Growing crime outstrips security efforts, experts warn
Gillian Shaw
Sun
Identity theft is the world’s fastest-growing crime and the organized perpetrators behind it are outpacing security efforts to slow it down, security experts warn.
“The problem is not going to stop,” Timothy Mullen, special ops security at anchorIS.com, said in a presentation at the Westcoast Security Forum 2005 held in Vancouver recently.
“It is the fastest-growing crime in the world.
“Stupid people can commit the crime and get away with it. You don’t need to be a cat burglar.”
Mullen’s words were echoed by other experts who pointed out that the ease with which identity theft can be carried out and its lucrative returns have made it an attractive investment for organized criminals. They are taking over from the so-called “script kiddies”‘ and hackers who carry out attacks simply for the notoriety and ego boost it brings them.
“There are two types in tier one that really scare me,” John Hill, security evangelist with McAfee said. “No. 1 is organized crime.
“It’s the best start-up investment you could make.”
Hill said a country such as Russia has plenty of trained, out-of-work hackers who, with a $20,000 to $30,000 investment in computers and a place to work can create a business that generates huge returns.
“You can buy credit cards from them in bulk,” he said.”If they give you a card number that’s invalid because it has been cancelled, you can send the guy an e-mail and he’ll say ‘no problem,’ he’ll give you a good one.”
“It’s out there and the problem is we can’t trace this guy.”
While security specialists around the world are working overtime to mitigate the threats, the malicious hackers outnumber them.
Hill said another source of threats that is far scarier than the script kiddies is the “state-sponsored terrorist.”
Hill said in one case, a U.S. energy company had six gigabytes of data pulled off its systems and it was traced as far as a university in China where the trail disappeared. Hill said university networks are favoured points for hackers to launch attacks since by their very nature, they are fairly open and a user can disappear among the thousands of people on the system.
“The beautiful thing about a university is that you can get into a system that has tons of points to get in — you can walk into a dorm, go to the library, go into a faculty building and from there you can launch your attack.
“You are not hiding in a company with 200 employees, you are hiding in a university where there are thousands of people.”
While companies are stepping up their security measures and patching vulnerabilities in their software systems faster that every before, they are still lagging behind the bad guys.
Hill said it is expected that some time in the next two years the Internet will see a “zero day” worm — a malicious attack that is launched to exploit a vulnerability in software the same day the vulnerability is announced. So far, the shortest time has been the two days it took for the Zotob virus to emerge to exploit a Microsoft vulnerability.
Hill said fraud artists are using stolen credit card numbers to cash in with small transactions that are spaced widely enough so that they don’t trigger an alarm with the cardholder.
“It used to be someone would take a credit card and run it until it maxed out or was cancelled,” he said. “The new way is to do a $20, $30, $50 transaction and then they don’t do it again for three or four months.
“The user just thinks it’s a mistake, it gets corrected and you don’t think it’s a big issue.”
Multiply those small transactions by thousands of cards and the person using the stolen card numbers can make a hefty income.
Altering or creating an identity doesn’t necessarily require a high degree of technical sophistication. Timothy Mullen of anchorIS.com told conference delegates of how he was able to use an expired driver’s licence to fly across the U.S. and rent a car at his destination, simply by using CorelDraw to recreate a new temporary licence and switching the 2004 expiry to 2005.
Mullen, who is from the U.S., blamed lifetime social security numbers that identify people for making identity theft easy to carry out. He proposed a system that would have a mechanism for cancelling numbers in the case of security breaches.
“It’s the gift that keeps on giving,” Mullen said of the theft of social security numbers. “The guy who works in a pizza parlour now may be working in a weapons facility 10 years from now.
“The guy who steals the information is going to keep it in his database forever. This is organized now. It may not have current value but it certainly has future value.”
While use of an individual’s social security number is more widespread in the U.S. with commercial transactions than in Canada, in a later presentation, Steven Johnston, senior research and policy analyst with the Officer of the Privacy Commissioner of Canada, warned people against sharing their social insurance number with companies.
“How many people have been asked for their social insurance number for commercial activities, to rent a car, to rent a video,” he said. “The risk is the social insurance number will become the de facto global standard.”
In Canada, companies are not allowed to ask for a social insurance number as a condition of carrying out a transaction.
© The Vancouver Sun 2005
