Monday, May 10, 2010

My paper

This semester I had to write a forensic accounting report on identity theft. A couple people have asked me to post it up here so they could read it, so here you go.

--- --- ---


Identity Theft

“But he that filches from me my good name
Robs me of that which not enriches him
And makes me poor indeed.”
-William Shakespeare, Othello Act 3 scene 3 (Page)

Identity theft – in this day of technology, the term is used frequently. But what is identity theft, exactly? Identity theft is the term used to describe the occurrence when “someone uses [one’s] personally identifying information, like [his] name, Social Security number, or credit card number, without [the victim’s] permission, to commit fraud or other crimes.” (FTC.gov) People rely on technology for daily activities – school, purchases, social networking, among a multitude of other activities. We distribute our information with ease online, via purchases of goods and registration for services. However, it may come as a surprise to some that most identity theft is not started online. There are five primary methods used by identity thieves to acquire information: carding, dumpster diving, credit card skimming, shoulder surfing, and Internet scams. Notice that only one method directly involves the Internet. We live in an age of information – not all of that information is online. Each method is discussed below in terms of its cause, effect, and prevention.

Carding is first in the list, so it is the first topic covered. Carding (not to be confused with textile-related carding) is a method in which the identity thief acquires the victim’s credit card information and verifies the validity of that information before using it as intended. This method of identity theft is interesting in that it only requires the theft of the numbers, and not necessarily the actual card. One example is when the victim is out to eat at a restaurant. The receipt is put on the table, the victim places his credit card with the receipt, and the waiter/waitress takes the card to process the receipt. What was happening at this particular restaurant was that the waiters/waitresses would take the cards into the back room and take pictures of the front and back of the victims’ credit cards.

But what would the identity thieves do with that information once they acquire it? First, the thieves would verify the card information is valid. In the instance above, the thieves already knew the information was valid – however, that benefit may not come to all identity thieves automatically. Typically the thief charges a small transaction to the card, like a song from iTunes – something which can be easily accessed by the thief. If the transaction goes through, the thief will begin to rack up exorbitant charges on the card for any sort of expense. This is how the victims of the identity theft in the last paragraph discovered the scheme – small purchases they didn’t make for minutes on Skype, for example.

What are steps one can take to avoid being a victim of carding? One can be careful who has access to their credit card information as well as where the information is made visible, and one can keep a close eye on credit card statements. Today, most people can keep track of their credit card charges very closely via bank websites. This way, the victim of carding will be able to tell when the identity thief is verifying the card information. If the victim can spot the identity theft, he can then take the proper steps to prevent the thief from using that credit card to make the large illegitimate purchases.

Second in the list is dumpster diving. This may not come to mind when most people think of identity theft, but it is a feasible way to acquire personally identifiable information. Pre-approved credit cards are the worst offender in this respect. Regarding them as spam, the victim tends to simply discard the pre-approved cards in the trash. The identity thief will then sift through the victim’s garbage to look for this information. Pre-approved card forms, credit card carbons, any documentation with personally identifiable information – these are what the identity thief looks for. The beneficial thing about dumpster diving, to an identity thief, is that the theft of the documentation isn’t readily noticed by the victim like the theft of their driver’s license or credit card would be.

The information the identity thief could obtain using this method has the potential to be far greater than the information acquired by carding. While carding would (typically) only provide the information for the specific account, dumpster diving could produce social security numbers, driver’s license numbers, and many other pieces of information that would be valuable to the identity thief.

How does one prevent identity thieves from getting information by dumpster diving? The best way to prevent victimization via dumpster diving is to invest in a paper shredder. The dumpster diver hopes to find intact paperwork that contains personally identifying information. Before throwing out documents that contain personal information, one should shred them so that the identity thief would not be able to (easily) find any personally identifiable information on the documents. A cross-cut shredder is more efficient than a standard shredder, as the blades slice in two directions instead of just one, thereby making the job near-impossible for even the most dedicated identity thief.

Credit card skimming is a method that involves acquiring the information off of the black stripe on the back of a credit card by employing a “skimmer.” The skimmer reads the information contents of the magnetic strip, and stores it for the identity thief to view. The magnetic strip contains the credit card number, with which the identity thief can execute the crime.

Credit card skimmers have a very small form factor – some are even as small as a cigarette lighter. As such, they can often go unnoticed unless one looks closely. There have been reports of identity thieves posing as ATM technicians who replace legitimate ATMs with fraudulent systems that contain only a card skimmer and a display. (Walters) The card skimmer will save the information of the cards that victims used in an attempt to use the machine, and then the “technician” would take the system away, putting the legitimate one back in place. The card skimmer would then have several numbers which the identity thief could research and use.

How can credit card skimming be avoided? One can keep an eye on his credit card – make sure he knows who is handling it, and how – the identity thief would not want the victim seeing him skim the card, so he would take it out of sight. Another method, as always with any form of identity theft, is to keep a close eye on receipts and match them to the relevant credit card statement. This will tip the victim off to fraudulent charges that occur from stolen information.

Shoulder surfing has been a tactic for identity theft and snooping in general for quite some time. It is, in layman’s terms, the act of “looking over someone’s shoulder.” This can be quite effective in the proper environment, such as an office or crowded area. For instance, when the victim is making a payment online, he may pull out his credit card to write down the number – the victim may not have his card number memorized. Or, the victim does have his card number memorized, and types it in on the computer. The shoulder surfer could walk by, take a peek, and memorize the numbers. The identity thief wouldn’t have to memorize all 16 numbers – the first eight are typically standardized by the card company (Visa, for example) but the second eight numbers are unique to the card. Sixteen numbers are very hard to memorize just by looking at them – focusing on the last eight, however, makes it easier for the identity thief to memorize the information.

Preventing shoulder surfing can be difficult in some instances – there are times when one needs to have his credit card out, or type it into an online form (where the number is in plain text so anyone can read it). However, one can cover himself by limiting who can view that information. When using the credit card, the potential victim can do his best to obscure the information on the card with his hand. When entering the PIN of the card for purchases, one can use one hand to type and the other to block the view of anyone who could be shoulder surfing. When processing online transactions that involve entering a credit card number into a form, it is a good idea to perform those transactions at a time and place where the opportunity for someone to shoulder surf is limited (example – completing Internet purchasing at home, not at work).

Internet scams are what most people associate with identity theft. There are numerous ways in which identity theft can be committed via the Internet – since most of our daily activities tend to have the Internet involved in one way or the other via purchases or social networking, the Internet is a great place for identity thieves to gather information.

The prevalent method of Internet scam is what is known as “phishing.” Phishing is defined as “a scam where Internet fraudsters send spam or pop-up messages to lure personal and financial information from unsuspecting victims.” (OnGuard Online) This is done in three different ways – phone, e-mail, or pop-up messages. An example of phone phishing would be the instance earlier this month in Ellsworth, Maine. The Hancock County Police Department was receiving complaints that automated messages were being sent from Machias Savings Bank. The messages stated that the call recipient’s accounts had been compromised, and that the recipient needed to enter his credit card number to safely reactivate the account. (Trotter) The police advised local residents to disregard those calls as bogus – if one’s bank account was compromised, there would be no logical reason for the victim to provide his credit card number, or any other information over the phone (and many banks, if not all of them, would not ask for such information over the phone as a matter of policy).

E-mail phishing is another prevalent method of phishing. This form of phishing involves the same tactic as phone phishing – a legitimate-looking e-mail is sent to the potential victim, stating that for some seemingly legitimate reason, their account must be verified. This involves the victim sending in information, whether it is a user name, password, address, or any other identifying information. The potential victim of phishing would receive an e-mail that looked official, which would have the victim follow a link to a website where he would supply important account information. The webpage would look, feel, and operate like the real site, but it would direct all information to the identity thieves in charge of the site. This can be illustrated by an incident that occurred in Miamisburg, OH. Graduates of Miamisburg High School were receiving e-mails stating that in order to stay in the alumni group of the school, the graduates would have to go to the group’s website and pay a $20 fee. The real alumni group of Miamisburg, OH does not charge a fee of any kind – once one graduates, he is in the group. (Dayton Daily News)

Pop-up phishing (or advertisement phishing) is not seen as often, but it is still used on the Internet. Websites can be set up and used for a certain purpose, but while on that site the potential victim sees a pop-up message appear on the screen. As an example, the pop-up could say something to the effect of “the ISP provider needs to verify this user’s account information in order to continue.” At that point, the pop-up would somehow have the victim enter the information. This method is not seen as much as its counterpart, advertisement phishing. An example of phishing ads is the banner ads that claim the potential victim has just won a new video game console, but must fill out a form to receive the prize. The information is then received by the identity thieves, and used for their purposes.

Pharming is a method of Internet scam that is more technology-oriented than the previous methods. Pharming involves the redirection of traffic from a legitimate site to a fake site, where information can be obtained from victims. This is typically done via installation of spyware or some other form of malware, which edits the hosts file. The hosts file is used by web browsers (on Windows computers) to associate IP addresses with web addresses (www.amazon.com, for instance). When the malware edits the hosts file, it will change the IP address from that of the legitimate website to that of the pharming website. The IP address of www.amazon.com is 72.21.207.65. For sake of example, let’s say that the IP address of the pharming site is 72.21.207.66. The malware would change the hosts file to say that the IP address of www.amazon.com is 72.21.207.66 – which would take all traffic destined for the real Amazon.com to the fraudulent website.
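The hosts-file tampering described above can be checked for with a short audit script. This is an added example, not part of the original paper: the watch list, the `bank.example` names and the sample file are constructed, and 72.21.207.66 is the paper's own hypothetical pharming address.

```python
import ipaddress

# Constructed watch list: domains whose addresses should come from DNS only.
WATCHED = {"amazon.com", "bank.example"}

# Constructed sample hosts file; 72.21.207.66 is the paper's hypothetical
# pharming address, not a real indicator.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
72.21.207.66    www.amazon.com   # entry the malware would add
0.0.0.0         ads.bank.example
10.0.0.5        intranet.corp.example
72.21.207.66    Amazon.COM.
not-an-ip       www.amazon.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: not a usable mapping
        for name in fields[1:]:  # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")


def audit_hosts(text, watched=WATCHED):
    """Return (line_no, hostname, ip, kind) for watched names pinned locally."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in watched):
            continue
        # Loopback/unspecified targets only block a site; any other
        # address silently sends the user to a different server.
        kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
        findings.append((line_no, name, str(ip), kind))
    return findings


if __name__ == "__main__":
    # On Windows the live file is C:\Windows\System32\drivers\etc\hosts.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

Any "redirected" finding for a banking or shopping domain deserves investigation, since a clean system normally resolves those names through DNS rather than the hosts file.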

How does one protect against these methods of identity theft? Carefulness is the key in this situation. Verify who is asking for the information – is the e-mail address from the place it claims to be from? Is the website address the same as what the bank has provided in its documentation? The identity thief who uses these methods thrives on the victim's ignorance. By verifying the web location and interested persons, it is easier to distinguish whether or not it is legitimate. If one is not sure, the best bet would be to call the bank (if the phishing is in relation to the bank), or check the documentation provided. Another method of prevention would involve what is known as a “phishing filter.” Anti-virus companies typically provide an “Internet protection” function in their software, which can often include a phishing filter. This filter is updated regularly as new phishing sites are discovered, and that list is used to block known phishing websites. By keeping a phishing filter updated and active on a computer system, the chances of stumbling across a false site are minimized.

Identity theft cases in the real world are plenteous. Whether the cause is from physical access to the information or via the Internet, identity theft is a very real threat. The Federal Trade Commission estimates that 9 million Americans have their identity stolen each year. (FTC.gov) As a whole, how can one protect himself from identity theft? As a general rule, caution is the key. Personally identifiable information should be treated as a valuable asset – like a car or cash. Typically, one wouldn't be careless with his vehicle or cash in the sense of allowing people easy access to it. The same should hold true for personally identifiable information. By exercising caution when sharing personally identifiable information, one can help lessen the risk of an identity thief directly acquiring their information. The best place to start when securing personal information is to verify how accessible one’s physical documentation is. Social security cards, bank statements, registration information – all this information is precious to the identity thief. Place the paperwork in a secure location, like a lockbox or locking file cabinet. Any way to put a barrier between one’s documentation and unwanted eyes is strongly encouraged.

Keep an eye on accounts and request annual credit reports. This can help stave off the brunt of identity theft. By monitoring one’s bank accounts, one can notice when fraudulent charges are made, and can begin the necessary procedures to stop the identity theft. An annual credit report will show additional information, such as the companies that requested information on one’s account. For example, if the credit report showed that Joe’s Car Dealership had requested a credit report on the victim’s account, yet this person had not done any business with Joe’s Car Dealership, one would be tipped off that identity theft may be occurring.

Carefully maintaining the paperwork for all accounts is another solid habit that will help in the case of identity theft. Too much documentation never hurts – it can be a hassle at times, but it will make the fraudulent charges easier to pick out, as the victim can compare that charge against his documentation, and be able to spot fraudulent charges amongst real ones. Keeping track of receipts and other paperwork related to the transaction can help minimize the chance of losing that paperwork – and if misplaced, that paperwork could fall into the hands of an identity thief.

In this age of abundant information, identity theft is a constant danger. Being careful of how one uses his information, closely monitoring transactions, and keeping complete records can help to minimize the risk of identity theft and limit its overall damage.


Works Cited

Dayton Daily News. Article 11. 31 March 2010. 22 April 2010.

FTC.gov. About Identity Theft - Deter. Detect. Defend. About ID Theft. 21 April 2010. 22 April 2010.

—. About Identity Theft - Deter. Detect. Defend. Avoid ID theft. 21 April 2010. 22 April 2010.

OnGuard Online. Phishing. February 2008. 22 April 2010.

Page, The Quotations. Quote Details: William Shakespeare - A good name in man... 2007. 22 April 2010.

Trotter, Bill. Article 9. 2 April 2010. 22 April 2010.

Walters, Chris. Here's What A Card Skimmer Looks Like on an ATM. 19 April 2009. 22 April 2010.