Learning how simple identity fraud techniques work

Mark Cutting Analysis, Risk, Security 4 Comments

I’ve been asked by one of my followers to write a couple of articles based around identity theft from a variety of sources – some (as detailed in this article) common, and others “not-so-common” but incredibly effective nonetheless. In these articles, I will describe the best possible ways to secure your identity using both technology, and seemingly basic (yet overlooked) but effective ways of keeping control of your identity on a daily basis. Any questions, feel free to shout out !

Identity theft and fraud have been commonplace for a number of years, but have taken on various different forms. Several years ago, the basis of identity theft required the perpetrator to gain as much physical information as possible concerning the intended target. With the onset of personally identifiable information attributing individuals being siphoned out of businesses, and GDPR regulation landing in 2018 (this alone will change the data landscape forever), I thought it would be a good idea to get an article out that identifies the most common types of identity fraud, and how easily information can be obtained – not necessarily through social engineering, but from your own rubbish.

What is needed to commit identity fraud ?

Such information would typically be anything that could be classed as “personally identifying” – mail for example. A utility bill could be presented as proof of identity in order to obtain services or other financial gain by impersonating that individual. Most mail we receive through the postal system these days is often junk, but the odd element will contain a wealth of information that is a gold mine to an identity thief looking to commit fraud.

Before the onset of the internet as we know it today, an identity thief had to work for this information in ways that are seldom deployed in today’s threat landscape (but still used nonetheless). Such activity meant sorting through rubbish (or trash – dependant on your locale), with the sole aim of finding material that could be used to perform impersonation. This activity has actually become simpler and cleaner over the years, mainly thanks to new recycling laws that separate the real rubbish from what an identity thief is looking for. In actual fact, all any potential thief has to do is steal the recycling bag itself – thus not only improving productivity, but also increasing the chances of extraction dramatically. Nobody is going to be that concerned about their rubbish going missing – they threw it out, so asking for it back would raise the inevitable question as to why you disposed of it in the first place if you wanted to keep it.

Anything with your name and address on it is an excellent start, but it isn’t enough. For this to be beneficial, an identity thief would need your date of birth. You’d think that this would be difficult to obtain. In actual fact, it isn’t. Using a variety of techniques, an identity thief can extract this information from other sources such as electoral systems, census records, and most family tree research systems. The information will be buried yet available somewhere, and it just needs to be exposed. How much time an identity thief needs to invest in this activity varies dependant on the prize – nobody wants to be knee deep in rotting produce unless there is a significant reward at the end of it.

Why is a date of birth so important ?

Your date of birth is often required when completing loan applications (for example), and without this, an identity thief cannot procure services or gain access to a financial source easily. It’s like the missing piece of a puzzle. Without that piece, you have most of the picture, but not all of it. Any missing components required for identity theft to be possible can also be extracted from sources much closer to you than you’d think. Using a variety of techniques – most of them social – any thief can extract the required information without too much effort. The most common approach is to leverage social media.

The identity thief pretends that they know the individual to one of your friends or associates, and is then able to engage them in conversation. The incredible fact about social media is that people tend to post a variety of information that they probably wouldn’t if they were to think twice about it, and this vulnerability is surprisingly simple to exploit. Facebook, for example, allows you to see the profiles of any other connection your new “friend” has, and vice versa. Too much information in these profiles that is on public display is the low hanging fruit that is required for identity theft to become a realistic prospect.

As this technique relies solely on trust, and the source of the information provides the missing pieces of their own free will and volition, no crime is actually committed. Trust is the key element for this method of extraction to succeed – and in most cases, it does.

My post box is susceptible ? Why ?

Another simple mechanism of obtaining information is intercepting post intended for the target. This sounds like a difficult task, and for housing estates, you’d probably have to kidnap the postman in order to gain access to the mail (just kidding). However, there have been some occasions where mail has been inadvertently given to someone else impersonating the occupier of the intended address. This practice was rife at one point, and now most postal services will not hand over mail unless they can post it through the letterbox, or leave it at a designated collection point.

