By Ubong Kingsley-Udoh
Identity theft can simply be defined as the crime of obtaining another person’s personal or financial information in order to make unauthorised transactions, access accounts, create new accounts, or perform fraudulent activities. The oftenness of this crime has risen at a steady pace, and criminals often use electronic means to obtain the personal information needed to carry out this crime.
Any personal data is vital to perform ID theft and aid in crafting believable spear-phishing emails that can appear to be sent from trusted sources. Through this activity, an attacker can gain control of the target device, enabling access to more PII (Personally Identifiable Information). Information such as age, salary, phone numbers to mention but a few is very critical for an ID thief to succeed in stealing an identity.
The threat actor’s motives may include but not limited to attempts to ruin reputations, create legal conundrums or cripple financial status. The attackers come in various shades or forms like Hacktivist, disgruntled former/current employees, cybercriminals etc. All of these factors result in a deepening cyber risk environment and therefore requires greater vigilance on the part of individuals to protect private information.
PERSONAL INFORMATION RELATED TO PERSONALLY IDENTIFIABLE INFORMATION
A mix of Identifiers/Credentials could constitute PII
MAIN IDENTIFIERS
ACCESS CREDENTIALS
PHYSICAL
Full Name/Previous Names
Account Numbers
Height
Address
Email Addresses
Weight
Date of Birth
Medical Information
Eye Colour
Driver’s License Number
Biometric Information*
Race/Tribe
Phone Number
Mother’s Maiden Name
Gender
Travel Passport Number
Passwords/PINs
Eye Colour
*Common biometrics information include Fingerprints, Voice, Iris, Signatures etc.
In 2015, the threat landscape was quite fierce. The threat is real as evidenced in some research by the US Department of Justice, Victims of Identity Theft Report 2015 who lost US$10 Billion and in Nigeria, ID theft constituted about 47% of total losses by the financial system to cyber-criminals in 2014. These unfortunate tide needs to be stopped and the subsequent paragraphs will focus on how to mitigate identity theft using these triads — Systems Mitigations, Behavioural Mitigations and Best Practices for Monitoring.
MITIGATIONS — SYSTEMS (Hardware, Software, Services)
There are several steps that can help protect hardware, software and services against ID theft and this includes securing systems, constraining exposure (physical & logical), applying software restriction policies, and service partitioning. The areas that require keen interest include home networks, storage, games, mobile devices, eMail services, authentication and applications.
Home Network
Home networks are very personal, the more reason why it should be secure. In security, the best offence is a great defence. Home networks need consistent updates to patch against web infection. Basic anti-virus has firewall capabilities and this goes a long way in eliminating threats. Browsers and browsers plug-ins (e.g. Flash) must be updated, automatic updates should be enabled and users could consider disabling Java in-browser. User privileges should be limited such that accounts for children and guests should be separated from the main account. Passwords should be changed periodically and wireless access points and domain name servers should be made secure.
Storage (USB Flash Drives, SD Card, File Sharing, Backups, Hard Drives)
The media devices must be sanitised through virus scanning or reformatting. Autorun capability must be disabled and media items should be accessed using non-privileged accounts (e.g. guest). Make use of document viewers to have a peek view first instead of full applications. Prior to disposing of removable media, computer or smartphone with fixed media, delete all the data or physically destroy the media.
Games and Applications
Games from untrusted or unknown websites should not be downloaded or installed. Users should avoid filling in their personal information during game installation, surveys, sweepstakes, promotions etc. Geo-location services should be turned off. The level of access privilege allowed by an application should be lowered. Opt-out of any multi-sharing request between different applications e.g. Twitter wanting to synchronise with Facebook and vice versa.
Authentication/Passwords
Most online services use password-based authentication by default. To achieve a considerable level of security, passwords should be made complex, and the same password must not be used for multiple accounts. Most services offer password reset questions based on various personal information. Often time, these questions have answers that can be used to facilitate ID theft when discovered. There are newer methods that can be used to mitigate these threats and create a wholesome authentication process like physical tokens widely used in the financial services sector. Many others allow the use of a second authentication channel such as SMS with a passcode.
Email and Cloud
eMails or eMail attachments from untrusted sources should not be open. Opening eMail attachments from untrusted sources can spread malware and sensitive information can be accessed via malicious means such as phishing. For optimum protection, eMail filters must be turned on, anti-malware and virus scans must also be enabled.
Mobile Devices
Physical control of the device must be maintained. Virus scanner should be installed to help detect any intrusion activity. Only install a trusted application. An integrity scan should be performed where applicable. Utmost caution must be applied when using public Wi-Fi networks. Bluetooth, Wi-Fi, GPS technologies should be turned off when not in use. If a device is inactive, enable automatic screen locking.
MITIGATIONS — BEHAVIOURAL
ID Theft isn’t just a technical issue. Human behaviour is a perplexing subject matter and it takes planning and effort from an attacker to get vital information from an ID theft victim.
Online Interactions
There are tons of impersonators on the Internet these days and it’s of utmost importance to know who’s receiving your personal and financial information. Personally Identifiable Information shouldn’t be given out via phone or eMail unless you are the one initiating the communication or the contact is a trusted source. For example, if a bank claims you have an account with them and ask you to send a PII, do not click links in the eMail. Instead, access the company’s website from a browser and contact them directly through their customer support desk to confirm if the company sent the request truly or not.
Offline Interactions
The best form of security is physical security. Financial documents, bank cards not used should be locked in a safe. Before providing PII, inquire why it’s necessary. Furthermore, ask how the PII will be kept safe and also, the consequences of not sharing. Make sure you shred every piece of paper containing financial information or passwords that are no longer used. Before disposing of a computer or mobile device, make sure you wipe out all the information and delete the device tie-up with any cloud account.
Social Media
Social Media platforms are somewhat vulnerable these days and users should desist from providing too much information that captures habits and interests such as shopping or entertainment choices etc. Other information that should be minimised includes personal address and phone number. Do NOT accept invites from total strangers on social media platforms. Make sure you establish and maintain relationships with known people.
Travel
When travelling, it’s advisable you use cash to purchase personal items. Try and maintain a low profile while embarking on trips. Friends and family members should desist from posting your travel plans on social networking sites.
