Identity theft has been around as long as there has been identity. Long before the age of computers, and before the common and omnipresent connectivity of modern day life, information was much scarcer. Identify thieves had to work a lot harder to uncover their victim’s details; however, once they found what they wanted it was often much easier than it is today to get away with the crime.
Today, all of this has changed. Everything from your checking account to that party you went to last Friday night is located somewhere on the web. If you spend any significant amount of time online, just about anyone who knows how to use Google can probably find out where you live and what you do for a living in a matter of minutes. And for a motivated hacker, this is more than enough of a lead.
All it takes is a person or persons with enough patience and know-how to pierce anyone’s privacy — and, if they choose, to wreak havoc on your finances and destroy your reputation.
Identity Theft: Tools
There are a number of tools available which can be used in various ways by hackers. Though technical knowledge is important to effectively protect yourself, it is useful to get acquainted with them.
Key Loggers
A key logger is a program that records what you’re typing and shows it to the hacker. Key loggers are usually used to discover passwords to financial accounts, but they can also be used to monitor a target’s online communications.
Brute Force Password Hacking
Hacking passwords is a science. Hackers can guess your passwords through a series of educated guesses or through algorithms. Not only this, most people reuse their passwords, and most of these passwords are relatively easy to guess.
Let’s say for example that you were born in 1991 and you have a pet dog named Scooby, so you decide to make your password Scooby1991. Let’s say that you also have a Facebook account that lists your birthday and features tagged photos of you and Scooby. Any intelligent hacker with an inclination is going to figure you out.
Backdoor Access
If a hacker wants to get into your computer to steal passwords or files or to
remotely monitor your activity, they can install a
“backdoor” entryway. Backdoor programs exploit weaknesses in your
network security and allow the hacker to come and go as they please,
without your knowledge or permission. Many backdoor entryways are created when unsuspecting computer users download
“Trojan Horses,” which are programs designed to look like useful software that actually establish backdoor entries behind the scenes. Trojans are just one of multiple ways a hacker can get into your system, though.
Identity Theft: Methods
Today’s identity thieves are armed with many forms of software and computerized tools, but these tools are absolutely useless unless they are installed on your computer. Accordingly, determined hackers have been known to go to great lengths to get their malware on their victims’ computers.
Physical Implantation
Though not the most creative method, physical implantation is tried and true and extremely effective. If a hacker really wants to establish a backdoor entry or key logger on your computer, they can try and gain physical access to you device and install the file while you are away.
Attacking Your Wireless Network
Hackers can physically come near your house, in range of your wireless network and attempt to identify it. If you have a Wireless Protected Setup (WPS), breaking in is surprisingly easy. Once inside your network, hackers can pretty much do whatever they want. This includes stealing your sensitive information right then and there, establishing a backdoor entryway, or simply implanting any other type of virus they’d like.
Fooling you onto their Network
Hackers often fool their targets into logging onto wireless networks in public places. For example, a hacker could wait for their target at a coffee shop, set up a network called
“Coffee House Wi-Fi,” and thereby fool the target into logging on. Once the connection is made, the hacker may be able to monitor what you are doing online, view your computer’s files, or implant a virus.
Malicious Email
Most of the modern day users, spending most of their time online know better than to open phishy sounding email from a mysterious stranger with an offer that’s just
too good to be true – but hackers know this, and have creative ways of working around it. A very fine example is illustrated in
Adam L. Penenberg’s article.
Malicious Hardware
One of the most creative and seemingly innocuous approaches to identity theft infiltration is through malicious hardware, such as an infected flash drive. This method is mostly used when identity thieves have a specific target in mind.
Stealing Cookies
On the Internet, a cookie is a temporary file automatically created by your browser to speed up your surfing ability. If you have ever logged onto a website multiple times in one sitting and found that you only had to supply your log-in credentials once, you have experienced a cookie. However, like passwords cookies can also be stolen. In fact, hackers have developed numerous programs to steal their victims’ cookies once they have worked their way onto the same network. One of the most well-known cookie stealing tools is called
Firesheep, which was developed by an independent software developer to show just how vulnerable Firefox users were to cookie theft. Once a hacker has stolen your cookies, they can use them just as you would, to log onto websites that you frequently use. Depending on what these websites are, cookie theft can be disastrous.
