Showing posts with label identity theft. Show all posts

Thursday, 6 May 2010

Identity fraud on the rise - CIFAS report

UK fraud prevention organisation CIFAS says identity fraud has increased 19.86% in Q1 2010 compared with the same period in 2009, with an over 20% increase in the number of victims of impersonation compared with the first quarter of 2009. But "Overall fraud levels remain consistent, with nearly 60,000 proven frauds identified in the first three months of 2010."

And there's been a 32% increase in "current address fraud", where criminals impersonate people at their current address.

"Not only must consumers dispose of physical details in a secure manner, but they must also ensure that sensitive electronic documents are kept separate from each other. Scanned documents and account details must, preferably, not be kept on computer hard drives but, more preferably, be backed up onto discs and full virus and malware protection products must be in place," said Richard Hurley, CIFAS Communications Manager.

CIFAS table (Identity Fraud includes false identity and identity theft):

| | Jan to Mar 2009 | Jan to Mar 2010 | %age change |
|---|---|---|---|
| Identity Fraud – Granted | | | |
| Identity Fraud – Not Granted | | | |
| Identity Fraud – Total | | | |
| Application Fraud – Granted | | | |
| Application Fraud – Not Granted | | | |
| Application Fraud – Total | | | |
| False Insurance Claim | 138 | 161 | 16.67% |
| Facility Takeover Fraud | 5,856 | 5,617 | -4.08% |
| Asset Conversion | 87 | 119 | 36.78% |
| Misuse of Facility | 12,991 | 12,235 | -5.82% |
| Victims of Impersonation | 20,730 | 26,874 | 22.86% |
| Victims of takeover | 6,211 | 5,717 | -8.64% |

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Monday, 8 March 2010

How to commit identity theft

Bob Walder of Gartner recounts, from Gartner's Identity and Access Management (IAM) Summit, the true story of Bennett Arron who was the victim of identity theft:

"It all started with a mail-shot from a home shopping catalogue company to an old address, which allowed the unscrupulous person now residing at that address to place an order and open an account with the home shopping company. That credit account allowed him to acquire a mobile phone or two. From there it was not too difficult to open bank accounts and obtain credit cards – all in Bennett Arron’s name.

The end result was Arron, who had already given notice on rented accommodation to buy a house, failed to acquire a mortgage, couldn’t rent another property, couldn’t get a line of credit, burned through savings and ended up penniless and living with parents with his pregnant wife. It took him two years to clear his name, by which time property prices had tripled and he could no longer afford to buy a house anyway!"

Arron appeared in a documentary for Channel 4 where at a local shopping mall he social engineered 18 (out of 20) people to give him their personal details, credit card numbers etc, by pretending to be someone advising on the dangers of identity theft!

He also proved how easy identity theft can be, using the example of politician Kenneth Clarke. Walder reported that:

"Arron applied for a duplicate birth certificate in Clarke’s name, and within 3 days it arrived. Using that, he applied for a duplicate driving license from the UK Drivers & Vehicle Licensing Authority (DVLA), which took just a couple of weeks to arrive. As part of this process, the DVLA requested photographs for the license which had to be authenticated on the reverse with a statement from a trusted, non-family member that this was a true likeness of Kenneth Clarke. This Arron completed himself using a false name. Something of a root trust issue, here, I think….

Naturally, with a birth certificate and driving license Arron could have gone on to open various accounts, building up to bank accounts and credit cards. Scary stuff. One good thing came from this – it is now no longer acceptable to use a birth certificate as the sole means of ID when applying for a UK driving license. Wonder if they have plugged that photo certification loophole too?"

It's real life examples like these that bring home how our society has a very long way to go yet in protecting citizens against identity theft. A root trust issue, indeed. As I mentioned in my suggested Data Dozen of identity management for privacy, proper verification of the base information has to be the foundation.


Tuesday, 20 October 2009

Measuring Identity Theft - ANSI's IDSP report published

The American National Standards Institute's Identity Theft Prevention and Identity Management Standards Panel (IDSP) have just released a workshop report "Measuring Identity Theft" (195 pages long, free to download - if you fill in a form giving a bunch of personal details such as mother's maiden name! I say nothing further on that…).

As they put it, the report (my emphasis):

"addresses various facets of how research companies measure identity theft. The report finds that disparities exist in the way that key terms are defined in statute versus in practice—terms such as identity theft, identity fraud, and data breach. This potentially causes confusion in the marketplace and creates impediments to fixing the underlying problems. The publication also reviews research studies and methodologies for studying identity theft and makes best practice recommendations for how research companies should measure and report on the issues."

