Identity Theft in Canada

Identity theft in Canada is a growing problem. In the local Nanaimo newspaper, it was reported that a woman had her identification stolen in 2010 and four years later had her bank account drained. It was believed that her identification was sold and used to gain access to her bank account as well as set up credit cards.

Bill S-4 introduced in 2010:
As of January 8, 2010, Bill S-4 became law, making it illegal to possess another person’s identity information for criminal purposes. Why did it take the Canadian government so long to figure that out?

Canadian Anti-Fraud Centre
According to the Canadian Anti-Fraud Centre (CAFC), the number of identity fraud victims climbed from 16,997 in 2011 to 19,473 in 2013. Canadians lost over $16 million to identity theft in 2012.

The CAFC is still located in North Bay, Ontario, where it started out as Phone Busters. Now, 11 people work there to handle complaints from the 20,000 or so people who’ve had their ID stolen.

Shoppers at risk:
Sometimes, your identification doesn’t have to be physically removed in order for someone else to use it.

Last December, 70 million credit and debit card accounts of customers who shopped at Target were stolen in a malware attack. This malware attack allowed criminals to manipulate Point of Sale (PoS) systems and gain access to Target’s database where the credit/debit card numbers and 4-digit PINs were entered during a purchase.

Why retailers need to salt their PINs

The best way to protect passwords is to employ salted password hashing

The credit/debit card numbers compromised in the breach are now up for sale in underground forums. Target remains confident that they adequately encrypted the PINs. Since the hackers stole only the encrypted PINs, Target claims the information is useless to the hackers.

Unfortunately, there is a problem. Security expert Robert Graham pointed out that hackers can get PINs without decrypting them, because two identical PINs encrypt to the same value. Thanks to the banks, which have everyone using 4-digit PINs, there are only 10,000 possible combinations. The 100 most popular PINs can be discovered with only a few thousand attempts, giving over a million cracked debit cards to work with.

For years, the Payment Card Industry has been asking retailers to “salt” the encryption so that every PIN encrypts to a different value. Why isn’t there a law in Canada that requires this?
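The point above about identical PINs producing identical stored values can be checked from the defender's side by counting repeated values in the stored data. The following is an added example, not code from the original article or from any retailer: HMAC-SHA256 stands in for whatever keyed transformation a retailer applies, and the key, function names and sample PINs are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

KEY = secrets.token_bytes(32)  # assumption: stand-in for the retailer's secret key

# Constructed sample: PINs chosen by eight hypothetical cardholders.
SAMPLE_PINS = ["1234", "1234", "1234", "0000", "0000", "7391", "2580", "4862"]


def protect_unsalted(pin: str) -> bytes:
    """Keyed but deterministic: equal PINs always give equal output."""
    return hmac.new(KEY, pin.encode(), hashlib.sha256).digest()


def protect_salted(pin: str) -> tuple[bytes, bytes]:
    """Mix a fresh random salt into each record; the salt is stored beside it."""
    salt = secrets.token_bytes(16)
    return salt, hmac.new(KEY, salt + pin.encode(), hashlib.sha256).digest()


def verify_salted(pin: str, salt: bytes, stored: bytes) -> bool:
    """A legitimate check still works because the salt is stored per record."""
    candidate = hmac.new(KEY, salt + pin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(candidate, stored)


def repeated_values(stored: list[bytes]) -> dict[bytes, int]:
    """Audit check: stored values that occur more than once leak PIN equality."""
    return {v: n for v, n in Counter(stored).items() if n > 1}


def audit(pins: list[str]) -> tuple[int, int]:
    """Count records sharing a stored value with another record,
    first for the unsalted scheme, then for the salted one."""
    unsalted = [protect_unsalted(p) for p in pins]
    salted = [out for _salt, out in (protect_salted(p) for p in pins)]
    return (sum(repeated_values(unsalted).values()),
            sum(repeated_values(salted).values()))


if __name__ == "__main__":
    exposed_unsalted, exposed_salted = audit(SAMPLE_PINS)
    print(f"unsalted: {exposed_unsalted} of {len(SAMPLE_PINS)} records share a value")
    print(f"salted:   {exposed_salted} of {len(SAMPLE_PINS)} records share a value")
```

Any repeated value found by `repeated_values` in a real data store is a sign that the protection is deterministic and that popular PINs will stand out by frequency alone.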

But what about the banks? What are they doing about stolen credit/debit card information, or do they care? Most of the time, the onus is on the retailer if a fraudulent transaction occurs.

International criminals exploiting Canadians
A recent article on the CBC revealed that stolen identification, including credit card numbers, was posted on Pastebin, which was originally set up as a place where hackers could dump data recovered from hacks without revealing a hacker’s identity.

International criminals are exploiting Canadians. We are particularly vulnerable because public services such as health care records, passports and census forms are now outsourced to private companies, some of which are offshore.

People have been complaining of tampered passports. Soon our mail will be sorted offshore. How can Canadians be assured that their personal data is secure if our government has let someone else control it?

Lost tax revenue:
Some of these criminals steal an individual’s information to file false tax returns and claim fraudulent tax refunds. They then use these refunds to make purchases, get money orders and withdraw cash. Criminals use an elaborate network of individuals to launder the tax refunds and recruit others to purchase prepaid retail cards on their behalf.

The fight against Malware:
Malware is a tool used by criminals to gain access to a person’s online information. It is a form of economic terrorism and governments and banks need to address it seriously.

Just last week it was revealed that a hacker known as Diabl0 was arrested. He is accused of cracking banking computer systems and hacking bank websites in Switzerland while living in Thailand, causing a loss of more than $4 billion USD.

Also, hacking software is cheap and, as a result, this type of crime is escalating rapidly. Meanwhile, the Canadian government has been slow to catch up, let alone acknowledge it.

What’s being done?
There are a few organizations, such as The Honeynet Project, that try to fight against malicious hacking attacks. A bunch of security researchers on Twitter are starting a #MalwareMustDie campaign to raise awareness of malware threat issues. Clearly, much more has to be done to get a grip on the situation.

In Edward Snowden’s most recent interview, he revealed that the American spy agencies worked with technology companies to allow for vulnerabilities. While this might have aided the government’s mandate for mass surveillance, it did more harm than good.

Instead of the government spending untold millions tracking everyday Canadians, why not spend the money trying to put an end to this economic terrorism which starts with a person’s stolen identity?