Thursday, April 28, 2005
Industry and government are responding to the identity theft threat, but the approach varies from state to state and business to business.
Industry and government are responding to the identity theft threat, but their approaches vary from state to state and business to business. It is imperative for government and industry to develop a unified front against identity theft.
On April 21, United Press International’s Al Swanson provided an overview of the current and pending safeguards government has against identity theft.
We need a national policy. The messages from all corners should be in agreement. Identity thieves need to know that industry cares about its customers and that government has industry’s support in developing punishments to fit this crime.
Senator Diane Feinstein (D-Calif.) has proposed legislation that would require any company nationwide to inform potential victims of identity theft as soon as it learns of a security breach. California is the only state to demand such action from industry.
I applaud Sen. Feinstein’s efforts; however, legislation is reactive. Putting systems in place to stop identity theft is proactive. There shouldn’t be an opportunity for industry to notify consumers if identity theft is stopped in the first place.
Most of the action being taken by politicians constitutes ineffective responses to the crime. It’s like eating fast food, gaining weight, clogging your arteries, and then drinking diet cola. It makes no sense.
As explained [free registration required to view article] by Knight Ridder’s Matthai Chakko Kuruvila on April 13, only a handful of states offer -- or soon will -- a “credit freeze” option for consumers. California, again, is the pioneer. Any consumer there can prevent new accounts from opening in her name. To apply for a new account, she must manually “unfreeze” her credit -- even for herself.
The credit freeze is the single most useful tool consumers can use to foil identity thieves. Every state in the nation should offer this option.
Legislators should also push for proper authentication via biometric security solutions. Many financial accounts don’t use Social Security Numbers for authentication. A freeze won’t stop identity theft here, and criminals can continue to commit crimes under the names of victims, too. Authentication is the only solution.
Industry has also responded. A number of companies are assisting organizations that offer free or affordable help to victims of identity theft.
On April 18, InformationWeek’s Steven Marlin reported that a group of financial institutions called the Financial Services Roundtable “has made permanent its Identity Theft Assistance Center.” According to Marlin’s article, victims of identity theft receive free assistance there. Banks fund the operation, and Intersections Inc., “a provider of bank-branded ID-theft-protection services,” runs it.
Every victim of identity theft deserves access to free assistance. All too often, victims are saddled with the arduous task of fixing their credit histories themselves. This costs money and can make them feel like they’re guilty until proven innocent.
In an April 13 press release, the Calif.-based Identity Theft Resource Center (ITRC) announced that ChoicePoint Inc. has committed to fund an expansion of the ITRC’s programs for victims of identity theft.
Any help from industry is welcome, but ChoicePoint is also part of the problem. Identity thieves are criminals but not solely to blame. Those who pursue legal profits by buying and selling people’s identities assume a heavy responsibility indeed. It will take a noticeable change in business practices to halt the barrage of identity theft.
Sunday, April 17, 2005
Organized crime is hijacking the Internet for its purposes. The Internet is the thief’s playground. These cons will exploit every channel and employ every tool at their disposal. Identity thieves and computer hackers will seek increasingly unconventional and shady channels for their shenanigans.
As reported by John McCormick and Deborah Gage of Baseline Magazine in a lengthy article last month, the phenomenon of Web Mobs flourishes. Web Mobs function much like traditional organized crime rings, but the affiliations are looser, and Web Mobs more easily evade law enforcement. The differentiator is that Web Mobs proliferate and exist exclusively online.
Organized crime has gained a stronger foothold online. Nigerian crime rings fueled widespread phishing scams last summer and, allegedly, the thefts at ChoicePoint over the past year. The Russian mafia has displayed an appetite for identity theft for a long time. Even 22-year-old white-bread American kids in Web Mob Shadowcrew stole millions.
In an illegal rendition of the business plan of data brokers such as ChoicePoint and LexisNexis, Web Mobs trade and buy credit card numbers and Social Security Numbers online for as little as $10 each. Then participants buy under the guise of unsuspecting others’ names.
The Web is great for organized crime, which is bad for legitimate business. Online ruses come to light and receive widespread attention. Consumers lose confidence in their security and become less inclined to shop and bank online.
The banking industry seems to be in denial and simply hasn’t harnessed opportunities to show clients it is on top of the problem. I haven’t seen one effective awareness campaign.
In yet another insight into online criminals’ creativity, Blogs have become a haven for malicious code. As reported by Gregg Keizer of TechWeb News, hackers are storing their keyloggers, spyware programs that furtively intercept identities emanating from people’s computers, at blogs. Blogs offer anonymity and a low threshold of security, which hackers prefer.
