How do identity thieves sell your identity

On behalf of the other

Identity theft is increasing and becoming more sophisticated

Your digital identity has become a sought-after target. The risk increases that strangers will go shopping on your behalf or illegally publish your data. But if you know the methods used by identity thieves, you can protect yourself.

It was a long-planned vacation trip to New York. Simone Peters was looking forward to celebrating her 33rd birthday with her best friend in the Big Apple. When she had her passport checked for entry at the airport, three uniformed officers appeared: “Come with me,” one of them asked. In a back room, Peters was suddenly faced with grim-looking armed police officers.

It later emerged that the banker had landed on a US wanted list without her knowledge - someone had digitally misused her identity to open a fraudulent online shop and sell counterfeit Louis Vuitton bags. The summons were sent to a fake address, so that Peters was declared volatile. The case was only resolved a day later and Peters was allowed to enter.

This is one of many true stories told by journalist Tina Groll and policeman Cem Karakaya. The two recently published a book in which they use concrete examples to shed light on many facets of identity theft [1]. It is about stalkers who hijack Facebook accounts, the illegal trade in stolen personal data, and above all product fraud, which sometimes brings the victims a lot of money.

Spongy term

Theft, or more precisely: the misuse of identity data has developed into a massive problem in recent years. According to a representative survey by PwC, almost every third person in Germany had already been the victim of an identity theft in 2016. Six percent each reported that a fake account was created with their data - for example on ebay or Facebook - or that their credit card details were stolen and misused. Three out of ten of those affected had suffered financial damage (see figure on p. 31).

Although the term identity theft is on everyone's lips, what exactly it describes is often vague. Unsuspecting consumers often lack the imagination to imagine what malicious perpetrators can do with just a little bit of private information - it doesn't even have to be a password. It is therefore not clear to many potential victims which attack vectors perpetrators use to gain access to third-party data.

Nasty tricks

The journalist Richard Gutjahr once reported moodily in his blog how he was annoyed listening to the cell phone conversation of a businessman next to him in the airport waiting area: “Apparently he was just about to book a limousine. At some point he pulls out his wallet and starts reading out his credit card details. I pull out the keyboard of my iPad reflexively and start typing. Digit by digit of the card number, then the validity date and the verification number. Why am i doing this? Because I'm able to do it."

Gutjahr put it in a nutshell: "Suddenly I realize that God knows I could do something with his data: shop, set up online accounts on eBay, Amazon or Apple." According to his report, he left it at that, the "victim." "To send a Fun Card home after identity theft via the Deutsche Post print and delivery service:" Paid with his credit card. That had to be."

Hans-Joachim Henschel, Chief Detective Commissioner at the State Criminal Police Office (LKA) Lower Saxony, reported to c’t on request about attack methods that are currently frequently reported. For example, there are the unsuspecting users of eBay and other rental or sales platforms. As a buyer, seller or landlord, criminals demand proof of authenticity from them, such as a scan of the identity card, a registration certificate, a rental agreement or proof of salary. They collect this data in order to later abuse or sell it themselves.

It is currently popular to abuse the Videoident process with job seekers. The perpetrators place fake job offers from well-known companies, for example Tchibo or Deutsche Bahn, and copy their application portals. They get job seekers to use a bank's video identification process to purportedly authenticate themselves in the online application process. In reality, the victims here are confirming to the bank that they want to open an account.

The perpetrators face correspondence between the Videoident process, the bank and job seekers. All the documents required by the bank are passed on to the perpetrators so that the other two parties do not notice anything: "The job seeker is then put off or ultimately not 'hired' after all. He does not notice that a bank account exists in his name, or only notices when the police are investigating him. Just a few days and weeks are enough for the perpetrators to abuse an account for money laundering, for example, ”describes the LKA.

