Cyber attacks and identity fraud are on the rise—partly because it’s easier than ever for thieves to access your most private informationBy Melissa Wade
When friends of Hamilton resident Dusan Lukic received an email from him informing them he’d been mugged at gunpoint while vacationing in London, England, and that his cash, credit cards and cell phone were stolen from him and he needed money to settle a hotel bill, many responded with, “Tell me where I can wire the money.” But one of his friends replied with a more sober thought: “I think your account has been hacked.” He was right. Lukic, though, has some heady company. In 2008, 22-year-old David Kernell, an economics student at the University of Tennessee and the son of longtime Democratic Tennessee State Rep Mike Kernell, hacked into the email account of then Governor of Alaska, Sarah Palin. From a cyber geek standpoint, it was simple stuff. He used Yahoo’s standard password reset feature, provided for users who have forgotten their own password. Kernell discovered Palin’s email address—the now-defunct firstname.lastname@example.org—through publicly available sources, then went about resetting the system. To do so. he had to supply three pieces of personal information: Palin’s birthday, her zip code and the place she met her husband.
As the website JohnCoverdale.com notes, “Before Kernell was arrested, a person claiming to be the hacker posted the following in an online forum: ‘It took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from Wasilla, and it only has 2 zip codes ….The second [security question] was somewhat harder—‘where did you meet your spouse?’ …they met at high school, so I did variations of that: high, high school, eventually hit on ‘Wasilla high.’”
Last spring, actress Salma Hayek had her email hacked into and had private information and travel plans publicly leaked across the internet. But the list of victims goes on and on, and is spreading by the second.
Now, imagine it was your business email account that has been hacked, or that a cyber thief has woven his way into your personal computer and copied your credit card information, addresses, private emails and other tidbits that can be used to commit fraud. That also happens more than you may think, and according to a recent report released by security software maker Symantec, Burlington ranks No. 1 on the list of Canadian cities most vulnerable to cyber attacks.
Dean Turner, the director of Global Intelligence Network Symantec Security Response, says that cyber criminals are increasingly using social engineering techniques to find their way into companies’ systems. Every time you open an email and click on a link or download an attachment, you may very well be handing over your customer’s information to criminals who plan to use it to commit identity fraud.
“That email or attachment can contain a piece of code, a virus, worm or Trojan, which installs a malicious code on that system and then opens up a back door and starts leaking the confidential information off the small business’s system and back to the attacker—that’s one way,” Turner explains. The widespread vulnerability of many systems was confirmed last August in the U.S., when a task force representing the financial industry sent out an alert urging its members to implement many of the same precautions used to detect consumer bank and credit card fraud.
“In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses,” the alert noted of a series of attacks believed to have originated in Eastern Europe. It was sent to members of the Financial Services Information Sharing and Analysis Center, a group operated by financial powers such as American Express and Morgan Stanley.
Among the losses cited by the industry group, an electronics firm in Louisiana was bilked out of nearly $100,000, a school district near Pittsburgh had sued to recover $700,000 and a Texas company was robbed of $1.2 million.
Several companies were infiltrated in the manner Turner describes above, with a targeted email sent to their controller or treasurer, its message containing a virus-laden attachment designed to steal passwords. With that information in hand, the criminals initiated a series of wire transfers, usually in increments of less than $10,000 to avoid the major banks’ anti-money-laundering reporting requirements.
For the same reason break-ins occur more often in homes than banks, small businesses are often targeted simply because there’s the impression they will not have the same level of security protection as a large enterprise. And once a company’s customer or client database is leaked into the wrong hands, things get out of control in a hurry. For one, credit card numbers are sold in the underground economy.
The officer in charge of the RCMP’s Canadian Anti-Fraud Centre (CAFC), Inspector Kerry Petryshyn, says that criminals often use online chat rooms to “exchange best practices” when it comes to buying and selling data. “It’s quite amazing the network they have and how they can find one another on the internet. It’s sophisticated but it also seems quite simple too.”
But these quick and simple exchanges can have devastating, long-term consequences for companies and, subsequently, the Canadian economy. According to the Canadian Council of Better Business Bureaus, identity theft may cost consumers, banks, credit card firms, stores and other companies more than $2 billion annually. Hard numbers are impossible to determine since it’s happening more often than individuals and corporations can keep track of. Which is why cyber theft is a growing concern among Canadian consumers. Over the past two years, the McMaster eBusiness Research Centre (MeRC) has conducted two comprehensive studies of identity theft and fraud in Canada. They revealed that one third of Canadian consumers say that their level of concern about identity fraud is higher than it was a year ago. They’re certainly justified. According to this year’s survey, 6.5 percent of Canadian consumers, or almost 1.7 million people, were victims of some kind of identity fraud in the past year.
Hamilton Detective Duncan McCulloch investigates internet fraud, such as those involving classified ad sites like Kijiji and Craigslist, and says fraud is fast becoming the type of crime most people are likely to be a victim of. Internet fraud, in particular, puts consumers at risk due to cyber thieves’ ability to conceal or create personas.
“The offenders go onto those trading sites using fake names and fake email addresses and post items for sale—usually at a nice discount,” McCulloch explains. “People respond, following the instructions of the offender, and send money, while (the offender) fails to deliver the products.” McCulloch stresses that these sites are generally safe for the peddling of goods. but that consumers must carefully follow a site’s recommendations for trading.
Still, online shopper confidence appears to be waning. The MeRC’s studies revealed that 20 percent of consumers reported that they have stopped or reduced the amount of shopping they do online because of internet fraud and identity theft concerns, while nine percent added that they have stopped or reduced online banking activities.
To combat this decline in confidence, MeRC resarcher Susan Sproule says a company must do more than protect its consumers’ information; it also has to educate consumers that their information is secure.
