Bucknell Magazine: A Case of Taken Identity
Why mistrust is a good thing in the digital age.
By Benjamin Gleisser. Illustrations by Iker Ayestaran
You’re sitting in your favorite coffee shop, relaxing with a tasty mocha java and reading the newspaper, when your cell phone begins to chime. The number on the call display doesn’t look familiar. Curiosity gets the better of you and you thumb the talk button. It’s a wrong number, but the voice on the other end sounds so charmingly befuddled, you talk with him for a few minutes, just long enough for a second caller to ring your phone. Because you’re already on the line, that call goes into voicemail. Unbeknownst to you, the second caller then enters a default code, which lets him or her access all your stored voice and image messages.
Bad news: Your cell phone has just been hacked. Why you? Well, the hackers had probably cracked their way into the database of a website company that stores your information. This enabled them to steal your password to that website (which may also be your ATM PIN number and the password to your PayPal account if, like thousands of other people, you use one password for everything because it’s easier to remember). The hackers also nab your credit card number, street address, e-mail address, phone numbers (work, cell and land line, depending on what data you gave that website) and other personal information — maybe even a bra or waist size.
And, by the way, what other kinds of identity information do you have saved on your cell phone? That’s even easier to steal from you.
How safe are social networks?
When it comes to cell phones and websites, not even Lady Gaga is immune to hackers. Last July, the singer reported that her website had been compromised, and the names and e-mail addresses of some fans in her database had been stolen. A Gaga spokesperson assured the media that “no passwords [or] financial information were taken,” while the sobbing singer said she believed people were “trying to destroy” her.
However, it’s not Lady Gaga those hackers were out to destroy. Hackers, many with links to organized crime, have broken into website databases in companies like Sony and Honda Canada to steal users’ personal information. They then utilize that information to become those people — in effect, assuming their identities to max out their credit cards, empty bank accounts and, in some cases, impersonate those people at online dating services to swindle unknowing individuals out of thousands of dollars.
Eric Smith, Bucknell’s assistant director of information security and networking, believes it’s time to wake up and smell the firewall.
“I don’t want to create a lot of doom and gloom, but the sad reality is that if someone wants to get you bad enough, they will,” says Smith. “A lot of high-profile people are getting hacked. I don’t know if you can do anything to be completely safe, except unplug yourself from the Internet.”
This is virtually impossible today, considering how many people “live” on the Internet and use Facebook like a diary, telling hundreds of contacts (called “friends” on the site) personal details about themselves. People use sites liked LinkedIn to keep in touch with friends and clients and to cultivate new business relationships.
How safe is it to post personal information on social networks? Even if you’re corresponding with someone one-on-one, others might be monitoring your digital conversation, Smith says.
“I did an experiment with Facebook,” says Smith. “I talked about golden retrievers with a friend of mine for about a week, and then I started getting ads sent to me on Facebook for pet care supplies and pet food. They look at what you talk about; after all, advertisers want to put pet food information before the eyes of people who talk about pet food.”
Annoying pop-up ads, like mosquitoes at a summer picnic, are a fact of life in the digital age. They’re relatively harmless — unless they’re attached to spyware programs that collect pieces of information about users without their knowledge. Spyware can turn what people freely post on social network sites into fodder for identity thieves.
Eric Santanen, associate professor and co-director of the School of Management, says there’s a direct connection between privacy and identity theft.
“The danger is people post so much detail about their personal lives,” he says. “Nobody seems to be asking themselves, ‘Is this stuff I want a total stranger to know about me?’ The more you know about people — their wife’s name, their pet’s name, their birthday — the more guessable their passwords become so their identities can be stolen.”
Santanen warns social network users to keep this in mind: Information posted on Facebook and MySpace can never be deleted. “You can close your account, but you can never remove your account. They retain the data and they always will,” he says. “[Facebook founder] Mark Zuckerberg said in a speech in 2010 that ‘personal privacy is dead.’ I find that to be a tremendously dangerous statement and an even more dangerous reality.”
And it’s not just data that’s being stolen. In June, the ABC news program 20/20 ran the story of a man in Ghana who pilfered the picture of Lt. Jeffrey Miller off Miller’s MySpace page, then posted the picture on Match.com and called himself Austin Miller, a soldier in Afghanistan. “Austin Miller” then befriended a New York woman and, over a six-month period, bilked her out of $25,000.
While social networks do have their downside, there are also plenty of positive points about the sites. For example, a Facebook page in the Middle East has both Israeli and Palestinian youths communicating with each other. And thousands of people have reconnected with friends they haven’t seen in decades.
Identity theft by the numbers
The joint FBI/National White Collar Crime Center’s Internet Crime Complaint Center logged more than 300,000 complaints about various scams in 2010, and identity theft was the third most common complaint, according to the FBI website. And identity thieves don’t fall into one category, says Supervisory Special Agent Amanda Strickland, who works in the FBI’s Cyber Division.
“They’re members of organized crime, pranksters and cyber-terrorists,” says Strickland. “It can be a whole organization or just one individual. Drug traffickers are getting into it, and we’ve seen methamphetamine gangs doing ID theft.”
MarketWatch, a website hosted by The Wall Street Journal, quotes Javelin Strategy & Research’s 2011 Identity Fraud Survey. The study suggests that though identity theft fraud fell by 28 percent in 2010, about 8.1 million U.S. adults were still victims of identity theft, and businesses and consumers lost $37 billion due to card-related identity fraud. Furthermore, the cost of clearing up identity theft and covering some of the charges skyrocketed to $631 per incident in 2010, a 63-percent increase over $387 per incident in 2009. Those costs include paying off debts incurred by scammers, as well as fees incurred by attorneys and courts.
