Fear and loathing online

23 Jun 2008

ID theft video

How the nightmare of identity theft is coming true in the digital age

Identity theft is one of the fastest-growing crime waves known to mankind and one of the newest forms of crime to hit these shores. Victims of this insidious type of wrongdoing may not know they have been targeted until they are denied a loan or discover their credit card is maxed.

In some cases they may find themselves subscribed to illicit websites that could harm their reputation, or find that an online version of themselves has been used to bully or harass others.

An entire picture of someone’s life may now be assembled from unlocked Bebo or Facebook profiles, from online CVs on jobs websites, by paying €10 for a copy of a birth certificate from a General Registry Office, through intercepting postal correspondence for bank statements or simply by going through the contents of their bin for old Visa receipts.

Irish citizens may be shocked to learn that only slivers of legislation – defining how their PPS number is used – are protecting them from the widespread identity fraud sweeping economies like North America and the UK, where with a little information and ID, bank accounts can be established.

They may also be shocked to discover that due to inconsistencies in both Irish governmental and bank infrastructure, once they become a victim, they could remain victims for a very long time.

The loss of data by bodies that should know better became abundantly clear earlier this year when the Irish Blood Transfusion Board had a laptop containing 175,000 blood-donor records stolen in New York. Luckily, the laptop was encrypted. However, only weeks later it emerged that laptops belonging to Bank of Ireland containing 31,000 customer records were also stolen in the past year.

While Bank of Ireland says customers who find themselves victims of fraud will be reimbursed, the burden of proof will be on the victim and a fraud can occur at any time over the next decade.

Another issue is who can you trust with your personal information? Last year, it emerged that a civil servant in the Department of Family and Social Affairs acted as a mole for his criminal brother and passed on information including PPS numbers and financial information. This resulted in a burglary and a separate attempt to extort money from three businesspeople.

In the case of EuroMillions lottery winner, Dolores O’Mahony, it emerged that a number of social welfare officers and revenue commissioners decided to snoop through her files. Someone went and sold that information to a tabloid newspaper.

Digital Footprints

Detective inspector Paul Gillen, head of the Garda Computer Crime Investigation Unit, which is part of the Bureau of Fraud Investigation, agrees the onus is on citizens to be vigilant about the physical and digital trail they can leave behind.

“In the past 10 years, the whole community of Ireland has been digitised in terms of computers, mobile phones and debit and credit cards. Information has become a valuable resource – it’s worth money. Your personal details are worth money. People need to take care of their personal information, which could be misused, or they may find themselves at a loss.”

Gillen says identity fraud is not as common in Ireland as in bigger countries, such as the US. “Because we’re a small country you have a lesser degree of anonymity and when you open a bank account in a local branch, staff may know you.”

But he says if information thieves really want to know about you, it only takes a little effort. “If you really target someone you can gather a lot of information. Just do a search on someone and you’ll know if they’re speaking at a conference, where they work, what hotel they might be staying in.”

At present, the Revenue Commissioners argue the case that bank accounts which yield an interest rate of over €635 should be accompanied by the holder’s PPS number. This could be a disaster in terms of fighting identity fraud, says deputy Data Protection Commissioner, Gary Davis.

“The main reason ID theft has been contained in this country is because we don’t operate like the US where a unique identifier like a social security number is used. There’s a vigilant fight underway with organisations that request PPS numbers when they don’t have a legal basis for doing so.

“The main protection against identity theft in this country is the fact that people have to go to some length to establish their identity with address information. The reason we haven’t experienced the same level of ID theft is the fine line that exists with PPS numbers.

“We’re in ongoing engagements with the Revenue Commissioners and the Irish Bankers Federation to make sure it doesn’t happen here and turn into a free-for-all. If banks do have to use PPS numbers, it will have to be written into financial regulations that numbers are used for tax purposes only and not as a unique identifier or to be open to abuse,” Davis warns.

The threat to identity is not only about information criminals can access through stealth or by corrupt insiders, but also the trail individuals themselves leave behind on the internet.

A survey of 300 Irish users of social networking sites by consultancy Amas earlier this year found that 10 gave their email addresses, two Bebo users posted their full addresses, 62 Facebook users gave their full dates of birth and nine MySpace users revealed their salary details. Some 100pc of Facebook users gave their full names, compared with 80pc of Bebo users and 13pc of MySpace users.

“There is an obligation out there that the people who collect data treat it confidentially and make sure staff don’t access it frivolously,” says Fiachra O’Marcaigh of Amas.

“However, the other danger is the information you are putting out there yourself. While social networks are being used by young people, and that is every parent’s concern, the bigger issue is that every single one of us leaves a digital footprint on everything from the credit card to the supermarket loyalty card or electronic toll card.

“Social networking and ID theft are frontline issues, but behind that is a broader and deeper and more widespread question relating to the huge amount of information being recorded about all of us,” O’Marcaigh cautions.

Don’t be evil?

One of the largest repositories of data out there belongs to Google. With services including Gmail, iGoogle, Picasa and Google Docs, it stands as one of the biggest custodians of personal information. Should we trust Google?

