Gallery

Who's the biggest threat to your identity? You.

Posted on 18 Apr 2007 at 11:05

People are divulging more and more personal data online. Davey Winder finds ID thieves can compile an alarming dossier of data on their victims.

The crime statistics are worrying enough: ID fraud costs the UK £1.7 billion per year and is the nation's fastest growing crime, while the ScanSafe Annual Global Threat Report revealed there was a 310% rise in the number of web virus attacks that sought to steal money from bank accounts during 2006.

Yet the stark reality of ID theft is even more alarming. Take a (not so) anonymous colleague of ours here at Dennis Publishing, who was approached out of the blue by a "data miner" with a huge dossier of information about him including his home address, journey to work, job, salary and intimate personal details of his life. All of it dredged from the internet without much effort.

The amount of personal information we voluntarily place online without any apparent thought for the security consequences is shocking. This was highlighted by Infosecurity Europe research last year, when commuters at London's Victoria station were asked to part with personal information for the chance to win a chocolate egg. Every single respondent gave their address and postcode, 90% home telephone number, 82% date of birth, 80% mother's maiden name, and 86% their pet's name. On social networking sites, people don't even need the chocolate incentive to part with sensitive details.

Companies can use this data to conduct checks on potential employees, criminals can use it for ID fraud, the mentally unbalanced as the basis of a stalking campaign. Without a doubt, the biggest threat to your identity is you. We'll reveal how this data can be mined, and what you can do to protect yourself from digital identity danger.

Social networking spies

The advent of sites such as MySpace, LinkedIn, Friends Reunited, Bebo and millions of deeply personal blogs has seen people inadvertently putting huge amounts of personal data online that can be collated into disturbingly detailed profiles. Spend half a day following your own trail on these sites and you'll soon realise that it's ridiculously easy for anyone to garner your date of birth, interests, names of friends and family, occupation, education, home and business address, names and ages of your children...

"As we grow up, we're told not to trust strangers, but Web 2.0 is all about meeting strangers, building relationships and sharing experiences," says Greg Day, security analyst at McAfee and member of the Cyber Security Industry Alliance (CSIA). "Many of us are over-willing to post information about ourselves, and the technology excites us into sharing this online." A dangerous thrill when you consider that in recent weeks the McAfee Avert Labs (www.mcafee.com/us/threat_center) has seen information, such as MySpace data, being openly sold on the dark underbelly of the web.

While this is disturbing, it's worth remembering that much of the information found on social networking sites is what's known as "second tier", meaning it can be used to gain confidence, but not to validate identity on its own. Gather enough pieces together, though, and "a competent social engineer could easily validate the information and use it to gain more valuable information," warns Steven Cox, principal security consultant with Computer Associates.

Wandering around multiple online communities gathering information might be the modus operandi for the cyber-stalker or occasional background checker, but it would be highly unproductive for the professional identity criminal. So what techniques do they use to harvest data? As chair of the security and privacy group within Intellect, the UK trade association for hi-tech industry, Rob Navarro knows better than most that many of these techniques will focus on data linking. "This involves discovering pseudo identifiers, combinations such as date of birth, gender and postcode, and then using these to link publicly available data," he explains, adding "profiling allows for tailoring of services that would otherwise be untargeted and annoying."