Two months ago, I received a text from my credit card provider asking if I had just purchased gasoline in Moline, Illinois. This would have been logistically impossible as I was in New York at the time. No, I replied. And that marked the end of that credit card number.
This is not the first time it has happened to me, and perhaps this has happened to you too. It seems to be a routine event—someone somehow obtains your card number and becomes “you” for criminal purposes. In all cases, the credit card provider picked up the tab, and you, the cardholder, waited a day or two for the new card to arrive, and then spent a few hours smoothing out the wrinkles—changing the card number for the services you automatically purchase each month.
It’s not a big deal; it’s really minor league stuff compared to the heavy hitters in the identity theft game. Huge amounts of money are at stake for lenders and, in some cases, even the consumer. While most credit card charges are waived, it is less clear how lenders will respond when cyber thieves directly break into your bank accounts and transfer huge sums. They can apply as you for a mortgage on a mansion and rent out the house or sell it quickly for cash. They can even use your health insurance policy to pay for expensive surgery or sell this information to others for the same purpose.
To commit such crimes, cyber thieves need to amass as much personal data as possible. Frequently, this information comes directly from publicly available data and social media postings. In future, much of it will arrive via the Internet of Things—the IoT.
Web-connected devices such as smart thermostats, appliances like refrigerators and TVs, Internet-connected security systems, wearable fitness devices and even wireless heart monitors and insulin dispensers widen the data pool for cyber thieves, according to a recent FBI alert. To understand how, I phoned Steven Sanders, global account director at IDT 911, a provider of identity theft protection and recovery services.
“What happens is the thieves exploit the Universal Plug and Play Protocol to gain access to one of your devices,” Steven explained. “Once they get in, they can access other devices through unsecure Wi-Fi connections or a physical connection to another device, such as a wearable device that’s plugged into a laptop to charge. Each device may store different personal information. Once it is all aggregated, it could be enough to steal an identity.”
A wearable fitness device, for instance, often contains physical location data like the person’s address, as well as the wearer’s birth date, since this information is used to determine calorie burn. While the IoT is predicated on making our lives, homes and businesses more efficient, security is often a secondary consideration. “Providers are focused on getting the product to market fast,” Steven explained. “It’s more of a ‘build it first; secure it later’ strategy.”
Building the Profile
The IoT is just one new way to gather enough data to step into our shoes. Another is the receipt of “free stuff” online. A case in point involves a well-known music superstar who recently released an album of songs gratis, as long as listeners downloaded the songs on their smartphones using a particular mobile app.
Clicking on the link to the app, the user was asked for permission for the app provider to “enter” the device for the purpose of gathering email addresses and social media user names stored on the smartphone. The app also requested a working login to the person’s Facebook and/or Twitter accounts.
Not so free after all, it turns out. Nevertheless, a fan of the performer eager to hear the new songs won’t even blink before granting access. In the meantime, personally identifying information in the form of email and social media accounts has been turned over to the provider. If the company’s site is hacked, that vital information is exposed to identity thieves.
The more descriptive the target’s profile, the wider the range of illegal schemes that can be committed. I discussed this subject at lunch recently with Kim Lucarelli, director of personal risk at Oswald Companies. “Cyber thieves troll the Internet looking for all sorts of identifying facts about a target, and once they’ve amassed enough to develop a plausible profile, they pounce,” Kim said. Oswald Companies is a Cleveland-based insurance broker serving a high-net-wealth clientele.
Kim cited a recent example that happened to one of her wealthy clients, who is a major philanthropist.
“Thieves know that high-net-wealth people sit on boards,” she said. “My client’s name was on the board of a foundation dedicated to funding medical research into autism. He’s also a well-known CEO. Knowing he was passionate on this subject, they mocked up the look of a non-profit charitable organization that helps autistic children, and emailed him at his business email address asking for a donation. He clicked on a button to send money via his credit card.”
While the thieves were looking to gain illicitly from the large financial donation, a secondary consideration was obtaining the client’s credit card number. “Once they have it, they can add other data elements to it to perpetrate a really substantial crime,” she said.
Bit by Bit, Piece by Piece
It’s easy to obtain publicly available information on a target’s date of birth, gender, home address and value, past addresses, marital status, education, family tree and social connections. For criminal purposes, each piece of knowledge assists the gathering of more important data—the stuff we are typically asked for when logging into a mobile banking app, such as Mom’s maiden name, when we graduated college, Dad’s last employer, the dog’s name, and so on.
“Cyber thieves are extremely patient,” Steven said. “They build a profile piece by piece. Maybe you post where you went to college—now the thief can figure out when you graduated. Maybe you post that your dad just retired from such-and-such company. Maybe your mom comments to you on Facebook saying she’s looking to hook up with old friends from college and you remind her to use her maiden name. Certainly, most everyone posts the name of their dogs. We’re all guilty of over-sharing.”
While everyone is subject to identity theft, wealthier individuals are the primary targets for obvious reasons. The solution is to have people like Kim and Steven counsel high-net-wealth families on their particular vulnerabilities.
Expect questions to be asked about the family’s social media accounts and habits, use of wearable technologies, presence of IoT devices in the home and elsewhere, philanthropic activities and travel plans, among others. They also can help clients draw up rules regarding forbidden behaviors online, especially by children, and make recommendations on how to identify trouble spots before they erupt into full-blown losses.
Steven offered me an exceptionally smart bit of advice: “Always think twice before you hit ‘send’ or click a button. Imagine the content falling into the wrong hands first.”
That’s one recommendation I will not forget soon. Truthfully, I hate applying for new credit cards.