“With online banking, the banks do a good job of promoting their security. (Similarly), if you know who you’re dealing with—that they’re a reputable organization—you shouldn’t be afraid of shopping online.”
Back in the tactile world, chip technology has decreased the risk of credit card fraud since, unlike magnetic strip cards, the data is encrypted. But Inspector Petryshyn warns that there is a variety of devices used to “skim” information off debit and credit cards, the most common being an easily concealed magnetic reader.
“Some can be very tiny and fit in palm of your hand or your pocket, and hold hundreds of cards’ worth of data—all working off an AA battery,” says Petryshyn. These perpetrators are sometimes staring you in the face, with criminal organizations planting employees, equipped with a magnetic reader, in convenience stores or other small-business facilities.
“If they know that a gas station or convenience store has a high turnover rate and is constantly looking for employees—especially ones who will work night shifts—some organizations will target those places by recruiting teenagers who are willing to work a few shifts solely to help skim card data. Then they either quit or don’t show up again.”
A more sophisticated form will see the planted employee replace the PIN pad terminals or apply an overlay to the machine, allowing them access to customers’ PIN numbers or credit card data.
“They swap it out with one that they’ve compromised and it has its own little circuit board inside that will capture the data, so that the terminal still processes the data and transactions, and nobody knows,” says Petryshyn. “It also has a Bluetooth device inside that transmits the data wirelessly to someone who, say, is sitting out in the parking lot with their laptop computer capturing it all.” One of the most elaborate of these schemes occurred in late 2008 at Toronto’s lavish Elmwood Spa. According to police, three of the accused distracted employees at the desk, while one switched the spa’s PIN pad device with a dummy look-alike. Overnight, a special chip was inserted into the real machine, which recorded credit card numbers and personal data. The following morning, the machines were swapped again. More than a month later, the perpetrators returned and stole the PIN pad. The financial data stored on the chip was used to create gift cards, credit cards embossed with phony names and driver’s licences to confirm their fraudulent identities, police said. At that point, a nearly $500,000 shopping spree commenced, involving 1,241 purchases. It was the first time in the spa’s 30 years of business that its customer security had been compromised, and it took immediate action to secure its systems and train employees. But while credit card insurance covered its patrons’ losses, the Elmwood’s integrity was now, unfairly, in question for many would-be customers.
Aside from credit card and debit data, a customer’s personal information, such as social security numbers or date of birth, are also of value in the underground economy. They can aid a criminal in carrying out more sophisticated ruses such as opening up credit lines at a bank, or committing mortgage or health care fraud.
“The greater the identification data I have on you, the more valuable it is—the larger the potential fraud I can create,” says Petryshyn. To ensure that your data is safe, David Gamero, owner of Burlington’s Braintank Solutions, advises “multiple layers of defense” for its clients. That means anti-virus software, spam filtering and a firewall—not merely at your gateway, but where your servers are hosted.
“We don’t generally like the routers that you can buy at Future Shop or Best Buy,” says Gamero, whose gateway of choice is Untangle and recommended router is Cisco. “They’re great for a small office or home office, but if you rely on your internet connection to do business, you want something that’s really heavy duty and that can really handle attacks when they come.”
Turner from Symantec notes that individual computer systems within the business environment need to be protected as well, particularly considering potential security threats may come from within.
“A small business really needs to take time and decide who has access to their system,” says Turner. “When you look at the statistics, a lot of data theft and data loss occurs from insiders.”
Establishing polices on how employees access systems, as well as identifying the data that needs to be protected and taking the necessary measures to do so, are not merely useful steps in securing customer data—it’s the law, according to the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal private sector privacy law that ensures that customer databases are protected from internal or external threats. Additionally, the Office of the Privacy Commissioner of Canada’s advises businesses to implement controls such as staff training, security clearances and limiting access on a need-to-know basis.
But if, despite your best efforts, your data is still compromised, don’t spend too much time trying to plug the leak. Notify your customers and the appropriate authorities of the data breach immediately.
“In general, notification is viewed as good business practice,” Sproule advises. “Certainly, you’d feel better if a company notified you that there was a breach (as soon as they were aware of it). It lets you take protective action and watch for anything happening with your accounts.” Corporal Louis Robertson, the head of criminal intelligence for the Canadian Anti-Fraud Phone Centre, wishes more businesses reported data breaches. “If somebody asked me what’s the extent of fraud here in Canada, I don’t know,” Robertson admits. “How much are we losing every year? How much do small businesses lose? I don’t know.”
According to the U.S. Department of Justice, North American law enforcement agencies have seen a growing trend in both countries towards greater use of identity theft as a means of furthering other types of crime, from fraud to organized criminal activity, to terrorism. However, detailed statistics are also unavailable.
“We now have some laws on identity theft, but they’re so new that there hasn’t been any opportunity yet to see if we can collect any data out of that,” Sproule notes. “And there isn’t a lot of reporting and prosecution on these cases, so it’s not going to be a big source of data.”
Petryshyn says that up until recently the peddling of client data in Canada was a routine undertaking. But in January, amendments to Bill S4 flagged the early stages of identity-related crime, including “obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently.” An offence carries a five-year maximum prison sentences. In addition, the legislation gives courts the power to order offenders to pay restitution to victims of identity theft as part of their sentence.
Although some laws have been updated to meet 21st century challenges, Robertson says Canada lags behind much of the world in our abaility to combat internet crimes. He also feels that the Bill S4 modification and the introduction of the Anti-Spam legislation are not enough.
Petryshyn says the RCMP has a draft of the National Mass Marketing Fraud Strategy that may provide them with additional resources to tackle more internet crimes. But individuals and companies need to take cautionary measures regardless.
And that includes not sending money to Dusan Lukic the next time he emails you from England.