Information Note Number: IN04-002
Best Practices for Preventing Online Identity Theft
19 August 2004
Purpose
With the increasing number of identity theft incidents being perpetrated
online, this Public Safety and Emergency Preparedness Canada (PSEPC)
Information Note is being issued to provide best practices for preventing
identity theft.
Audience
This paper is primarily intended for owners and operators of Canadian
critical infrastructure, who should be aware of any potential threats to
the security of their mission-critical information.
Background
On 3 April 2003, AusCERT, the Australian Computer Emergency Response Team,
issued an alert warning against numerous websites that are designed to
glean personal and financial information from unwitting customers. The
alert warned of "attackers constructing mimic sites to lure customers
of online banking and other forms of electronic payments into accessing
fake sites rather than the original." These sites were designed to
fraudulently divest users of their personal (age, gender, marital status,
Social Insurance Numbers, presumably for data mining purposes), financial
(credit card, account and banking login numbers), and sensitive (personal
and corporate passwords) information.[1]
These actions are often referred to as "spoofing" and "phishing," although
the terms are not limited to them. Spoofing refers to making a message or
website appear to come from a trusted host, for example by sending messages
to a computer with an IP address indicating that they originate from a
trusted host, or by duplicating a legitimate website for fraudulent
purposes, in order to gain unauthorized access to computers or accounts.
Phishing refers to the act of sending e-mails to users falsely claiming
to be from trusted enterprises in an attempt to gather personal, financial
and sensitive information. Often, the e-mails carry a subject and message
intended to alarm the recipient into taking action. Users are then sent
to spoofed websites.
In the intervening year since the AusCERT alert, a number of highly publicized
incidents have occurred.
- On 9 July 2003, the Massachusetts State Lottery Commission website
was spoofed. The fake website asked visitors to provide their credit
card and Social Security Numbers, along with other personal information,
and to pay a US$100 processing fee.[2]
- In mid-July 2003, a mass e-mail circulated advising recipients that
an order made on www.bestbuy.com used their credit card information,
and asked the recipient to follow a link to the company's fraud department
web page. The link actually directed users to a different website masquerading
as the Best Buy website, which requested their personal information.[3]
- In late-July 2003, a website spoofed PayPal (an online payment site)
by attempting to deceive PayPal customers into divulging sensitive account
and billing information. The site instructed PayPal customers to go,
via an e-mail message that appeared to come from the company, to the
site: www.paypal-billingnetwork.net.[4]
- In June 2004, fraud operators launched a phishing attack against RBC
Financial Group by sending customers what appeared to be a legitimate
e-mail request from RBC asking for names, account numbers and personal
identifiers to verify customers' standing due to "increased fraudulent
activity." If a person clicked on the e-mail, went to a spoof site
and entered personal information, hackers could obtain the information
in order to access those accounts.5
According to the 2003 Computer Crime Survey conducted by the Computer
Security Institute in conjunction with the FBI, nearly 13 percent of U.S.
respondents had been the victim of identity theft in the past year. In
total, losses from identity theft in the U.S. in the past year are estimated
at approximately US$50 billion. At a summit of private and public sector
U.S. banking and financial sector officials on 15 December 2003, it was
assessed that fraudulent activity directed at the financial sector via
the Internet will likely increase in 2004.[6]
Most recently, on 6 July 2004, PSEPC issued an Advisory (AV04-028)
regarding a Trojan horse hidden inside so-called "pop-up" advertisements
that appear on screen without warning. Clicking on the "close"
button to get rid of the advertisement triggered the malicious code, which
attempted to install itself on the computer without the user's knowledge.
It was programmed to wait until the user began logging on to their Internet
bank account, where it tried to steal personal details, such as passwords,
before the information reached the bank. This Trojan horse was aimed at
customers of nearly 50 banks around the world.[7]
Best Practices
Since the malicious actors who create spoofed websites or craft false
e-mail solicitations go to great lengths to mimic the corporate personas
of those they are copying, such impersonation activities have proven successful
at capturing personal and financial information from unsuspecting consumers
for the purposes of identity theft and subsequent financial fraud. All
of the elements of the trusted corporate profiles are duplicated in the
e-mails and spoofed sites including login pages, company logos, site banners
and purchasing information.
PSEPC suggests a number of best practices, which can help businesses
and consumers protect themselves from identity theft while they are using
the Internet.
Businesses
As businesses move portions of their services online, they may become vulnerable
to attacks associated with the new medium. Responsible online retailers
have responded by providing concerted programs to educate customers about
fraudulent activities on the Internet. As a fundamental part of this education,
businesses should:
- inform customers exactly what information the company will, and will
not, ask for on websites or via e-mail. If personal, financial or sensitive
information must be exchanged, businesses must clearly indicate under
what conditions that exchange will occur. For example, a retailer will
only ask for a credit card number when completing a sale on its properly
secured site. The same retailer will never ask for a credit card number
via e-mail. PSEPC recommends that businesses make their customers aware
of their business practices with respect to the exchange of potentially
sensitive information several times a year.
- provide customers with information on inquiring about or reporting
suspicious e-mails and websites.
- ensure that they are listed as the registrant and responsible entity
for their corporate website, rather than the web designer.
- clearly advertise their valid website addresses on all corporate stationery,
letterhead and advertising to ensure consumers are conscious of the
proper corporate uniform resource locator (URL).
- protect customer security by registering variations of their corporate
website domain URLs. For example, www.googel.com will still take users
to the proper web address, www.google.com.
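The last item above, registering look-alike domains before someone else does, starts with knowing which variants exist. The following script is an added example (it is not PSEPC's code, and no tool of that name is described in this note): it enumerates the common typo forms of a brand domain and reports those the business does not already hold, so they can be registered or at least watched. The brand domain, the small keyboard-neighbour table and the set of domains assumed to be "already held" are constructed sample values.

```python
"""Enumerate common typo variants of a corporate domain so that the ones the
business does not yet hold can be registered or watched.

Added example, not PSEPC's own code. The brand domain, the keyboard table and
the set of domains assumed to be "already held" are constructed samples."""
from typing import Iterable, List, Set

# Constructed subset of adjacent keys on a QWERTY keyboard (key -> neighbours).
KEYBOARD_NEIGHBOURS = {"o": "ip", "e": "wr", "g": "fh", "l": "k"}


def typo_variants(domain: str) -> Set[str]:
    """Return look-alike domains built from the label left of the TLD:
    dropped character, doubled character, swapped neighbours and
    adjacent-key substitutions (e.g. google.com -> googel.com, gogle.com)."""
    label, _, tld = domain.lower().rpartition(".")
    out: Set[str] = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                  # omission
        out.add(label[:i] + ch + ch + label[i + 1:])        # doubled character
        if i + 1 < len(label):                              # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for near in KEYBOARD_NEIGHBOURS.get(ch, ""):        # fat-finger typo
            out.add(label[:i] + near + label[i + 1:])
    out.discard(label)                                      # the real name itself
    return {v + "." + tld for v in out if v}


def unregistered_variants(domain: str, held: Iterable[str]) -> List[str]:
    """Variants of `domain` that are not among the domains already held,
    i.e. the candidates to register, or to monitor for fraudulent use."""
    return sorted(typo_variants(domain) - {h.lower() for h in held})


if __name__ == "__main__":
    HELD = {"google.com", "googel.com"}  # constructed: domains the company owns
    for candidate in unregistered_variants("google.com", HELD):
        print(candidate)
```

The single-label-TLD assumption (`rpartition(".")`) is deliberate to keep the example short; a real brand-protection check would also cover country-code suffixes and homoglyph substitutions, and would feed the resulting list into periodic WHOIS or DNS monitoring rather than a one-off print.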
Consumers
PSEPC recommends that Internet users exercise vigilance with online activity
and perform due diligence on all parties involved in online transactions.
As well, consumers should:
- install and frequently update a proven antivirus software product.
- ensure that browsers and operating systems (e.g. MS Windows) are up
to date and that security patches are applied.
- be suspicious of any e-mails with requests for personal, financial
or sensitive information. Reputable websites will not normally ask users
to disclose this kind of information via e-mail.
- not fill out forms in e-mail messages that ask for personal, financial
or sensitive information.
- use caution with links supplied in e-mails. Do not click on links
in e-mails if you suspect that the message might not be authentic (e.g.
if you don't recognize the sender or understand the subject or message).
- always verify they have the correct website address for sites that
require users to authenticate by providing information such as a password.
Users should change passwords regularly, use hard-to-guess passwords
(e.g. using a combination of letters, numbers, and characters including
both uppercase and lowercase format), and never share passwords with
anyone.
- use caution when locating a site through an Internet search engine,
since it is not always possible to distinguish a fake site from a legitimate
one. Consider creating a bookmark or favourite entry for important websites
to ensure the valid site is visited every time. As well, look for a
company's privacy policy or a link to its privacy statement when visiting
its website. Pay attention to what information the company gathers,
how it's used, and with whom it's shared.
- always ensure that a secure website is used when submitting
credit card or other sensitive information via your web browser (most
browsers indicate a secure connection with a padlock icon, usually
displayed in the status bar).
- contact the organization via telephone if there is any doubt as to
the veracity of an e-mail or website. Do not use the phone number provided
by the suspicious e-mail or website.
- always report phishing e-mails to the organization being impersonated
first. Users can also report incidents to local law enforcement agencies
to officially open an investigation.
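Several of the consumer practices above (check that the site is secure, check that a link really goes where its text says, and compare the address against the site you have bookmarked) can be applied mechanically to the links in a message before anyone clicks them. The script below is an added example, not PSEPC's code: it pulls every link out of an HTML e-mail and reports the reasons each one deserves suspicion. The "bookmarked" trusted-domain table and the sample message are constructed; the look-alike hostname in the sample is the one quoted in the Background section of this note.

```python
"""Inspect the links in an e-mail before anyone clicks them: is the target
secure (HTTPS), does the link go where its visible text says, does an
unfamiliar host merely borrow a trusted brand name, is the host a raw IP
address, or does a user@ prefix disguise the real host.

Added example, not PSEPC's own code. TRUSTED and SAMPLE_EMAIL are constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed: the sites a user has bookmarked, keyed by registrable domain,
# with the brand words a fraudulent look-alike would be expected to reuse.
TRUSTED: Dict[str, List[str]] = {"paypal.com": ["paypal"]}

# Constructed sample message in the style of the PayPal incident described above.
SAMPLE_EMAIL = """
<p>Due to increased fraudulent activity, please verify your account:</p>
<a href="http://www.paypal-billingnetwork.net/login">https://www.paypal.com/</a>
<p>Questions? See our <a href="https://www.paypal.com/help">help centre</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname. Assumes a one-label public suffix such as
    .com or .net; country suffixes like .co.uk would need a suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href: str, text: str) -> List[str]:
    """Return the reasons a link deserves suspicion; an empty list means the
    link passed every check applied here (not that it is safe)."""
    findings: List[str] = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append("connection is not HTTPS")
    if parts.username is not None:           # http://trusted.name@real-host/
        findings.append("URL carries a user@ prefix that hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address, not a company domain")
    except ValueError:
        pass
    if registrable(host) not in TRUSTED:      # not a bookmarked site
        flattened = host.replace("-", "").replace(".", "")
        for brand in (b for names in TRUSTED.values() for b in names):
            if brand in flattened:
                findings.append(f"untrusted host imitates the brand '{brand}'")
    if re.match(r"https?://", text):          # visible text itself looks like a URL
        shown = urlsplit(text).hostname or ""
        if registrable(shown) != registrable(host):
            findings.append(f"text shows {shown} but the link goes to {host}")
    return findings


def scan_email(html: str) -> Dict[str, List[str]]:
    """Map each link target in the message to its list of findings."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return {href: check_link(href, text) for href, text in extractor.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "no findings")
```

Run as-is, the first link in the sample is flagged three times (plain HTTP, a host that only borrows the PayPal name, and visible text that names a different site than the target) while the genuine help-centre link passes. The brand-substring test is intentionally crude; a production filter would add homoglyph and edit-distance comparisons, and an empty finding list is only a reason to apply the telephone check above, never proof that a message is genuine.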
Conclusion
While identity theft is not a new activity, the Internet has provided
those intent on engaging in identity theft with an efficient means of
capturing privately held personal, financial and sensitive information.
It is important that businesses and users adopt a responsible posture
while using the Internet. According to the U.S. Federal Trade Commission
(FTC), identity theft was the top fraud-related complaint reported by
consumers last year, comprising 42 percent of more than 200,000 consumer
fraud complaints the FTC received. As well, two major Canadian credit
bureaus indicate that they receive approximately 1,400-1,800 Canadian
identity theft complaints per month. The majority of complaints are from
the province of Ontario.[8] An official at the
Identity Theft Resource Center (a U.S. non-profit organization) was recently
quoted as saying "if you get just get [sic] a 0.5% return on 100,000
e-mails, that's a major ID breach".[9]
Resources
The Government of Canada Public Safety portal Identity Theft web page can be
accessed at
http://www.safecanada.ca/link_e.asp?category=5&topic=115&ACTIVE=NO
The RCMP has a number of best practices related to identity theft available
at http://www.rcmp.ca/scams/identity_e.htm
The former department of the Solicitor General of Canada (now Public
Safety and Emergency Preparedness Canada) and the U.S. Department of Justice
released a joint Public Advisory on Identity Theft, which is available at
http://www.psepc.gc.ca/publications/policing/Identity_Theft_Consumers_e.asp
The Canadian Bankers Association (CBA) best practices regarding the use
of online resources for conducting personal financial transactions can
be found at
http://www.cba.ca/en/viewdocument.asp?fl=3&sl=65&tl=136&docid=499&pg=1
The FBI/GSA/CIO 2003 Computer Crime Survey is available at
http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2003.pdf
In May 2004, the U.S. Financial and Banking Information Infrastructure
Committee and Financial Services Sector Coordinating Council published
Lessons Learned by Consumers, Financial Sector Firms, and Government
Agencies during the Recent Rise of Phishing Attacks. The paper is
available on the U.S. Department of the Treasury website at
http://www.treas.gov/offices/domestic-finance/financial-institution/cip/pdf/fbiic-fsscc-report-2004.pdf
[1] AusCERT Alert AL-2003.04: "Increase in fraudulent activity targeting users
of online banking and electronic payment sites." 21 August 2003.
[2] McCarthy, Brendan. "Fake lottery site cons players." The Boston Globe,
9 July 2003.
[3] Lemos, Robert. "E-mail scam makes Best Buy scramble." CNET News.com,
19 June 2003.
[4] Roberts, Paul. "New site spoofs PayPal to get billing information."
Macworld, 9 July 2003.
[5] Luciw, Roma. "RBC on 'phishing' hook." GLOBEANDMAIL.COM, 9 June 2004.
[6] Richardson, Robert. "2003 CSI/FBI Computer Crime and Security Survey."
Computer Security Institute.
[7] Public Safety and Emergency Preparedness Canada. Advisory Number AV04-028:
"Hackers grab bank details with fake ad." 6 July 2004.
[8] Department of Solicitor General Canada and United States Department of
Justice. "Public Advisory: Special Report for Consumers on IDENTITY THEFT."
21 May 2003.
[9] Swartz, Jon. "Spammers' fake sites dupe consumers." USA TODAY, 6 July 2003.
Note to Readers
Public Safety and Emergency Preparedness Canada (PSEPC) collects information
related to cyber and physical threats to, and incidents involving, Canadian
critical infrastructure. This allows us to monitor and analyse threats and
to issue alerts, advisories and other information products. To report threats
or incidents, please contact the PSEPC Government Operations Centre (GOC)
at (613) 991-7000 or by e-mail at opscen@psepc.gc.ca.
Unauthorized use of computer systems and mischief in relation to data are
serious Criminal Code offences in Canada. Any suspected criminal activity
should be reported to local law enforcement organizations. The RCMP National
Operations Centre (NOC) provides a 24/7 service to receive such reports
or to redirect callers to local law enforcement organizations. The NOC can
be reached at (613) 993-4460. National security concerns should be reported
to the Canadian Security Intelligence Service (CSIS) at (613) 993-9620.
Links to sites not under the control of the Government of Canada (GoC) are
provided solely for the convenience of users. The GoC is not responsible
for the accuracy, currency or the reliability of the content. The GoC does
not offer any guarantee in that regard and is not responsible for the information
found through these links, nor does it endorse the sites and their content.