On the other hand, the existence of logging controls provided the police with critical digital evidence to perform the investigation.
There are numerous other reported incidents detailing the methods fraudsters choose for compromising online transactions and acquiring illegitimate personal and financial information. Online ID theft is increasingly being examined by the computer forensics field, which is a relatively new discipline and, as such, lacks a formal, structured working environment. This article, in addition to elaborating on cases of ID theft and how the crime was revealed, reviews the information collection techniques, examines the evidence left behind, and discusses related forensic examination practices and their interfacing with the closely related field of IT audit, another area of the digital investigations arena.
Threats and Techniques Used to Collect Personal Information
Vulnerability breeds criminality, whether it relates to an individual, a group of people or even a corporation. A false name obtained online can help the thief avoid detection, especially if such things as drug trafficking and organised crime are involved. Fraudsters are willing to take the risk and indulge in criminal activities, as they perceive that the benefit of making money outweighs the risk of being caught.11 Once a false identity is created, the thief adopts the victim's identity and, therefore, can do everything online that the victim could do. One convicted ID thief reported he could spend US $20,000 in an hour.12
According to Bruce Potter, national head of the Technology Group at Morgan Cole, one in 11 employees is misusing corporate data in some way.13 With most business information worth more than the bricks and mortar, misuse of company information by a poorly paid or otherwise demoralised employee may prove to be very lucrative financially. Ex-employees can cause significant problems by using their knowledge to access the company's computer systems, databases, etc. They may corrupt data and software, sell company data, or provide access into the company's computer systems for others.
In light of this, the ID thief may also be a disgruntled employee, or someone who wants to punish or harm an individual or a corporation, who had a close relationship with the entity and access to personal or customer data. ID thieves set out to own as much of the victims' data as possible. A fact that makes the risk of such exposure even greater is that this type of crime may not be a policing priority.14
In a 2005 session at the E-crimes Summit, Lyn Hynds reported that phishing (commonly referred to as automated ID theft) is growing at an alarming rate. Phishing is the sending of e-mails that appear to come from a company asking for verification of a customer's personal data and account details. The customer is then directed to a cloned web site that looks very similar to the actual company's web site. This is where the customer will be asked to enter personal data and details for 'verification' purposes. Thieves usually target the customers of large, established financial institutions. These customers have entrusted their personal finances to the company and, therefore, trust the institution implicitly. Cloned web sites are professionally produced and aim to mislead the public. Most of these sites are hosted in Eastern Europe where the laws are very lax regarding high-tech crime.
Near-miss domains are a common type of phishing attack. For example, www.halifax.co.uk might be abused as www.halifax-bank.co.uk (domain not in use as of 11 August 2005). Another type of theft is the 'error' or cross-frame attack. This is where users enter their details and then an error message is displayed; pressing 'ok' will then redirect the victim unknowingly to the real site for them to enter their details again. This method is also referred to as pop-up attacking.15
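From the defending institution's side, near-miss domains can be screened for in newly observed host names (mail links, proxy logs, registration feeds). The following is an added example, not part of the original article: the protected list, the suffix table and the category names are assumptions, and every host other than the article's halifax pair is a constructed placeholder.

```python
import re

# Domains being protected. halifax.co.uk is the article's own example;
# examplebank.co.uk is a constructed placeholder.
PROTECTED = ["halifax.co.uk", "examplebank.co.uk"]

# Two-label public suffixes known to this example (assumption: a production
# check would consult the full Public Suffix List instead).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


def registrable(host):
    """Return (registrable label, public suffix) for a host name."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, protected=PROTECTED):
    """Label a host as legitimate, one kind of near miss, or unrelated."""
    host_labels = host.lower().rstrip(".").split(".")
    label, suffix = registrable(host)
    for legit in protected:
        brand, brand_suffix = registrable(legit)
        if label == brand:
            # Same name: the real site, or the name under another suffix.
            return "legitimate" if suffix == brand_suffix else "suffix-swap"
        if brand in re.split(r"[-_]+", label):
            return "brand-plus-keyword"   # e.g. halifax-bank.co.uk
        if edit_distance(label, brand) <= 1:
            return "typo"                 # one character added, dropped or changed
        if brand in host_labels:
            return "brand-in-subdomain"   # brand used as a label of another domain
    return "unrelated"


def scan(hosts):
    """Classify each observed host; returns {host: category}."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    observed = ["www.halifax.co.uk", "www.halifax-bank.co.uk", "examp1ebank.co.uk",
                "examplebank.com", "examplebank.example.net", "example.org"]
    for host, verdict in scan(observed).items():
        print(f"{host:28} {verdict}")
```

A single-edit threshold misses transposed letters and look-alike Unicode characters, so a hit list from this check is a starting point for review rather than a complete inventory.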
Financial account hijacking is often simple once the personal information has been given to the ID thief. Passwords and accounts can be altered and, of course, money removed from the account. The 11 September 2001 attackers had 35 bank accounts that they set up using false Social Security numbers, and they used the Internet to fund their finances. According to Silver Lake Publications, terrorists also are becoming experts at ID theft.16
Unsecured wireless media, such as Wi-Fi and Bluetooth, are an excellent way for an ID thief to masquerade an identity. Gaining access to other networks or intercepting a signal could be all that is required to gain anonymity. War-driving is a popular activity involving the identification and location of unsecured wireless networks by driving around an urban area looking for such networks. These wireless networks are intended solely for use by company employees, hospital staff, college students, etc., but the security issues are often overlooked, resulting in an unsecured, open access wireless network. Therefore, anyone who can connect to the network with a wireless device could have access to company information.17 In a similar fashion, conventional wiretapping for data or voice (bugs, sniffers, etc.) can provide personal information.
In addition to wireless interference or conventional wiretapping, malicious software is another agent for ID theft and a problem even for the most adept computer user. Key logging software can send data back to the thief, providing information such as passwords and PIN numbers. Bots, computer programs that run automatically, are becoming more powerful, collecting more and more personal information. Therefore, profiling a person and building up his/her identity is becoming much easier.
Search facilities, such as LexisNexis, provide a lot of information on news articles. Combine this with such web sites as Friends Reunited, and one can begin to gain a considerable amount of information about a person and draw an accurate profile of him/her.18 Another method of obtaining information is tombstoning—obtaining records of deceased persons or applying for birth certificates that are then used to create accounts. Credit reference agencies online can then provide information about an individual or an organisation for credit worthiness. Information brokers are useful sources of personal information, as they can provide information such as credit reports via online sources.
Social engineering may be used if the thief has only part of the personal information required for ID theft, such as bank account details. The thief may contact the potential ID theft victim to confirm a purchase that the victim did not make. The worried consumer will then, without thinking, often give the ID thief whatever details are asked for in the belief that the person on the phone is from the bank.
Setting up temporary mail boxes is another way to get parcels delivered, as many commercial web sites allow goods being delivered to another address as long as they know a home (card billing) address. This type of card-not-present fraud is also common.
Last but not least, spoofing, or much simpler but similarly deceptive techniques, can be used in e-mail attacks. For example, changing the 'from' field in an e-mail message can be quite deceptive. A fraudster can change the name in the options setup to 'Customer Product Recall'. The shock factor associated with such an introduction and that initial scare tactic may trick some people into giving information about a transaction they performed.
Investigation of ID Theft and Construction of Evidence
As discussed earlier in the case of the ID theft gang, the existence of logging controls that allowed for the monitoring of the gang's activities and provided traces of their whereabouts played a critical role in the investigation. However, many times similar evidence is not available, as the appropriate controls were not functioning properly or were not set in the first place. Therefore, the first objective to meet in regard to digital evidence is assuring the existence of evidence through the deployment of appropriate monitoring controls.
There is a direct interfacing of forensic investigations with the area of audit and control of information systems. Forensic investigators need to be aware of the existing controls set to prevent ID theft and also of the controls set to monitor operations. They need to assess whether they can rely on the former and collect the evidence produced by the latter. That is more than essential, in the case that forensic investigators lack the knowledge, expertise or resources in the area of computer forensics.
However, the conversion of data to evidence is a lengthy and costly process that has to be made understandable to a jury. The digital trail involves examining how a crime was committed using computers and the Internet, and it may involve investigations of such things as tracing credit card transactions. Forensic extraction and analysis of data from a computer hard disk will detail much of this information.
The investigation should identify how the leak of personal information occurred that made it possible to conduct a misuse of resources, such as a credit card number. It should also include details such as dates, goods purchased and amount spent. If possible, the perpetrator should also be identified. The latter is perhaps one of the most challenging tasks as, unlike DNA evidence, computer records can identify user accounts that are logically, not physically, linked to individuals. There is an open area in assisting evidence reliability assessments, much in the same way that audit evidence is assessed (e.g., in the US General Accounting Office's report 03-273G, for assessment of reliability of computer-processed data).19
The information contained in a suspect's computer may be extensive, containing personal information of ID theft victims, e-mail messages, computer logs of Internet activity, etc. ID theft evidence might involve a variety of records and logs as well as time stamps. Times and records commonly referred to as time stamps prove an event took place (for example, an e-mail was sent). Other evidence is in a more familiar form to internal and financial auditors, such as deviations from normal spending behaviour or statements showing large cash withdrawals. Publicised cases have drawn attention to a number of items considered as evidence in case of ID theft. However, there is no systematic recording and analysis of those to aid a digital investigation in such a case.
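The kind of search log that identified the gang's IP address can be correlated against a list of known victims to find sources that looked up several of them. The following is an added example, not part of the original article: the four-field log layout, account names, personal names and documentation-range IP addresses are all constructed, and the function names are hypothetical.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Constructed audit log: timestamp, subscriber account, source IP, name searched.
SAMPLE_LOG = """\
2003-03-01T09:14:07,acct-1001,192.0.2.10,Alice Example
2003-03-01T09:20:41,acct-2002,198.51.100.7,Alice  Example
2003-03-02T11:02:13,acct-2002,198.51.100.7,BOB SAMPLE
2003-03-02T11:05:55,acct-2003,198.51.100.7,Carol Placeholder
2003-03-04T16:45:00,acct-1001,192.0.2.10,Dave Unrelated
not-a-timestamp,acct-9,203.0.113.5,Bob Sample
"""

# Constructed list of identities known to have been misused.
VICTIMS = ["Alice Example", "Bob Sample", "Carol Placeholder"]


def normalise(name):
    """Case-fold and collapse whitespace so spelling variants compare equal."""
    return " ".join(name.lower().split())


def correlate(log_text, victims, min_victims=2):
    """Return (report, rejected): sources that searched for at least
    min_victims distinct victims, and the rows that could not be parsed."""
    wanted = {normalise(v) for v in victims}
    hits = defaultdict(lambda: {"victims": set(), "accounts": set(), "times": []})
    rejected = []
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 4:
            rejected.append(row)
            continue
        stamp, account, ip, name = (field.strip() for field in row)
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            # Keep unparseable rows for manual review instead of dropping them:
            # gaps in the record bear on how reliable the evidence is.
            rejected.append(row)
            continue
        if normalise(name) in wanted:
            entry = hits[ip]
            entry["victims"].add(normalise(name))
            entry["accounts"].add(account)
            entry["times"].append(when)
    report = [
        {"ip": ip,
         "victims": sorted(e["victims"]),
         "accounts": sorted(e["accounts"]),
         "first": min(e["times"]),
         "last": max(e["times"])}
        for ip, e in hits.items() if len(e["victims"]) >= min_victims
    ]
    report.sort(key=lambda r: (-len(r["victims"]), r["ip"]))
    return report, rejected


if __name__ == "__main__":
    report, rejected = correlate(SAMPLE_LOG, VICTIMS)
    for r in report:
        print(r["ip"], r["accounts"], r["victims"],
              r["first"].isoformat(), r["last"].isoformat())
    print("rows needing manual review:", rejected)
```

The result ties searches to an address and to subscriber accounts, which are logical rather than physical links to a person, so it narrows the investigation without identifying an individual on its own.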
Despite the nature of digital evidence, computer records can indeed convict criminals. There are other advantages to digital evidence as well; computers cannot refuse to appear in court, cannot be intimidated and cannot lie.
The Need for Providing Guidance to Forensic Investigations of ID Theft
In a computer forensics investigation, technical issues to extract evidence are combined with the legal and practical challenges, especially in large infrastructures.20 This holds especially true in cases of ID theft, as they may involve a great deal of digital evidence distributed over multiple systems (online, databases, bills, etc.).
ID theft is a rapidly spreading threat that leads to financial loss and an invasion of privacy. As a relatively new method of fraud, fuelled by information technology, ID theft cases introduce challenges to law enforcement agencies that are inexperienced in the forensic examination of ID theft and IT. The previous section highlighted at least three areas where there is a need for research and delivery of a professional's support (dealing with the existing controls and identifying the evidence, a systematisation of the identified related evidence, and evidence reliability assessment).
As there is not currently a lot of research in these areas, it should be the responsibility of the security research community to deliver rigorous proposals that are relevant and can assist the professional practice. There is also an opportunity for professional organisations in the general area of digital investigations to facilitate the forensic practice through the establishment of specialised standards and guidelines for the investigation, in the fashion of the standards for the audit profession.
Such initiatives will facilitate the investigation of Internet identity theft cases and the handling of the related digital evidence, and an investigator/forensic analyst will be:
- Aware of the vulnerabilities in systems and the information collection techniques that may have been used, as well as the trail they leave behind
- Able to identify the ID theft digital evidence trail and assess the evidence reliability
- Aware of the assumptions/conditions for successful implementation of ID theft attacks
- Able to perform an assessment of the capabilities that were required from the perpetrator and profile those for future reference
1 Schweitzer, Douglas; Internet Security Made Easy: A Plain-English Guide to Protecting Yourself and Your Company Online, Amacom, USA, 2002
2 "Identity Theft…How to Deal With This New Crime," www.home-security-action.co.uk/identity-theft.html, accessed 24 July 2005
3 McKenna, Brian; "Cyber Attacks on Banks Double From 2003," Computer Fraud and Security, issue 6, 2004, p. 3
4 Fraud Watch International, www.fraudwatchinternational.com/identitytheft/index.shtm, 2005
5 Op. cit., Porter
6 Cybersource, "5th Annual Online Fraud Report: Credit Card Fraud Trends and Merchants' Response," 2004, www.cybersource.com
7 Op. cit., Porter
8 Hinde, Steven; "Confidential Data Theft and Loss: Stopping the Leaks," Computer Fraud and Security, issue 5, 2004, p. 5-7
9 Wilding, Barbara; session at E-crime Summit, 8 July 2005
10 Goodwin, Bill; "IT Staff Helped Police Crack Bank Fraud Case," Computer Weekly, 24 November 2003, www.computerweekly.com/Articles/2003/11/24/198867/ITstaffhelpedpolicecrackbankfraudcase.htm.
11 Goodwin, Bill; "British Identity Theft Fraud Gang Jailed," 24 November 2003, www.computerweekly.com/Articles/2003/11/24/198901/Britishidentitytheftfraudgangjailed.htm.
12 Dwan, B.; "Internet Scams—Fraud Trends," January-December 2003
13 Potter, Bruce; session at E-crime Summit, 8 July 2005
14 Hynds, Lyn; session at E-crime Summit, 8 July 2005
15 Hamadi, R.; Identity Theft: What It Is, How to Prevent It, and What to Do if It Happens to You, Vision Paperbacks, London, UK, 2004
16 Silver Lake Publications, Identity Theft: How to Protect Your Name, Your Credit and Your Vital Information…and What to Do When Someone Hijacks Any of These, Silver Lake Publishing, USA, 2004, p. 107
17 Ibid., p. 81
18 Hollis, Richard; session at E-crime Summit, 8 July 2005
19 US General Accounting Office, "Assessing the Reliability of Computer-Processed Data," GAO-03-273G, 2002, www.gao.gov
20 Barrett, Neil; lecture at Swansea University, 16 November 2004
Theodore Tryfonas, Ph.D., CISA
is a lecturer at the School of Computing of the University of Glamorgan. He specialises in the field of IT audit and previously worked for a leading auditing firm. He has research interests in the areas of computer forensics and competitive intelligence. His current research includes continuous auditing of ERP implementations and ID theft investigation.
is a senior lecturer at the School of Computing of the University of Glamorgan. She is experienced in computer forensics, systems development and mobile technologies. Her research interests include wireless protocols and security as well as security management. Her current research concerns security and forensic recovery of PDA devices.
is a post-graduate student of the MSc Information Security and Corporate Intelligence course at the University of Glamorgan. He is an associate member of the British Computer Society (BCS). His current research includes identity theft, evaluation and investigation.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
© Copyright 2006 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2006