Most people recognize there are risks to online privacy but may not be fully aware of the various ways that personal information about them can be stolen through the Web. People can be lured to malicious Web sites designed to deceive them into revealing their personal information or unknowingly download malicious software to their computer. Even worse, legitimate sites can be compromised to host attacks called drive-by downloads. This chapter describes the online risks to identity theft and the technological means for protecting individuals from losing their personal information while surfing the Web.
TopIntroduction
In the physical world, an individual’s identity is verified by legal documents including passports, driver’s licenses, birth certificates, and identification cards. Identity can also be authenticated by biological features (such as fingerprints or DNA) or demonstration of secret knowledge (passwords). Naturally, online identities can not rely on physical evidence. Instead, online identities are authenticated by personal information such as names, national identification or Social Security numbers, addresses, driver’s license numbers, telephone numbers, account numbers, credit card numbers, and passwords or PIN numbers (Berghel, 2000).
Generally, identity theft is the gain of an individual's personal information for fraudulent purposes. In the U.S., the Identity Theft and Assumption Deterrence Act of 1998 was the first federal law to explicitly make identity theft a federal crime. An individual commits identity theft when the person:“knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law”
where the “means of identification” was amended by the Identity Theft and Assumption Deterrence Act of 2003 to be “any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual” including: names, social security number, date of birth, driver's license, national identification number, alien registration number, passport number, employer or taxpayer identification number, unique biometric data, electronic identification number or routing code, or “telecommunication identifying information or access device.”
The law recognized that individuals affected by identity theft are victims, where previously only credit organizations suffering financial losses were seen as victims. The law made it easier to prosecute perpetrators with penalties up to 15 years imprisonment and fines up to $250,000. As a federal crime, identity theft is investigated by the Secret Service, the Federal Bureau of Investigation, and other law enforcement agencies. The Federal Trade Commission was enlisted as a clearinghouse for complaints and assistance for victims.
Millions of consumers in the U.S. are affected each year, costing consumers and businesses tens of billions of dollars, according to the Federal Trade Commission. On average, a victim resolves a fraud at a personal cost of $500-1,400 and over 30 hours of time. Identity theft can be even more costly to businesses. In addition to fraudulent charges, businesses could be subject to legal complications for lack of compliance with laws and regulations. The Gramm-Leach-Bliley Act requires all financial organizations to have appropriate security standards to protect customer information. The Fair and Accurate Credit Transaction Act (FACTA) of 2003 is an amendment of the Fair Credit Reporting Act placing responsibility on corporations to protect personal customer and employee information at a risk of state fines up to $1,000 per violation and a federal fine up to $2,500 per violation.
There have been many low-tech ways for criminals to steal personal information, for example, dumpster diving, mail theft, court records, computer (particularly laptop) theft, cell phone theft, and social engineering. Social engineering scams take advantage of human nature to deceive victims. A caller might claim to be an employee at your credit card company checking on your account for suspicious transactions; in the process, you need to verify your personal details.
However, the World Wide Web offers another convenient avenue to steal personal data in a number of ways. First, web servers holding personal account data are attractive targets to attackers and can be attacked like any other computer system. In particular, web servers with back end databases may be vulnerable to SQL injection attacks. Second, the web has enabled phishing attacks luring consumers into disclosing their personal information on spoofed web sites. Third, the web is being used as a vector to distribute various forms of malicious software (malware), including viruses, spyware, bots, and Trojan horses.