How to solve both sides of the equation
Identity theft has shown the largest increase of any single crime over the last three years. The United States is faced with an ever-changing and creative criminal. We must improve computer security on both sides of the equation: organizational and consumer.
Identity theft tops the list of consumer complaints, according to a new report from the Federal Trade Commission (FTC). Based on the FTC figures, approximately 700,000 people in the United States were victims of identity theft in 2002 alone. That number far exceeds the 418,000 robberies committed in the country in 2002, according to the FBI's Crime Report Program.
Identity theft is a larger problem than most people think. A recent survey by Gartner Group finds that as many as 7 million Americans feel they have been subjected to identity theft or something like it in the past year.
An identity thief intentionally uses, or attempts to use, any personal identifying information or documentation to obtain credit, money, goods, services or anything else of value without the authorization or consent of the individual.
Frank W. Abagnale, a reformed thief and author of Catch Me If You Can, describes identity theft as one of those things you probably are not very concerned about if it hasn't happened to you. But, in his career, he says he does not know of any crime that was easier to commit and easier to get away with than identity theft.
It is simple to assume someone else's identity. A thief can gather personal information by hacking computer networks, using spyware or keyloggers, dumpster diving, or obtaining a canceled or blank check. Just think of the personal information that is on a single check. It has your full name and address, and possibly a phone number. It also has the full name and address of the bank where the check is drawn, along with the individual's account number and the bank's routing and transit number. How do we protect ourselves?
There are two variables in the equation: the organizations that hold consumer information and the consumers.
Legislation is trying to address the issue with regulations such as HIPAA, GLBA, the Patriot Act and several others. These federal regulations ask organizations to assess risk, identify and remediate vulnerabilities, implement policies and procedures, and build secure networks to reduce risk and protect the personal consumer data they hold within their databases and systems.
Organizations need to address many areas relating to information security. Some of those top considerations are:
1. To protect the confidentiality, availability and integrity of private data belonging to their partners, employees, and clients.
2. To lower the risks associated with costs of civil, federal, and state laws that can result in lawsuits, fines, or settling out of court.
3. To provide due diligence mechanisms to protect data and systems.
4. To lower risks associated with malicious code and related threats, such as intruders, viruses, worms, key-loggers, and spamming.
5. To lower risks associated with network outages or failures caused by bandwidth exhaustion during hostile attacks.
6. To use efficient methodologies for developing and building affordable security solutions.
7. To comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLBA), and the Children's Online Privacy Protection Act (COPPA).
Many organizations, regulated or not, are becoming aware of the importance of securing customer data. They recognize that hackers are no longer just after the company's intellectual property; they are after customers' personal information in order to exploit the consumer.
Identifying risk by performing security assessments is a critical first step in building a security program. By performing regular assessments and developing a security action plan, an organization can significantly reduce its negligence and liability risks. Even if an organization is in a regulated environment or faced with budget constraints, the best-business-judgment rule applies when the organization can provide documentation showing diligence through sound policy, regular vulnerability assessments, and a security action plan.
If you are with an organization that is not in a regulated industry required to follow HIPAA and GLBA regulations, you may want to consider following the NIST (National Institute of Standards and Technology) methodology to develop your defense-in-depth security program.
There are several resources available at www.nist.gov. All the documents are free and available to use within your organization. Another defense-in-depth security framework is ISO 17799. This framework is most appropriate for organizations in the manufacturing industry; however, it may be useful for non-manufacturing organizations as well. The ISO 17799 framework can be purchased from www.iso.org. Like NIST, the ISO 17799 framework addresses all areas of information security within an organization.
At one time, information security was a technology challenge. Today, organizations are faced with a much broader issue related to information security: liability. It is increasingly important to show due diligence and document how one secures data.
Information security is 70% people and process and 30% technology. Each organization should consider a holistic approach to securing corporate assets.
Consumers represent the other side of the equation. Individuals need to assess their own risks and learn how to protect themselves: dispose of personal information appropriately, be aware of where they do their on-line banking, and make use of personal firewalls along with up-to-date anti-virus software on home computer systems. The Federal Trade Commission (http://www.consumer.gov/idtheft) has great information on minimizing consumer risk from identity theft.
Are you careful at an ATM? Are you careful when using a public kiosk for online banking? Recently a New York man pleaded guilty to computer fraud; he installed a key logger on PCs in Kinko's stores in Manhattan and collected enough information about those users to open bank accounts and transfer funds.
