Two months ago, I received a text from my credit card provider asking if I had just purchased gasoline in Moline, Illinois. This would have been logistically impossible as I was in New York at the time. No, I replied. And that marked the end of that credit card number.
This is not the first time it has happened to me, and perhaps this has happened to you too. It seems to be a routine event—someone somehow obtains your card number and becomes “you” for criminal purposes. In all cases, the credit card provider picked up the tab, and you, the cardholder, waited a day or two for the new card to arrive, and then spent a few hours smoothing out the wrinkles—changing the card number for the services you automatically purchase each month.
It’s not a big deal; it’s really minor league stuff compared to the heavy hitters in the identity theft game. Huge amounts of money are at stake for lenders and, in some cases, even the consumer. While most credit card charges are waived, it is less clear how lenders will respond when cyber thieves directly break into your bank accounts and transfer huge sums. They can apply as you for a mortgage on a mansion and rent out the house or sell it quickly for cash. They can even use your health insurance policy to pay for expensive surgery or sell this information to others for the same purpose.
To commit such crimes, cyber thieves need to amass as much personal data as possible. Frequently, this information comes directly from publicly available data and social media postings. In future, much of it will arrive via the Internet of Things—the IoT.
Web-connected devices such as smart thermostats, appliances like refrigerators and TVs, Internet-connected security systems, wearable fitness devices and even wireless heart monitors and insulin dispensers widen the data pool for cyber thieves, according to a recent FBI alert. To understand how, I phoned Steven Sanders, global account director at IDT 911, a provider of identity theft protection and recovery services.
“What happens is the thieves exploit the Universal Plug and Play Protocol to gain access to one of your devices,” Steven explained. “Once they get in, they can access other devices through unsecure Wi-Fi connections or a physical connection to another device, such as a wearable device that’s plugged into a laptop to charge. Each device may store different personal information. Once it is all aggregated, it could be enough to steal an identity.”
A wearable fitness device, for instance, often contains physical location data like the person’s address, as well as the wearer’s birth date, since this information is used to determine calorie burn. While the IoT is predicated on making our lives, homes and businesses more efficient, security is often a secondary consideration. “Providers are focused on getting the product to market fast,” Steven explained. “It’s more of a ‘build it first; secure it later’ strategy.”
Building the Profile
The IoT is just one new way to gather enough data to step into our shoes. Another is the receipt of “free stuff” online. A case in point involves a well-known music superstar who recently released an album of songs gratis, as long as listeners downloaded the songs on their smartphones using a particular mobile app.
After clicking on the link to the app, the user was asked to grant the app provider permission to “enter” the device for the purpose of gathering email addresses and social media user names stored on the smartphone. The app also requested a working login to the person’s Facebook and/or Twitter accounts.
Not so free after all, it turns out. Nevertheless, a fan of the performer eager to hear the new songs won’t even blink before granting access. In the meantime, personally identifying information in the form of email and social media accounts has been turned over to the provider. If the company’s site is hacked, that vital information is exposed to identity thieves.
The more descriptive the target’s profile, the wider the range of illegal schemes that can be committed. I discussed this subject at lunch recently with Kim Lucarelli, director of personal risk at Oswald Companies. “Cyber thieves troll the Internet looking for all sorts of identifying facts about a target, and once they’ve amassed enough to develop a plausible profile, they pounce,” Kim said. Oswald Companies is a Cleveland-based insurance broker serving a high-net-wealth clientele.