Terrorists shop around for identities

By on
Terrorists shop around for identities

Shopkeepers urged to check their customers' bona fides.

It happens in every small business.

In the middle of the busiest part of the day, a harried customer swoops into the shop with an urgent need for a piece of kit they bought online or over the phone with their credit card.

"I'm rushing to the airport/hospital/work and need it right away!" they cry.

The harried sales assistant asks for a driver's licence or credit card to confirm the buyer's identity but, alas, after patting themselves down the customer realises they've left their ID at home.

Out of the goodness of their heart, to provide superior customer service or, more likely, to rid the customer to deal with the mess of people in the shop, the salesperson hands over the goods. The customer smiles, takes the products and whirls out the door.

Not only is that irresponsible and potentially costly for the shop owner, it could be part of the pipeline that sends material to terrorists and insurgents, a panel of security experts found in Sydney today.

Australian Retailers Association policy manager Michael Lonie told the panel hosted by internet security company F-Secure that in Australia's shops "most [credit card] fraud is in-store especially if someone comes in with a good story".

It was only when high-value goods such as plasma screens were at stake that most retailers paid attention to verifying buyers' identities, he said.

In Australia, it's the merchant that wears the cost of credit card fraud and most small shops "rely on the card they operate under" for their security, he said. Placing the burden on merchants was "holding back commerce to a fairly significant section" of the economy and even big retailers, he said.

The panel said a tectonic shift was needed by all parties - consumers to protect data that comprised their identities, merchants to verify identity documents of buyers and by the banks and card issuers to speed the rollout of smart-card machines at the point of sale.

Lonie said the magnetic stripe readers familiar in Australian shops for a quarter century were "antiquated" compared to the new smartcard readers that were gradually finding their way on to shop counters and required a personal identification number to authorise a transaction.

"The rollout of new readers from the banks has been appalling," Lonie said.

F-Secure chief research officer Mikko Hypponen said the proceeds of such thefts may find their way into the hands of terrorists.

He pointed to the case of Tariq al-Daour who, in July 2007, was found to have 37,000 credit card numbers on his laptop seized by police. Al-Daour pleaded guilty to stealing more than 2 million Euros from online poker sites, using the money to buy tents, knives and GPS units for Iraqi insurgents.

But even checking someone's bona fides with a second form or "factor" of identification has led to an arms race as criminals and terrorists up the ante, searching for more information about the unsuspecting.

AusCERT general manager Graham Ingram told the panel that much of the pain from online fraud wasn't felt until "well after the event ... six months or 12 months or years down the track".

"Criminal organisations are clearly mining data for several sequences of events," Ingram said. "[They are} profiling, collating and mining data. This is clearly concerning stuff."

Such information was like gold to criminal organisations - worth as much as $80 an identity.

And although individuals should do more to protect their personally identifiable information, they would never be able to completely innoculate themselves from fraud, he said.

"Some malware (malicious software) you cannot protect against; consumers do not have and will not have the capability to defend themselves," Ingram said, adding that if they were "thrown to the wolves" to protect themselves and bear total liability for online losses it "will be a carnage".

"We have to save everyone but eventually the enemy [malicious hackers] will find their way through," said F-Secure's Hypponen. "It's a game of cat and mouse."

The panel was hosted by F-Secure and moderated by security commentator Patrick Gray, a member of the SC Magazine Australia advisory panel and judge on last year's SC Magazine Awards hosted by AusCERT.


Got a news tip for our journalists? Share it with us anonymously here.

Most Read Articles

Log In

  |  Forgot your password?