{ in·deed·a·bly }

adverb: to competently express interest, surprise, disbelief, or contempt

Doppelgänger

I learned something new recently.

I have a doppelgänger. Somebody out there does a passable impersonation of me.

This enterprising imposter successfully applied for a credit card in my name. Then merrily maxed it out.

Except here is the thing. According to the National Fraud Intelligence Bureau, I am not the victim of a crime.

The use of another person’s identification details (or the use of false identification details), often referred to as ‘identity theft’, is not an offence in law. We can only record a crime report on behalf of companies or organisations which incur a loss as a result of the misuse of your identity.

My doppelgänger effectively robbed the stores at which they used the credit card to purchase things.

Not as visible as a ram raid.

Not as dramatic as an armed robbery.

Yet the financial outcome is the same.

The card issuer is also the victim of a crime. They were conned into extending credit to someone who had no intention of paying it back. There were more than 82,000 instances of fraudulent credit cards being issued in the United Kingdom last year.

Yet the doppelgänger’s credit card appears on my credit report.

Its very existence impacts my credit rating.

The bills for those fraudulent purchases arrive in my letterbox.

That card’s credit limit reduces the amount I could otherwise borrow.

If left undealt with, the debt collectors that the card issuer employs would start harassing me. Ultimately leading to county court judgements, and all the negative impacts they would bring to my employment prospects.

I may not be the victim of a crime, but I am certainly the recipient of a hospital pass. The time, hassle, and inconvenience of getting this investigated and resolved is entirely mine.

Doppelgänger

An inconvenient truth of identity fraud is that an impersonated party rarely discovers how their doppelgänger came to select them. Was it personal? Opportunistic? Systematic?

Nor are they ever likely to learn exactly where the information required to do so was obtained. Did they lose their wallet? Have their mail intercepted? Passwords compromised? Unshredded trash raided?

Perhaps they responded to a phishing scam or were socially engineered?

Or, was the failing through no fault of their own? A data leak at the bank? Changes in default privacy settings at a social media company? Some errant code inserted into the website of an online store? The result of a hack on a cloud storage provider?

It doesn’t take much.

Opening a bank account in someone’s name requires providing personal details, proof of identity, and recent proof of residence. Challenging to obtain, but not impossible.

A former financial services client used to store the passport scans of thousands of customers on an unsecured file store that was accessible by anyone with a network login. The CEO and the cleaners. Consultants and temps.

Not good. Not uncommon either.

Applying for a credit card requires even less.

Each question adds friction to an application.

Any request for additional information deviates from the happy path.

My retail banking clients referred to a punter who expressed an interest in willingly signing up to pay ruinous interest rates so that they could spend money they didn’t have as a “golden goose”. A gift that keeps on giving. The card issuer wants to do as little as possible to dissuade them.

No need to supply proof of identity.

Little interest in proof of residency.

In an alarming race to the bottom, some issuers turn their lack of due diligence into a competitive advantage. Marketing boasts of “instant approvals” and “decisions within minutes” are rife.

Honey pots

Companies House provides a honey pot for identity theft. Which is ironic, given the first line visible on their website clearly states “Companies House does not verify the accuracy of the information filed”.

Every company director, past and present, has their full name, nationality, partial date of birth, and sometimes their postal address published in an easily searchable public record.

Data broking companies have sprung up to take this type of public information, then enrich it by linking it to information screen scraped from social media sites like LinkedIn and Facebook.

Others have become adept at sourcing contact details for people. Want to know a politician’s mobile phone number or a celebrity’s home address? They can hook you up, for a nominal fee.

Algorithms take care of the heavy lifting. Gaps can usually be socially engineered upon demand.

Data breaches provide another honey pot of personal data. A who’s who of organisations large and small have leaked the sensitive data of their customers all over the internet.

The “have I been pwned?” service allows people to see whether their information has featured amongst the billions of compromised records exposed across more than 400 major data breaches. A quick search revealed that at the time of writing I had appeared in half a dozen such breaches, ranging from Dropbox to LinkedIn.

One of those data enrichment firms mentioned above prominently featured in the breach list, having leaked the personal details of more than 1,200,000,000 people in 2019. According to the search, they unhelpfully leaked some combination of my name, email addresses, telephone numbers, geographic location, employment history, and social media profiles to anyone with internet access.

Pandemic pandemonium

After receiving the doppelgänger’s bill, I attempted to get in touch with the card issuer.

