Understanding how simple fraud techniques work

phenomlab

Identity theft and fraud have been commonplace for a number of years, but have taken on various different forms. Several years ago, the basis of identity theft required the perpetrator to gain as much physical information as possible concerning the intended target. With the onset of personally identifiable information attributing individuals being siphoned out of businesses, and GDPR regulation landing in 2018, I thought it would be a good idea to get an article out that identifies the most common types of identity fraud, and how easily information can be obtained - not necessarily through social engineering, but from your own rubbish.

What is needed to commit identity fraud ?

Such information would typically be anything that could be classed as “personally identifying” – mail for example. A utility bill could be presented as proof of identity in order to obtain services or other financial gain by impersonating that individual. Most mail we receive through the postal system these days is often junk, but the odd element will contain a wealth of information that is a gold mine to an identity thief looking to commit fraud.

Before the onset of the internet as we know it today, an identity thief had to work for this information in ways that are seldom deployed in today’s threat landscape (but still used nonetheless). Such activity meant sorting through rubbish (or trash – dependant on your locale), with the sole aim of finding material that could be used to perform impersonation. This activity has actually become simpler and cleaner over the years, mainly thanks to new recycling laws that separate the real rubbish from what an identity thief is looking for. In actual fact, all any potential thief has to do is steal the recycling bag itself – thus not only improving productivity, but also increasing the chances of extraction dramatically. Nobody is going to be that concerned about their rubbish going missing – they threw it out, so asking for it back would raise the inevitable question as to why you disposed of it in the first place if you wanted to keep it.

Anything with your name and address on it is an excellent start, but it isn’t enough. For this to be beneficial, an identity thief would need your date of birth. You’d think that this would be difficult to obtain. In actual fact, it isn’t. Using a variety of techniques, an identity thief can extract this information from other sources such as electoral systems, census records, and most family tree research systems. The information will be buried yet available somewhere, and it just needs to be exposed. How much time an identity thief needs to invest in this activity varies dependant on the prize – nobody wants to be knee deep in rotting produce unless there is a significant reward at the end of it.

Why is a date of birth so important ?

Your date of birth is often required when completing loan applications (for example), and without this, an identity thief cannot procure services or gain access to a financial source easily. It’s like the missing piece of a puzzle. Without that piece, you have most of the picture, but not all of it. Any missing components required for identity theft to be possible can also be extracted from sources much closer to you than you’d think. Using a variety of techniques – most of them social – any thief can extract the required information without too much effort. The most common approach is to leverage social media.

The identity thief pretends that they know the individual to one of your friends or associates, and is then able to engage them in conversation. The incredible fact about social media is that people tend to post a variety of information that they probably wouldn’t if they were to think twice about it, and this vulnerability is surprisingly simple to exploit. Facebook, for example, allows you to see the profiles of any other connection your new “friend” has, and vice versa. Too much information in these profiles that is on public display is the low hanging fruit that is required for identity theft to become a realistic prospect.

As this technique relies solely on trust, and the source of the information provides the missing pieces of their own free will and volition, no crime is actually committed. Trust is the key element for this method of extraction to succeed – and in most cases, it does.

My post box is susceptible ? Why ?

Another simple mechanism of obtaining information is intercepting post intended for the target. This sounds like a difficult task, and for housing estates, you’d probably have to kidnap the postman in order to gain access to the mail (just kidding). However, there have been some occasions where mail has been inadvertently given to someone else impersonating the occupier of the intended address. This practice was rife at one point, and now most postal services will not hand over mail unless they can post it through the letterbox, or leave it at a designated collection point.

And here is the real vulnerability. In apartment blocks, flats, or shared complexes, mail is typically left in mailboxes that require a key to access. The idea being that the intended recipient holds the key, and collects their mail from the mailbox. In most cases, it is a fairly simple process to either extract mail from this box via the letter opening (it sounds crazy, but you can actually get your fingers into the slot and if someone left a parcel, a letter could be sitting on top, and be within easy reach), or use brute force to break the lock and gain access this way. In the UK, personal post boxes aren’t commonplace if you live in a house, as the doors often have letter boxes designed to deliver directly into the property - enhancing security. This isn’t necessarily the same for multi-dwelling apartments, but in most cases, each door has it’s own letterbox. I recently had a new door fitted to the front of my house, and it had no place for a letterbox. Based on this, I decided to purchase a wall mounted post box. Despite being made of metal and looking sturdy, it was simple to gain direct entry to without the keys through the opening at the top. This was designed to accept parcels and standard letters, but in most cases (for me anyway), was wide enough for a hand to reach inside and intercept mail. Not sure what I’m getting at ? Have a look at the below

The picture above is my (hairy) hand and arm inserted into my own post box - it’s a little difficult to see the full effect, but it does give you a clear indicator of how simple this method of retrieving mail actually is. Various fraud and identity theft instances have been reported over the years, and the extraction point is often identified as the mailbox. As outrageous as it sounds, an identity thief could (and this has actually happened in the past):

• Apply for a loan in your name
• Intercept your post for the application form
• Sign this as you, and return the form
• Wait for the loan to be approved
• Collect the requested loan amount from the account they setup in your name
• Not repay the loan, leaving you responsible for the total amount as far as the lender is concerned.

Once an identity thief has access to your personal information. they can then use this to create new identities to sell onto others. And it is not just the living that have been subjected to this type of fraud. The deceased are often the target of identity theft, as there is generally nobody to question or challenge this, unless a relative receives a demand for payment of an outstanding debt that has been accrued since they passed away. As simple as it sounds, a thief just needs to review the obituaries in the local newspaper to identify a potential target. This will contain the name, age, and in several cases, the date born – or a simple mechanism of retrieving this information.

Given the relatively simple steps above, you are able to see how identity theft works. Not so complex after all, is it ? So how can we prevent it, or at the very best, lessen it’s impact ?

• Arrange for your bank statements and utility bills to be sent to you electronically, and not by post
• Regularly check your bank accounts for unauthorised or unexpected activity.
• Perform frequent credit checks to ensure that you are not being denied credit or being blacklisted – either of these is a sign of recent identity fraud.
• Do not place sensitive documents in your recycling unless they have been shredded – preferably by a cross-cut device to prevent reassembly. A bag of ribbons is unappealing to an identity thief
• Secure your letter or post box in such a way that makes tampering very difficult, it not nearly impossible. My advice here is to abide by the law, and not make the device a booby trap if opened.
• Do not become complacent – exercise caution when disposing of or storing sensitive documents
• For the truly paranoid, there’s a galvanized incinerator. It sounds technical, but is really just a bin with a chimney, designed for burning paper and garden waste. You may need to check with your local authority before using one of these - there may be conditions governing their use in restricted areas as the smoke emitted can be quite unforgiving to drying laundry in neighbouring gardens / yards, or hazardous to breathe in dependant on proximity and the material being burnt.

Deploying these simple techniques can reduce your chances being exposed to risk of identity theft, and you’ll be surprised at just how effective they can be.

Remember - each of these techniques relies on the sole point of vulnerability - human nature. Don’t expose your identity unnecessarily.