Fake File Names
Deception, deception, deception. Identity Theft is all about deception? Another way hackers pull their deception off is by naming files things that they are not. Let’s say you’re trying your hand at online dating, and you receive a “private email” from a potential match. In this email, you get an attached file entitled sexypic.jpg.exe. Is it a flirtatious .jpg, or is it a potentially dangerous .exe? In this case, the answer is the latter; but, for many users, all that matters is that it says sexy.
Still, even the most novice of computer users know that any file containing .exe is one to be suspicious of. Hackers have therefore developed a very clever workaround that they’ve been using for years. It’s called the Right to Left Override trick, and it works by utilizing the Unicode character U+202E.
Say a hacker writes a virus and names it aReallysgpj.exe. If you received this file as an attachment in an email, you would probably delete it immediately. But what if the file was called aReallysexe.jpg instead? Chances are high that anyone with a sense of curiosity would open it.
How do hackers pull this off? Simply by inserting Unicode character U+202E after aReallysgpj in the original file name: aReallygpj [U+202E].exe
This magically flips gpj.exe into exe.jpg, giving you aReallysexe.jpg, without changing the executable format of the file. What’s interesting is that this only works because exe is a palindrome.
Redirecting your Hosts
When your computer looks up a website, a lot of complicated processes take place. Knowing this full well, people who write operating systems have created a number of methods to simplify things. One of them is called the Hosts file, which is a file that exists in the background of your computer.
Kind of like cookies, the Hosts file works to speed up internet usage by storing commonly visited
domain names and their
IP addresses on your computer. Also like cookies, the Hosts file is great, up until the point it gets into the hands of a hacker.
Say an identity thief got onto your network or computer and wanted to steal your identity. If they wanted to, they could go into your Hosts file and compromise your domain name to IP address match ups. By doing this, they would make it so that the next time you went online and typed, for example, yourfavoritewebsite.com, you’d be led to a falsified version of the site, designed by the hacker to steal your financial information.
Poisoning the Waterhole
Identity thieves have also been known to use the waterhole technique to attack virtual meeting places, such as social media. The specific tool that is used to do so will vary from case to case, but in all cases the social engineering tactic is the same. People flock to social media sites in huge masses and because of this individual users fall into a false sense of security. From 20,000 profiles all “liking” the same thing, the odds of being the chosen target are slim; but, to hacker looking for an easy target, hitting 20,000 fish in a barrel all at once can mean payday.
Identity Theft: Prevention
A determined identity thief seeking a means of infiltration is limited only by his imagination. Hackers mostly rely on establishing a pretense and fooling their targets into giving away their personal information. More often, hackers target corporations over individuals, because the larger size allows for more modes of entry and a greater degree of anonymity.
No one is completely immune to identity theft, though, familiarity with the tools and means of modern day identity theft outlined above is a great start and in addition to well-designed antivirus software there are many common sense measures that all basic computer users should put into place.
- Keep your software up to date. When prompted to install an update for software or operating system you use, do so. Nearly every software update published by companies like Apple and Microsoft contains some degree of security fixes.
- Choose a passphrase, not a password. If you choose a simple password for accounts that contains your sensitive information, it isn’t the service provider’s fault that your account was hacked into. Instead of a 6 to 8-character password, choose passphrase that is easy to remember but impossible to guess. Think of a sentence or a phrase and toss in a few numbers and symbols.
- Don’t click on stuff. We are tempted every single day to click on links and attachments we receive via email or see in our social networking account. Be very aware that many of these will be malicious and cause your mobile device or computer to be taken over by a hacker. Once they do so, they’ll be sure to replicate the attack towards all of your contacts and friends.
- As in day-to-day life, anything you’re unfamiliar with should be put under the strictest review before you open it with your computer. Unfamiliar file extensions and phishy emails from strangers are best ignored.
- Remember that Public Wi-Fi usage is Public.
- And whatever you do, don’t create an excel sheet of all your passwords ever. That’s just asking for identity theft, from just about anyone who can open a file and read.
