This chapter is from the book
This chapter is from the book
This chapter is from the book
Identity Theft
Identity theft is a growing problem and a very troubling one. The concept is rather simple, though the process can be complex, and the consequences for the victim can be quite severe. The idea is simply for one person to take on the identity of another. This is usually attempted to make purchases; but identity theft can be done for other reasons, such as obtaining credit cards in the victim’s name, or even driver’s licenses. If the perpetrator obtains a credit card in someone else’s name, then he can purchase products and the victim of this fraud is left with debts she was not aware of and did not authorize.
In the case of getting a driver’s license in the victim’s name, this fraud might be attempted to shield the perpetrator from the consequences of his or her own poor driving record. For example, a person might get your driving information to create a license with his or her own picture. Perhaps the criminal in this case has a very bad driving record and even warrants out for immediate arrest. Should the person be stopped by law enforcement officers, he or she can then show the fake license. When the police officer checks the license, it is legitimate and has no outstanding warrants. However, the ticket the criminal receives will be going on your driving record, because it is your information on the driver’s license. It is also unlikely that the perpetrator of that fraud will actually pay the ticket, so at some point you—whose identity was stolen—will receive notification that your license has been revoked for failure to pay a ticket. Unless you can then prove, with witnesses, that you were not at the location the ticket was given at the time it was given, you may have no recourse but to pay the ticket, in order to reestablish your driving privileges.
The U.S. Department of Justice defines identity theft in this manner:6
- “Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain.”
The advent of the Internet has made the process of stealing a person’s identity even easier than it used to be. Many states now have court records and motor vehicle records online. In some states, a person’s social security number is used for the driver’s license number. So if a criminal gets a person’s social security number, he or she can look up that person’s driving record, perhaps get a duplicate of the person’s license, find out about any court records concerning that person, and on some websites, even run the person’s credit history. Later in this book, we will examine using the Internet as an investigative tool. Like any tool, it can be used for benign or malevolent purposes. The same tools you can use to do a background check on a prospective employee can be used to find out enough information to forge someone else’s identity.
Phishing
One of the more common ways to accomplish identity theft is via a technique called phishing, which is the process of trying to induce the target to provide you with personal information. For example the attacker might send out an email purporting to be from a bank, and telling recipients that there is a problem with their bank account. The email then directs them to click on a link to the bank website where they can login and verify their account. However, the link really goes to a fake website set up by the attacker. When the target goes to that website and enters his information, he will have just given his username and password to the attacker.
Many end users today are aware of these sorts of tactics and avoid clicking on email links. But unfortunately, not everyone is so prudent, and this attack still is effective. It is also the case that the attackers have come up with new ways of phishing. One of these methods is called cross-site scripting. If a website allows users to post content that other users can see (such as a product review) the attacker then posts, but instead of posting a review or other legitimate content, they post a script (i.e., JavaScript or something similar). Now when other users visit that web page, instead of loading a review or comment, it will load the attacker’s script. That script may do any number of things, but it is common for the script to redirect the end user to a phishing website. If the attacker is clever, the phishing website looks identical to the real one, and end users are not aware they have been redirected. Cross-site scripting can be prevented by web developers filtering all user input.