Elementary Threat · BSI IT-Grundschutz

G 0.36 — Identity Theft

Reading time: 4 min · Reviewed by: Cenedril Editorial

Email senders can be forged with minimal effort, and manipulating the caller ID shown on a phone call is just as easy. An attacker who convincingly impersonates a manager, IT support or a business partner can get even trained employees to disclose credentials or trigger transfers.

Identity theft (G 0.36) ranks among the most effective attack techniques, because it strikes at the foundation of every security architecture: the trust in the identity of the counterpart.

What’s behind it?

In identity theft, an attacker uses information about another person to act on their behalf. The goal can be financial fraud, access to protected systems, circumvention of approval processes or targeted reputational damage to the victim.

Attack methods

  • Phishing and spear phishing — Forged emails or websites that trick users into entering credentials. Spear phishing is personalised and therefore significantly harder to detect.
  • Credential stuffing — Automated testing of stolen credential pairs (from data leaks) against many different platforms. This works because many users reuse the same password across several services.
  • Session hijacking — Interception or theft of session cookies to take over an already authenticated session.
  • Sender spoofing — Manipulation of email headers, caller IDs or sender identifiers in faxes and messenger services.
  • Masquerade — Hooking into an existing communication connection (man-in-the-middle) to exploit the already completed authentication of the original participant.
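The sender spoofing bullet above is why receiving mail systems evaluate DMARC identifier alignment rather than SPF or DKIM alone. The following is an added example (not from the original page or the BSI catalogue) with two constructed messages: SPF and DKIM can pass for the attacker's own sending domain, but a forged From header still fails alignment. The domain names, headers and the two-label approximation of the organisational domain are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message (not from the page): SPF and DKIM pass for the attacker's own sending
# domain, but the visible From header is forged to look like the victim's internal IT service.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.example.net;
 dkim=pass header.d=mailer.example.net
From: "IT Service" <it-service@example.com>
To: anna.k@example.com
Subject: Password change required
"""

# Constructed legitimate message for comparison: the DKIM signing domain matches the From domain.
LEGIT = """\
Return-Path: <bounce@notify.example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=notify.example.com;
 dkim=pass header.d=example.com
From: "IT Service" <it-service@example.com>
To: anna.k@example.com
Subject: Scheduled maintenance
"""


def org_domain(domain):
    """Organisational domain approximated as the last two labels (no public suffix list here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_alignment(raw_message, strict=False):
    """Evaluate DMARC identifier alignment from the receiving MTA's Authentication-Results header.
    DMARC passes only if an *authenticated* domain (SPF MAIL FROM or DKIM d=) aligns with the
    RFC5322.From domain; a forged From therefore fails even when SPF and DKIM themselves pass."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    results = msg["Authentication-Results"] or ""
    spf = re.search(r"spf=pass\s+smtp\.mailfrom=([\w.-]+)", results)
    dkim = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", results)

    def aligned(match):
        if not match:
            return False
        d = match.group(1).lower()
        return d == from_domain if strict else org_domain(d) == org_domain(from_domain)

    spf_ok, dkim_ok = aligned(spf), aligned(dkim)
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}
```

With `strict=True` the SPF identifier must match the From domain exactly, which is why many organisations use relaxed alignment for subdomain-based mailers.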

Impact

The damages are diverse: financial losses through fraudulent transactions, access to confidential systems and data, reputational damage to the affected person and the organisation. Identity theft occurs especially where identity verification is handled carelessly — and attackers aim at exactly this weakest point in the chain.

Practical examples

Phishing with forged login page. Employees receive an email that visually appears to come from the internal IT service, asking them to change their password because of an alleged security incident. The link leads to a deceptively genuine copy of the login page. Several people enter their credentials. The attacker uses them to access internal systems.

Credential stuffing on corporate portals. After a large data leak at a social network, an attacker tries the leaked email-password combinations automatically against a company’s VPN portal. Three employees used identical passwords. The attacker gains access to the internal network.
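The VPN-portal scenario above leaves a characteristic trace: one source address tries many different usernames in a short time, mostly failing. This added detection example (not from the original page) runs over constructed log lines in a hypothetical `vpn-auth` format; the format, the thresholds and the IP addresses are assumptions. A single user mistyping their own password is deliberately not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical VPN-portal auth log format (assumption, not from the page).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z vpn-auth src=203.0.113.9 user=anna.k result=FAIL
2024-05-01T08:00:02Z vpn-auth src=203.0.113.9 user=bernd.m result=FAIL
2024-05-01T08:00:02Z vpn-auth src=203.0.113.9 user=carla.s result=SUCCESS
2024-05-01T08:00:03Z vpn-auth src=203.0.113.9 user=dirk.p result=FAIL
2024-05-01T08:00:04Z vpn-auth src=203.0.113.9 user=eva.r result=FAIL
2024-05-01T08:00:05Z vpn-auth src=203.0.113.9 user=frank.t result=FAIL
2024-05-01T08:05:00Z vpn-auth src=198.51.100.4 user=gerd.w result=FAIL
2024-05-01T08:05:09Z vpn-auth src=198.51.100.4 user=gerd.w result=FAIL
2024-05-01T08:05:20Z vpn-auth src=198.51.100.4 user=gerd.w result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn-auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$")


def parse(log_text):
    """Return (timestamp, src_ip, user, result) tuples; lines in another format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_credential_stuffing(events, min_distinct_users=5, window=timedelta(minutes=10), min_fail_ratio=0.5):
    """Flag source IPs that try many *different* usernames within `window`, mostly failing.
    For flagged sources, the usernames that did succeed are the accounts to reset first."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        i = 0  # sliding window over events sorted by time
        for j in range(len(evs)):
            while evs[j][0] - evs[i][0] > window:
                i += 1
            chunk = evs[i:j + 1]
            users = {e[2] for e in chunk}
            fails = sum(e[3] == "FAIL" for e in chunk)
            if len(users) >= min_distinct_users and fails / len(chunk) >= min_fail_ratio:
                findings[src] = {"distinct_users": len(users), "failures": fails,
                                 "compromised": sorted(e[2] for e in chunk if e[3] == "SUCCESS")}
    return findings
```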

Manipulated caller ID. An attacker calls an employee in the finance department. The caller ID shows the CEO’s extension. The caller impersonates the CEO and instructs an immediate transfer of 85,000 euros to a “new supplier”. Only a callback to the actual CEO prevents the damage.

Relevant controls

The following ISO 27001 controls mitigate this threat. (You’ll find the complete list of 20 mapped controls below in the section ‘ISO 27001 Controls Covering This Threat’.)

Prevention:

Detection:

Response:

BSI IT-Grundschutz

G 0.36 is linked by the BSI IT-Grundschutz catalogue to the following modules:

Sources

ISO 27001 Controls Covering This Threat

  • A.5.14 Information transfer
  • A.5.15 Access control
  • A.5.16 Identity management
  • A.5.17 Authentication information
  • A.5.18 Access rights
  • A.5.23 Information security for use of cloud services
  • A.6.1 Screening
  • A.6.3 Information security awareness, education and training
  • A.7.14 Secure disposal or re-use of equipment
  • A.8.1 User endpoint devices
  • A.8.2 Privileged access rights
  • A.8.3 Information access restriction
  • A.8.4 Access to source code
  • A.8.5 Secure authentication
  • A.8.10 Information deletion
  • A.8.16 Monitoring activities
  • A.8.18 Use of privileged utility programs
  • A.8.20 Networks security
  • A.8.21 Security of network services
  • A.8.31 Separation of development, test and production environments

Frequently asked questions

How does identity theft differ from unauthorised use?

In unauthorised use (G 0.30), someone gains access to a system without pretending to be a specific identity. In identity theft (G 0.36), the attacker deliberately impersonates another real person, for example through stolen credentials, forged email senders or manipulated certificates. The deception targets the trust in the identity of the communication partner.

Which data are typically stolen for identity theft?

Usernames and passwords, email addresses, session cookies, credit card data, social security numbers, national ID numbers and certificates. In the business environment, VPN certificates, API keys and OAuth tokens are also sought-after targets, because they allow automated access without further authentication.

Does multi-factor authentication reliably protect against identity theft?

MFA considerably raises protection but is not absolute. Advanced phishing attacks (adversary-in-the-middle) can intercept MFA tokens in real time. Phishing-resistant procedures such as FIDO2/WebAuthn offer substantially stronger protection because they are cryptographically bound to the target domain and cannot be redirected to a forged page.
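The domain binding mentioned above is enforced by two checks the relying party performs on every WebAuthn assertion: the origin the browser wrote into clientDataJSON and the RP ID hash the authenticator placed in authenticatorData. The following added example (not from the original page) models both checks; the relying party name, origin and the minimal constructed authenticatorData are assumptions, and signature verification over the credential's public key is omitted so that it runs without a crypto library.

```python
import base64
import hashlib
import json
import secrets

# Hypothetical relying party (assumed values, not from the page).
RP_ID = "portal.example.com"
EXPECTED_ORIGIN = "https://portal.example.com"


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(challenge, origin):
    """clientDataJSON as the browser builds it: the *browser* writes the origin it is really on,
    so a lookalike page cannot claim the genuine origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def make_authenticator_data(rp_id):
    """Minimal constructed authenticatorData: rpIdHash (32 bytes), flags, 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


def verify_assertion(client_data_json, authenticator_data, expected_challenge):
    """The origin/RP-ID checks of the WebAuthn assertion procedure (signature check omitted)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or foreign challenge)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: key scoped to a different RP ID"
    return True, "ok"


def demo():
    challenge = secrets.token_bytes(32)
    genuine = verify_assertion(make_client_data(challenge, EXPECTED_ORIGIN),
                               make_authenticator_data(RP_ID), challenge)
    # Adversary-in-the-middle relay: the proxy forwards the genuine challenge, but the victim's
    # browser stamps the lookalike origin and the authenticator scopes the key to that RP ID.
    relayed = verify_assertion(make_client_data(challenge, "https://portal-example.com"),
                               make_authenticator_data("portal-example.com"), challenge)
    return genuine, relayed
```

A TOTP code carries no such origin, which is why a relay proxy can forward it unchanged while the WebAuthn assertion fails at the real server.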