Why has identity theft become such an alluring crime?
“For the same reason given by Willie Sutton when asked why he robbed banks: ‘Because that’s where the money is,’” says attorney John Squires ’84, co-chair, IP Group, Chadbourne & Parke LLP. “In all seriousness, digital cash and credit make economic transactions more frictionless and, as a result, hacking and identify theft appear to be victimless crimes.”
To combat the surge of identity concerns in Canada, the Office of Privacy Commissioner of Canada was created in 1983 to protect privacy rights and personal information, investigate complaints from the public, and promote the awareness of privacy issues.
“Our private-sector law applies to U.S. companies if they have a real and substantial connection to Canada — which is increasingly important, considering that Internet activities are mostly borderless,” says Privacy Commissioner Jennifer Stoddart.
The office recently investigated Google and found that it lacked proper controls to protect personal information. That led to a commitment by the company to implement measures to reduce the risk of future privacy concerns. The office had previously received the same commitment to privacy concerns from Facebook.
In May, Stoddart called for the power to impose “attention-getting fines” on corporations that fail to protect personal information — in essence, holding companies liable if their data collection system gets hacked and customer information is stolen.
Squires says he believes that companies can be held liable for security breaches, “but only if the company is [found to be] grossly negligent” in its practices.
That might include Staples Business Depot, a company Stoddart blasted in a 2011 report for having weak privacy protection practices, such as storing print and copy orders for one year. The report also cites a troubling statistic: Only 44 data-breach incidents were reported in Canada in 2010, down from 58 in 2009 and 65 in 2008. It’s not that cyber security methods are improving, the report seems to suggest — instead, companies are reluctant to confess to being hacked.
That “see-no-evil, speak-no-evil” way of thinking is not uncommon in the IT world, Santanen says, pointing to a 2011 survey of information security professionals published in Industry Week. The study found that businesses cut security spending when budgets get tight. An astonishing 30 percent of security professionals believe their companies don’t adequately enforce security policies, and 44 percent don’t consider their security systems effective. And 95 percent of respondents expect the number of data breaches at their company to increase this year.
“We’re beginning to see credit card companies policing and penalizing vendors,” Santanen says. “VISA fined TJX, the parent company of TJMaxx, for storing information, because it doesn’t want merchants keeping credit card data after they receive authorization from the credit card agency. Companies that hold data become treasure troves for hackers.
“As more and more websites become compromised, you’ll see more calls for legislation,” Santanen adds. “There are already grumblings going on in the U.S. legislature.”
At the state level, California and Wisconsin have created an Office of Privacy Protection to help their residents avoid falling prey to cyber-crime.
Identity theft on campus
Identity thieves don’t just target wealthy individuals. Students with three-figure bank accounts are fair game, too. In fact, Bucknell University averages three reported identity thefts per year, says Detective Sergeant Jeffrey Ettingerof the Bucknell Department of Public Safety.
Ettinger urges students, staff or faculty members who feel they have been victims — or who could become victims — of identity theft to report the incident to the Department of Public Safety for investigation and/or assistance. The victim will receive two packets of information. The first piece, the Identity Crime Incident Detail Form, records how the victim discovered that she or he fell prey to identity theft. The second piece details a 10-step process that shows the victim how to report the offense to various agencies.
“We’ll assist anyone who feels that they’ve been a victim of identity theft,” Ettinger says. “If necessary, we’ll work in conjunction with the University’s Information and Technology Department to investigate the computer identity theft crime.”
When it comes to identity theft, Ettinger adds, the best defense is vigilance. “As we all know, identity theft can occur in any of the following ways — someone peeking over your shoulder while you’re using an ATM; the theft of a wallet, purse or mail; someone using a change-of-address form to divert your mail; dumpster diving to find data you’ve thrown away; and fraudulently obtaining your credit report by phishing and/or pharming [a false e-mail that appears to have been sent from a recognizable source in the hope that the receiver will respond with personal information, like a bank account number].”
The future of computer safety
The Internet was created in the 1960s so a few government-sponsored agencies could share information with each other. This network expanded over time to include a large number of universities and other entities that were freely exchanging information. By the 1990s, that small system became the World Wide Web, with hundreds of millions of users.
“The problem everyone realized later was the notion that security and privacy were never taken into account back then,” Santanen says. “Security wasn’t in the original design, so now we’re trying to retrofit something new onto an older system.”
That may change as the Internet gets set to expand again, the Canadian Broadcasting Corporation (CBC) reports. As more people and devices have gone online in recent years, network engineers have come to realize that virtual reality is running out of room. So, work has begun to upgrade the Internet to a system with significantly more virtual real estate: about 340 undecillion (10 to the power of 38) addresses. Besides giving us more online space, the system will be faster, more efficient and much more secure.
The future also is cloudy. Cloud computing — storing mail, documents, images, video and audio on the web in the massive servers of Google or Apple, rather than on personal computers — is being heavily marketed to consumers and businesses. And with the right password, one can bring your info down from the “cloud” to be used.
Of course, security is a great concern to those looking at clouds. Sony and Nintendo, which were recently hacked, use cloud-based platforms.
Can we ever be safe from identity theft? Will better security measures thwart cyber crime, or just impel the bad guys to redouble their efforts to beat the system?
The FBI’s Agent Strickland realizes no system will ever be 100-percent perfect. “There will always be some bugs, and there will always be some risk in using the Internet,” she says. “The best thing people can be is a little more cautious when they use it.”
David Weinberger ’72, a senior researcher at Harvard’s Berkman Center for Internet & Society, agrees that we must take the bad with the good: “To have all the safeguards you’d need to in place for perfect protection, you’d make the Internet so expensive, it would effectively kill everything useful about the Internet.”