January 25, 2008

Facebook Stole My Identity

Millions of teenagers see it as a harmless internet meeting place.But as our disturbing investigation reveals,this social phenomenon has been hijacked by ruthless crooks stealing their identities in an epidemic of fraud ...

ONE MORNING last November, a letter drops on the doormat of Victoria Sennitts family home. Its addressed to the 24-year-old university graduate and is from a mobile-phone company welcoming her to a new contract and explaining the ins and outs of the deal she has just signed up to. All very friendly except for the fact that Victoria hasnt a clue what they are talking about.

For, as it would transpire, she has just had her identity stolen: 21st-century style. Forget rummaging through bins, intercepting post or cloning credit cards. All the modern-day crook needs is a computer and an internet connection. The rest could hardly be easier. Thanks to the ever-growing popularity of social-networking sites such as MySpace, Bebo and Facebook, the internet is simply awash with the personal details of millions of potential fraud victims.

When Victoria joined Facebook she no doubt assumed she was signing up to become part of a fun community where she could meet old friends and make new ones from the comfort of her home.

Yes, Victoria was just like the thousands of students in Ireland who make the switch from Bebo to Face-book when they start college. For Facebook is the social-networking site of choice for undergraduates here; the number of new users rose by hundreds during the first weeks of college last year.

There are an incredible 50 million Facebook users worldwide, and 130,000 Irish users. Of these, 117,000 are aged between 18 and 35.

To aid Victorias Facebook membership, she filled in her online profile with as much detail as possible adding her e-mail address, home address in London, phone numbers and even her date of birth.

The ironic thing is that in the real world I am careful with sensitive personal information, she says. I shred anything that might be of use to anyone; my correspondence, my old bank statements, bills and documents.

But for some reason when I signed up to Facebook it felt as if I was joining something self-contained, something that would be used by like-minded people. Only now do I realise how wrong I was.

The truth is that you dont know who anyone is on the internet and you dont know what their motives are for using it. I know it sounds stupid, but I feel very violated to know that a criminal was able to log on to my page and steal my personal details.

In a way, Victoria was lucky. With a few phone calls she managed to persuade the phone company that a fraudster, assuming her identity, had set up the contract.

Had she failed to notice the deception, though, no doubt her identity would have been exploited over and over again.

The worldwide bill for such fraud is soaring: between nine and ten million Americans have their personal details fraudulently stolen every year, for example. And all the evidence is that the criminals are growing ever more sophisticated.

Experts now warn that the fraud-sters focus has shifted to the internet, and especially to teenagers and young men and women. Not only are these people more likely to belong to social-networking sites, but they are by nature more free and easy with their personal information and less likely to keep close track of their financial affairs.

But it is not just these sites that are being mined for information. Planning information posted by local authorities, CVs on recruitment web-sites, websites reuniting old school-friends they are all meat and drink to the cyber criminals.

One convicted identity thief recently confided to criminologists: The internet is great it used to take two to three weeks to gather enough information to steal an identity. Now, online, I can do it in two to three hours.

Log on to Bebo or MySpace or Face-book, search randomly through a few of the posted profiles and you will quickly see the warning signs.

Within a matter of minutes I come across a girl who has a Bebo page listed under her Christian name alone. But a quick browse of the photos that the girl has uploaded of herself and theres her surname in one the captions simple as that.

A quick examination of the profile she has completed includes her place of birth and her zodiac sign. She has also included details of the area which she lives, her home town and the name of the cafe in which she works.

Its not entirely clear whether she 17 or 18 years old but an email address, made up of her name and what is doubtless the year of her birth, confirms her age.

Forget the risk to her personal safety (publishing a place of work clearly unadvisable), the information alone is an absolute dream for an identity thief.

Danny Harrison, a spokesman for CPP, a company that specialises dealing with the fallout of identity theft, explains what happens next.

What the criminals are looking for is a name, an address and a date birth, he says. Once they have that, using publicly available records, they can gather enough information to be able to apply for a bank account. They then need a forged utility bill piece of identification in that persons name.

This can be done using a scanner and computer, or it could be one the fake driving licences that are sophisticated theyll pass standard ultra-violet-light security checks.

Once the thief has a driving licence and utility bills they can apply open a bank account, explains Mr Harrison.

With a bank card, working very quickly, they might then travel mobile-phone shops and get phones which they will immediately sell on. They may also apply for loans. Once those have cleared, they will drain the accounts and keep moving. Some even manage to take out car leases.

Experts in this new area of illicit activity say that what is most worrying is how sophisticated it has become with criminals working highly structured gangs.

Tom Ilube, is the chief executive Garlik, an online data- protection company.

When we got into this area we commissioned research to find out what really was going on, he explains.

But rather than starting from the top down, we asked a team of criminologists to go direct to the fraud-sters. Over a couple of years they did just that, speaking to 100 individuals to understand their behaviour.

