Cybersecurity Awareness Month: Identity Thieves Modus Operandi – Part 2

Friday, October 19th, 2018

In our previous article, we mentioned that identity theft isn’t always “high-tech”. It can happen to anyone, even if they don’t have a computer, use social media or own a cell phone. However, in this article, we’ll focus on “high-tech” methods of identity theft.

The identity thief’s goal is to obtain your personal information, such as your ID Number, bank or credit card account numbers, credit report information or the existence and size of your savings and investment portfolios. Once they have any of these, they can contact your financial institution pretending to be you or someone with authorized access to your account. The thief may, for example, claim that they have forgotten their chequebook and needs information about their account.

Credit or debit card theft – Many people believe credit card fraud and identity theft are the same. In reality, they are different crimes. The main difference between credit card fraud and identity theft is that credit card fraud typically involves a single credit account, but if your identity is stolen, the potential for damaging your credit history can be much greater, because someone can open numerous lines of credit in your name. Credit card fraud typically occurs when someone steals your credit card information and uses it to make unauthorized purchases. This can be done by stealing your purse or wallet or, if the criminal works at a retail store or in a restaurant, he or she may simply copy your credit card information during a transaction.

Pretexting – If you receive a phone call from someone from a reputable research firm asking you to participate in a survey, asking seemingly harmless questions like the name of your cell phone provider, bank, or even your preferred shopping centre, this is probably a pretexting scam. Pretexting is the practice of getting your personal information, such as telephone records, bank or credit card numbers, or any other information, under false pretences. A pretexter pretends they are someone else to obtain your personal information claiming they are from a survey firm and want to they ask you a few questions. Sometimes they will claim to be representatives from other types of organizations – not just survey firms –  but banks, SARS, insurance companies and ISPs.

Skimming – Identity thieves place small machines or skimmers, in the card slots of ATMs to steal credit and debit card numbers and pin codes from unsuspecting victims. This has also been reported to occur at some petrol stations where you can pay at the pump. It is not easy to look at a card reader and see that it has been altered in some way before you insert your debit or credit card, as some of the skimmers are so advanced that they are virtually undetectable. In some cases, a skimmer may remain in place for months at a time, unnoticed by employees of the “host” store and it could take months before victims realize that an identity thief has stolen their card number and PIN. Most victims only find out after the thief starts making illegitimate purchases or withdrawals from their accounts, often to the tune of thousands of rands.

Man-in-the-middle attacks – Smartphones and tablets have become a major point of access to the internet. There are many Wi-Fi networks that people can connect to from almost anywhere, for example, public libraries, airports, shopping malls and government or municipal facilities. Unfortunately, this also opens a “port of entry” for hackers which has led to the increase of “Man-In-The-Middle” attacks. A Man-In-The-Middle attack, also known under the acronym MITM, happens when a communication between two parties is intercepted by an outside entity. The perpetrator either eavesdrops on the communication or impersonates one of the two parties, making it appear as a regular exchange of data. A MITM attack targets users of enterprise email accounts, financial applications, and e-commerce websites in order to steal account details, credentials, bank account or credit card numbers and to monitor password changes.

Phishing – The Internet scam known as “phishing” (the “ph” substitution distinguishes the activity from the real “fishing” but the activity is intrinsically the same) is a spam email message that contains a link to what appears to be from a legitimate business, such as your bank, but it is actually a fake website. The email often states that you must update your account information through a bogus link to a phisher’s website and the user, unknowingly, gives out personal information to the fake website.

Pharming – A relatively new Internet scam is “pharming”. Using a virus or malware, the victim’s Internet browser is hijacked without their knowledge. If the address of a legitimate website is typed into the address bar of a browser the virus redirects the victim’s browser to a fake site.  All identifying information, such as bank passwords and credit card numbers, is collected by the scammers who steal the user’s identity.

Vishing – This is similar to “phishing”. However “vishing” scams attempt to trick targets into divulging personal information such as credit card, bank account and social security numbers using new telephone technology. Typically, “vishing” targets will receive a phone call from what appears to be a legitimate business, such as their bank or credit card issuer, and the victim is informed that their account has been compromised. The “visher” usually requests that the caller enter their account or credit card number or even their social security number to secure their account, thereby compromising the victim’s identity.

