Thursday, October 19, 2006

Bob Average, PowerSeller39 and Identity Theft

Today, I'll be telling you a story about Bob. If you don't want to read about Bob, skip to the "Tips for the Paranoid" section.

Bob used to be an average guy, working at an average job. He had an average girlfriend, and earned an average wage. He broke the law, on average, about as many times as any other guy on his block; when he did, it was only average, everyday stuff: jaywalking, speeding, and lying to his bank about his (sadly average) income.

Today, Bob Average became a wanted man.

DISCLAIMER: This whole story is hypothetical. It may have inconsistencies. I have done my best to keep everything within the role of the possible, but you may find a leap of logic here or there. What I'm trying to get across is a general idea, not a specific set of events. There are more variations on this scenario than I could hope to enumerate, be aware that this is a very specific example of a very general problem.

Also, be aware that this is COPYRIGHTED MATERIAL. You are welcome to link to, excerpt, criticise, or otherwise deal with this article in any manner permitted by fair use, but you may not re-distribute it, create derivative works from it, or otherwise profit from it without my written permission. Keep it here, where I can maintain, update and correct it, and keep all of the discussion (if it ever occurs) in one place. Thanks, and enjoy.

How does an average guy like Bob become wanted? It's surprisingly easy, and you can accomplish the same in only a few simple steps. Bob started out by buying a CD player off a guy on eBay. The vendor had a reasonable eSeller rating (or whatever they call it), and so Bob felt comfortable buying from him. What Bob DIDN'T feel comfortable doing was using his credit card online, and so he elected to pay using direct deposit (ACH transfer, pay anyone, direct entry...) from his bank account. He signed on to his internet banking, made the transfer ($39, if you're interested) to PowerSeller39's account, and signed off again.

Bob felt quite comfortable doing this, because his computer is surprisingly secure, for an average computer user. This is because his brother, who lives just up the road, works as a security consultant, protecting end-user computers from viruses, trojans and root-kits. He knows exactly what he's doing, and Bob's computer is VERY safe.

Anyway, Bob sent off a quick email to PowerSeller39 telling him where to deliver the product, and sat back to await his new CD player.

Two days later, Bob's bank receives a phone call. The caller states that he's just moving house, and he'd like to change his address. He gives Bob's bank account number, but can't remember his phone-banking password. When the phone operator asks him his current mailing address, he rattles it off like he lives there. The phone operator isn't satisfied yet, however, and asks for his date of birth, and a recent transaction. These details match up as well, and the caller gives the new mailing address and asks for a new statement to be sent out. Three hours later, the same caller speaks with a different operator, and asks to open a new linked savings account, with card access. Two calls on the same day, doing three different things, trip the bank's security alert level, and the operator asks for the name of Bob's dog, and his mother's maiden name. The caller rattles these off, and the new card is dispatched. The operator is able to give the caller the new account number on the spot. Isn't it amazing how convenient it is to deal with the bank these days? The caller asks for a nice high daily limit on the account. The operator tells him it's a risk, but the caller says he isn't too concerned.

You've already guessed that the caller isn't Bob. But how does he know so much about Bob? How could he know his mother's maiden name? How did he know his account number, or which bank he uses?

Let's start with his banking details. Just how much does Bob reveal when he sends a deposit to PowerSeller39? Well, if PowerSeller39 is prepared to pay a small search fee, his bank will happily help him identify the source of the $39 payment. After all, PowerSeller39 is only trying to keep his customer happy; he's had several people win auctions, and he can't tell from the usual information which one has actually paid (and so should receive the goods). After a brief wait, PowerSeller39 scribbles down the account details. After picking up the email Bob sent him containing his mailing address, PowerSeller39 now has the following information about Bob:
eBay Username: BobAvg
Bank BSB: xxx-xxx
Account number: yyyyyyyyy
Full Account Name: Bob J Average
Email Address:
Full Mailing Address: 22 Average St, Averagetown CA
Recent Transaction: $39

PowerSeller39 makes a quick call to another bank, with a question. He's been given payment details for an online purchase, but thinks it might be a scam. He just wants to make sure that the BSB he's got matches a branch near the merchant's online address. After being transferred once or twice, he finds someone to look the information up for him, and is told that the BSB is, in fact, for Bank X, and is given the branch address. A quick visit to reveals a customer service phone number, which is added to the dossier.

PowerSeller39 next turns to Google in his information search. He quickly finds that there are quite a few people out there blogging under the name "Bob Average", but only six list their location as "CA, USA". Four of them list their middle names, but none of them start with 'J'. Of the remaining two, one is a sound engineer who blogs regularly about his latest piece of expensive hi-tech sound gear. That one definitely isn't buying a $39 CD player from eBay. PowerSeller39's confidence is boosted further when he sees that Bob's latest entry talks about the CD player he's just bought off eBay.

At this point, PowerSeller39 takes a break from his sleuthing to run down to the post office and send off the CD player he picked up from a local pawn shop for $25. After all, he has to protect his eBay Seller Rating.

Afterwards, reading through Bob's blog, PowerSeller39 writes down a list of interesting information about Bob. Bob has written about all sorts of things. His girlfriend, his pet dog, his car (a 1990 Toyota Camry), his family (he has a brother, Joe, and his parents' names are Kim and Max). He saves a couple of photos which Bob has posted over the last few months. The most interesting one proudly shows off Bob's girlfriend, his car, and his licence plate number. Bob's profile mentions his birth date (no year), and he mentions proudly that he was lucky enough to be given a nice set of whiskey glasses for his 21st last year.

