Season 1 Episode 6: Identity Theft
Bastien: People don’t really know just how easy it is to have their identity stolen. When we perform ethical hacks we use super low tech solutions to find out information about people. This even includes going through garbage bags, looking in people’s mailboxes, and looking on social media. All we need to steal someone’s identity is their address, date of birth, name, and clues to questions like their mother’s maiden name, who their electrical provider is, or what they last spent on their statement. Most of these questions that organisations like banks and government’s ask are very easy to find. So just have a think next time you throw away that electricity bill and perhaps shred it.
It’s not just about personal precautions, corporations should take their employee’s data very seriously. It’s so easy to find out information about employee’s, such as their first and last name, address, and tax file number. All these things can be used to steal a person’s identity, which can then be used to target the organisation. Something as simple as using the account person’s identity to move funds from a corporation’s bank account is going to look far less suspicious than a random person’s identity being stolen.
It really puts the organisations and individuals at risk and corporations just aren’t taking it seriously enough. In fact, when I go in and ask corporation’s about their risk registers they often say that their staff information is pretty low because people already know they work there. But it’s not low, that information and data can be used to massively harm the organisation and the people who work for that organization.
Joining us we have Fegus Brooks, former Head of cybersecurity for AON Insurance, and Professor David Lacey, Managing Director of IDCARE.
David: IDCARE is a national identity and cyber care service available to the community. It’s a charity that provides free and anonymous advice for people that have concerns about their personal information. Whether that originates from a hacking of a computer or a telephone scam or losing your wallet, it’s there to provide that personalised support service for people experiencing those events.
Bastien: When we’re paid to do an ethical hack, the first thing we do is look for individuals in an organisation that have access to some of the targets that we’re trying to get, whether that be data or banks or information. We do that by literally picking up the phone or jumping onto social media to find out as much information as we can about people, essentially trying to steal their information to use it against them. What are some examples happening in the real world?
David: The most common method that people are having their identity or personal information compromised in Australia is actually via the telephone. It’s more of an analogue way of doing things, but most people that engage our services have volunteered their information to scammers thinking that it’s a legitimate organisation. They experience unauthorised access to their online accounts or applications in their name.
Bastien: Some of the information can be benign and you might think it’s completely innocent. For example, we’ve used telephone attacks just to find out whether people are at work or not. If they’re not at work then we know we can access their computer with less suspicion.
David: There are even certain apps as well that allow perpetrators to gain an insight as to whether or not someone’s on holiday or away from their home or work. This can flesh out a unique window for a perpetrator to exploit. A lot of people are good natured and trusting, and probably in retrospect when they’re confronted with these crimes I wish they hadn’t volunteered their information so willingly.
Bastien: Definitely in Australia we see people that are willing to help, which is a good thing, but obviously in the cybersecurity space it’s not so good. We see lots of people handing over information that allow us to build up a bit of a database that can then help us create fake identities. When we’re doing it from an ethical hacking point of view, we’re looking to build up enough information to potentially open up a bank account or to get bills redirected.
One of the reasons criminal organisations do this is because they need a middle person to move money about. So a criminal organisation has found a vulnerability that will allow them to transfer maybe a hundred thousand dollars out of one bank account. Then they need a fake identity to move that into a bank account, and then a means to actually transfer that money into cryptocurrency or some other form where they can actually get it out as a criminal organisation.
David: There are a lot of moving parts to that transnational crime jigsaw puzzle that you’ve just painted. Identity is key to a big part of that. Having someone’s personal information and building someone’s personal information will help enable any number of those key requirements that organised crime has, whether it be establishing a transaction account with a bank or moving money through a remitting service or getting access to government services. The key connection across all of that is getting and building access to people’s personal information and with that, getting access to credentials.
Bastien: Once you’ve built up a bit of a database of people, what football team they follow, the name of their pets, their name of their children and spouse, and birthdays, it becomes very easy to guess a large portion of the population’s usernames and passwords. This gives you access into many different systems.