Online crime has reached pandemic levels this past year with more than 14 major breaches of data. Hackers, identity thieves, and Web Mobs have elevated their game in tandem with the expansion of the Web. The speed of technology has far outpaced its security.
The Internet has led to not only more opportunities for consumers, but also for criminals. Criminals look for the path of least resistance. The Web makes a virtual mugging or robbing a bank an easy score.
New identification technologies and hardening practices are needed now more than ever. Two-factor authentication and other innovations must be implemented on a wide scale immediately if not sooner.
Wednesday, April 13, 2005
Advocates and elected officials continue to call for privacy rights in the wake of this year’s blitzkrieg of identity theft and related attacks. I advise those seeking solutions to the problem of identity theft not to view privacy rights as a panacea. People are, in fact, conflating the problem of identity theft and the quest for privacy rights.
The security of people’s identities and the idea of privacy are two different matters. We can achieve identity security, but the idea of ‘privacy rights’ clings to the mistaken notion that privacy exists in a high-tech world. Privacy is an unnecessary variable to stop thieves and safeguard consumers’ financial information.
This is a war not only against identity theft, but also against the misperceptions surrounding how to combat it. To strike a decisive blow against identity theft, those fighting this war must strive for security, not privacy.
An April 7 press release from the office of Congressman Bennie Thompson, D-Miss., illustrated how ideas about privacy permeate efforts at the highest levels to curb identity theft. In the release, Rep. Thompson, ranking member of the Committee on Homeland Security, called not only for better security of personal and financial information, but also for the protection of “individual privacy.”
Privacy is an illusion. Consumers, privacy advocates, and elected officials alike should never expect it. To try to ensure it is a misguided response however well-intentioned. Technology available for many years has rendered the notion of privacy quaint and antiquated. The information is already out there. Industry needs to realize that it is nearly impossible to protect consumers’ financial and identifying data from thieves.
We have a lazy system. It is an honor system set up for convenience’s sake. It promotes theft. We still rely on a person’s handwritten signature as a form of identification. It’s comical, actually.
Any unauthorized individual or organized criminal organization can open numerous accounts under anyone’s name at any time. We must upgrade and change, in fundamental ways, how we authenticate identities.
On March 15, CFO Magazine’s Peter Krass and, last week, MSNBC’s Bob Sullivan wrote articles providing useful overviews of the year’s debacles, thus far, in identity theft, the types that can occur, and various companies’ responses to the problem.
With security breaches occurring on a massive scale, we are in the midst of an identity theft apocalypse, a pandemic. We must employ every tool at our disposal and make serious changes to defeat the crafty identity thief, who masquerades in countless forms.
Saturday, April 09, 2005
Reports show that many businesspeople and individual consumers still do not recognize the full gravity of the identity theft threat. Industry should be taking identity theft seriously and implementing measures to combat the danger. Identity theft can occur in myriad ways. The possibilities are endless. A complete overhaul of identifying standards and processes is paramount and needs to be industry’s driving objective.
In an April 1 CNET article, Jon Oltsik, senior analyst at the Enterprise Strategy Group (ESG), shared information from a survey of 229 U.S.-based security professionals. ESG's survey found 23 percent of respondents reporting internal security breaches at their organizations over the past year. An additional 27 percent of respondents did not even know, when asked, whether such a breach had occurred.
On March 29, Digital-Lifestyles.info reported research from Infosecurity Europe. Apparently, for the chance of winning theater tickets, 92 percent of 200 people surveyed provided strangers with all the personal information a criminal would need to steal their identities.
Clearly, security is lacking—as is awareness and concern—not only at the consumer level but also at the highest levels of corporations. This includes CFO and CIO naïveté about the issue.
Corporations have been slow to realize that identity theft is not just a problem for consumers. The crime and how a business behaves afterward can attract lawyers and litigation.
In press releases dated April 1, class action lawsuits alleging federal securities laws violations at companies such as Mamma.com, Inc., Molex Incorporated, and ChoicePoint Inc. were filed. The same day, The Atlanta Journal-Constitution’s Bill Husted reported [link requires free registration] that ChoicePoint would let consumers review the personal information it has obtained about them.
It is likely only because of legal and legislative pressure that ChoicePoint has responded by stopping the sale of Social Security numbers to third-party private investigators who then resell them to ‘Joe Identity Thief.’
At times of heightened awareness, inaction can be costly, and damage control, no matter how genuine, can be too little too late. One misstep in data security puts a company and all its executives’ actions under the microscope for a very long time.