SMiShing (SMS phishing) – This form of “phishing” specifically targets smartphones. Smishing uses the scammers’ old favorite—phishing, to send out an email to entice their intended victims to click a link that downloads malicious software or virus on the smartphone. As its name implies, smishing comes from “SMS phishing”. A smishing attack goes after the smartphone via text message and usually occurs when a message is received from an unknown number that offers some sort of incentive. It might be telling you about a free offer, a coupon, that there’s something wrong with your account, or even more likely, it might claim that “your friend” has sent you a “greeting card” or message. Unlike viruses of the “old days” that sought to lock up your computer or disable your files, smishing attacks remain hidden and continue to feed information back to the smisher. Information like contacts list, email address books, and passwords are sent to the scammers.

Spear-phishing – Our last method is spear phishing. With this method, the scammer is targeting you specifically instead of just sending out random “shot in the dark” emails that someone might fall for. Spear-phishing is very successful, especially within environments like the university, because scammers pay attention to your internet activity and send you requests that look like the real thing, claiming to be from entities within your own environment. Scammers can pull off spear phishing attempts based on the information you share about yourself, as well as other bad habits such as using the same password for multiple websites. As soon as you post updates to social media, especially about accounts, people you interact with, purchases you’ve made, etc. you’re handing over vital information a scammer can use to target you.

How to protect yourself from identity theft:

  • Don’t give out your personal information on the phone, email or snail mail unless you’ve initiated the contact or unless you are sure it’s safe. And don’t feel guilty about saying No.
  • Never use your pet’s name, children’s name or a nickname as a password.
  • Ask your financial companies about their policies for preventing identity theft.
  • Be VERY careful about answering surveys — and certainly don’t give out any personal information to anyone who calls on the phone or asks via email. If you do answer survey questions, use common sense and don’t give out any information that could be sold or used by identity thieves. In other words “control” the information that you give out.
  • Tell your colleagues, family and friends about the dangers of identity theft. Awareness and sensitisation empower even the most “non-technical” person.

In the next article, we will be providing a bit of information about social engineeringKeep safe out there.

Cybersecurity Awareness Month: Identity thieves’ modus operandi – Part 1

Friday, October 12th, 2018

Identity Theft takes place whenever a criminal gets hold of a piece of your information and uses that information for their own personal gain.

While a lost or stolen wallet, purse or cell phone may simply mean the loss of your cash and credit cards, it may also be the beginning of an identity theft case. The return of the item does not guarantee cards were not copied or that your personal information was not used to commit identity theft.

In the previous article we pointed out 5 low-tech areas in your world where identity theft could take place.

  • Old-fashioned letters (including junk-mail)
  • The trash can
  • Flash disks
  • Your driver’s license or ID Document
  • Household paperwork.

Identity theft isn’t always “high-tech”. It can happen to anyone, even if they don’t have a computer or cell phone or don’t use social media.

Dumpster diving – literally digging through your trash – remains a popular method for stealing large amounts of your personal information. South Africans receive over 1.2 million tons of junk mail every year and much of this mail, such as pre-approved credit cards, credit card bills, and bank statements, includes your personal information. Dumpster-diving identity thieves root through your trash because they know the documents you discard as garbage contain personal identity information they can use in a variety of illegal manners, such as employment-related, loan, bank, benefits and tax fraud.

Mail theft – Mail theft is the number 1 white collar crime in the USA today. Mail theft is defined as anyone taking mail, be it a letter or a package, for any purpose. This includes stealing from post office workers, private mailboxes, collection boxes and even from mail trucks. One of the main motivators in mail theft is to steal a person’s identity and gain access to private information, including bank accounts and credit cards.

Social engineering – Social engineering is the art of manipulating people to give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted, the criminals are usually trying to trick you into giving them your passwords or bank information. Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to find ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is for you to try hacking their password. That is why phishing is so successful, often victims willingly give their personal information to the scammers, as they feel they can trust the person asking for the information.

Shoulder surfing – Shoulder surfing occurs when someone watches over your shoulder as you key it into a device such as an ATM or tablet, to steal valuable information, such as your password, ATM PIN, or credit card number. When the shoulder surfer uses your information for his financial gain, it becomes identity theft.

