What Happens When Your Identity is Stolen?

It’s downright depressing. Just when you’re having the most fun and getting the best values from life online, shopping and using your hard earned credit, the crooks show up and trying to spoil the party by stealing your identity! We all know the drill when our accounts or records are compromised: change your passwords, reissue your IDs, check your credit reports. But who knows what really happens behind the scenes when identity theft occurs? I do and if you’d like to know more, read on!

The term identity theft covers a variety of crimes from fraudulently using credit cards, to getting free medical care, to having your bank account drained. The most common form of ID theft is someone using your credit card number to buy stuff or to impersonate you to obtain services for free. Among the most popular services are Uber rides and premium access to adult porn sites.

The scale of personal information theft is mind boggling. Here are some examples:

• The Internal Revenue Service reported back in February of 2016 that the data breach uncovered the previous year was much larger than the over 100,000 American taxpayers first reported. That in fact some 700,000+ taxpayers had their personal information hacked. They claim the Russians were to blame, but really, who cares. The bottom line is that identities were stolen that will be used to file fraudulent tax returns and get undeserved refunds charged to unsuspecting Americans for years to come.
• In November of 2016, AdultFriendFinder, an X-rated website, was hacked. Approximately 412 million users had personal information stolen. Stolen data included e-mail addresses, passwords, IP addresses and more.
• In September of this year, Yahoo announced that a minimum of 500 million accounts were hacked over a year ago. E-mail addresses, passwords, full user names, dates of birth, telephone numbers, security questions and answers were stolen. It’s hard to top that, but in December the company announced another earlier breach in which one billion, yes, with a B, Yahoo accounts had their personal information stolen.

And the beat goes on! Pay taxes? Use the internet? Chances are your identity has been compromised and is for sale right now on the Dark Net.

But how does this Dark Net work? In a nutshell, way back when the military created the internet
it was unindexed. That is, that there wasn’t a search engine like Google or even Netscape to find stuff. You had to know where anything was to find it. This worked fine for the military at the time but as the internet grew from government sites to message boards and chat rooms to todays behemoth, many old data bases and sites were never indexed. These leftovers form the basics of the dark or unindexed net. And it’s big. The indexed web we use is about 10% of the overall internet. The remaining 90% is dark or unindexed. A popular browser used to get around the dark web is TOR. TOR is a free communication software for the unindexed or Dark Web. The name comes from “The Onion Router (TOR)” because it moves information without leaving traces, encrypting data that is nested like the layers of an onion. In addition to encryption, it uses about 8,000 computer relays to hide a user’s location making it more difficult to track. TOR has a legitimate use in protecting privacy especially that of political dissidents plotting in repressive regimes. Oh, yes and that of crooks too!

The breach typically occurs when a Zeus virus or other malware is slipped into a database. This can be done via a link from an email or by an unwise click from someone within a network, say someone who works at the IRS or Target, etc. The malware gathers up personal identification and financial data depending on the type of cyber criminal. Some are foreign governments who either use hacked information internally or sell it to other intelligence services. In the case of commercial data breaches such as Target/TJ max and others, financial or account information is made available on the Dark Web for crooks to buy. Typically the data is bundled and sold at automated sites similar to Silk Road, the famous drug site, using bitcoin currency which is also difficult to trace.

Stolen data is relatively cheap to buy. For example, your email logon information sells for about a dollar each, e-commerce account info (eg: Amazon, PayPal) sells for anywhere from $2 to $80 depending on balances available. Surprisingly, dating site identities sell for $4 to $10 each. The dating site premium is due to the profitability of romance scams. The adage, “Love Is Blind,” really takes on a new significance when you can’t see if the person on the other end is really the person you think he or she is.

Although less common but potentially more serious, people who use stolen personal data to steal an identity and then open new accounts can do the most damage. They are fewer in number than those who use stolen card info to buy things online. While the latter can be located anywhere in the world, the former type of identity thieves need to be located in the USA. They use open source information to establish identities and get loans and drain accounts. Stolen personal data is used to gain entry to social networking sites. These sites, like Facebook and LinkedIn, offer insights into personal data such as birthdays, where you went to school, kids and pets names and other info that can aid in the breaking of passwords or answering secret challenge questions. With this information new accounts can be set up and existing accounts pirated; credit reports can be ordered from open source sites and account numbers reconstituted. For example one provider may truncate the beginning of an account number while another may truncate the last digits. Following this approach, getting entire account and social security numbers isn’t very difficult.

In the final analysis, it may well be impossible to prevent identity theft in the future as so much personal information is already out there from past data breaches and open sources like Facebook and public records. Cloud servers used for backup of our data may be located outside the US and with varying levels of encryption or security. As of today, there is no transparency in how sensitive information is transmitted and stored.

In addition to the safeguards I suggested in my article last month, you might consider employing credit card agility (turning over cards before they expire to get new numbers more frequently), freezing credit reports (before not after fraud occurs) to keep new accounts from being issued and signing up cards and financial accounts for double authentication may help. Also on the bright side, the elves at FICO are developing a cyber risk transparency tool called the FICO Enterprise Security Score to allow consumers to know if the companies they are doing business with have good or poor security protocols.

I’d like to acknowledge and thank Brendan McHugh, Deputy District Attorney for San Diego County and Director of the Computer and Technology High Tech Response Team for his generous time and technical advice on this topic.

Good luck!

Have any experience with online identity theft? Share with us below!