Okay, smarty. That explains everything but his mother's maiden name. How could he know that?

Well, Bob's blog mentions that he heads off to Normalville, TX at least once a year to visit his grandparents. PowerSeller39 has a quick look through some on-line Texan county marriage records, figuring that Bob's parents probably got married near where THEIR parents lived. He quickly discovers that in 1971, Kim Usual married Max Average. PowerSeller39 got lucky with this one; it can sometimes take HOURS to find maiden names through marriage records. County birth records confirm Bob's date of birth.

With all these details, PowerSeller39 makes his calls to the bank.

But why, do you ask, did he go to the effort of changing Bob's address? Why get a new account and card? Well, you see, Bob isn't PowerSeller39's ONLY victim. PowerSeller39 has short-term access to dozens of people's accounts; instead of opening new accounts on these, he resets their web-banking passwords. Sure, the accounts' owners will notice in a few days that they can't log in, and call the bank to find out why. How often do you log in to internet banking, though? Often enough to catch PowerSeller39 within a day or two? Chances are, plenty of people won't catch the breach in time. Remember, PowerSeller39 can collect many sets of details over time, and make all the calls on the one day. He transfers a great deal of money from his numerous victims (some of which he's gotten with the above method, others through phishing, and yet others by simply stealing wallets) into Bob's new account. When Bob's new card arrives a few days later (most likely to a house whose owners have gone on holiday), PowerSeller39 picks it up, activates it, and pulls lots of cash from it. He's probably set up several of these 'mule' accounts to move cash into, and then pull it out of ATMs. All PowerSeller39 has to hope is that Bob won't notice a new account being opened under his name.

Of course, when the police begin investigating all of the theft complaints, they will notice that all of this stolen money was transferred to Bob's account. If Bob's really unlucky, PowerSeller39 will be in the local area, so the ATM withdrawal locations won't prove that it wasn't Bob. Hopefully the ATM photos will help, but PowerSeller39 went around late at night wearing a mask. Hopefully Bob has a very different body shape to PowerSeller39. Phone records are of little help, because our perpetrator used public phone booths.

Two or three days later, PowerSeller39 sends Bob an email asking if he got the CD player, and why he hasn't left feedback. Bob is busy explaining to the police that he hadn't opened any new accounts recently, and he definitely hadn't transferred money from other people's accounts into his, nor had he made those ATM withdrawals. In spite of this, he does manage to fit in a few minutes to leave positive feedback for PowerSeller39. The CD player had, after all, arrived quickly and easily, and PowerSeller39 had been easy to deal with.

So, moral of the story. What did Bob do wrong? Well, probably nothing. He did have a blog with some personal information. He left some links which could be followed between his financial dealings and his personal life. But really, he didn't do anything wrong. He was victimised by somebody who was prepared to do a lot of research. If somebody like this is really out to get you, there probably isn't a lot you can do about it. That said, here are some tips for the paranoid (I follow every one of these tips myself).

1. Have a separate account for transferring money to strangers. Never send payments to strangers from an account which you operate regularly. Even better, get yourself a stored value card with access to your national ACH/DE/whatever scheme. Many countries now have low-value SVCs with this feature, and you often won't even need to identify yourself.

2. Check with your financial institution about how they identify you over the phone. If you aren't satisfied, move your accounts somewhere else. Look for a bank which allows you to write your own security questions. If you are stuck using your mother's maiden name and your favourite pet, lie. Make up stuff that you can remember, but that nobody else will be able to research.

3. Avoid links between your online 'financial' self and your online 'personal' self. Think like an attacker. Don't let somebody you deal with on eBay find out your real name. If your bank allows you to choose the "Originating Account Name" when you do a transfer, make use of this feature and send your eBay ID. Make sure you don't choose an eBay name which could be linked to your blog.

4. Keep your anti-virus/anti-malware/anti-rootkit/anti-STD/whatever protection up to date. Run scans regularly. Bob in our story wasn't hit by a password-stealing trojan, but there are plenty of them out there.

5. Practice Safe Hex. Don't download things from untrusted sites. Don't trust sites which display lots of porn ads. Never click "yes" OR "no" on a browser popup if you can avoid it (close the window with the 'X' where possible). Never install browser plugins suggested by a site (download the plugin directly from the manufacturer, if you must download it at all; don't just click "Yes, install this plugin automatically for me"). There are plenty of sites out there that will give you more tips along these lines.

6. Don't use Internet Explorer. It's got huge market share, and is the current "low-hanging fruit" for hackers. Think carefully about using Firefox, because it's number two. Even if you do use one of the above, keep all of your patches up to date.

7. Back to your bank; if it offers email notifications of things like payments to new accounts, change of details, etc., sign up for this service. Get these notifications sent straight to your email-enabled mobile phone, if possible.

8. Get yourself a low-limit (or even better, debit) Visa or Mastercard for use on the internet. Even if you do get hit, it won't be for much. Credit cards have much better consumer protection than debit cards, anyway, so use them whenever possible, even when a direct deposit or similar is also an option. If you have a major credit card, you will often get additional benefits like extended warranties on electronic goods. Familiarise yourself with your card issuer's chargeback procedures, and check your account regularly for any unauthorised transactions.

9. Think about the points I've made in here, and come up with ideas of your own about what you can do to protect yourself. Then post your ideas as comments here, and we can generate some discussion.

Yours Curiously,
