There has been much made of the lapse in Apple Inc's security processes, or lack thereof, in recent days with the catastrophic failure of cloud services infrastructure and the account security breach suffered by Wired.com journalist Mat Honan.
Through a combination of exploiting the different – and seemingly unrelated – security practices of some of the world's most well-known online companies, a string of partial truths and critical pieces of information were collated by Honan's digital assailants into a successful assault on and conquest of his online identity. Through deft wielding of "social engineering" to bypass security protocol, the hackers in question compromised Honan's digital assets. Over the space of an hour, his Apple iPhone, iPad and MacBook Pro were all systematically reset, and the digital information on these physical devices and associated cloud services like iCloud was erased. It's more the pity that our unwitting target lost a trove of personal memories in the form of photographs of his young family and a historical narrative from the previous 12 months. Memories like this are irreplaceable.
More about this tragic tale of digital invasion can be found here:
– Apple Insider: Apple tech support ‘socially engineered’ in hack of journalist’s iCloud account
– Wired: How Apple and Amazon Security Flaws Led to My Epic Hacking
This post is not about this particular tale – rather, it is a prompt for imparting some of my experience in helping to prevent this type of thing happening to you in this hyper-connected world. It's based around trying to give an insight into the type of data that hackers are interested in.
Much has been written about how the explosion of social media in recent years has enabled a level of sharing and connectivity which has, up to this point, been unrivalled in history. At no other point has it been so convenient, and unobtrusive, to 'check up' on your friends via Facebook, Twitter and other mediums to see what they are doing.
As a consequence, people's natural filters preventing key pieces of information from being disclosed are lower. What doesn't help matters is that these social media properties often continually update and refine the interface and the privacy filters, so that users are often left wondering what is being disclosed. Two major instances of the interpretation of privacy changing in the past 3 years were when Facebook introduced Beacon, and the introduction of the concept of 'Subscribers' via Timeline and the option to publish your posts to "public".
Beacon trials started to present information about users and their browsing/spending/buying habits based on their cookie-laden search histories. For example, if I went to visit the North Face Facebook page and clicked on a link to their website about a new Goretex jacket, which took me to the website, this would be reported onto my Facebook wall as activity. Friends would see my activity on the North Face page and the items I would be looking at. This "sharing" of content went too far in most people's eyes. Pity anyone who was looking at the jacket as a present for their partner. Or their mistress. Or both, and they find out about each other.
The change to revealing your newsfeed or timeline to the public as a default setting via "Subscribers" caused an uproar when it occurred. The backlash that met Facebook for setting this as the default view, whilst simultaneously burying deep within the settings the ability to revert it, caused consternation among many people that Facebook's closed garden status had come to a crashing end. Facebook reverted the change within a matter of days of this occurring, but the knock-on effect from a negative press perspective still haunts them now. Any adjustment to their privacy settings or their privacy policy, even an inconsequential one, is met with a furore of press publicity. Coverage about how the creation of subscribers impacted on people's timeline, and what you can do about it, can be read here: http://www.paulspoerry.com/2011/facebook-timeline-privacy-how-to-take-control/
Privacy online is a moving target, with no real governance around what is “appropriate”.
Some background. 15+ years ago, I worked in retail, on the floor, selling product for a number of years early in my career. This ranged from a little bakery in a regional town to the largest of the major department stores in the Melbourne CBD and a well-known national retailer. As I got more experienced and tracked the course of my career, an unfortunate reality I learnt from my erstwhile mentors is that the more people you work with, the more likely it is you will encounter individuals that will take every opportunity to steal or 'procure' items, assets or services for material gain if they don't think they will get caught. The ironic thing is that they know it's wrong, but due to whatever circumstances they find themselves in, if the chances of getting caught are low, they will have a try. When I tell people my experience here, it's either met with utter disbelief that people could act in this way or – in the minority – a weary nod of understanding and resignation.
Regardless of the drivers, which is an entirely different topic, the outcome is that humanity's capacity to act in an ethical fashion is at times stretched more than we would like to acknowledge.
This forms the basis of what is termed 'identity theft': the practice of gaining another person's identity and using it for one's own purposes. The types of people that practise the art of 'procuring' personal information are really interested in any of the following:
Primary Information
Protection of primary information is what falls onto most people's radars. They are relatively aware (to a certain extent) of the need to protect this information. However, what is less widely known or understood is that there are other useful and critical pieces of data which online thieves like to target:
- First Name, Surname, Middle name
- Mobile/Cell Phone Number
- Birthdate
- Postal Address
- Home Address
- Driver's Licence
- Credit card numbers (Main & CVV)
Of the above, people have a natural tendency in our real-world economy to be circumspect and protective of their home address. But I see every day signs of 'data fatigue', in that people are less protective of their birthday and mobile number.