Aroused desires

The more business we do online, the more processes from the offline world can be done via our digital identity on the Internet, the more desirable the associated data becomes. And criminals are developing ever more sophisticated ways to get hold of them. Security authorities are currently warning to take this problem seriously. In its annual report, the European Union Agency for Network and Information Security (ENISA), for example, categorized the crime group “Identity Theft” as “increasing risk” in both 2018 and, most recently, 2019.

The Federal Criminal Police Office (BKA) speaks in the current “Federal Situation Report Cybercrime” (9/2018) of a “common and lucrative business model”. However, according to the report, the thieves are apparently currently changing the methods by which they obtain identity data from people. Both the BKA and Europol have observed a decline in the number of phishing attacks reported. In their place came more and more "data outflows from large service providers", as the BKA calls it. This refers to data breaches in online shops, web services or credit agencies with the aim of stealing personal information such as addresses and credit card numbers, but above all access data for user accounts.

Combinations of user names and passwords, the so-called credentials, are at the center of desires. One of the combinations is often enough for criminals to use it as a starting point to gain access to all possible accounts of a person and thus completely hijack their digital identity [2], for example using password recovery mechanisms.

To the box: from a legal point of view, identity theft

The operators of the services bear a great responsibility. They regulate admission to their platforms and are therefore obliged to manage the necessary credentials in a burglar-proof manner. A password, no matter how cryptic, is of little help to the user if it can be accessed in plain text at the remote station. And that's exactly where there is something wrong, as the article on page 38 describes. There we give tips on how you can recognize which service you can trust and which better not.

Starting on page 32, we will show you the methods you can use to minimize the risk of identity theft. Among other things, it is important to authenticate yourself with a second characteristic (token) in addition to the password wherever it is offered. Almost all large, important providers now offer this additional protective layer, which is borrowed from particularly sensitive online banking. But here, too, it is important to bring yourself up to date: the more two-factor authentication prevails, the more intensive the efforts of criminals to outsmart this barrier too.

For example, authentication with a PIN sent to the cell phone via SMS is already seen as somewhat holey protection: attackers misuse the phone number porting of the cell phone provider in order to assign a number to another SIM card. To do this, you call the mobile operator and convince the support employee to port it. The attackers use social engineering, i.e. spy on the victim's personal environment in order to be able to fake his or her identity.

Only a few such acts are known in Germany. In contrast, the "port-out scam" (also known as SIM swapping) is now a regular occurrence in the USA. In a particularly spectacular case, a 20-year-old student from California stole five million US dollars in crypto money through SIM swapping and is now in jail for ten years. He had hijacked SIM cards from around 40 victims and thereby gained access to accounts in order to finally gain access to the victims' crypto wallets from there.

Beware of fake accounts

Criminals make it especially easy for those users who too freely publish personal data and identification features on social media. The security company Eset recently warned that social media profiles of private individuals are increasingly being targeted. "Identity theft is automated," explained Thomas Uhlemann from Eset: "The social media platforms scan the social media platforms for suitable profiles without human intervention in order to then access personal images and account information." This information is then used - also fully automatically - to create new ones Accounts created on the platforms.

These fake accounts are used by criminals to attract new victims. They do not realize that they are on a fake profile and fall into the trap. For example, they become victims of fraud or unknowingly load malware onto their computer by clicking on a seemingly harmless short link in the fake profile.

The “PIN code scam” has been rampant in Germany for a long time: the perpetrator uses a fake Facebook identity to write to friends of the real account owner via messenger and for some urgent reason asks them for their mobile phone numbers. Shortly afterwards, the victims receive a text message with a confirmation code. The “friend” asks you for the code, which is actually a payment password, which he uses right away: The victim bears the damage because it is billed to his mobile phone bill (with a time delay).

What is particularly perfidious about this scam is that it often goes undetected for the victims. “The victims often assume that their own account has been hacked. Often also because the Facebook friends suspect it and convey it to the injured party. It was not noticed that it was a copy that may have been deleted in the meantime, ”explains Hans-Joachim Henschel from the Lower Saxony LKA.

