Wednesday, May 24, 2006
This week we have heard officials of all stripes assure us that "we have no reason to believe anyone’s identity is at risk" even though a laptop with the personal identifying information of 26.5 million U.S. veterans on it has been stolen. Their words represent the party line we typically hear when a security breakdown of this magnitude occurs. Their words aren't worth the cue cards their lackeys wrote them on.
The latest big-ticket data breach has endangered not only individuals’ bank accounts, but also national security. For expediency's sake, we'll leave national security to Homeland Security; it's pretty much out of our hands now no matter how apprehensive we may be about their ability to secure the homeland. So let's focus on what we can do.
Here's my advice for companies and other large organizations that store sensitive information on laptops, machines prone to theft: Don't. Laptops are the last place any organization should be storing the personal identifying information on 26.5 million people.
If for some untenable, inexcusable reason you must use laptops for this purpose, please, at the very least, keep those laptops in a safe place and locked down when authorized personnel aren’t using them. Make sure the machines are fully secure with functionalities designed to ward off thieves. I suggest the use of products such as the Staples® WordLock™ for laptop computers, a simple and inexpensive device that allows users to employ a letter password, which they can reset at any time, to lock their laptop computers.
But now that we're already in this mess courtesy of an improperly secured laptop, I urge consumers to treat this very real threat to their identities like the emergency it is—luckily, one they can manage. A service available to everyday consumers can mitigate the ruined credit ratings and other aftermath nightmares individual veterans might otherwise have to endure.
All of you on the list of 26.5 million affected by this week’s laptop theft should immediately enroll in a service like IdentitySweep, which manages subscribers’ public records while monitoring their credit card information and Social Security numbers. Veterans can go to www.identitysweep.com/vet and receive a full year’s worth of IdentitySweep for only $18, a discounted rate, from MyPublicInfo, the Arlington, VA–based consumer identity protection company that created the service.
The Social Security number is the key to the kingdom, and it's a number these thieves now have—along with the dates of birth for the veterans affected and for some of these veterans' spouses. Without a monitoring service of their own to fall back on, these veterans and their families will be at the mercy not only of the thieves, but of credit companies’ good will, which is likely to wane after the usual offer we’ve seen following massive data breaches: pro bono credit monitoring for one year.
Thieves are smart. They'll wait at least a year before they use the information. Identity theft has become a part of life for these veterans. It didn't have to be this way, but it is. Enrolling in a service like IdentitySweep is the best way a veteran can save his reputation now that the institutions he's relied on to protect his personal data have failed at that very task.
Wednesday, May 10, 2006
A litany of data breaches filled the month of April. The deluge again typified industry’s seeming inability to solve the problems surrounding information security.
Infamous security breaches such as those at ChoicePoint Inc. and elsewhere happened more than a year ago. Now that we’re well into our second year of ‘The Identity Theft Apocalypse,’ I’m sure consumers are anything but pleased to learn that their personal and financial information is still out there, like loose change on the sidewalk, for the taking. After all, it’s usually identity thieves who are doing the taking.
April’s breaches ran the gamut:
=>According to a report in the April 27 edition of Newsday, the Long Island Railroad (LIRR) lost the personal information (e.g., Social Security numbers, names, addresses, and salary figures) of nearly “everyone who has ever worked for the agency”—about 17,000 people.
=>An April 26 CNET News article reported that scammers had succeeded in stealing the credit card details of 2,000 MasterCard holders. MasterCard, according to the report, said it was able to disallow activity on the accounts before the would-be online thieves could use the cards.
=>Reuters reported on April 26 the theft of a laptop computer containing the personal information of approximately 38,000 members of the health insurer Aetna Inc. Names, addresses, and Social Security numbers were among the information on the stolen computer, although an Aetna spokesperson stressed that no banking or health claim data would be available to the thief.
=>On April 14 TheHawaiiChannel.com reported that more than 40,000 Hawaii residents were at risk for identity theft as the result of tertiary activity surrounding an attorney general investigation. According to officials there, a security breach occurred at a professional copying service tasked with duplicating state employee documents that the attorney general’s office had requested for litigation purposes.
We’ve seen the loss of personal and financial records on nearly 100,000 people this April, and more than half of these went missing during the month’s last week alone. Multiply that by 52, and you begin to understand why identity theft is a problem requiring urgent attention.
Consumer Vigilance and “Smart Suiting” of Personal Computer Security Systems Go a Long Way in Thwarting Identity Thieves
Reports last week indicated that phishers continue to exploit security flaws in new ways. Voice over Internet protocol, also known as VoIP, has become the latest target. Phishers’ ever-improving scams again underscore the need for consumer education efforts, which should promote vigilance and smart use of security technology.
Successful education of consumers is the best line of defense against identity thieves, including the ones who operate online. Consumers need to know what security technology is right for their habits.
Consumers should consider “smart suiting” their personal computer systems with software that supplements antivirus and antispyware solutions. A recent press release from Spain-based Panda Software announced availability of what the firm calls “proactive technology.” Proactive technology performs tasks that software to combat viruses and spyware does not, such as striving to recognize whether the user’s personal computer has become a zombie—i.e., one that a computer hacker uses, unbeknownst to its owner, as a server for phishing and other online scams.
Right now, consumers seem to know only so much. Their lines of personal defense are down. Recent studies and surveys suggest that industry has a long way to go in teaching consumers how to take precautions against online scams. In fact, in many cases, consumers still need to learn that they must, indeed, even take these precautions.
Such studies include “Why Phishing Works” by collaborating researchers from Harvard University and UC Berkeley and a survey of UK consumers by British firm MyCallcredit.
The research also may explain why phishers’ scams are so effective. As reported by NetworkWorld and others, a new phishing tactic has gained prevalence. Ostensibly to verify bank account information, spoof e-mails encourage recipients to call a listed toll-free number.
Phishers perpetrating these attacks set up inexpensive VoIP systems that emulate legitimate organizations’ phone systems. With the mechanics of their ruse in place, the scammers then field victims’ calls, all in an effort to fool those who dial the provided phone number into revealing personal and financial information.
Consumer education and security technology go hand in hand. But sometimes, common sense is all you need. Vigilance is the number-one antidote to online scams.
New Research into Online Threats Underscores the Need for Widespread Consumer Education
Results from a recent survey of UK consumers’ attitudes toward identity theft have shown that many underestimate the probability of the crime occurring. A joint Harvard University–UC Berkeley study, meanwhile, has demonstrated just how susceptible even a sophisticated Web user can be to a phishing attack, often the precursor to identity theft.
Education campaigns are the key to raising awareness. When even the savviest of Web users can’t recognize a crafty phishing attack, imagine how often average computer users might fall prey to online identity theft schemes. We need to undertake a massive, Apollo project–scale education effort to turn the tide.
Recently reported research suggested that only one third of UK consumers know that their risk of falling prey to identity theft is one in 1,000. British firm MyCallcredit’s survey also revealed that nearly 25 percent of respondents drastically underestimated their risk, by a factor of as much as 15.
Meanwhile, findings from a study titled “Why Phishing Works” conducted by researchers at Harvard University and UC Berkeley suggested that phishers fool even sophisticated Web users. “Good” (i.e., polished) phishing sites were effective, in fact, at fooling 90 percent of the study’s participants.
The authors of “Why Phishing Works” then collaborated to isolate the factors behind the efficacy of phishing attacks. They concluded that users’ lack of knowledge of—or an inattention to—common security indicators helped to make phishing attacks effective. In addition, “typejacking,” a tactic that replaces the key characters of a legitimate organization’s domain name with similar key characters (e.g., the use of the Arabic numeral “1” in place of the lowercase letter “l”), and other visually deceiving practices also seemed to be effective at duping users.
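The character substitution the study calls “typejacking” is easy to check for mechanically once you know which characters read alike. The following is an added example, not code from the original post or from the “Why Phishing Works” authors: it normalizes each label of a domain name by mapping look-alike characters back to the letters a reader would see, then compares the result against a list of protected brand domains. The look-alike table, the protected-domain list and the sample hosts are all constructed for this example; the two-label “registrable domain” rule is a simplifying assumption (no public suffix list, so country-code suffixes such as `co.uk` are not handled).

```python
"""Flag domain names that impersonate a brand by swapping in look-alike
ASCII characters ("typejacking").  Added example; the tables below are
constructed for illustration, not taken from the post or any cited study."""

# Multi-character sequences must be collapsed before single characters are
# mapped, so they are kept in a separate table and applied first.
MULTI_CHAR_CONFUSABLES = {
    "rn": "m",   # "rn" renders much like "m" in many fonts
    "vv": "w",
}
SINGLE_CHAR_CONFUSABLES = {
    "1": "l",    # the substitution named in the post
    "|": "l",
    "0": "o",
    "5": "s",
    "3": "e",
    "8": "b",
}

# Constructed list of brand domains to protect (brands named in the post;
# the list itself is an assumption of this example).
PROTECTED_DOMAINS = ["citibank.com", "mastercard.com", "fidelity.com"]

# Constructed sample hosts a mail or proxy filter might see.
SAMPLE_HOSTS = [
    "www.citibank.com",
    "fide1ity.com",
    "secure.citi8ank.com",
    "rnastercard.com",
    "example.org",
]


def normalize_label(label: str) -> str:
    """Map a DNS label to the text a human would read it as."""
    label = label.lower()
    for seq, repl in MULTI_CHAR_CONFUSABLES.items():
        label = label.replace(seq, repl)
    return "".join(SINGLE_CHAR_CONFUSABLES.get(ch, ch) for ch in label)


def registrable_part(host: str) -> str:
    """Return the last two labels of a host name, e.g. 'fide1ity.com'.
    Assumption: no public suffix list, so 'co.uk'-style suffixes are not
    handled here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(host: str, protected=PROTECTED_DOMAINS) -> str:
    """Return one of 'legitimate', 'typejacking' or 'unrelated'.

    legitimate : the registrable domain is exactly a protected domain
    typejacking: after look-alike substitution the registrable domain reads
                 as a protected domain, but the raw string differs
    unrelated  : neither of the above
    """
    reg = registrable_part(host)
    if reg in protected:
        return "legitimate"
    normalized = ".".join(normalize_label(part) for part in reg.split("."))
    if normalized in protected:
        return "typejacking"
    return "unrelated"


def scan(hosts) -> dict:
    """Classify every host and return {host: verdict}."""
    return {host: classify_domain(host) for host in hosts}


if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_HOSTS).items():
        print(f"{host:24s} {verdict}")
```

The check is deliberately narrow: it only catches ASCII look-alikes in the registrable domain. It will not see a brand name buried in a subdomain of an unrelated domain, nor internationalized domain names that use non-Latin letters shaped like Latin ones, which need a separate confusables table; a production filter would layer those checks on top of this one.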
Is it any wonder why we need to educate consumers about the dangers they face? The task before us is monumental. Identity theft and the computer threats that facilitate this crime have been prominent in the public consciousness for years now. And yet the levels of awareness and savvy needed to thwart scammers are sorely lacking.
Fortunately, stopping identity thieves before they even have a chance to commit their crime is pretty straightforward. Comprehensive education for consumers will do it. The challenge resides in summoning the will to invest in that education, a worthy investment of time and energy.
News of widespread high-tech crime has become trite and may lead to consumer apathy
According to an identity theft and personal security expert, the press coverage of identity theft, phishing scams, and other types of fraud may be reaching the saturation point. Robert Siciliano, president of IDTheftSecurity.com, said the problem now runs the risk of becoming mere background noise to a public that feels helpless and may have a short attention span.
How are we going to publicize the threat of identity theft and other high-tech crimes in a way that leads to improvement, not apathy? The only way consumers will get effective tools to combat high-tech crime is if the threat remains a primary concern for consumers. Big companies answer to their customers, investors, and nobody else.
=>On March 22, The Boston Globe and others reported the loss of a laptop computer from Fidelity Investments, the Boston, Mass.–based financial firm. The computer, according to the article, held personal data on 196,000 retirement account customers.
=>NBCSandiego.com reported on March 24 on an apparent software glitch that caused the State of California to inadvertently send “64,000 tax forms containing Social Security numbers and income information to the wrong addresses.”
=>A March 24 report that aired on KSBI-TV 52 in Oklahoma detailed a social engineering scam involving phone callers who have stolen a number of unsuspecting citizens’ identities. Accusing the victims of missing jury duty, the scammers have managed to compel those they call to reveal identifying data.
=>Numerous news media outlets have reported that the Internal Revenue Service is warning taxpayers to beware of phishers whose e-mails masquerade as IRS communication and ask for financial information.
A lot of people just want this problem to go away. Those who might have to take the blame for a general lack of security might in fact choose, at this point, to let news of identity theft and similar crimes saturate the news media.
The notion of an intractable high-tech crime problem might compel consumers to tune out. The voices for change would retreat, and the pressure to fix things would subside. After all, it costs money to beef up security.
Hackers remain steps ahead of watchdogs even as industry groups have succeeded in shutting down online criminal operations. Self-policing actions on the part of industry are a step in the right direction, but consumer awareness and education represent the best path to security against hackers, who invariably rely on their victims’ lack of vigilance.
Most malware, spyware, and viruses can ruin a computer and steal the owner’s valuable identifying information. Easy for the trained person to spot, these threats benefit from a civilian computing culture of ignorance and carelessness.
On March 8 TechWeb reported industry self-policing activities that thwarted hackers’ activities. According to the article, U.S.-based RSA Security collaborated with Panda Software, a company based in Spain, to shut down a number of Web sites that were selling ready-made Trojan horse–style viruses custom-made for identity theft and other unscrupulous activities.
Typically, consumers only invite malicious code onto their computers if nobody has taught them what to watch for. While a number of companies may be well-equipped to ferret out and thwart hackers at the source, the best route for us all to take, economically speaking, is the education of end users. Policing efforts, no matter how aggressive, will always remain steps behind cybercrooks, whose tactics continually evolve.
Also on March 8, an article in the Channel Register, a publication based in the UK, described the success phishers have had with “smart redirection,” which helps phishers, who typically run multiple sites related to one spoof, to keep track of their sites’ availability. When the victim clicks on a malicious link, smart redirection figures out which of a phisher’s sites have evaded shutdown and points the doomed browsers only in the direction of sites that remain live.
Phishing tactics continue to grow in sophistication. But the fact remains that a phishing e-mail, the requisite precursor to the phisher’s criminal activity, is telltale. No reputable banking or other financial institution requests sensitive information from its customers via e-mail. Any consumer can learn to spot and avoid the facades that veil malicious code.
High-tech thieves hacked the computer systems at Citibank in March and made off with countless ATM cards’ PIN numbers, four-digit consumer security codes previously considered impervious to attacks. No system of security is foolproof. Any tendency to believe so breeds complacency, the key ingredient online identity thieves and others need in order to operate under the radar.
We need to lose the Titanic mentality when it comes to high-tech crime. How many times do we need to hit an iceberg before we alter our course? Anything can happen and will. No computer system is immune. Even the tried-and-true PIN number method of security can sink.
According to a March 9 report in InformationWeek, the PIN number scam that Citibank experienced affected additional institutions: Bank of America, Wells Fargo, Washington Mutual, and smaller banks. Thieves apparently hacked into an “as yet unknown system” to pilfer all the information they’d need to make use of victims’ ATM cards, which the article described as the “data stored on debit cards' magnetic stripes, the associated 'PIN blocks,' or encrypted PIN data, and the key for that encrypted data.”
A Gartner Research analyst remarked that the industry had always thought PIN numbers would be safe from hacking attacks, but the InformationWeek article went on to explain how retailers’ infrastructure can undermine PIN security. Stores’ data storage systems can play fast and loose with the PIN numbers consumers leave at the point of sale. ATM machines are largely secure, but checkout line PIN use can be risky.
One of the problems with identity theft and related fraud is the sprawling transactional system we use for retail. Point-of-sale transactions occur every second across a nation bursting at the seams with retailers ranging from large chains to mom and pop shops. This yields a large quantity of personal financial data, and no standard seems to be guiding retailers in the safekeeping of this information. Without standardization of security, the quality of security is bound to vary wildly and collapse in failure.
Common sense indicts organized crime rings such as Webmobs in sophisticated breaches such as the PIN-related thefts at Citibank. And recent reports have indicated that identity fraud–related organized crime continues to flourish. A March 6 Denver Business Journal article documented the shenanigans of a Mexico-based crime family whose alleged fake ID operations reach into 33 states. According to law enforcement officials quoted, the group’s infrastructure is robust.
As many have noted, identity theft, fraud, and related online theft all threaten not only our finances, but our national security. Lax policies may cut costs in the short term, but in the long run consumers lose money, and we all lose our security.