Predictably, they had a premium rate customer service line, the obligatory voice recording announcing that due to the pandemic lockdown their operations had been disrupted, and a warning that the expected wait would be more than two hours. Some enterprising management consultant had transformed customer support into a profit centre!

A bit of research later, I turned up the (standard rate) number of their fraud investigation department, buried on a pre-pandemic archived version of their web site’s customer support page.

When I called that number I received a different recording, announcing that their fraud reporting line had been suspended due to the pandemic lockdown. They were now only processing complaints submitted via email.

After two weeks, and much chasing, I had received only radio silence from the card issuer’s fraud investigations team.

What I did have was copies of the chat transcripts with their offshore customer support live chat operators. This proved to be a frustrating and surreal experience. To their way of thinking, I was not the customer because I had not opened the credit card account. Therefore “privacy concerns” prevented them from discussing the activities of other customers with me.

I decided to try a different approach.

A suspicion was forming that the card issuer’s fraud investigations department may not exist. A ghost from the internet’s memory, or a figment of my hopeful imagination.

Was it another profit maximising device? Like the fabled loss adjusting department, who automatically rejected all insurance claims the first three times they were submitted. Only persistent policyholders, who really wanted it, had their claims investigated.

After having learned how easy it had been for my doppelgänger to obtain my personal details, I decided to apply similar tactics to learn the contact details of the card issuer’s Chief Executive Officer.

I wish I could tell you that I donned the obligatory hoodie. Slouched in a darkened room. Feverishly typed on the latest MacBook. The display flashing metaphors of transcendence, flying through a virtual world made of pipes, cracking safes, and opening padlocks. Dramatic sounding doof-doof dance music with a heavy bassline thundered out of oversized headphones.

That after a couple of minutes of Hollywood-style hacking, I was able to call the CEO’s personal mobile phone number. It would be answered by an affable old Irishman who instantly took an interest in my case and moved mountains at the click of his fingers to make my problems go away.

Alas, that would be a lie.

Instead, I searched LinkedIn for folks who worked at the card issuer. Scrolled through the list until I found the Head of Compliance. Used the contact details contained in their profile to initiate contact.

Shortly afterwards, I received an acknowledgement that my previous communications had been received and my case was now being processed. The response outlined an eight week Service Level Agreement to investigate the matter, after which I could escalate things to the Financial Ombudsman Service if I remained unhappy.

Apart from flagging the fraudulent card to the consumer credit agencies, and filing an Action Fraud report, there isn’t much more a person can do to have an incident of identity theft resolved.

Underwhelming really.

Blackmail

A few days later, I was attempting to sign into my account with an online retailer. A new workflow had been added to combat identity fraud. Customers were required to demonstrate that they still controlled the email address associated with their account. A One Time Password would be emailed out.

This struck me as slightly odd.

If a bad actor had gained control of the email account, then wouldn’t they receive the one time password? These days our email accounts are the skeleton key to our entire online identity.

After waiting a few minutes for an email that didn’t arrive, I thought to check my spam folder. The one time password message sat at the top of a long list of dubious promises of instant riches.

Immediately below it was another message that caught my attention.

The subject line contained the line “I know your password is:” followed by a unique and distinctly memorable password I had indeed used.

Curious, I read the body of the message.

It was a blackmail threat.

The sender claimed to have compromised my computer with malware. They had remotely activated the webcam to record a compromising video of me playing with my joystick. Send $2000 worth of bitcoin within 24 hours of receipt or the video would be distributed to all my social media contacts and everyone in my address book.

Interesting.

The password was one I had used back in my university days, some 20 years ago. Weak by today’s standards. Witty at the time, an inside joke. I hadn’t used it anywhere else. Recycling may be good for the environment, but it is terrible for online security!

I did a quick bit of online research. Sure enough, my former university had suffered a data breach. Their student services system, containing nearly 20 years’ worth of personal data on every student and staff member, had been hacked and its content stolen.

Now that content was turning up in an amateurish blackmail scam.

I hadn’t been notified of the breach, but then in the subsequent years I’ve changed email address and moved house several times over. The university would have long since lost track of me.

Which made me pause for a moment.

The university would only hold my ancient email address. Yet the blackmail demand was sent to my current address.

Someone had gone to the effort of joining the two together. A data merging and enriching exercise.