And highlights include:

  • "A comparison of how key identity theft and fraud terms are defined in [American] statute and in research surveys with a discussion of why they are sometimes different.
  • A catalogue of 166 research studies on identity theft and data breach trends, identity theft protection services and information security solutions, with notes on contradictory research findings, gaps in existing research, and observations on what makes a study useful.
  • A recommendation that identity crime research that is publicized or intended to shape public policy should include a lexicon of significant terms and a methodology statement, with specific elements of the methodology statement defined."


Monday, 12 October 2009

Identity fraud up: National Identity Fraud Prevention week report

A report prepared by CIFAS for UK National Identity Fraud Prevention Week, which started today, includes statistics and tips etc on ID fraud (aka identity theft) and account takeover fraud.

See the report entitled The Anonymous Attacker - A special report on Identity Fraud and Account Takeover, and write ups e.g. by ComputerWeekly and the BBC (which led on firms binning rather than shredding customers' sensitive personal data).

Key findings (as summarised in the CIFAS press release) include:

  • "Over 59,000 victims of impersonation have been recorded in the first 9 months of 2009 - an alarming 36% increase from the same period in 2008
  • The overall number of identity frauds has increased by 33% in the first 9 months of 2009 from 2008
  • Account takeovers have risen by 23% in 2009 when compared with the same period in 2008 - and by a staggering 238% in the last 24 months
  • More than 1 in 2 account takeovers have targeted victims' plastic card (i.e. credit card) accounts
  • Mobile phone account takeovers have already more than doubled in 2009, from 2008 levels
  • The South East London (SE) and Birmingham (B) postcode areas are the fraud hotspots for both identity fraud and account takeover - while, more surprisingly, Guildford (GU) and Reading (RG) both appear in the top ten fraud hotspots for both types of fraud."

The ID Fraud Prevention website has guides on ID fraud prevention, but interestingly you have to give them your name, company and email address in order to access the guides - even when you're interested in protection for yourself as an individual, so that the name of the company you work for should be irrelevant. Unless I'm missing something?


Thursday, 6 August 2009

12 minutes to clone UK identity card

A disturbing article in the Daily Mail reports that it took computer expert Adam Laurie just 12 minutes to clone and fake a UK identity card borrowed from a foreign student (foreign nationals living in the UK have to have ID cards). (More on Adam Laurie and biometric passports, Bluetooth.)

He just used a standard Nokia mobile phone and read the information on the RFID chip embedded in the borrowed ID card, and copied it to a blank plastic smart card (the Oyster card is an example of a smart card). Tada, clone!

That's right, details on an ID card can be stolen and duplicated. Bye bye privacy and security, hello identity theft.

Another expert, computer security consultant Jeroen van Beek, then led a team which, based on the work of computer scientist Peter Gutmann, changed and "relocked" the data on the datagroup files in the clone's chip so that it would be accepted as genuine. Tada, fake card!

The "look and feel" of an identity card can be duplicated to pass a visual inspection (or blank cards can be stolen). The fake card might not pass a check against the National Identity Register database, but at £2 a pop to check against it not everyone will bother (and no doubt organised crime / terrorists will be able to inject false details into that database in due course - too many people already have access to the National Identity Register's "precursor").

But it did pass a check using the Golden Reader Tool, software produced by the UN International Civil Aviation Organisation to read and validate electronic IDs and passports according to the standards they set. (The Mail had to download the software instead of trying the falsified card in a UK card reader, as no official electronic card readers are available yet in the UK except at borders.)

Security has got to be paramount with something like this, and the Daily Mail experiment proves that UK identity cards are far from secure; it's much too easy to fake or reprogram them, clearly. Indeed ID cards may even make life much easier for organised criminals and terrorists, as people may well believe government assurances on security and too readily accept faked cards as genuine.

Given that the final ID card for UK nationals (see UK ID card design recently unveiled) is likely to be similar to the one cloned and faked by the Mail's experts, and certainly said to use the same technology, all this is very worrying indeed.

It's even more worrying that UK Home Office officials' reaction to this seems to have been the equivalent of sticking their fingers in their ears and going "La la la".

See further the detailed Daily Mail article, which is a must read. (See also Why RFID chips (passports / ID cards) are stupid.)