“Privacy for us is about giving the user transparency and choice. What is important to understand is that much the same sensibilities exist in the online world as the offline world in terms of how, where and in what way we use and share our own personal information,” says Iarla Flynn, European policy manager for Google.

Taking the example of photo-sharing service Picasa, Flynn explains the user is always in control and has the option to keep pictures private or share with trusted friends. The choice of making this information available to a broader audience rests with the individual.

“Our policy is to provide useful, secure services with the necessary privacy and safety measures built in. We cannot tell people what to do, but obviously we encourage people to think about how they are sharing information online. We want our users to make informed decisions,” he adds.

To this end, users can minimise the amount of information that could potentially fall into the hands of an identity thief. Online chat can be kept off the record, and searches can be carried out without signing into your Google account.

Despite these options, the EU has clashed with Google in the past over how much and for how long our personal data can be stored in the ether. “The internet was created as a single global communications architecture. Sometimes it doesn’t fit neatly into national or EU laws.

“This is a key policy area for Google and we are working with government and other stakeholders to develop policies which will allow the internet to continue to function as an engine of innovation,” Flynn adds.

To a certain extent, you may be able to choose what information you supply to a search engine or social networking site, but recruitment websites Monster.com and Jobs.ie were the most recent Irish examples of attempted ID theft, when thousands of members’ CVs were illegally downloaded.

James Galvin, chief technology officer of Irish firm Glandore Systems which provides software for the recruitment industry, says this is increasingly becoming a rich source of identity theft. “A CV contains a name, address, employer, previous employer, educational background and in some cases, date of birth, hobbies, affiliations and references. All this builds a treasure trove of information which could lead to fraud or identity theft.

“This is the fastest-growing crime in the US. On their CV, people outline so much of their life in a one-page document – they are vulnerable to identity theft if the document falls into the wrong hands,” he explains.

While Jobs.ie alerted members within 24 hours that their CVs had been subject to a security breach, this is not always the case, and there is no legislation to make breach disclosure mandatory.

“Nobody can know their data is safe if breach disclosure is not mandatory. We have no idea how common these data breaches are. In my own experience, my brother received a phone call from Monster.com staff to say his account was hacked on two occasions in the past few months, leading to thousands of CVs being stolen, but on neither occasion was the breach disclosed.

“This leads me to wonder how many of the thousands of other companies are receiving similar phone calls,” says Galvin in disbelief. In other words, by the time someone has stolen your identity or applied for a credit card with your personal information, you won’t know until your loan application is rejected.

Burden of proof

Simon McGarr of McGarr Solicitors in Dublin says the legal position is that unless there is a consequence for an organisation’s failure to protect your data, ie you can prove you have been the victim of identity theft as a result of that data breach, you do not have cause of action.

“This is a lacuna in the data protection law. The question is what are the sanctions for this kind of behaviour and the answer is there are none, unlike other jurisdictions where there are at the very least data breach disclosure laws.”

There is a very strong argument as we move towards a world of digital-based storage – even more so than the one we have at present – that victims of a data breach should be alerted as quickly as possible, says McGarr.

“The difficulty for you is your information is floating out there and you do not know where or when there is going to be a cost to you for that loss. At the moment, you must live in fear something might happen to you in the future.”

Owen O’Connor, a security expert with the Information Systems Security Association (ISSA), says this is precisely the danger the 31,000 Bank of Ireland customers currently face. “These people could become victims of ID fraud at any point in the near- or long-term future. The bank says it will compensate any customer affected but what are the parameters on that? The burden of proof is on the customer to prove that if they were defrauded the fraud was due to the laptop theft. How are they going to do that?”

O’Connor also says while Ireland has so far weathered the ID theft storm better than most countries, it is not very well equipped to handle specific ID fraud situations.

His view is fuelled by personal experience. “I was living in the US and became a victim of identity fraud. Immediately my bank put a hold on my credit report and blocked my identity. I was able to sign up for an identity monitoring service that monitored my credit report every few hours. I had plenty of options.

“In Ireland, I have very few options. I can get the bank to freeze my accounts alright but the only way I could get the Irish Credit Bureau to monitor my credit would be to have it send me a monthly report that comes in the post after a week. There’s no concept of a credit freeze in this country.”

The fact of the matter is, says Brian Honan of online security consultancy BH Consulting, each time you entrust your personal data to an organisation you are exposing yourself to a certain amount of incremental risk of identity theft.

“It is important people give their details to reputable companies which have comprehensive privacy policies and can provide assurances that all reasonable measures will be taken to protect that data.”

While the internet has increased the chance of identity theft by criminal gangs operating globally, Honan says studies have shown most identity theft is committed by someone known to the victim rather than a complete stranger.

There are also more obvious ways you can give a helping hand to the identity thief: “People dumping PCs into recycling centres without securely deleting their information from the hard disk are leaving themselves at risk of identity theft. It has been known for people to approach the recycling centres looking to get their hands on discarded PCs.”

“Also, very often discarded PCs are sent to developing nations to be reused there and can lead to personal data falling into the wrong hands.”

Even more ‘old school’ is the practice of rummaging around in green bins for discarded receipts and bills, says McGarr. “One of the best investments you can make to prevent identity theft is a good shredder,” he adds.

By Marie Boran and John Kennedy