The most critical of these is the birthdate – it is the security key to almost every default security process that requires human interaction. In the past, before social media, it was commonplace not to disclose this as freely as one does now. However, MySpace, Facebook, Twitter, you name it, they want your birthdate so that they can deliver a more personalised – read advertising – experience to you. Adverts for holidays at the snow and ski equipment pop up on my Facebook feed. When I put down that I like to travel to France, miraculously, hours later, adverts to ski somewhere in France pop up. This is the world we live in now.
Secondary Information
The items in the Primary Information list are pretty self-explanatory as to why you would like to protect them. The below is what I term secondary information, and by its nature it is less protected.
- Library card number
- Healthcare card number
- Health insurance number
- Gym Membership
- Car Number plates & Registration
- Store membership numbers e.g. Myer, David Jones, Starbucks, Nespresso
- Utilities company details – Electricity, Gas, Water, Telephone
- Cable TV subscription details
When looking at the above, many people say “Really? Why would they like my library card?”
Any focus on identity theft is around trying to recreate the critical "hidden" bits of information from the pieces that are more freely available. The term "social engineering" has been coined for the process whereby information is gathered and pieced together through clever and at times artful questioning and dialogue with people who unwittingly disclose key pieces of seemingly unrelated information. In relation to the video store card, the most targeted parts are the postal address and the billing address. They can be the same. They can be different. They can be changed. So if you have a postal address on the video card, you can change this easily enough, with no real ID. They say photo ID. Colour printers and a laminating machine have changed this, so that the 16-year-old kid who mans the counter at the video shop doesn't, in the main, really care about such foibles as identifying a fake ID. This continual chipping away at the fringe IDs leads to a gradual takeover of other pieces of secondary information: gym membership leads on to library card membership, leads on to car dealership service records, leads on to the cable TV bill, leads on to the telephone bill, on to the electricity bill, the gas bill and the holy grail: bank account details. It happens. Every day.
What people fail to think about is this: people who are in the business of identity theft are INCREDIBLY patient. The best of them are also incredibly organised and thorough, leaving no tracks at all. They use state-of-the-art security, equipment and process, and know every single loophole to block and be wary of – because this is exactly what they use on unwitting you.
3rd Party App Developers
Apps being installed on Facebook is something I'm very wary of. Recently I have been getting a spate of requests to join the app 'My Birthday'. This is being sent by well-meaning friends who want to keep tabs on when my birthday falls. This is nice and all, but from my perspective, whilst Facebook can have my birthdate so that I can have targeted adverts sent to me, I'm less likely to give my (in this case) birthdate to a 3rd party app developer.
Here's why: Facebook pays its employees the best salaries in the industry to code and protect its consumers' data. Its great success is that, up until now, it has successfully protected an absolutely mammoth amount of personal information with the elite of the elite in terms of database and security experts that money can literally buy.
Facebook's reputation and notoriety are such that they work hard to prevent the type of public relations disaster that would cascade them down to the depths of hell if any of their users' data was leaked. They invest heavily in making sure this eventuality never happens.
Any 3rd party app dev house? Maybe. Maybe not. The risk needs to be assessed on each and every case. is not worthwhile.
It is for this reason that I'm a strong advocate of not having your birthday showing as visible on your profile. Don't give your 'Friends' the opportunity to have a go at stealing some of your personal information. Remove your birthday from Facebook's visible profile. The friends that matter will know when your birthday is.
Action points:
– Remove your birthdate from visible status on social media sites. Better still, create a false ‘birthdate’ which you use online for social media properties.
– Uninstall apps from developers who aren't well known or that you don't use anymore. Well-known would be high-profile organisations such as your bank, mobile carrier or household brands like Nike, Virgin, Apple etc.
– Don't have the same password for different websites. If the security of one of them gets breached, your would-be assailants are stonewalled at that one site.
Ongoing:
– Run quality antivirus & firewall software. The cost of $30 to $50/year is far outweighed by the inconvenience of a keystroke logger being loaded onto your computer and putting you through the pain of closing down your bank accounts, getting a new driver's licence and reconnecting your household utilities.
– Change your passwords regularly on a secure, clean computer. Regularly should be every couple of months. In reality, at LEAST every year.
– Scrutinise your 'friends' list on Facebook, LinkedIn and Twitter every now and again and remove those people who you decide shouldn't be there anymore. It's social media. It's not an invitation to your wedding. Those that will kick up a stink, well – you probably don't want to hang out with them anyway. I run an easy rule on mine – who would I happily have around to my house for dinner? Taking it one step further – who would I let babysit my children? THAT sorts out your 'friends' list quick smart.