InfraGard is another great resource for both the financial industry and the consumer. InfraGard is a cooperative association, sponsored by the FBI, whose primary objective is to increase the security of the United States' national infrastructures through ongoing exchanges of information relevant to computer systems security and, through education, to increase awareness of infrastructure protection issues, from InfraGard's participation in Kids Improving Security (KIS) to organizational security awareness in securing critical national infrastructures. Find out more about Wisconsin's InfraGard at www.wi-infragard.com.
Educating the consumer is a monumental task. InfraGard's participation and involvement with KIS is an important long-term investment in youth. KIS brings a heightened awareness of responsible use of computers and the Internet to our youth and helps show children how important it is to use computers responsibly.
Take the Identity Theft Challenge
Recently, Special Agent Dennis L. Drazkowski of the Wisconsin Department of Justice, White Collar Crime Bureau, delivered a presentation that included an exercise to test identity theft awareness and assess personal risk. It is a good gauge for taking the first step toward being proactive. Please answer the questions below to see how you rate.
You receive several offers of pre-approved credit every week. 5 Points
Add 5 more points if you do not shred them before putting them in the trash.
You carry your Social Security card in your wallet. 5 Points
You do not have a PO Box or locked, secure mailbox. 5 Points
You use an unlocked, open mailbox at work or at home to drop off outgoing mail. 10 Points
You carry your military ID in your wallet at all times. 10 Points
You do not shred or tear banking and credit information when you throw it in the trash. 10 Points
You provide your Social Security Number whenever asked, without asking how that information will be used or safeguarded. 10 Points
Add 5 Points if you provide your SSN orally without checking to see who may be listening.
You are required to use your SSN at work as an employee or student ID number. 5 Points
You have your SSN printed on your employee badge that you wear at work or in the public. 10 Points
You have your SSN or driver's license number printed on your personal checks. 20 Points
You are listed in a Who's Who guide. 5 Points
You carry your insurance card in your wallet or purse and either your SSN or that of your spouse is the ID number. 20 Points
You have not ordered a copy of your credit report for at least two years. 10 Points
You do not believe that people would go through your trash looking for credit or financial information. 10 Points
Below is the scale. If you fall in the high-risk area, seriously consider taking steps to reduce your risk.
100 Points: High Risk
50 to 100 Points: Your odds of becoming a victim are about average, and higher if you have good credit.
0 to 50 Points: Congratulations, you have a high IQ. Keep up the good work and don't let your guard down.
Another good resource is "14 Ways to Stop Identity Theft Cold." Once you have assessed your personal risk, you can start to mitigate those risks by taking action using the 14 points outlined below.
1. Guard your Social Security number. It is the key to your credit report and banking accounts and is the prime target of criminals.
2. Monitor your credit report. It contains your Social Security number, present and prior employers, a listing of all account numbers, including those that have been closed, and your overall credit score. After applying for a loan, credit card, rental or anything else that requires a credit report, request that your Social Security number on the application be truncated or completely obliterated and your original credit report be shredded before your eyes or returned to you once a decision has been made. A lender or rental manager needs to retain only your name and credit score to justify a decision.
3. Shred all old bank and credit statements, as well as "junk mail" credit-card offers, before trashing them. Use a crosscut shredder. Crosscut shredders cost more than regular shredders but are superior.
4. Remove your name from the marketing lists of the three credit-reporting bureaus. This reduces the number of pre-approved credit offers you receive.
5. Add your name to the name-deletion lists of the Direct Marketing Association's Mail Preference Service and Telephone Preference Service used by banks and other marketers.
6. Do not carry extra credit cards or other important identity documents except when needed.
7. Place the contents of your wallet on a photocopy machine. Copy both sides of your license and credit cards so you have all the account numbers, expiration dates and phone numbers if your wallet or purse is stolen.
8. Do not mail bill payments and checks from home. They can be stolen from your mailbox and washed clean in chemicals. Take them to the post office.
9. Do not print your Social Security number on your checks.
10. Order your Social Security Earnings and Benefits statement once a year to check for fraud.
11. Examine the charges on your credit-card statements before paying them.
12. Cancel unused credit-card accounts.
13. Never give your credit-card number or personal information over the phone unless you have initiated the call and trust that business.
14. Subscribe to a credit-report monitoring service that will notify you whenever someone applies for credit in your name.
Willie Sutton, the bank robber, was once asked why he robbed banks. His answer: "Because that's where the money is."
Once an individual's identity and information have been stolen, what is the first thing the perpetrator will do? Go where the money is.
Tom Schleppenbach is a Systems Senior Security Analyst for Inacom Information Systems and can be reached at Tom.Schleppenbach@inacom-msn.com