In-Depth

Social Engineering Bypasses Information Security Controls

Identity theft draws media attention; phishing attacks skyrocket

• By Mathew Schwartz
• 03/09/2005

Identity theft is on the rise. Two incidents in recent weeks have driven increased interest in how companies store, protect, and sell personal information about consumers.

For example, ChoicePoint, a broker of personal information, was targeted by scam artists. Using about 50 fake businesses as fronts, the scammers were able to open authorized ChoicePoint accounts and purchase about 145,000 reports on consumers.

More recently, Bank of America said backup tapes related to its SmartPay credit card went missing. Reportedly 1.2 million credit cards, some belonging to government users, are affected. Some investigators say baggage handlers for commercial airlines may be to blame, but the tapes remain at large.

The upshot of the thefts: a pending Senate investigation, cries from consumer watchdogs for increased regulation, and the possibility of legislation to do that from Congress, if not a number of state governments. The attacks are also notable because attackers used largely non-technological means to circumvent information security controls.

The old security adage, of course, is when breaking into a house, don’t pick the front-door lock when the back door is already open. Similarly, identity thieves are gravitating toward the path of least resistance, and lately that seems to be social engineering.

“Given a revenue model at some of the information sellers that favors low upfront costs, economies of scale, and inattention to applicant background, hackers and crackers are dusting off their social skills,” notes Forrester Research analyst Lou Agosta.

While Forrester hasn’t studied ChoicePoint’s security mechanisms, the analyst firm says “it is likely that the purpose of the business process that authenticated the scam accounts was to facilitate booking the revenue being offered for access to the data warehouse of information.” In other words, says Agosta, “it was designed to make it easy to take the revenue, not to prevent obstacles such as delays and background checks on the applicants.”

Few economic incentives exist for information brokers to safeguard the personal information they sell. For example, today ChoicePoint only legally has to comply with California’s SB 1386 law, which requires disclosure of the security incident and notification of anyone affected. Beyond that, ChoicePoint says it will pay for a year’s subscription to the major credit-reporting agencies for affected consumers. As pundits note, this doesn’t help consumers whose identities have been stolen and who must now put in their own time and effort to combat identity thieves.

Identity Theft Increases Overall

Despite the uproar and apparent lack of in-place security controls at ChoicePoint, this identity theft incident isn’t rare, except perhaps in its scale.

According to the Federal Trade Commission, “Consumer Sentinel,” its database for tracking consumer fraud and identity theft, logged 635,000 complaints of identity theft and fraud in 2004. About a third of those complaints related to identity theft. The other two-thirds involved fraud, with Internet-related losses comprising half of all fraud.

All told, “consumers reported losses from fraud of more than $547 million,” says the FTC. About half of reported fraud losses related to Internet auctions.

Internet-related identity theft is also on the rise. Internet- and e-mail-related identity theft are also on the rise, having increased—as a percentage of all identity theft—from 1.4 percent in 2002 to 1.6 percent in 2003 and 1.8 percent last year.

Of course so-called phishing attacks—e-mails disguised to resemble those from well-known banks and auction companies, among others—are helping attackers wrest personally identifying information from end users. According to the Anti-Phishing Working Group (APWG), spoofed sites are predominantly financial services, followed distantly by ISPs and retail sites.

Phishing attacks increased 42 percent just from December 2004 to January 2005. Yet “the number of phishing Web sites supporting these attacks rose even more dramatically,” says APWG. “In January, there were 2,560 unique sites reported, a jump of 47 percent over December, and more than double the number reported just three months ago in October.”

New Phishing Attack Trends

In January, a new type of phishing attack also surfaced. It uses “cross-site scripting to redirect URLs from popular Web sites in order to better present themselves, and as a means to prevent blocking,” notes APWG. One example, it says, uses the Lycos search engine. Attackers take the URL Lycos generates for the Web site used by attackers—simply the search engine’s directory listing for that site—then forwards this Lycos link instead of a direct link. The end result: if a user clicks on the link, is they go to the Lycos directory, which immediately then redirects them to the attack site. “We suspect that this type of attacks may be one of the reasons why the number of sites that have no hostname is down from 63 percent in December 2004 to 53 percent in January 2005.”

Attackers are also getting savvier about sneaking malicious code—especially keystroke loggers—through corporate firewalls. “Password stealing Trojans are not just coming through e-mail. We have seen multiple attacks through Microsoft Messenger where Trojan Horses and password-stealing keyloggers are run,” says APWG. Beyond attacks via instant messaging, unpatched versions of Internet Explorer remain a problem. Various worms—including Bankos Trojan, Banks-De, Bropia Worm, Buchon.c, and Goldun—exploit the vulnerabilities to ultimately steal passwords.

Given the magnitude of the theft of information from ChoicePoint, and the overall growth of other kinds of identity theft, the bottom line for companies is, information security is more important than ever for protecting information. That’s true no matter whether it’s against worms cruising for sensitive information, or scam artists skipping through an authentication process.