Robbing Banks
3. Robbing Banks
Identity fraud is a term that encompasses a wide variety of crimes perpetrated against the person. At first we will focus on the theft of personal data and subsequent financial loss, since these are the primary concerns for the ordinary online user. Later, we will look at strategies and computer software/hardware that is available to provide layers of defense that may protect us from certain types of attack.
Most banks with an online facility use a fully or partially transmitted PIN or password. This is the basic, ordinary level of security that has been the backbone of Internet security since its creation. It means that the user is asked to enter either a full PIN or individual digits from it; for example, you might be asked to enter the first, third and fifth digits from your six-digit PIN.
Some banks are now adopting methods that create one-time passwords (or PINs), and there is an increasing trend towards such techniques. That's particularly the case since the US Federal Financial Institutions Examination Council (FFIEC) issued 'guidelines' to financial institutions regarding minimum standards of security.
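The difference between the two schemes above, as an added example that is not part of the original article: a partial PIN is still a static secret that is revealed piece by piece over successive logins, while a one-time password is accepted once and then rejected. The sketch assumes the bank picks the requested digit positions uniformly at random, and uses HOTP (RFC 4226) as one standard one-time password construction, since the article does not name one; `partial_pin_exposure` and `OtpVerifier` are hypothetical names.

```python
import hashlib
import hmac
import struct
from math import comb


def partial_pin_exposure(pin_len: int, asked: int, logins: int) -> float:
    """Probability that every PIN position has been requested at least once
    across `logins` challenges, each asking for `asked` random positions
    (inclusion-exclusion over the positions never requested)."""
    total = comb(pin_len, asked)
    return sum(
        (-1) ** j * comb(pin_len, j) * (comb(pin_len - j, asked) / total) ** logins
        for j in range(pin_len + 1)
    )


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time password per RFC 4226 (HMAC-SHA-1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side: accepts a code for a given counter once, then moves past it."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # counters up to c are never checked again
                return True
        return False


if __name__ == "__main__":
    # Six-digit PIN, three digits requested per login (the article's example).
    for k in (1, 2, 3, 5, 10):
        print(f"{k:2d} logins: whole PIN requested with p={partial_pin_exposure(6, 3, k):.3f}")
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    server = OtpVerifier(secret)
    code = hotp(secret, 0)
    print("first use:", server.verify(code), "| replay:", server.verify(code))
```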
Goin' Phishing
There are a couple of hacker terms that you should know: "owning the desktop" and "root". These refer to the ability of a hacker to 'listen' to activity on another user's desktop PC. This is achieved by placing programs on your PC that can intercept data as you browse, or information that you type in. With this capability, the hacker can work out your login details within two or three successful login attempts.
Using this information, a hacker targeting you can then call you pretending to be a representative of your bank. Having 'listened' and determined your login, and seen screenshots of your private account pages, he can discuss and 'confirm' information required for telephone banking.
The hacker can now act against your accounts by calling the bank and setting up transfers in your name. At this point they have combined the desktop attack with what is called "social engineering" (the direct phone call to you) to great effect. Our hacker now has a strategic hold on your bank account data and hasn't even broken a sweat.
But it's not just banks that are at risk. Think of those prominent sites that allow you to store your credit card details for convenience. If you use these and log in through a conventional login page, as above, the capture of those details will lead a hacker to your credit card, and allow unauthorized purchases to be made on your account.
This leads us nicely to another type of social engineering that has held media attention for some time: phishing. This term refers to hackers who send out waves of emails to thousands of online users, purporting to be from banks, eBay, PayPal and other finance-related sites. Victims are redirected to very genuine-looking but fake sites, and too many unsuspecting souls actually log in, disclosing their usernames, PINs and passwords to unsavory characters.
To get a handle on the full extent of phishing, look at this page from Fraud Watch. Keep in mind that each instance listed potentially represents a wave of many thousands of emails.