And here is the real vulnerability. In apartment blocks, flats, or shared complexes, mail is typically left in mailboxes that require a key to access. The idea being that the intended recipient holds the key, and collects their mail from the mailbox. In most cases, it is a fairly simple process to either extract mail from this box via the letter opening (it sounds crazy, but you can actually get your fingers into the slot and if someone left a parcel, a letter could be sitting on top, and be within easy reach), or use brute force to break the lock and gain access this way. In the UK, personal post boxes aren’t commonplace if you live in a house, as the doors often have letter boxes designed to deliver directly into the property – enhancing security. This isn’t necessarily the same for multi-dwelling apartments, but in most cases, each door has it’s own letterbox. I recently had a new door fitted to the front of my house, and it had no place for a letterbox. Based on this, I decided to purchase a wall mounted post box. Despite being made of metal and looking sturdy, it was simple to gain direct entry to without the keys through the opening at the top. This was designed to accept parcels and standard letters, but in most cases (for me anyway), was wide enough for a hand to reach inside and intercept mail. Not sure what I’m getting at ? Have a look at the below

The picture above is my hand inserted into my own post box – it’s a little difficult to see the full effect, but it does give you a clear indicator of how simple this method of retrieving mail actually is. Various fraud and identity theft instances have been reported over the years, and the extraction point is often identified as the mailbox. As outrageous as it sounds, an identity thief could (and this has actually happened in the past):

  • Apply for a loan in your name
  • Intercept your post for the application form
  • Sign this as you, and return the form
  • Wait for the loan to be approved
  • Collect the requested loan amount from the account they setup in your name
  • Not repay the loan, leaving you responsible for the total amount as far as the lender is concerned.

Once an identity thief has access to your personal information. they can then use this to create new identities to sell onto others. And it is not just the living that have been subjected to this type of fraud. The deceased are often the target of identity theft, as there is generally nobody to question or challenge this, unless a relative receives a demand for payment of an outstanding debt that has been accrued since they passed away. As simple as it sounds, a thief just needs to review the obituaries in the local newspaper to identify a potential target. This will contain the name, age, and in several cases, the date born – or a simple mechanism of retrieving this information.

Given the relatively simple steps above, you are able to see how identity theft works. Not so complex after all, is it ? So how can we prevent it, or at the very best, lessen it’s impact ?

  • Arrange for your bank statements and utility bills to be sent to you electronically, and not by post
  • Regularly check your bank accounts for unauthorised or unexpected activity.
  • Perform frequent credit checks to ensure that you are not being denied credit or being blacklisted – either of these is a sign of recent identity fraud.
  • Do not place sensitive documents in your recycling unless they have been shredded – preferably by a cross-cut device to prevent reassembly. A bag of ribbons is unappealing to an identity thief
  • Secure your letter or post box in such a way that makes tampering very difficult, it not nearly impossible. My advice here is to abide by the law, and not make the device a booby trap if opened.
  • Do not become complacent – exercise caution when disposing of or storing sensitive documents
  • For the truly paranoid, there’s a galavinsed incinerator. It sounds technical, but is really just a bin with a chimney, designed for burning paper and garden waste. You may need to check with your local authority before using one of these – there may be conditions governing their use in restricted areas as the smoke emitted can be quite unforgiving to drying laundry in neighbouring gardens / yards, or hazardous to breathe in dependant on proximity and the material being burnt.

Deploying these simple techniques can reduce your chances being exposed to risk of identity theft, and you’ll be surprised at just how effective they can be.

Remember – each of these techniques relies on the sole point of vulnerability – human nature. Don’t expose your identity unnecessarily.

About the Author
Mark Cutting

Mark Cutting

Facebook Twitter Google+

Mark Cutting is the founder of Phenomlab.com and Inocul8r.net. He is a network, security and infrastructure expert with more than 27 years service in the Information Technology sector. Mark has a significant eye for detail, coupled with an extensive skill set. Having worked in numerous industries including trading, finance, hedge funds, marketing, manufacturing and distribution, he has been exposed to a wide variety of environments and technologies alike.

Leave a Reply

2 Comment threads
2 Thread replies
Most reacted comment
Hottest comment thread
4 Comment authors
Mark CuttingAziz RahmanMark CuttingMark Honeycutt Recent comment authors
newest oldest most voted
Notify of
Mark Honeycutt

Good article Mark. This is the type of info we used to be warned about a long time ago, but it’s been lost to the digital age, and most people, especially those new to it all, don’t have a clue how this is done. I’ll take it a step further and say that I think it’s important to show these things to learners because it’s easy to find out what the risks of something are, but it’s hard to get specific, real-world examples of how it’s done.

It’s amazing what kind of information you can get on someone without actually breaking a law. The NSA wrote a long report a couple of years ago about Google “hacking.” Totally legal stuff that just searches for info that shouldn’t be out there but were picked up by “The Spyder”

Aziz Rahman

You’ve got me a little concerned now about how much I’ve inadvertently revealed through social media – and that isn’t a bad thing. Very good article – I’ll have to read the rest of the series.