That troubled me. Having spent a couple of decades torturing data for a living, I know this would be a straightforward technical exercise to perform. The required datasets aren’t all that hard to find.

Yet this meant it was more than an opportunistic endeavour undertaken spontaneously.

It required planning. Resources. Investment in specialist skills and tooling.

In other words, it was a business.

An unsophisticated, poorly executed one. Today.

How long before somebody decides to approach this type of attack systematically?

Executed properly?

Bring a level of professionalism and sophistication to operations? Similar to the maturing of the drugs trade portrayed in “Narcos”, or the way Moneyball changed sporting team recruitment and retention decision making?

Not long, I suspect.

A natural outcome of “know your customer” regulatory checks is an evidence trail of personal information.

Any good sales-led organisation seeks to maximise cross-sell/up-sell activities by establishing a “single view of customer”. Continuously building and enriching datasets about their leads, prospects, and customers.

Both of these common business activities create attractive honey pots for identity thieves.

Airport security

The standard “best practice” advice for protecting yourself from identity fraud consists of:

  • Shred paper-based documents containing personal information.
  • Use unique, strong passwords that nobody (yourself included) can remember.
  • Use a password manager tool to securely generate and store those passwords.
  • Use hardware-based two-factor authentication wherever possible.

Good advice as far as it goes.

Yet none of those things would have prevented my doppelgänger from obtaining the credit card in my name.

Nothing would.

The required personal information would be held by dozens of educational, financial services, government, retail, and tourism organisations I have done business with over the years.

Every one of whom is budget constrained. Fighting a daily commercial battle to weigh up the risks of a data breach versus the vast cost of addressing generations’ worth of accumulated technical debt and security vulnerabilities.

Ask a seasoned Information Security Manager about preventing identity theft, and you will receive a brief talk about cross-cut shredders, password managers, and not oversharing on social media.

Ask for more, and they will give a wry grin. Shrug. Admit there is little an individual can proactively do to prevent identity fraud from happening as a result of data breaches.

All you can do is pay attention to your statements and credit reports, then act quickly when the issues do occur.

As a friend once eloquently put it:

“You can have lots of safety/security features that will help if you get hit by Doris in her Ford Fiesta, but nothing can save you if you get hit by an 18 wheeler at 60mph”

It isn’t much, but it is what there is.

Update: The card issuer fraud investigators eventually conceded that my doppelgänger and myself were in fact two entirely different people. The card was cancelled. The account closed. My credit report cleaned up.



13 Comments

  1. bsdb3 17 May 2020

    It’s interesting the doppelgänger managed to max the credit card out, in theory you’d have thought either large or frequent online purchases should have triggered them going through 3D secure or PSD2, or perhaps they were offline transactions or made outside the UK.

    The other one to watch for nowadays is your mobile phone going offline. The hacker basically impersonates you, and gets a replacement SIM card for your phone, an example here – all that reassuring feeling from having 2 factor authentication via your mobile bypassed. Hopefully the mobile phone companies are taking steps to prevent this.

    Re your credit record, have you tried any of the advice/tools from Experian? It looks like you can add a password that’s required to open new credit, which might be advisable to prevent a reoccurrence.

    Another good piece of advice is you don’t have to give the right answer to those memorable words/places questions – where were you born: just enter some gibberish and stick it in the password manager.

    I guess if you were really inquisitive you could contact the merchants from the credit card bill. In theory they would be interested to stop any further fraud, and if the doppelgänger has used your name or address then they would probably share any further details.

    Working in e-commerce I’ve seen it mostly from a retailers’ perspective. We’re not hugely affected due to the nature of what we sell but it’s an ever present risk.

    • {in·deed·a·bly} 17 May 2020 — Post author

      Thanks for the suggestions bsdb3.

      In this case the card was a low limit store card, used to make a single purchase that consumed that limit.

      Agreed on the SIM porting vulnerabilities associated with 2FA using SMS messages. I recently ported a number from a physical to an e-sim, and remember being stunned at the minimal checks that were involved. That said, even an imperfect mechanism is probably better than no mechanism at all.

      Actually smart phones are a real weak spot in cyber security. If I steal your phone while the screen is unlocked, I have access to both your text messages and probably also your email account, without the need for any additional passwords or biosecurity authorisations. From an electronic perspective, for the length of time I can prevent the screen from locking, I am effectively you. For many sites, I can then initiate password reset sequences, and am good to go. Good sites have memorable fact challenges, but many don’t bother.

