Identity theft: Businesses are at risk

Identity theft: It's becoming increasingly hard to spot. Criminals are finding ever more creative ways to steal your good name. Here's one clue to watch out for.

Identity theft goes way back. Shakespeare mentions it in Othello:

"But he that filches from me my good name / Robs me of that which not enriches him / And makes me poor indeed."

The bard never ceases to amaze me. With your permission, I'd like to use a more recent definition from our friends at Wikipedia:

"Identity theft is a form of fraud or cheating of another person's identity in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name."

Okay, that covers past and present. Things are good.

But are they?

Last week, I received a phone call from Dean (car mechanic extraordinaire). He was working on my tired Chevy. It was bleeding something dark and sticky. "Hey, Dean, whatcha find?"

"Don't know."

Dean is not one to mince words. So I instantly imagined the worst. "It's that bad?"

"Sure is," he confirmed. "Jim (another long-time customer) just called, mad as hell. Asked me what the (strong expletive) bill was for. And, when did I move the shop."

Why is he telling me this? Then the light went on. Dean thinks something's screwy with the invoicing system. Guess who installed it? And, he's got my car. With my ride and street cred at stake, I told Dean I'd be right over.

After talking to Dean more, I got the picture. Jim was a victim of a spear-phishing attack (Epsilon breach). The attacker used detailed information about Dean's auto-repair business to try and sucker Jim into sending money to Dean, but at a different address.

Not a good thing for either Dean or Jim. Right away, we got Jim back on the phone, and I explained what happened.

Wrong addresses are a clue

Changing addresses is a key component of identity theft. If at all possible, the crook will try to change the addresses specific to the attack. Doing so removes the victim's chance of figuring out what's going on. In the case of Jim's phantom bill, if he hadn't known Dean's correct address, he would have sent the money directly to the criminal, and Dean would not have had a clue.

Consumers also beware

Being able to alter addresses is even more serious if payment-card fraud is the crime du jour. It's a home run if the bad guy can change the address listed on the account. Why? The victim will not receive a monthly bill, nor realize anything is wrong until the collection agency is knocking on the front door.

Business identity theft

Where better to look for business identity theft information than the Better Business Bureau (BBB)? Steve Cox, BBB spokesperson, provides the following insight:

"Business identity theft is a very real concern in today's marketplace. From a criminal's perspective, it is significantly more cost-effective to steal business identities than consumer identities.

Businesses can be especially easy targets because they may not be as adept or well-equipped to protect sensitive information as larger companies that can afford to hire dedicated staff to ensure oversight and security."

The Better Business Bureau website provides the following examples of ID theft:

  • Phishing E-mails: Phishing e-mails are an example of business ID theft designed to defraud consumers. Phishing e-mails are used to coerce financial information from the recipient or to install malware and viruses on recipients' computers.
  • Defrauding the Business: A crafty ID thief can do a lot of damage with a company's Employer Identification Number, including gaining access to bank and credit card accounts or opening up new lines of credit under the business's name.
  • Defrauding Consumers: Scammers use and leverage the company's identity and reputation to create a trustworthy façade behind which they operate their scam. Business owners are usually alerted to the identity theft by angry consumers who were ripped off by the scammers. (This is what happened to Dean.)

The BBB goes on to recommend the following steps if a business identity has been stolen:

  • Alert the Authorities: Business owners need to immediately contact their local police department if they believe the company's identity has been compromised. If scammers are using the company's name on phishing e-mails or with phony Web sites, business owners can also contact the FBI's Internet Crime Complaint Center.
  • Alert Bank and Credit Card Companies: If scammers are accessing the business's credit or bank accounts, it's important for a small business owner to notify financial institutions involved in order to limit any further unauthorized transactions.
  • Alert the Public: If the company's identity has been stolen and is being used to rip off customers, warning the public is a top priority to prevent additional people from becoming victims.
  • Review Credit Report: If the business is a sole proprietorship, then the same consumer protections apply as if an individual's ID were stolen, such as access to free credit reports and the ability to place a fraud alert on the report. The Consumer Federation of America just issued a best practices document for comparing identity theft services. It might be worthwhile to check out.

Need to explain

I usually don't use verbatim text from websites, but the information from the Better Business Bureau is golden, and not just for business records. Their suggestions apply equally well to the handling of any sensitive personal and/or business information.

I'd like to make another point. Favoring business identity theft over attacking consumers is one more example of criminals going after "low-hanging fruit." The BBB points out higher credit limits afforded businesses as being the reason why. Larger pots mean the bad guys are less likely to be noticed, unless they get greedy.

Final thoughts

The identity theft of Dean's business information was narrowly thwarted, thanks to a tight-fisted Minnesotan. Hopefully, we all will follow his example.

And, thanks for all your concern. My car is feeling much better.

26 comments
JCitizen

telling me my warranty was coming up. False of course, but if I hadn't been aware of the Epsilon breach, I might have suckered in. Then again, I might not have, as hotmail blocks the page of scripts and controls if the sender is unknown. So that was the big tip off right there; even before I read the page. This is still considered a serious breach of privacy to me though, as I have not received such sophisticated attempts before. The attacker has enough knowledge to do damage to even the most web-wise users.

bboyd

A separate secure OS and limited-use PC. I already use one for my online banking.

JCitizen

The theft of customer lists would be my nightmare as a business man. I have an old client that is just starting up into manufacturing, and I fear for him, as he is particularly computer illiterate. Maybe he'll stick to his old business model to avert disaster, but his competitors are all on line and doing brisk business. He will have to also, if he truly wants to compete.

AnsuGisalas

That'd help, wouldn't it? If the invoice needs to match a hash of certain data to be entered into the banking system, there's not much ID thieves can do, anymore. This would require a very detailed business register with a unique identifier, full address and account info and safe-guarded (but expeditious) address-change procedures. But it likely requires a federal initiative (or a multilateral coalition of banks) to get it moving...

HAL 9000

Other than the Client List, most of what is required to do things like this is freely advertised by the business in an attempt to attract customers. It makes things very hard, particularly if you have a lot of customers who you do not see regularly, who are then easy pickings. Of course, like everything, if the customer was to check out the Bill and ask questions about anything out of the ordinary, things like this couldn't get through. Of course I've seen cases where a little was charged to customers on a regular basis and it wasn't caught till someone started to ask questions about Foreign Currency Transactions. Nothing big, but sub $20.00 US charges once a month or so generally don't get looked at till things have been going on for months at a time. The big ones are picked up very quickly, but those small ones just get paid and not thought about again by most people. ;) Col

seanferd

as to how Dean's business was at risk for identity theft? Was it that the detailed information on Dean's business used in the phish was private? I mean, not cool for Dean, and probably bad for Jim, if you gentlemen hadn't caught on, but was it modern identity theft or was it misrepresentation? (I'm still not sure my question is clear, but hopefully it is good enough to start from.) Off topic: Michael, you might be interested. I haven't dropped thirty Euros for the original paper, but here is the abstract. Abstract: In this article, an innovative method is proposed for the realisation of zero knowledge subscriber identification schemes that is suitable for multimedia content distribution applications. The fundamental principle underlying the proposed method is the concept of using one-way Boolean functions as transformations for the zero knowledge identification. This enables the increase of the speed of completion of the identification process by two to three orders of magnitude, compared to the corresponding speed when using modular arithmetic with large numbers. A method for the establishment of one way Boolean functions for zero knowledge identification has been developed. Two examples for the application of the proposed method are presented.

Michael Kassner

Find out why crooks are more apt to attack businesses versus consumers.

Michael Kassner

Now, I use my iPhone or a locked down USB OS. I could not argue down the fact that a computer even if that is all it is used for cannot be compromised.

HAL 9000

They use a Windows Desktop/NB for daily use and a Linux NetBook for Banking. Only way to be sure that there is no cross infection to their On Line Banking and money. ;) Col

Michael Kassner

Are used by Dean and the scam invoice was one as well.

Michael Kassner

In Dean's case, it was a hard copy bill. Most small businesses mail invoices or have the customer pay when they pick up the finished work.

B.Kaatz

The tools have been there for years, and those who understand the difference between what is sensitive information and what isn't have been using and improving these tools all the while. For anything that is of a sensitive nature, like billing, the idea of the business having a GPG/PGP key tied to the *known* email address they send invoices from, and then *sign* the invoice before you send it, should be a good safeguard from the casual phisher like above. Unfortunately, it seems that such tools are beyond the perceptions of your average end-user. If we can change *that* perception, then people can have an assurance that the email is being sent by who they are expecting, and the phishers will lose another attack vector.

green_man123

Identity theft are not at risk they just follow the Graco Pack and Play theory, trying at every hole they can. May god keep us all safe!

Michael Kassner

I did not find out any more information about this particular scam. But, your comment got me thinking. What if the crook sent the same bill to 100 of Dean's customers? I wonder what percentage would actually know the correct billing address, especially if a return envelope was included.

Michael Kassner

Thanks for the link. I'm on a business trip to Sweden now. I'll check that out when my jet lag dissipates. As for Dean and identity theft, you are correct about misrepresentation being the key factor. I guess my point was that ID theft CAN present itself in multiple ways, and easier now than ever with digital access. Let's say that same scam invoice went out to several people (stealing a customer list is ID theft), including Jim's grandmother. She may not give it a second thought and pay it out of trust. Dean's reputation and livelihood could suffer until everyone involved became aware it wasn't his fault. Granted, the information used/abused was out of the norm. The fact is Dean's business identity was being used to leverage a crime. The FTC is well aware of that ruse and warns loudly about it. I felt it was important enough to pass this different side of ID theft along to you, the members.

JCitizen

Mail order the old way could be just as dangerous, I suppose.

AnsuGisalas

But if the bank's system checks the invoice data against a business DB, that'd stop the fraud when people use home banking. Showing up with the cash at the false place of business is unfortunate, and could be dangerous, but then, there's gotta be alarm bells ringing for most people by then.

seanferd

I guess my main thrust was, did the phishers have Dean's sensitive information which is not public. I was having a bit of brain failure trying to organize that question.

Michael Kassner

I came home to 0 deg C and snow flurries. Expect the same for the weekend. You live in a wonderful area. Halmstad is easy to get used to. Each year, I fall more in love with it.

AnsuGisalas

This year we're easy to please. But I've been sick as a dog for the last few days, and haven't been able to enjoy it. Now they're promising over ten Celsius; that's gonna be something.

Michael Kassner

I agree with your thoughts. I see where your thinking is as well. EU has different perception than US about .govs. I wanted to try and get a few off days this trip but not possible. It is one amazing area. Weather was not so nice. Next year.

AnsuGisalas

For example, the banks keep whining about the costs of maintaining the cash card infrastructure, but they're not so much talking about what it cost to lug about huge amounts of cash, like before cash cards became prevalent. What I mean is, that there are savings to be had too, and transparency can do a lot for bookkeeping across the board. Perhaps enough for the government to foot part of the bill, if the gains are widespread enough. By the way, are you safely out of Scandinavia by now?

Michael Kassner

That would be interesting, but a cost to the banks. I suspect that might stop it right there.

AnsuGisalas

See, the scam won't work if the bank won't accept an invoice from a business if the data doesn't match the database. Even if it's entered by hand through home banking, or read at the bank office. Getting the banks to create the system, and keeping registration lean enough for businesses to not suffer too much red tape, that's another matter. We don't have this over here though, but my bank tells me the registered owner of the bank account I'm paying to, if the account is in the same bank. It would be a small step to share the data between all the banks, as they already have to share other data.
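The check proposed in this comment, and the "wrong addresses are a clue" point in the article, can be sketched as a bank-side (or customer-side) vetting step that compares an invoice's remit-to details against a trusted business register. This is an added example, not code from the article, its commenters, or any bank; the register entries, the business id "MN-123456", and the account and address strings are constructed for illustration.

```python
"""Vet a received invoice against a trusted business register.

Added example, not from the article. REGISTER and the invoices below are
constructed; the business id format and account labels are hypothetical.
"""
import hashlib
from dataclasses import dataclass

# Constructed register: the record a bank (or the paying customer) trusts.
REGISTER = {
    "MN-123456": {  # hypothetical business registration number
        "name": "Dean's Auto Repair",
        "address": "100 Main St, Duluth, MN",
        "account": "US-BANK-0001",
    },
}

FIELDS = ("name", "address", "account")


@dataclass(frozen=True)
class Invoice:
    business_id: str
    name: str
    remit_address: str
    remit_account: str
    amount: float


def fingerprint(rec: dict) -> str:
    """Hash of the register fields an invoice must agree with, after
    normalising case and whitespace so a trivial reformat is not a mismatch."""
    canonical = "|".join(" ".join(rec[k].split()).lower() for k in FIELDS)
    return hashlib.sha256(canonical.encode()).hexdigest()


def vet_invoice(inv: Invoice, register: dict = REGISTER) -> tuple[str, list[str]]:
    """Return ("accept", []) or ("reject", reasons).

    Any disagreement with the register rejects the payment: a changed
    remit-to address or account number is exactly the identity-theft clue
    the article describes (same business name, different place to send money).
    """
    rec = register.get(inv.business_id)
    if rec is None:
        return "reject", ["unknown business id"]
    submitted = {"name": inv.name, "address": inv.remit_address, "account": inv.remit_account}
    if fingerprint(submitted) == fingerprint(rec):
        return "accept", []
    reasons = [f"{k} mismatch" for k in FIELDS
               if " ".join(submitted[k].split()).lower() != " ".join(rec[k].split()).lower()]
    return "reject", reasons
```

A genuine invoice matches on all three fields; Jim's phantom bill would carry Dean's name and id but a different address and account, and is rejected with both mismatches listed.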

Michael Kassner

I don't believe vetting invoice data against a business database is something that occurs with any regularity. At least that I know of. The idea is to use Dean's identity to get the victim to give up their financial information (credit/debit card information).

santeewelding

You get to do what you have done only once. You have used up your once. In the way TR runs its business -- well, what can I say, other than, welcome to the bandwagon.