Anyone who suspects they are a victim of identity theft should definitely take action. In the article on page 36 we have put together first aid measures that make it easier to respond quickly. In addition to technical interventions, going to the police is also pending. Just like the colleagues from the BKA in their 2017 situation report, Henschel also assumes a high number of unreported cases, because many victims - often out of shame - shy away from criminal charges.

A recent, particularly spectacular find shows that the user is not always to blame: The security expert Troy Hunt found a collection of hacked online accounts with over a billion combinations of login names and passwords underground. Shortly after the discovery of this "Collection # 1", other collections "Collection # 2 to # 5" appeared. The almost 700 GByte large files contain collections of 2.2 billion online accounts, including e-mail addresses and passwords [3].

On you can check whether your own credentials appear in the fund. Alternatively, you can download a sorted list of hashes of passwords from hacks and leaks there so that you don't have to transfer your own passwords through the web. The colleague Pina Merkert has developed a Python tool with which you can search through this list in a few milliseconds despite its size (25GByte). Instructions can be found on page 42. ([email protected])


  • [1] Tina Groll, Cem Karakaya, The Cyber ​​Professionals: Don't Leave Your Identity Unattended, Ariston-Verlag, 2018
  • [2] Axel Kossel, Risk of identity theft, When money and a good reputation are in danger, c’t 24/2012, p. 132
  • [3] Fabian A. Scherschel, Der Hacker-Hunter, Troy Hunt and the huge password fund "Collection # 1 to # 5", c’t 4/2019, p. 16
From a legal point of view, identity theft

Nicolas Maekeler

From a legal perspective, the digital identity is actually not stolen because, unlike a theft, the data subject can usually continue to use his or her data himself. To be more precise, one should speak of identity abuse. In the Criminal Code (StGB) - unlike in US law - there is no specific offense entitled "Identity theft".

Rather, the misuse of one's own name or other personal data by unauthorized third parties can lead to a large number of different criminal offenses. Which laws a perpetrator violates therefore depends on how he gets the data and what he does with it. It is therefore difficult to deal with all the different forms of identity theft with the existing means of criminal law.

In the area of ​​computer crime, Paragraphs 202a to c StGB criminalize various forms of illegal data acquisition. Anyone who gains unauthorized access to specially secured data for themselves or someone else - for example using key logging Trojans or back doors - must expect a prison sentence of up to three years or a fine. The interception of data from a non-public data connection implemented by technical means - for example using sniffing software - is also a criminal offense. Anyone who prepares such acts by producing, procuring or selling the required software is also against the law.

Phishing does not fall into this category, as the data is provided by the victim himself and is not particularly secured. However, if phished-out data is used to order goods under someone else's name in an online shop and to redirect the delivery, then there is anyway a commercial credit fraud, but also a computer fraud according to Section 263a StGB. In addition, Paragraph 229 of the Criminal Code (“falsification of evidence-relevant data”) also applies in such a case. Many lawyers see this criminal offense as fulfilled if the registration of an account is made with false personal details - at least as far as the terms of use have to be accepted. In both cases, the law provides for a prison sentence of up to 5 years or a fine.

Toxic doxing

The transfer, sale or publication (doxing) of collected personal data is also illegal. In what is known as ancillary criminal law, Section 42 of the new Federal Data Protection Act (BDSG) criminalizes, among other things, the commercial transfer and unauthorized publication of personal data with intent to cause damage. This norm should apply, for example, in the case of the massive publication of private information from politicians and celebrities by the 20-year-old student from Hesse in December 2018.

In cases like this, if the perpetrator has been identified, the injured party can also take civil action against him. So not only injunctive relief are conceivable, but they can also demand compensation in the form of compensation for pain and suffering - because of the violation of their general right to privacy. For example, the Memmingen regional court has awarded a 12-year-old cyberbullying victim compensation for pain and suffering in the amount of 1500 euros (Az. 21 O 1761/13). In this case, the perpetrator had, among other things, created a new Facebook profile with the victim's name and placed fake postings there, which made the student appear homosexual, violent and pedophile.