David: We had a client in country NSW who experienced what we call a mobile phone porting event. Their mobile phone went to an SOS signal, which meant that it had lost its service with the carrier that they were with. The criminal had impersonated them with another carrier and convinced them that they were the actual individual that they were impersonating. They ported their phone number to another device in order to intercept passwords or second factor authentication codes.
That method alone has grown exponentially in the last two years. They want to gain access to the second factor authentication codes for access to banks or government services, even to telco accounts. In performing that act they actually started with the theft of that individual’s mail. As it was described to us in working with that client, what they didn’t have amongst all the information that they managed to collect through the mailbox was their date of birth. But they knew they were a member of a particular gym, so the crooks rang that gym and impersonated the individual and managed to convince them by saying “I’m not sure you have the right date of birth, what’s the date of birth you have in your system?” The gym volunteered that date of birth, and that was a key requirement for the criminals in order to port that mobile phone service and get access to those passwords and codes.
Bastien: We actually use two factor authentication breaches. So you as an individual log on to your online banking facilities, say you want to transfer some money to a new account. Most banks now require second factor authentication. So if you’ve ported the number then you have the code and you can move money around anywhere you want.
David: Two factor authentications are also used for a lot of popular email accounts and government services. Almost all of the misuse crime that we see when an identity has been compromised is very much skewed towards a financial benefit that the criminals are after. Ironically, most of the criminal activity that we see are based offshore. That adds another level of complexity particularly for law enforcement. What can you do about a perpetrator who’s committing these crimes from offshore?
One of the key themes that we’ve seen over the last twenty years is organised crime offshore has actually made this a volume crime. Once upon a time it was opportunistic, like a criminal in Australia pinching a wallet and doing damage with that identity. Now what we’ve seen is that it’s shifted front and centre as a key part of organised crime. That organised crime is not necessarily just focused on identity or cyber crime, they’ve got other criminal interests. But it’s such a critical enabler now as well as being mainstream, it’s a real challenge on how we respond to it.
Bastien: We know a breach costs a business in Australia on average $260,000. What are the steps that an organisation or a person would take? And are businesses putting in place systems to actually deal with identity fraud? For example, if money’s taken and suddenly you owe this large sum of money through a phone fraud attack and you suddenly owe Telstra $120,000, do Telstra work proactively or is it a huge challenge for the individual?
David: To be honest it varies dramatically, there’s no one consistent response to any number of these different scenarios. The risk is fairly consistent – somebody is going to impersonate a customer to get access to products or services, and that’s the same within government and business. We spend a lot of time actively testing responses of organisations, but from the perspective of the consumer. If somebody sets up a personal loan in my name with a particular financial institution, IDCARE would know precisely what the response journey is going to be like in that scenario with that institution.
We have a library of over a thousand of these response plans that we test quarterly. We look at things like whether it’s obvious on their website what a customer in this situation needs to do. Are there multiple and alternative channels of communication I can engage with? Is the advice consistent? Am I transferred multiple times, and am I on hold for over forty minutes? All of that adds to the harm to the consumer. We have the same within the case management centre, if you’re not harmed by the crime you certainly will be by the response. Some are getting better and we’re seeing a lot of positive change and shifts happening with the financial institutions, but there are other industries and government agencies as well that have a bit of maturing to do. That’s a key part of what we’re trying to do there.
Bastien: It can be pretty scary for the individual if they have the loan in their name and obviously haven’t made payments because they never applied for the loan in the first place. The organisations have automated systems that eventually refer you to a credit agency that can affect your credit rating. If it gets that far, how easy is it for them to claw back and get their credit rating reversed, and obviously get the loan out of their name? What is the time period we’re looking at?
