Best Practices for Preventing Online Identity Theft
Information Note Number: IN04-002
19 August 2004
Purpose
With the increased prevalence of identity theft incidents being perpetrated online, this Public Safety Canada (PS) Information Note is being issued to provide best practices for preventing identity theft.
Audience
This paper is primarily intended for owners and operators of Canadian critical infrastructure, who should be aware of any potential threats to the security of their mission-critical information.
Background
On 3 April 2003, AusCERT, the Australian Computer Emergency Response Team, issued an alert warning against numerous websites that are designed to glean personal and financial information from unwitting customers. The alert warned of "attackers constructing mimic sites to lure customers of online banking and other forms of electronic payments into accessing fake sites rather than the original." These sites were designed to fraudulently divest users of their personal (age, gender, marital status, Social Insurance Numbers - presumably for data mining purposes), financial (credit card, account and banking login numbers), and sensitive (personal and corporate passwords) information.[1]
These actions are often referred to as, but not limited to, "spoofing" and "phishing." Spoofing refers to techniques for impersonating a trusted host: sending messages to a computer with an IP address indicating that they come from a trusted source, or duplicating a legitimate website for fraudulent purposes. Phishing refers to the act of sending e-mails to users falsely claiming to be from trusted enterprises in an attempt to gather personal, financial and sensitive information. Often, the e-mails contain a subject and message intended to alarm the recipient into taking action. Users are then sent to spoofed websites.
In the intervening year since the AusCERT alert, a number of highly publicized incidents have occurred.
- On 9 July 2003, the Massachusetts State Lottery Commission website was spoofed. The fake website asked visitors to provide their credit card and Social Security Numbers, along with other personal information, and to pay a US$100 processing fee.[2]
- In mid-July 2003, a mass e-mail circulated advising recipients that an order made on www.bestbuy.com used their credit card information, and asked the recipient to follow a link to the company's fraud department web page. The link actually directed users to a different website masqueraded as the Best Buy website, which requested their personal information.[3]
- In late-July 2003, a website spoofed PayPal (an online payment site) by attempting to deceive PayPal customers into divulging sensitive account and billing information. The site instructed PayPal customers to go, via an e-mail message that appeared to come from the company, to the site: www.paypal-billingnetwork.net.[4]
- In June 2004, fraud operators launched a phishing attack against RBC Financial Group by sending customers what appeared to be a legitimate e-mail request from RBC asking for names, account numbers and personal identifiers to verify customers' standing due to "increased fraudulent activity." If a person clicked on the e-mail, went to a spoof site and entered personal information, hackers could obtain the information in order to access those accounts.[5]
According to the 2003 Computer Crime Survey conducted by the Computer Security Institute in conjunction with the FBI, nearly 13 percent of respondents had been the victim of identity theft in the past year in the U.S. In total, losses from identity theft in the U.S. in the past year are estimated to be approximately US$50 billion. At a summit of private and public sector U.S. banking and financial sector officials on 15 December 2003, it was assessed that fraudulent activity directed at the financial sector via the Internet will likely increase in 2004.[6]
Most recently, on 6 July 2004, PS issued an Advisory regarding a Trojan horse hidden inside so-called "pop-up" advertisements that appear on screen without warning. Clicking on the "close" button to get rid of the advertisement triggered the virus to attempt to secretly install itself on the computer. The bug was programmed to wait until the user began logging on to their Internet bank account where it tried to steal personal details, such as passwords, before the information reached the bank. This Trojan horse was aimed at customers of nearly 50 banks around the world.

Best Practices
Since the malicious actors who create spoofed websites or craft false e-mail solicitations go to great lengths to mimic the corporate personas of those they are copying, such impersonation activities have proven successful at capturing personal and financial information from unsuspecting consumers for the purposes of identity theft and subsequent financial fraud. All of the elements of the trusted corporate profiles are duplicated in the e-mails and spoofed sites including login pages, company logos, site banners and purchasing information.
PS suggests a number of best practices, which can help businesses and consumers protect themselves from identity theft while they are using the Internet.
Businesses
As businesses move portions of their services online, they may become vulnerable to attacks associated with the new medium. Responsible online retailers have responded by providing concerted programs to educate customers about fraudulent activities on the Internet. As a fundamental part of this education, businesses should:
- inform customers exactly what information the company will, and will not, ask for on websites or via e-mail. If personal, financial or sensitive information must be exchanged, businesses must clearly indicate under what conditions that exchange will occur. For example, a retailer will only ask for a credit card number when completing a sale on its properly secured site. The same retailer will never ask for a credit card number via e-mail. PS recommends that businesses make their customers aware of their business practices with respect to the exchange of potentially sensitive information several times a year.
- provide customers with information on inquiring about or reporting suspicious e-mails and websites.
- ensure that they are listed as the registrant and responsible entity for their corporate website, rather than the web designer.
- clearly advertise their valid website addresses on all corporate stationery, letterhead and advertising to ensure consumers are conscious of the proper corporate universal resource locator (URL).
- protect customer security by registering variations of their corporate website domain URLs. For example, www.googel.com will still take users to the proper web address, www.google.com.
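The last practice above, registering variations of the corporate domain, can be approached systematically. The following is an added example (not code from the PS note or from any of the organizations it names) that generates the common typo-style look-alikes of a brand domain so that a business can build a registration or monitoring watch list. The QWERTY neighbour table and the brand-keyword list are assumptions chosen for illustration; the www.googel.com case from the note is one of the outputs.

```python
"""Build a defensive watch list of look-alike domains for a brand domain.

Added example for the PS note's advice on registering domain variations;
the neighbour table and keyword list below are illustrative assumptions.
"""

# Small QWERTY adjacency table (assumed; extend for other keyboard layouts).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o",
    "a": "qsz", "s": "adwx", "d": "sfec", "f": "dgrv", "g": "fhtb",
    "h": "gjyn", "j": "hkum", "k": "jli", "l": "ko",
    "z": "xa", "x": "zcs", "c": "xvd", "v": "cbf", "b": "vng", "n": "bmh",
    "m": "nj",
}

# Words commonly combined with a brand name in impersonation domains
# (assumed list; the note's own example is the "paypal-billingnetwork" pattern).
BRAND_KEYWORDS = ("billing", "secure", "login", "account", "support")


def typo_variants(domain: str) -> set:
    """Return typo-style variants of 'label.tld': omission, transposition,
    doubled character and adjacent-key substitution on the first label."""
    label, tld = domain.lower().split(".", 1)
    variants = set()
    # character omission, e.g. gogle.com
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])
    # adjacent transposition, e.g. googel.com
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # doubled character, e.g. gooogle.com
    for i in range(len(label)):
        variants.add(label[:i + 1] + label[i] + label[i + 1:])
    # adjacent-key substitution, e.g. foogle.com
    for i, ch in enumerate(label):
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):
            variants.add(label[:i] + nb + label[i + 1:])
    variants.discard(label)
    return {f"{v}.{tld}" for v in variants if v}


def keyword_variants(domain: str, tlds=("com", "net", "org")) -> set:
    """Return brand-plus-keyword combinations across a few TLDs,
    e.g. paypal-billing.net, which follow the pattern seen in the note."""
    label = domain.lower().split(".", 1)[0]
    out = set()
    for kw in BRAND_KEYWORDS:
        for tld in tlds:
            out.add(f"{label}-{kw}.{tld}")
            out.add(f"{label}{kw}.{tld}")
    return out


def watch_list(domain: str, already_owned: set) -> list:
    """Sorted candidates the business does not already hold, for
    registration or for periodic WHOIS/DNS monitoring."""
    candidates = typo_variants(domain) | keyword_variants(domain)
    return sorted(c for c in candidates if c not in {d.lower() for d in already_owned})


if __name__ == "__main__":
    for name in watch_list("google.com", {"google.com", "googel.com"})[:10]:
        print(name)
```

The typo generator works only on the first label, which is where registrable look-alikes of a brand sit; the keyword generator covers the other pattern the note illustrates, a brand name joined to a plausible service word under a different TLD. Candidates that cannot be registered are still worth checking periodically, since an impersonation site appearing at one of them is an early warning.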
Consumers
PS recommends that Internet users exercise vigilance with online activity and perform due diligence on all parties involved in online transactions. As well, consumers should:
- install and frequently update a proven antivirus software product.
- ensure that browsers and operating systems (e.g. MS Windows) are up to date and that security patches are applied.
- be suspicious of any e-mails with requests for personal, financial or sensitive information. Reputable websites will not normally ask users to disclose this kind of information via e-mail.
- not fill out forms in e-mail messages that ask for personal, financial or sensitive information.
- use caution with links supplied in e-mails. Do not click on links in e-mails if you suspect that the message might not be authentic (e.g. if you don't recognize the sender or understand the subject or message).
- always verify they have the correct website address for sites that require users to authenticate by providing information such as a password. Users should change passwords regularly, use hard-to-guess passwords (e.g. a mix of uppercase and lowercase letters, numbers and symbols), and never share passwords with anyone.
- use caution when locating a site through an Internet search engine, since it is not always possible to distinguish a fake site from a legitimate one. Consider creating a bookmark or favourite entry for important websites to ensure the valid site is visited every time. As well, look for a company's privacy policy or a link to its privacy statement when visiting its website. Pay attention to what information the company gathers, how it's used, and with whom it's shared.
- always ensure that a secure website is used when submitting credit card or other sensitive information via your web browser (this is usually displayed in the status bar).
- contact the organization via telephone if there is any doubt as to the veracity of an e-mail or website. Do not use the phone number provided by the suspicious e-mail or website.
- always report phishing e-mails to the organization first. Users can report incidents to local law enforcement agencies to officially open an investigation.
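Several of the consumer practices above (treat e-mailed links with caution, confirm the website address before entering a password, insist on a secure connection) can be checked mechanically before a link is followed. The following is an added example, not code from the PS note, that scans the links in an HTML e-mail and flags the indicators those practices describe: a link whose visible text names one domain while its target points to another, a target that is not the organization's own domain, a raw IP address host, and a plain-http target. The sample message is constructed for the example; it reuses the www.paypal-billingnetwork.net address cited in the note's Background section as the look-alike target, and the expected legitimate domain is passed in by the caller.

```python
"""Flag phishing indicators in the links of an HTML e-mail body.

Added example illustrating the PS note's consumer practices; not part of
the note. SAMPLE_EMAIL is a constructed message, not a captured one.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Matches <a href="...">text</a>; good enough for a mail body, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Pulls a registrable-looking host out of the visible link text, dropping "www.".
HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})', re.I)
TAG_RE = re.compile(r"<[^>]+>")


def _same_org(host: str, legit: str) -> bool:
    """True if host is the legitimate domain or one of its subdomains."""
    host, legit = host.lower(), legit.lower()
    return host == legit or host.endswith("." + legit)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_links(html: str, legit_domain: str) -> list:
    """Return one finding per anchor: href, visible text, and the reasons
    (if any) that a reader should not follow it without verifying."""
    findings = []
    for href, raw_text in ANCHOR_RE.findall(html):
        text = TAG_RE.sub("", raw_text).strip()
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme != "https":
            reasons.append("not an https link")
        if _is_ip(host):
            reasons.append("raw IP address host")
        if not _same_org(host, legit_domain):
            reasons.append(f"host {host!r} is not {legit_domain} or a subdomain of it")
        # Classic indicator: the text shows one site, the target is another.
        shown = HOST_IN_TEXT_RE.search(text)
        if shown and not _same_org(host, shown.group(1)):
            reasons.append(f"link text shows {shown.group(1)!r} but target is {host!r}")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample in the style of the incidents described in the note.
SAMPLE_EMAIL = """
<p>Due to increased fraudulent activity we must verify your account.</p>
<a href="http://www.paypal-billingnetwork.net/login">https://www.paypal.com/login</a>
<a href="https://www.paypal.com/help">Help centre</a>
<a href="http://203.0.113.10/verify">Verify now</a>
"""

if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL, "paypal.com"):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['href']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

The subdomain rule in _same_org is deliberately strict: "paypal.com.example.net" ends with ".example.net", not ".paypal.com", so prefixing the brand to an unrelated domain is still flagged. The check only reads the message; the user still follows the note's advice of contacting the organization by a known telephone number if any link is flagged.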

Conclusion
While identity theft is not a new activity, the Internet has provided those intent on engaging in identity theft with an efficient means of capturing privately held personal, financial and sensitive information. It is important that businesses and users adopt a responsible posture while using the Internet. According to the U.S. Federal Trade Commission (FTC), identity theft was the top fraud-related complaint reported by consumers last year, comprising 42 percent of more than 200,000 consumer fraud complaints the FTC received. As well, two major Canadian credit bureaus indicate that they receive approximately 1,400-1,800 Canadian identity theft complaints per month. The majority of complaints are from the province of Ontario.[7] An official at the Identity Theft Resource Center (a U.S. non-profit organization) was recently quoted as saying "if you get just get [sic] a 0.5% return on 100,000 e-mails, that's a major ID breach".[8]

Resources
- The former department of the Solicitor General of Canada (now Public Safety Canada) and the U.S. Department of Justice released a joint Public Advisory on Identity Theft here.
- The Canadian Bankers Association (CBA) best practices regarding the use of online resources for conducting personal financial transactions can be found at www.cba.ca
- The FBI/GSA/CIO 2003 Computer Crime Survey (PDF 2.2MB) is available online.
- In May 2004, the U.S. Financial and Banking Information Infrastructure Committee and Financial Services Sector Coordinating Council published Lessons Learned by Consumers, Financial Sector Firms, and Government Agencies during the Recent Rise of Phishing Attacks. The paper is available on the U.S. Department of the Treasury website (PDF 1.1MB).
- [1] AusCERT Alert AL-2003.04: "Increase in fraudulent activity targeting users of online banking and electronic payment sites." 21 August 2003.
- [2] McCarthy, Brendan. "Fake lottery site cons players." The Boston Globe, 9 July 2003.
- [3] Lemos, Robert. "E-mail scam makes Best Buy scramble." CNET News.com, 19 June 2003.
- [4] Roberts, Paul. "New site spoofs PayPal to get billing information." Macworld, 9 July 2003.
- [5] Luciw, Roma. "RBC on 'phishing' hook." GLOBEANDMAIL.COM, 9 June 2004.
- [6] Richardson, Robert. "2003 CSI/FBI Computer Crime and Security Survey." Computer Security Institute (PDF 2.2MB).
- [7] Department of Solicitor General Canada and United States Department of Justice. "Public Advisory: Special Report for Consumers on IDENTITY THEFT." 21 May 2003.
- [8] Swartz, Jon. "Spammers' fake sites dupe consumers." USA TODAY, 6 July 2003.

Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca