Making Identity Theft Easier

Four examples:

1. A few days ago, I walked through Heidelberg and a small transporter with a sign behind its front windshield drove past me. The sign said: "On duty for Deutsche Post AG" (that's the German equivalent to DHL). On the side of the car, you could still read the name of the radiator installation company the car used to belong to.

2. A few weeks ago I got an e-mail from a completely unknown company that knew about a request I had made to a bank regarding a money transfer. They asked me to take a short poll. I was uncertain, especially since all proof of their legitimacy was on their own web site, but since the site address didn't obviously include a key that would let them associate the visit with me, I went there and had a peek at the form. Among other things, they asked for my name and address, which was information my bank should already have.

3. A few years ago, an old man got into a bus in Heidelberg and asked everyone to show him their tickets. When he walked up to me, I asked him for some sort of identification. After all, there's my picture, name and address on my student ticket, and for all I knew he could have been a criminal doing this to collect addresses. He showed me a piece of laminated laser-printed paper that contained no picture and mentioned the Ludwigshafen regional traffic authority. Now, Ludwigshafen is right next to Mannheim (and the traffic authority actually has a collaboration agreement with the ones in the Rhein-Neckar-area), but it's technically in a different state.

4. When I was a kid, I used to watch the original "Mission Impossible" TV show, where they did cool maneuvers masquerading as radiator installation companies or whatever to get into the bad guys' hiding holes. They had magnetic signs on the sides of their trucks that they'd take off as soon as they weren't needed anymore so they could get away unrecognised. I always thought this was unrealistic, as obviously everyone would see that wasn't painted on or a sticker, but rather a magnetic plate.

Note that there's an odd one out? Yes. Three are completely legitimate operations, one is a scam, but they all could have been scams.

Anyone can buy a used truck from a radiator sales company and put a sign in the front claiming they came from DHL, and pick up packages that possibly contain valuable items. But DHL actually employs such subcontractors. Anyone could claim to be a subcontractor of my bank's and make up press releases about their collaboration and put them on their web site. Anyone could print out a sheet of paper saying they're with some regional traffic authority, laminate it and go check people's tickets to find the addresses of pretty women to stalk or whatever. Anyone could buy some stickers and put them on a silver car to make it look like a modern squad car, now that they're silver with stickers (instead of white with some parts painted green) for better resale value.

The reason phishing attempts work so well and statistics about the phishing-savvy of potential victims are so shockingly bad isn't that the participants were all stupid, but rather that the companies dealing in sensitive information fail to provide enough information to verify their communications. Some phishing mails have more credibility than the legitimate ones.

Here's a list of things you can do to give your customers the ability to verify correspondence and representatives:

• Send all correspondence from an e-mail address at your company's domain. Don't let the subcontractors send e-mails from their own servers. Also, don't let just anyone get an e-mail account at your company's server.
• Create a list of your contractors and their web sites on your server that your contractors can refer customers to. However, remember that a phisher can point at this list as well. So include information what they may ask your customers etc.
• Always give your customers a way to get to a subcontractor's page related to your company via a link on your site. That way, they can guarantee they're on the page that is approved by you, and not a phisher's page that uses PunyCode or DNS spoofing or HTTP user names to look like it's on your server.
• Try to avoid generic-looking things like laminated paper sheets as papers, and make sure people who don't just work regionally have papers that indicate this. Make sure important items aren't easy to imitate.
• Educate your customers about their data. Make sure they know what data they may give away and what data they shouldn't.
• Collaborate with your collaborators. If you already have someone's data, don't have the customers specify it again on a subcontractor's web site. If you can guarantee they won't ever have to enter their address again after they gave it to you, they won't give their address to phishers either.

Ruth Less writes: This reminds me, have you ever heard of RFID tags in Euro bank notes? http://www.wired.com/news/privacy/0,1848,59565,00.html Go, put one in the microwave and see whether the metal layer explodes!

Daniel writes: If the bank subcontractor does not put a unique key in the link they sent to you by email then how can they match you to your details? Ask for your bank account number? I would much rather give my name and address to a survey website than give them my bank account number. Of course I am more likely to give them a fake address than a real one if I don't think they need it :)

Jens Ayton writes: To be fair, anyone can paint a DHL logo on their van, too.

Uli Kusterer writes: Jens, though anyone can paint a DHL logo on their van, that leaves traces. You have a car that has to look DHLish and you have to remove the logo eventually, or run the risk of leaving evidence of your fraud. OTOH, if it simply requires a paper sheet in the front window, that's easily removed.

Uli Kusterer replies: ★ Daniel, if I could go through my bank's web site and maybe just have a section for "partners of ours that contacted you recently". So, I'd log in on my bank's web site, and that would forward me to the contractor. Additionally, they could give me a short, unique code to type in manually once I end up at their page, something unrelated to my bank account number, and then they'd automatically fill in my name etc., which my typing in the code would have verified was OK to do. The point is that I should have ways to verify the validity of contractors. Of course, you wouldn't necessarily agree with your bank about which of your data they may forward, so ideally all of this would happen on the bank's site, and only once you know what data they will forward, you would hit "submit" on the final page to transfer the data to the contractor.