You have accessed an archived page on the Public Safety Canada website. This material may be outdated. Please consult our new site for up-to-date information.


Information Note Number: IN04-002
Best Practices for Preventing Online Identity Theft
19 August 2004

Purpose
With the increased prevalence of identity theft incidents perpetrated online, this Public Safety and Emergency Preparedness Canada (PSEPC) Information Note is being issued to provide best practices for preventing identity theft.

Audience
This paper is primarily intended for owners and operators of Canadian critical infrastructure who should be aware of any potential threats to the security of their mission critical information.

Background
On 3 April 2003, AusCERT, the Australian Computer Emergency Response Team, issued an alert warning against numerous websites that are designed to glean personal and financial information from unwitting customers. The alert warned of "attackers constructing mimic sites to lure customers of online banking and other forms of electronic payments into accessing fake sites rather than the original." These sites were designed to fraudulently divest users of their personal (age, gender, marital status, Social Insurance Numbers - presumably for data mining purposes), financial (credit card, account and banking login numbers), and sensitive (personal and corporate passwords) information.1

These actions are often referred to as, but not limited to, "spoofing" and "phishing." Spoofing refers to impersonating a trusted party: either by sending messages whose IP address indicates they come from a trusted host in order to gain unauthorized access to computers, or by duplicating a legitimate website for fraudulent purposes. Phishing refers to the act of sending e-mails to users falsely claiming to be from trusted enterprises in an attempt to gather personal, financial and sensitive information. Often, the e-mails contain a subject and message intended to alarm the recipient into taking action. Users are then sent to spoofed websites.

In the intervening year since the AusCERT alert, a number of highly publicized incidents have occurred.

  • On 9 July 2003, the Massachusetts State Lottery Commission website was spoofed. The fake website asked visitors to provide their credit card and Social Security Numbers, along with other personal information, and to pay a US$100 processing fee2.

  • In mid-July 2003, a mass e-mail circulated advising recipients that an order made on www.bestbuy.com used their credit card information, and asked the recipient to follow a link to the company's fraud department web page. The link actually directed users to a different website masqueraded as the Best Buy website, which requested their personal information.3

  • In late-July 2003, a website spoofed PayPal (an online payment site) by attempting to deceive PayPal customers into divulging sensitive account and billing information. The site instructed PayPal customers to go, via an e-mail message that appeared to come from the company, to the site: www.paypal-billingnetwork.net.4

  • In June 2004, fraud operators launched a phishing attack against RBC Financial Group by sending customers what appeared to be a legitimate e-mail request from RBC asking for names, account numbers and personal identifiers to verify customers' standing due to "increased fraudulent activity." If a person clicked on the e-mail, went to a spoof site and entered personal information, hackers could obtain the information in order to access those accounts.5

According to the 2003 Computer Crime Survey conducted by the Computer Security Institute in conjunction with the FBI, nearly 13 percent of respondents had been the victim of identity theft in the past year in the U.S. In total, losses from identity theft in the U.S. in the past year are estimated to be approximately US$50 billion. At a summit of private and public sector U.S. banking and financial sector officials on 15 December 2003, it was assessed that fraudulent activity directed at the financial sector via the Internet will likely increase in 2004.6

Most recently, on 6 July 2004, PSEPC issued an Advisory (AV04-028) regarding a Trojan horse hidden inside so-called "pop-up" advertisements that appear on screen without warning. Clicking on the "close" button to get rid of the advertisement triggered the Trojan to attempt to secretly install itself on the computer. The malware was programmed to wait until the user began logging on to their Internet bank account, where it tried to steal personal details, such as passwords, before the information reached the bank. This Trojan horse was aimed at customers of nearly 50 banks around the world.7

Best Practices
Since the malicious actors who create spoofed websites or craft false e-mail solicitations go to great lengths to mimic the corporate personas of those they are copying, such impersonation activities have proven successful at capturing personal and financial information from unsuspecting consumers for the purposes of identity theft and subsequent financial fraud. All of the elements of the trusted corporate profiles are duplicated in the e-mails and spoofed sites including login pages, company logos, site banners and purchasing information.

PSEPC suggests a number of best practices, which can help businesses and consumers protect themselves from identity theft while they are using the Internet.

Businesses
As businesses move portions of their services online, they may become vulnerable to attacks associated with the new medium. Responsible online retailers have responded by providing concerted programs to educate customers about fraudulent activities on the Internet. As a fundamental part of this education, businesses should:
  • inform customers exactly what information the company will, and will not, ask for on websites or via e-mail. If personal, financial or sensitive information must be exchanged, businesses must clearly indicate under what conditions that exchange will occur. For example, a retailer will only ask for a credit card number when completing a sale on its properly secured site. The same retailer will never ask for a credit card number via e-mail. PSEPC recommends that businesses make their customers aware of their business practices with respect to the exchange of potentially sensitive information several times a year.

  • provide customers with information on inquiring about or reporting suspicious e-mails and websites.

  • ensure that they are listed as the registrant and responsible entity for their corporate website, rather than the web designer.

  • clearly advertise their valid website addresses on all corporate stationery, letterhead and advertising to ensure consumers are conscious of the proper corporate universal resource locator (URL).

  • protect customer security by registering variations of their corporate website domain URLs. For example, www.googel.com will still take users to the proper web address, www.google.com.

Consumers
PSEPC recommends that Internet users exercise vigilance with online activity and perform due diligence on all parties involved in online transactions. As well, consumers should:

  • install and frequently update a proven antivirus software product.
  • ensure that browsers and operating systems (e.g. MS Windows) are up to date and that security patches are applied.

  • be suspicious of any e-mails with requests for personal, financial or sensitive information. Reputable websites will not normally ask users to disclose this kind of information via e-mail.

  • not fill out forms in e-mail messages that ask for personal, financial or sensitive information.

  • use caution with links supplied in e-mails. Do not click on links in e-mails if you suspect that the message might not be authentic (e.g. if you don't recognize the sender or understand the subject or message).

  • always verify they have the correct website address for sites that require users to authenticate by providing information such as a password. Users should change passwords regularly, use hard-to-guess passwords (e.g. using a combination of letters, numbers, and characters including both uppercase and lowercase format), and never share passwords with anyone.

  • use caution when locating a site through an Internet search engine, since it is not always possible to distinguish a fake site from a legitimate one. Consider creating a bookmark or favourite entry for important websites to ensure the valid site is visited every time. As well, look for a company's privacy policy or a link to its privacy statement when visiting its website. Pay attention to what information the company gathers, how it's used, and with whom it's shared.

  • always ensure that a secure website is used when submitting credit card or other sensitive information via your web browser (the browser usually shows a secure-connection indicator, such as a padlock, in the status bar).

  • contact the organization via telephone if there is any doubt as to the veracity of an e-mail or website. Do not use the phone number provided by the suspicious e-mail or website.

  • always report phishing e-mails to the organization first. Users can report incidents to local law enforcement agencies to officially open an investigation.
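The consumer advice above (be wary of e-mail links, verify the website address before authenticating) and the business advice to register variations of the corporate domain can both be checked mechanically. The following Python script is an added example, not part of the PSEPC note: it extracts the links from an e-mail body, compares each link's host against a constructed allow-list of an organization's legitimate domains (including defensively registered typo variants), and flags links whose visible text names one site while the underlying address goes to another, links that merely contain the brand name, and links that use a raw IP address instead of a domain name. The sample e-mail, the brand name and the allow-list are all constructed for the example; the `paypal-billingnetwork.net` host is the spoof address cited in the note's background section.

```python
"""Added example: a simple e-mail link checker illustrating the note's advice.
Nothing here is PSEPC code; the allow-list and sample e-mail are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the organization's real domain plus typo variants it
# has registered defensively (the note's www.googel.com / www.google.com idea).
BRAND = "paypal"
LEGITIMATE_DOMAINS = {"paypal.com", "paypa1.com", "payapl.com"}

# Constructed sample e-mail body in the style of the incidents the note describes.
SAMPLE_EMAIL = """
<p>Dear customer, due to increased fraudulent activity please verify your account.</p>
<a href="http://www.paypal-billingnetwork.net/login">www.paypal.com</a>
<a href="http://www.paypal.com/help">Help centre</a>
<a href="http://www.payapl.com/">Account</a>
<a href="http://198.51.100.7/verify">Verify now</a>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce a host to its last two labels (crude; no public-suffix list here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _host_from_text(text):
    """If the visible anchor text looks like a URL or hostname, return its host."""
    if not text or " " in text or "." not in text:
        return None
    candidate = text if "://" in text else "http://" + text
    return urlparse(candidate).hostname


def classify_link(href, text):
    """Return (verdict, reason) for one link: 'ok', 'unknown' or 'suspicious'."""
    host = urlparse(href).hostname or ""
    if not host:
        return ("suspicious", "no host in href")
    # A bare IP address in place of a domain name is a common phishing tell.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return ("suspicious", f"raw IP address {host} instead of a domain name")
    domain = registrable_domain(host)
    text_host = _host_from_text(text)
    # Visible text naming one site while the href goes elsewhere.
    if text_host and registrable_domain(text_host) != domain:
        return ("suspicious", f"text shows {text_host} but link goes to {host}")
    if domain in LEGITIMATE_DOMAINS:
        return ("ok", f"{host} is a known {BRAND} domain")
    if BRAND in host:
        return ("suspicious", f"{host} uses the brand name but is not a registered {BRAND} domain")
    return ("unknown", f"{host} is not a known {BRAND} domain")


def check_email(html):
    """Classify every link in an HTML e-mail body; returns (href, verdict, reason) tuples."""
    extractor = _LinkExtractor()
    extractor.feed(html)
    return [(href, *classify_link(href, text)) for href, text in extractor.links]


if __name__ == "__main__":
    for href, verdict, reason in check_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {href}  ({reason})")
```

The `registrable_domain` reduction is deliberately simple; a production checker would use a public-suffix list so that hosts such as `example.co.uk` are handled correctly, and would load the organization's domain list from its actual registrations rather than a hard-coded set.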

Conclusion
While identity theft is not a new activity, the Internet has provided those intent on engaging in identity theft with an efficient means of capturing privately held personal, financial and sensitive information. It is important that businesses and users adopt a responsible posture while using the Internet. According to the U.S. Federal Trade Commission (FTC), identity theft was the top fraud-related complaint reported by consumers last year, comprising 42 percent of more than 200,000 consumer fraud complaints the FTC received. As well, two major Canadian credit bureaus indicate that they receive approximately 1,400-1,800 Canadian identity theft complaints per month. The majority of complaints are from the province of Ontario8. An official at the Identity Theft Resource Center (a U.S. non-profit organization) was recently quoted as saying "if you get just get [sic] a 0.5% return on 100,000 e-mails, that's a major ID breach".9

Resources
The Government of Canada Public Safety portal Identity Theft web page can be accessed at http://www.safecanada.ca/link_e.asp?category=5&topic=115&ACTIVE=NO.

The RCMP has a number of best practices related to identity theft available at http://www.rcmp.ca/scams/identity_e.htm.

The former department of the Solicitor General of Canada (now Public Safety and Emergency Preparedness Canada) and the U.S. Department of Justice released a joint Public Advisory on Identity Theft, which is available at http://www.psepc.gc.ca/publications/policing/Identity_Theft_Consumers_e.asp

The Canadian Bankers Association (CBA) best practices regarding the use of online resources for conducting personal financial transactions can be found at http://www.cba.ca/en/viewdocument.asp?fl=3&sl=65&tl=136&docid=499&pg=1

The FBI/GSA/CIO 2003 Computer Crime Survey is available at http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2003.pdf

In May 2004, the U.S. Financial and Banking Information Infrastructure Committee and Financial Services Sector Coordinating Council published Lessons Learned by Consumers, Financial Sector Firms, and Government Agencies during the Recent Rise of Phishing Attacks. The paper is available on the U.S. Department of the Treasury website at http://www.treas.gov/offices/domestic-finance/financial-institution/cip/pdf/fbiic-fsscc-report-2004.pdf

1. AusCERT Alert AL-2003.04: "Increase in fraudulent activity targeting users of online banking and electronic payment sites." 21 August 2003.
2. McCarthy, Brendan. "Fake lottery site cons players." The Boston Globe, 9 July 2003.
3. Lemos, Robert. "E-mail scam makes Best Buy scramble." CNET News.com, 19 June 2003.
4. Roberts, Paul. "New site spoofs PayPal to get billing information." Macworld, 9 July 2003.
5. Luciw, Roma. "RBC on 'phishing' hook." GLOBEANDMAIL.COM, 9 June 2004.
6. Richardson, Robert. "2003 CSI/FBI Computer Crime and Security Survey." Computer Security Institute.
7. Public Safety and Emergency Preparedness Canada. Advisory Number AV04-028: "Hackers grab bank details with fake ad." 6 July 2004.
8. Department of Solicitor General Canada and United States Department of Justice. "Public Advisory: Special Report for Consumers on IDENTITY THEFT." 21 May 2003.
9. Swartz, Jon. "Spammers' fake sites dupe consumers." USA TODAY, 6 July 2003.


---

Note to Readers

Public Safety and Emergency Preparedness Canada (PSEPC) collects information related to cyber and physical threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyse threats and to issue alerts, advisories and other information products. To report threats or incidents, please contact the PSEPC Government Operations Centre (GOC) at (613) 991-7000 or opscen@psepc.gc.ca by e-mail.

Unauthorized use of computer systems and mischief in relation to data are serious Criminal Code offences in Canada. Any suspected criminal activity should be reported to local law enforcement organizations. The RCMP National Operations Centre (NOC) provides a 24/7 service to receive such reports or to redirect callers to local law enforcement organizations. The NOC can be reached at (613) 993-4460. National security concerns should be reported to the Canadian Security Intelligence Service (CSIS) at (613) 993-9620.

Links to sites not under the control of the Government of Canada (GoC) are provided solely for the convenience of users. The GoC is not responsible for the accuracy, currency or the reliability of the content. The GoC does not offer any guarantee in that regard and is not responsible for the information found through these links, nor does it endorse the sites and their content.

Last Updated: 12/14/2006