The first conclusion we were able draw from the research was that the whole area of identity theft is much more organised than it used to be.

Its no longer an ad-hoc thing; there are career criminals now, and an industry that has grown up with defined structure. In the old days, criminal would steal a credit card in pub and then pass it on for someone to exploit.

The criminologists told us that a similar pattern is emerging with the internet. There are people whose main activity is to sit down in front of their computer and harvest information which they will then sell on.

Symantec, a respected independent software company, has found that confidential data on tens of thousands of people was on sale for r1.50 per individual.

The information menu being offered by criminals included stolen credit-card details for r1.55 if bought in bulk while access to an online bank account cost r230.

The cyber criminals also offered passwords and details of home computer users for as little as r4.60; while a full identity theft, including social-welfare and credit details, cost less than r15 a person.

While the vast majority of the illegally traded material came from computer owners in the U.S. 86 per cent a worrying 7 per cent of the data on offer was from Britain.

Research by RTE1s The Afternoon Show has also highlighted the dangers closer to home: the programme warned of a website which offered users the opportunity to buy a whole new identity from Britain or Ireland for e19,500, including a new passport and birth certificate.

Although young adults are most at risk, even young children are being targeted. Not only are they likely to be unaware of the dangers of publishing personal details (a survey of 500 young internet users recently found that 30 per cent had given out their full name, 12 per cent their home address, 20 per cent their mobile number, and 10 per cent their home telephone number), but their parents may assume that because of their age they are of no interest to criminals.

In fact, there is evidence to suggest that the fraudsters will harvest information on minors and then sit on it until they pass their 18th birthday when a fresh credit rating can be exploited to the full.

Of course, it is easy to dismiss warnings as over the top. But the truth is that the modern slew of internet giants, the MySpaces and Facebooks, have already generated unexpected problems.

Whereas the first generation of internet success stories think Amazon or eBay were selling things, the current wave are all to do with getting people to share their personal information online.

And the fact of the matter is that they have proved hugely popular a staggering three-quarters of all Irish children belong to social networking sites and spend an average of 40 minutes a day surfing them.

A Garda spokesperson said that while internet fraud from this particular source is not causing huge concern at the moment, thieves are always trying to find new ways to exploit technology and this type of internet usage is rising rapidly.

In these early, heady days of this mass experiment in global social interaction, a number of unforeseen problems have emerged The main one, as the Garda spokesman pointed out, has been the opportunity which these sites offer to paedophiles searching for victims to befriend.

Only now is the scale of this truly emerging. MySpace, for instance, has just removed the profiles of 29,000 convicted sex offenders from its U.S. site alone.

Its a significant step towards the acceptance that while fun, there are real-world risks associated with these websites. And clearly that applies not just to the risk from sexual predators, but from criminals preying on personal details.

The Garda spokesman said that as well as learning not to trust people online, users also need to be more cautious about what information they post and to whom they make it available.

From a crime-prevention point of view, you really do need to be very careful about this, he said. It surprises me that these days young people seem to be putting details online about themselves that they wouldnt say to anyone at school or tell the priest in confession.

As Victoria Sennitt admits, a lot of it is to do with personal naivety and theres evidence of that naivety right across the internet.

But the cyber criminals dont just harvest details from social websites details from planning applications and planning decisions may also be fodder for such fraud.

Another area of concern is online job recruitment. By setting up a fake company and paying a small subscription, criminals have been able to pose as employers and so access thousands of CVs.

While jobseekers are often advised not to include all their personal details on applications, if approached by a fraudster posing as a would-be employer they are hardly likely to refuse to give them whatever they want dates of birth, PPS numbers, whatever.

Its something that 38-year-old Kamilah Reid knows about. For two years she has been plagued with demands to repay r900 for a carpet. The trouble is, her home is all wooden floors and lino.

She is certain her identity has been stolen and fears it may have occurred after posting her details on a recruitment site when looking for a job as a receptionist.

Ive told the company that is after the money that the carpet is nothing to do with me over and over again, says Mrs Reid, who lives in the south of England. But they dont seem to listen to me. Its so frustrating and really worrying. I just dont know what else they could use my identity for.

For those still not entirely convinced of the extent of the internet identity-theft problem, consider the following.

A litter of puppies was recently put on the internet for r1,500 a go. The owner told a prospective buyer that his pedigree champion poodle Blue had given birth to them. But it quickly transpired that the vendor didnt own Blue: he had simply stolen photos and details of Blue from a website in a bid to boost the value of his own puppies; and that Blue was a he not a she.

An amusing tale. Sadly, for the likes of Victoria and Kamilah and tens of thousands of others, when it comes to stealing identities of the human variety, the criminal fraternity rarely gets it so badly wrong.