Approximately 10 million Americans fall victim to identity theft each year, a statistic that is expected to increase despite the diligent efforts of government and institutions to turn the tide, as discussed in Part 1 of this two-part series.
Leading IT security providers are arguably in the best position to understand the nature and scale of the problem, as well as help organizations and individuals prevent ID theft.
Insider and Outsider Attacks
The number of keyloggers increased by 250 percent between January 2004 and May 2006, according to a McAfee Avert Labs white paper released in January, while the number of alerts listed by the Anti-Phishing Working Group grew 100-fold — 17,600 in May 2006 compared with 176 in January 2004.
“ID theft is a huge problem,” Craig Schmugar, a virus researcher at McAfee Avert Labs, told the E-Commerce Times.
The act of stealing someone’s identity often combines physical methods — dumpster diving, fake telephone calls, snail mail rerouting and shoulder surfing — and virtual methods, such as hacking, phishing, pharming, keylogging, spam running and advanced fee fraud, according to Schmugar.
Recently, spam runs and insider attacks have been on the rise, although spam runs may become less of a problem over time, said Kaspersky Lab’s Shane Coursen, as users are becoming aware of their potential danger.
It’s a numbers game, however. “When a spam run consists of a million or more messages, statistically, there will always be a certain number of people who will fall victim,” Coursen said.
“As for insider threats,” he continued, “the problem is likely to get worse before we see a turnaround. The turnaround will come when the majority of IT personnel understand the threat, develop best practices that help their companies avoid falling victim to scams, and deploy software and hardware that can protect the infrastructure they manage.
“The security industry is also responding to this threat. For instance, Kaspersky Lab’s sister company, InfoWatch, provides data leakage detection and prevention solutions for the enterprise,” he added.
Averting Disaster
“McAfee pioneered detection of password-stealing Trojans a decade ago, a time when antivirus products were dealing with replicating viruses more often than Trojan Horse programs,” Schmugar recounted.
“That paradigm would shift several years later, when Trojans — especially those capable of stealing passwords — would take over as the most predominant type of malware,” he said.
What can organizations do to protect against ID theft and prevent unauthorized network and systems incursions? “Securing sensitive information is key. Access controls must be secure, data needs to be encrypted and Web and database applications need to go through extensive security auditing,” he recommended.
“Strong network and system policies need to be put in place. SOHO (small office-home office) users who jump on and off corporate networks are often a challenge for organizations to secure,” Schmugar said. “Additionally, theft of mobile devices such as laptops seems to be in the headlines every week; in many cases confidential data has not been encrypted,” he said, adding that the Privacy Rights Clearinghouse site is a good source of information.
Keeping Vigil
Vigilance and following some relatively simple “best practice” guidelines are good bets when it comes to avoiding becoming just another ID theft victim.
Best practices include running the latest versions of antivirus and spyware programs, running a firewall, and downloading the latest updates from software vendors, particularly from Microsoft if you’re running Windows.
“To avoid becoming a victim, never provide any personal information to a Web site link that was e-mailed to you — more than likely, it’s a scam. Take precautions in the event your computer or laptop is stolen,” Absolute Software CEO John Livingston told the E-Commerce Times.
Other recommendations include regular, careful monitoring of your financial accounts and credit report. “The consumer’s only significant defense right now is to be vigilant in checking their financial balances and credit reports,” commented ESET’s Randy Abrams. “While there are the basic steps of shredding documents, covering the keypad when you enter your PIN (personal identification number), consumers also need to be careful of their online habits.
“Consumers can use resources such as the Identity Theft Resource Center to help improve their prevention practices. Social Web sites, such as MySpace, where users include every detail of their life, make social engineering attacks designed to garner enough information to perform identity theft a breeze,” he added.
The Need for Authentication
Another line of defense against ID theft lies in enhancing organizations’ ability to authenticate users. Banks and financial services providers, in particular, are now embedding a variety of authentication processes at all levels of their online platforms.
In use at more than 50 financial institutions, Corillian’s Intelligent Authentication system is a case in point. Considered a “strong” multifactor authentication solution in accordance with recently introduced FFIEC authentication guidelines, the system resides between users’ computers and a financial institution’s Web servers and online transaction systems, monitoring and analyzing online activity in real time in order to detect potential unauthorized and fraudulent access.
“It is generally accepted across the industry that the use of a user name and password is simply not a strong enough mechanism to secure sensitive information in today’s Internet security landscape,” according to Corillian’s Chief Security Executive Greg Hughes.
“As a result, a wide variety of authentication approaches have been introduced to the market over time, including multifactor, multilayer and multiband methods. In addition, authentication methods involving tracking and validating other types of data have been created with tools that watch specific behaviors to build a user’s normal ‘behavioral fingerprint.’
“We can leverage that behavioral fingerprint and compare its consistency at any point in time with a user’s past behavior patterns, and use the result of the analysis as an additional factor and layer of authentication,” he said.
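The behavioral-fingerprint idea Hughes describes, a profile of a user’s past logins compared against the current one and used as an extra authentication factor, can be sketched in a few dozen lines. The code below is an added illustration, not Corillian’s product or any published algorithm: the features (device, country, time-of-day bucket), the weights, the thresholds and the sample login history are all constructed assumptions. It shows the shape of such a system, including the two edge cases a practitioner cares about: a user with too little history to trust the fingerprint, and a login that is only partly unfamiliar and should trigger a step-up challenge rather than an outright block.

```python
"""Illustrative behavioral-fingerprint risk scoring for login decisions.

Added example, not Corillian's system. Feature set, weights and thresholds
are assumptions chosen for demonstration, not tuned production values.
"""
from collections import Counter
from dataclasses import dataclass, field

# Assumed weights: device and geography matter more than time of day.
WEIGHTS = {"device": 0.4, "country": 0.4, "hour_bucket": 0.2}
ALLOW_BELOW = 0.3    # low novelty: the password alone is accepted
STEP_UP_BELOW = 0.7  # moderate novelty: demand a second factor
MIN_HISTORY = 5      # fewer logins than this: profile is not yet trusted


@dataclass
class LoginEvent:
    user: str
    device_id: str
    country: str
    hour: int  # local hour of day, 0-23

    def features(self) -> dict:
        # Bucket the hour into four six-hour periods so that a 9 a.m. login
        # and a 10 a.m. login count as the same habit.
        return {
            "device": self.device_id,
            "country": self.country,
            "hour_bucket": self.hour // 6,
        }


@dataclass
class Profile:
    """Per-user counts of how often each feature value has been seen."""
    total: int = 0
    seen: dict = field(default_factory=lambda: {k: Counter() for k in WEIGHTS})

    def record(self, event: LoginEvent) -> None:
        # Only call this after a login has been fully authenticated, so the
        # fingerprint learns from the legitimate user and not from attempts.
        for feature, value in event.features().items():
            self.seen[feature][value] += 1
        self.total += 1


def build_profile(history: list) -> Profile:
    profile = Profile()
    for event in history:
        profile.record(event)
    return profile


def novelty(profile: Profile, feature: str, value) -> float:
    """0.0 when the value is the user's only habit, 1.0 when never seen."""
    if profile.total == 0:
        return 1.0
    return 1.0 - profile.seen[feature][value] / profile.total


def risk_score(profile: Profile, event: LoginEvent) -> float:
    """Weighted novelty across all features, in the range 0.0 to 1.0."""
    score = sum(WEIGHTS[f] * novelty(profile, f, v)
                for f, v in event.features().items())
    return round(score, 3)


def decide(profile: Profile, event: LoginEvent) -> tuple:
    """Return (score, action) where action is allow, step_up or block."""
    score = risk_score(profile, event)
    if profile.total < MIN_HISTORY:
        # Not enough history to vouch for anyone: always ask for a second factor.
        return score, "step_up"
    if score < ALLOW_BELOW:
        return score, "allow"
    if score < STEP_UP_BELOW:
        return score, "step_up"
    return score, "block"


# Constructed sample history: eight laptop and two phone logins, all from
# the same country, mostly during the working morning.
SAMPLE_HISTORY = (
    [LoginEvent("alice", "d-laptop", "US", h) for h in (8, 9, 9, 10, 8, 11, 9, 15)]
    + [LoginEvent("alice", "d-phone", "US", h) for h in (13, 16)]
)


if __name__ == "__main__":
    alice = build_profile(SAMPLE_HISTORY)
    for ev in (LoginEvent("alice", "d-laptop", "US", 9),
               LoginEvent("alice", "d-phone", "US", 14),
               LoginEvent("alice", "d-unknown", "XX", 3)):
        print(ev.features(), decide(alice, ev))
```

A familiar morning laptop login scores low and passes on the password alone; the phone at an unusual hour is moderately novel and gets a step-up challenge; an unknown device from an unseen country at 3 a.m. scores 1.0 and is blocked. The two design points worth keeping from this toy are that the profile is updated only after successful authentication, and that a user without enough history is treated as unknown rather than as either trusted or hostile.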
Are We There Yet?
There are some simpler but effective steps that need to be taken to help prevent ID theft, however. Banks and other financial organizations need to know what data is questionable and where their networks are vulnerable. They must also start looking outside the organization to identify sources of data that can be used to perpetrate ID theft and online fraud.
“Businesses, especially banks, have a long way to go to help solve the problem. Many banks have neanderthal security practices … Businesses and other entities also need to stop putting personal data on laptops that do not have encrypted drives,” recommended ESET’s Abrams.
“Credit agencies, such as TransUnion, are able to enter incorrect information about a user without any proof of validity, but will only change the fictitious information they enter if a physical document is mailed to them. If the credit reporting agencies cannot validate their data, we are in trouble and the identity theft problem will continue … Free annual credit reports are a meager start,” he continued.
As long as the U.S. treats personal information as a commodity, it is difficult to enforce the vigilance required to eliminate ID theft. “Until the U.S. legally adopts a policy that private information belongs to the individual, we will lead the world in identity theft problems,” concluded Abrams.
This series provides good, unbiased information, but avoids mention of the key solution.
Companies bear significant responsibility and liability for stewardship of their customer and employee data, but generally do a very poor job. Over 80 million identity records were compromised just in 2006 — and the response/recovery cost to the companies that lost them was about $100 per record, according to an authoritative study by Ponemon Institute (no connection to my company).
There are a number of improvements companies need to make from a technical standpoint, to encrypt their data and do better access control and security. But the most important solutions are:
1) remove the data entirely from most data stores, and grant access to it only on a need-to-know basis. Identity data is the personal asset of the person — just like actual cash — and needs to be safeguarded as such.
2) require those with access (employees, contractors, service providers) to complete an acknowledgement of accountability, making them directly liable for following standards for data security.
These steps will dramatically improve the effectiveness of the technical approaches this article is focused on.