Theft of personal items – When a personal item like a handbag, a wallet or purse, a cell phone, or a laptop is stolen, all the information can potentially be used for identity theft. The value of the stolen items is often not much, and replacement is an inconvenience to many of us. However, your personal information can never be recovered, and is intrinsically more valuable than the stolen item.

What can you do to minimize “low-tech” identity theft?

  • Never give out personal or financial information over the phone or in an email.
  • Password-protect your cell phone.
  • Shred credit card receipts, junk mail and other such documents with sensitive personal or financial information.
  • Be aware of your surroundings at all time.
  • Tilt the screen of your cell phone screen away from the person next to you and don’t work in crowded airplanes, trains, airports, cafes, hotel lobbies and other public spaces.
  • Work with your back to a wall, preventing others from standing behind you and looking over your shoulder.

Next time we will look at the modus operandi of high-tech identity thieves.


Cybersecurity Awareness Month: Where do scammers get your information?

Friday, October 12th, 2018

In the last article, we provided you with a few tips on how to create strong passwords in order to make the hacker’s job harder at accessing your personal data. Using weak passwords is one way hackers and scammers get your information?”.

But where do scammers get your information?

The graphic below depicts the world where most of us find ourselves, and where scammers might obtain important snippets of our personal data that, in many cases, is there for the taking:

This is your world

Your personal information is in places beyond your control.

The cell phone has become an indispensable communications tool in the 21st century. According to the Pew Research Centre, South Africa is placed 24th on the world list with a smartphone usage of 37% of the total population. However, according to a recent global survey by McAfee and One Poll, 36% of those smartphone users have no form or password, pin or fingerprint protection on their devices. This means that if their phone falls into the wrong hands, they risk opening up all sorts of personal information such as bank details and online logins to whoever finds or steals the smartphone.

How much of your personal information have you placed out there on the internet?

  • Over 30% of South African Internet users share at least 3 pieces of personal information posted on their social media profiles that can make stealing their identity easy.
  • 60% of South African Internet users have revealed they had no idea what their privacy settings are and who could see their personal information on those sites.

Old-style junk mail, invoices, receipts and ordinary letters can still provide scammers with a wealth of information. Dumpster-diving can reveal documents with your ID Number, old bank statements with your account details, old credit cards, unwanted junk e-mail, payslips and tax forms. Even old prescriptions & medical aid claims can provide scammer with a wealth of information from your personal information.

The modern equivalent of a filing cabinet, a flash disk poses a huge risk to the security of your personal data. Flash disks are small and cheap and can often be forgotten plugged into computers, fall out of pockets and be stolen, providing scammers with all the data stored on that device.

Your bank, your employers and SARS all store and work with your personal information. You have placed a tremendous amount of trust in these organizations to keep your personal data safe. How many people at your bank, for instance, have access to your personal data, who can they potentially give that data to?

Your driver’s license has a lot of information on it, including fingerprints, date of birth and ID number. The new style “smart” licenses will hold even more information, and if the license gets into the wrong hands it can be used for identity theft. For instance, in order to open up a cell phone contract, you would need an ID document or driver’s license, bank account details and proof of address, almost all of which can be obtained by dumpster-diving or someone rifling through your paperwork.

Finally, your computer (at work or at home) or your laptop holds a huge amount of your personal information. If stolen, the hard-drives can easily be trawled for personal information. If there is no password or a weak password on the laptop it makes stealing this information much easier.

This is your world:

  • Since 2007, more money has been made from trafficking financial data acquired by identity theft, than money made from drug trafficking.
  • 8.8 million South Africans were victims of identity theft in 2015.
  • 1 in 3 South Africans do not have a password on their cellphones or computer.
  • 70% of South Africans change their passwords after being compromised. (So 30% of South Africans don’t do anything even after they have been compromised)
  • 1 in 3 South Africans admits sharing passwords with other people.

There are 4 areas where we all neglect the security of our personal information:

  1. IndifferenceLack of Feeling
  2. IgnoranceLack of Knowledge
  3. InabilityLack of Training or Education
  4. InactionLack of Respect

What can you do to improve your personal data security and to prevent identity theft?

