Part three: Identity Theft Case Study – Coming out the other side
The following is an account of actual events. Names have been changed.
At around 7.30 am on a random Wednesday morning, as Kaitlyn is dropping her young son at daycare and preparing to head into work, she notices the ‘no service’ indicator on her phone. With the recent issues on various mobile networks, she thinks nothing of it and continues on her way to work.
Three weeks into her new job, the focus and intensity of the work day means that it’s around 3pm that day before she checks her phone again to realise it is still out of service.
Again, thinking nothing of it, she gives Telstra a quick call from her landline to check if there is a network outage or any other issues. There are no issues, but she is told the service outage is a result of her request to transfer her mobile account to Optus – a process that kicked off at around 7.30 that morning. When she indicates that this was not a request she instigated, the Telstra operator notifies her that the transfer cannot be reversed by Telstra, and that Kaitlyn will now need to visit an Optus store to correct the error.
Kaitlyn thinks this is strange, but with her son needing to be picked up from daycare and other family demands, Kaitlyn leaves it until the following day to visit an Optus branch to rectify what is clearly a simple error – someone accidentally transferring the wrong phone number – simple enough to fix.
But is it?
What’s actually happened is that an individual has stolen Kaitlyn’s identity, used it to access her Telstra account and deliberately transferred her account to Optus.
During the time Kaitlyn’s phone was ‘out of service’, another handset had been connected by Optus to her phone number. Using other stolen details, such as her email address and date of birth, the identity thief then attempts to access her online banking profile. Of course they don’t have Kaitlyn’s password, but they simply enter the wrong password a few times, then get the option to have a security code SMS’d to the phone number attached to the account (which they now control).
Using this sophisticated approach, the identity thief is able to gain full access to Kaitlyn’s savings accounts, increase her daily transfer limits and move money around in a complex pattern of transactions and finally out of her account altogether.
That evening, Kaitlyn routinely checks her personal email and sees notifications from her online bank indicating that large sums of money have been transferred out of her savings account. Immediately alarmed, Kaitlyn contacts the online bank to have her account frozen, but less than 24 hrs since she first noticed the ‘out of service’ on her phone, Kaitlyn has lost $60,000.
Unfortunately, stories just like Kaitlyn’s are becoming more and more common in today’s society. Fortunately for Kaitlyn, in this instance the bank was able to recover her funds and so financially she has been able to recover, but this is to say nothing of the emotional toll it has taken on her and her family. During the course of this ordeal, Kaitlyn spent many hours on the phone with her online bank – being exclusively online meant she was unable to visit them in person – forcing her to fully detail her situation time and time again as she spoke to a different person with each follow-up call.
The bank was unable to provide clear guidance on why there were no checks and balances in place that would alert her of unusual activity, and the complete lack of communication from the bank left Kaitlyn feeling uneasy and emotionally drained.
At the behest of her colleagues and friends and in the absence of a clear way forward, Kaitlyn attended the local police station to report her case. Alarmingly, the police did not record any of her details, instead recounting an absolute inability to cope with the volume of cybercrime and recommending she contact the Australian Cybercrime Online Reporting Network (ACORN), where she would be able to lodge details of her case.
What is ACORN?
ACORN is a national online system that allows victims of cybercrime to report their cases and provides advice to help people recognise and avoid common types of cybercrime. ACORN is not charged with investigating or prosecuting cybercrime, but in Kaitlyn’s case she felt much more comfortable having officially reported the incident (in the event that the identity thief committed other crimes under her name, she would at least have a record of the theft).
Since recording her case in the ACORN database, Kaitlyn has had no contact from them, and shockingly (or perhaps not!) $60,000 is more than likely not a large enough sum to warrant an investigation from any government agency, so effectively those who targeted Kaitlyn will continue to target others – and no one is immune.
Some of Kaitlyn’s habits have certainly changed as a result of her experiences, and some tips she has shared include:
- Don’t get rid of any hardware that may still contain your personal details – either keep it or destroy it (even though you think you may have deleted the details, clever thieves can recover ‘deleted’ items quite easily)
- Avoid using external computers to access your personal accounts if you can
- Never save your username to a logon screen and of course never, never save your password to any computer
- If you have the option of setting safety questions for accounts – do it! Make sure you utilise every level of security offered by your service providers, whoever they might be
- Regularly log on and check the details of your savings accounts and other accounts you might not use often to ensure you notice any strange behaviour as soon as possible
- Make sure your physical mailbox is locked with a key and if you move, contact all of your service providers as soon as possible to notify them of your new details
- Kaitlyn will also never deal with an exclusively online bank again and has since moved all of her accounts to one of the Big 4. She says the emotional toll not being able to visit a branch in person took and the complete lack of compassion or customer service she experienced was more than she could handle at the time
How might the identity thief have gained access to Kaitlyn’s personal details?
While there are no clear-cut answers to this question, there are a myriad of ways people can access your personal information. Of course in the weeks following the incident, Kaitlyn has spent many hours trying to figure out how her personal details were accessed by a random individual. These may have included:
- Through computers she had used outside her home – uni, library, public lounges, work
- Through her postal mail – and possibly through expired mail diversions when she has moved
- Through possible malware in various computers she has used
- Through her LinkedIn profile – although she does not and has never had a Facebook or Twitter profile
As the instances of cybercrime continue to rise, it is important that we take the learnings from Kaitlyn’s case and apply them to our own situations. Protect your personal information and be vigilant when transacting online. For more information on protecting yourself and recovering from cybercrime, visit our previous blog posts, “5 Ways to protect yourself from identity theft” and “Identity Theft: a guide to recovery”, or visit http://www.acorn.gov.au