David: That speaks to the 20-30 non-consecutive hours responding. To the point about empowering people with knowledge, we all have certain rights when it comes to credit. We all have under the Privacy Act an opportunity to get access to our credit report every year for free. A lot of Australians don’t know that. If we think that our identity has been compromised we have a right to put a ban on our credit file. So that if somebody goes to impersonate you with a bank, the bank will theoretically go to check your credit report and won’t be able to see it because of the ban you put on. That’s also a right we have to apply for free.
Bastien: Do you have any stories of something going very wrong for an individual, a case study of how badly things can get?
David: The one that comes to mind that transcends small business and individuals is a car sales yard in Brisbane that had experienced an attempted ransomware attack. The attacker had sought to convince the business that they would encrypt their files (that’s a little bit different to what we typically see, which is an email with a malicious link that encrypts the files and pops up with a ransom message). In this one the attacker engaged them and said they were about to do it, but the business ignored it. Somebody then had actioned another email that was related to the attacker, and that encrypted the business. They paid the ransom but only a portion of the files were decrypted. The attacker came back and said that they harvested credentials of people that are wanting to test drive their cars. That included scanned copies of drivers licenses, which is a very key and high risk credential from an identity theft perspective.
So another suggestion of paying more ransom was put on the table by the attacker, and the business made the decision that the files that had yet to be decrypted weren’t of use to them and ignored the demands. Then we saw a whole bunch of people who had gone through that dealership calling our services, unbeknownst to them, expressing that they’d experienced loans taken out in their name and all sorts of things. We triangulated those clients with this particular breach. That small business was confronted with the reality that they hadn’t just experienced a ransomware attack, they’d experienced a significant vulnerability to their customers. They reported it to the police and were directed to an online reporting network, but they didn’t hear anything from there. They went to another government agency and then got referred to IDCARE and we worked with them around how to respond to that identity risk to both the business and their staff as well as their customers – and that took weeks.
Fergus: When it comes to families and things like cyber bullying and identity theft, what sort of approach do you think parents should be taking in terms of helping their children to understand what’s going on? Especially taking in account that there is a generational gap.
David: It’s something that absolutely has to start in the home. It’s not a conversation that we should say is the school’s role only. Pleasingly we’re seeing cybersecurity seep into schools, even in primary schools which is great. I think that’s where it absolutely needs to start. I’ve got four children and they’re all under thirteen, and they’ve all got tablets and browse YouTube and other channels. That’s a conversation we have at home frequently around what are the things that they really need to be paying attention to. Not just around cybersecurity threats but around their own behavioural risk in terms of what they might post online or what might come back to bite them when they’re applying for their first job.
It’s a conversation that is very much one that parents or guardians need to embrace, which is difficult. I remember a world without the internet, and for some of our generation and our parents too, it’s an uncomfortable space because it’s filled with mystery and uncertainty – but we need to break through that. There’s a bunch of resources out there that can really help, the eSafety Commission has done some great stuff online that’s pushing facts and information that can help parents and guardians have those conversations.
Bastien: If you’re an individual and you’ve splashed your information out everywhere, and there’s that saying that once it’s online the information can never truly be deleted, what can someone do? Things like their date of birth, football teams, their home address. What are some steps they could take to wind that back?
David: There’s a need to frequently attempt to purge as much as you can the information that you have about yourself that you’ve got control of that may create risk for you. A lot of people think that their names and date of birth aren’t really a high risk type of information, and they’re not. There’s not a lot a crook can do with just a name and date of birth. But once you reach sixteen or fifteen, and you’ve posted your learner’s permit online to show that you can drive a car now, that’s when things can get really risky. We often advocate that on email don’t store the stuff that’s coming through or that you’re sending that’s potentially high risk, like tax file numbers and passport information. Be vigilant about removing that information not just about yourself but others too. Take stock of that and what you’re putting out in that online context.
Bastien: Are there any services that someone could utilise to actually find out what information there is about them online?