When someone comes and knocks on your front door, do you just open the door and let them in? No, you check who it is and then you decide if you want to open your door to them or not. The power of access is in your hands because you control the door.

The same principle applies to your personal data. Be careful and vigilant and be the gatekeeper of your personal data! Control what data is given out and who receives it. You have the control!

Next time we will look at the modus operandi of identity thieves. 


Cybersecurity Awareness Month: Creating strong passwords

Friday, October 5th, 2018

Earlier this week we pointed out that most people underestimate the importance of having a secure password, and still make the mistake of using simple words and numbers as a password.

Keep in mind that your email and social network accounts contain very personal information about you. You must have a strong password to keep your personal life personal, and not become a victim of identity theft. (In 2015, 1 out of every 6 South Africans were victims of identity theft)

  • Using email or your profile on Facebook, Whatsapp or Google, hackers can and do, extract a huge amount of personal data of your personal “online” life.
  • If you use the same password for multiple online accounts, you run the risk, if this password is hacked, of all your online accounts being compromised.
  • Using a personal name for an online account, the name of the city that you live in, the names of your children or your date of birth, give hackers vital clues for attempting to access your personal data.
  • For an average expert hacker, it is always easy to find passwords that are made up of words from the English vocabulary or other languages, using a basic technique called “brute force” or “dictionary” attacks.

What makes a password safe?

  1. A password at least 8 characters long.
  2. The password does not contain information that is easy to find online, such as the date of birth, the telephone number, your spouse’s name, the name of a pet, or a child’s name.
  3. The password does not contain words found in the dictionary.
  4. The password contains special characters like @ # $% ^ &, and numbers.
  5. The password uses a combination of uppercase and lowercase letters.

A trick that the experts use to create secure passwords:

Think of a phrase and use the first letters of the words in the phrase.

  • For example: “In South Africa, a barbecue is called a Braai!”
  • Take the first letters of each word and the password that is created is ISAabicaB!
  • This will be very difficult to guess, but easy to remember.
  • At this point, you can decide to make your the Google password is ISAabicaB!-G,  and Facebook ISAabicaB!-F and your university account  ISAabicaB!-US and so on.
  • There is already a capital letter and a special character (!), so you just need to add a number to finish off a good password like 9-ISAabicaB!-US (9 could be the month you created the password in – for example)

You will have already made your password a lot more difficult to hack, and it can be a lot of fun to create. 

Next time, we will show you where hackers get your personal information. 


Cybersecurity Awareness Month: Common passwords

Wednesday, October 3rd, 2018

The past two years have been particularly devastating for data security worldwide, with a number of well-publicised hacks, data breaches and extortion attempts.

Annually SplashData publishes a list of the most common passwords. The list is created using data from more than five million passwords that were leaked by hackers in 2018 and with a quick glance at the list, one thing is clear – we do not learn from our mistakes.

People continue to use easy-to-guess passwords to protect their information. For example, “123456” and “password” retain their top two spots on the list—for the fifth consecutive year and variations of these two “worst passwords” make up six of the remaining passwords on the list.

SplashData estimates almost 10% of people have used at least one of the 25 worst passwords on this year’s list, and nearly 3% of people have used the worst password – 123456.

Here is the list of the top 10 passwords of 2018:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. letmein
  8. 1234567
  9. football
  10. iloveyou

Another typical example is 1q2w3e4r5t.  Although it seems very cryptic, one look at a computer keyboard and it’s easy to guess.

Not so clever passsword

It is a sobering fact that most people still underestimate the importance of having a secure password, and still make mistake to use simple words or numbers as a password.

“Passwords are the only control you have to secure your data with most systems these days. If your password is easily guessed by someone, then the person essentially becomes you. Use the same password across services and devices, and they can take over your digital identity.” Shaun Murphy, CEO of SNDR.

In the next post of our Cyber Aware Month series, we look at how to create a strong password you can remember.



© 2013-2018 Disclaimer: The views and opinions expressed in this page are strictly those of the page author(s) and content contributor(s). The contents of this page have not been reviewed or approved by Stellenbosch University.