      Credit reporting agencies do offer products to help identify and alert an individual to potential fraudulent activity. The Experian one for example is about £85 per year. In this case it would have potentially alerted me to the fact the card had been issued in my name a month before the first bill arrived, but would not have prevented the card being issued in the first place.

      In the US, Experian offers customers the ability to “freeze” access to their credit file. I’m not sure if the same capability exists in the UK. The idea is that when a doppelgänger attempts to obtain credit in the customer’s name, for example taking out a mobile phone contract or applying for a loan, the service provider would be unable to perform a credit check on the customer. The process is simple to set up, but a bit involved to remove or suspend should the customer themselves wish to conduct a legitimate activity that requires undergoing a credit check.

      • bsdb3 17 May 2020

        “In this case the card was a low limit store card, used to make a single purchase that consumed that limit.”

        Ahh, that makes sense. I was wondering why you hadn’t received anything in the post to activate a card or set up 2FA.

        “From an electronic perspective, for the length of time I can prevent the screen from locking, I am effectively you”

        in some cases it’s actually worse than that. A lot of mobile phones have SMS messages as a notification that appear whether or not the phone is locked. A case in point was helping my boss log into the Government Gateway service a few weeks back. The txt messages (with the access code) were arriving and appearing as notifications with the phone still locked. I mentioned at the time to her this was a security weakness. A lot of 2FA does rely on an app on the phone/tablet itself which seems more secure as it requires the device to be unlocked and often a password for the 2fa app to be logged into.

        I’ve used the MoneySavingExpert credit club which gives access to some free reports. I say it’s free, but I suspect in the T&C I’m giving access to something about me in return.

        • {in·deed·a·bly} 17 May 2020 — Post author

          The credit club provides a user friendly window into the already free Experian credit report. The links included to dispute an entry, such as the doppelgänger’s card, are actually Experian links and responded to by the helpful Experian customer support folks.

          Equifax and TransUnion also offer the same capabilities, though not through the credit club app.

          Good point about notifications visible on the lock screen. That always seemed like a design flaw to me, but I guess it is configurable so is down to personal preference. In my experience folks almost always choose convenience over privacy/protection, seems to be human nature to seek the path of least resistance.

  2. GentlemansFamilyFinances 17 May 2020

    potentially this is a great way to lose all of your money!
    Or just lead to a whole lot of stress!

    • {in·deed·a·bly} 17 May 2020 — Post author

      Not sure “great” is the word I would use GFF, but yes there is certainly ample scope for things to go south fairly quickly!

      • GentlemansFamilyFinances 17 May 2020

        Probably riskier than leaving your front door open.
        My mum was nearly (very very nearly) scammed out of all of her savings recently. Old school phone scam, and the cyber attack worries me for my own wealth.

  4. Foxy Michael 24 May 2020

    I received the same email asking for money. They knew my password from 15 years ago! I didn’t reply as I don’t use it anymore.

    It’s sad people use the same password everywhere. That’s paradise for hackers. LastPass greatly helps, I even have it on my mobile.

    By the way, I’ve found that Android (or is it a OnePlus feature?) lets you lock certain apps. So even if the screen is unlocked you still need another lock to use the app.

    Now I know it’s inconvenient and I doubt people use it. Including myself 🙂

    But it’s handy when you want to repair a screen and they need access to your phone, for example. (Another potential security vulnerability – screen repairs)

    PS The e-sim fraud possibility gets me worried on many levels.

    • {in·deed·a·bly} 24 May 2020 — Post author

      Thanks Michael.

      That’s a good idea you mention with the application specific additional locks, very handy to prevent kids playing games on the phone from sending texts or emails accidentally.

      The SIM porting risk isn’t limited to e-sims unfortunately, it applies to physical sims also. The weakness is in the mobile provider’s transfer process. They seem to have opted for convenience and reduced friction over security.

  5. Bob 24 May 2020

    Nicely written article. A few years ago I spotted an identity theft by checking my bank account. It was an attempt to create a limited company. I traced the source of the information to a pet shop where I bought cat litter.

    Still convinced the moggy was in on the deal

    • {in·deed·a·bly} 24 May 2020 — Post author

      Thanks Bob. Glad you managed to catch the fraud early, before any real harm could be done.

      Have to keep an eye on those cats, always looking to get one over on their owners!

© 2024 { in·deed·a·bly }