David: There are, and there’s more in the US than in Australia. Very shortly we’ll be releasing a capability that will allow people to not just see what’s available about themselves in the surface level web but also what data aggregators may have about you. We’ve been doing some trialling of that for the very reason that we want to empower. It’s the key to all this, because we can beat the drum and ask people to be cybersecure but if we don’t give them the tools and the knowledge to be cyber secure then we’re defeating our objective. Services are limited at the moment in Australia, but we’re spearheading a lot of efforts in that space so watch this space in the next few months.
Fergus: We’ve seen a prevalence over the last couple of years of personal digital assistants that you have in your home, and effectively listen the whole time waiting for a keyword. Once they have the keyword they will perform an action. Do these kinds of devices increase potential risk of identity theft?
Bastien: I think they definitely increase the attack vector. These services that are put in place by the likes of Amazon and Google have been very well thought through generally, obviously using encryption. But people connect them to insecure systems, and once something is connected then you can peel data off all sorts of things. It scares me the amount of times I’ve been to a board or executive member’s home and they’ve got the default username and password on their wifi and home router. Once an individual has accessed your home network and you happen to have an Amazon Alexa there, and it happens to have a default username and password, there are already firmware upgrades that you can do to hack the device which allow interception of streams of data. This could be voice data, video data, text data. It creates risks that the whole of humanity is facing as a challenge at the moment.
Are you seeing some breaches related to IoT that have led to identity fraud?
David: Yes we are, and the ones that come to mind more recently have been car information systems and baby monitors. People will have a conversation with someone and a third party will come in and tell them what they heard. As IoT continues to grow and opportunities present for product and service delivery, quite often the cybersecurity component to that is not necessarily front and centre. For example, in earlier versions of the iPhone if a particular setting was in place Siri could unlock the iPhone for you without having to know the PIN.
Bastien: We’ve even seen with iMessage that if you happen to have someone’s iCloud or Apple account you can spy on the individual’s SMS and WhatsApp messages. There’s also the case when there were parents sleeping in their room, their baby protected by the nest baby camera and all of a sudden they woke up to sexual expletives coming from the baby monitoring system. The attacker managed to turn the lights on in the room and then turn them back off again. They stated on the monitor that they were here to kidnap the baby and they were in the baby’s room. The parent’s bolted to the room and luckily the baby was fast asleep and okay. But it shows the level of control and what people can do with these IoT devices, and how scary it can be as a parent. I would find that absolutely mortifying.
Fergus: It all comes back to this one core premise which is that we are adopting technology before we are securing it. It’s that simple. The internet is a perfect example because we started using it and then we started putting firewalls in, only because we were acting in response to an active threat. We didn’t realise so much that we were opening our doors to the wild west when we connected ourselves up to the internet. Then we’ve seen some of the IoT devices used like IP cameras that people put in their homes to watch their kids and dogs. These were one of the first to be used as a hacking tool against people.
Anything that’s smart can be hacked, and what people don’t really understand is that we’re letting devices into our homes. The vast majority of television out there is smart, they have IP addresses, cameras and apps. I think everyone has the responsibility: if you can connect it, secure it.
David: As a consumer, how do you then retrofit security on that? That’s the point around the fact that we’re asking people to be cyber secure; are we really educating them or are we giving them the skills and tools to do that? In the car example, what was required there was an update of the vehicle’s information system. How does the consumer actually do that?
Bastien: Not only that, we spoke about the Tesla breach where one of the employers was directly accessing the codebase for the Tesla operating system. We’re working with some of the council’s in Australia talking about things like smart cities. One of the requests for our quotation that came out didn’t mention anything about security. We were one of the only companies that approached them to point out that before they think anything about smart lights and smart bins, they should really create a security framework. That is the first step before thinking about any implementation. But you will have council’s wanting to implement smart systems as the first step. If security isn’t at the core of that, then it’s going to be an afterthought and not up to the standard that we’re going to need to protect things like the baby monitor attack or Tesla code injection, whatever it may be that may lead to potential harm down the track.