Newsscan Computer Security Column
Stephen Cobb, CISSP and Chey Cobb, CISSP
Computers Make Identity Theft Easier
The fastest growing crime in America is not drug smuggling
or terrorism, but a crime that is increasingly computer-based: identity
theft. So says the Federal Trade Commission, the lead agency at the federal
level, and many state attorneys general agree. Last week it was widely
reported that federal prosecutors had arrested and charged three people
in connection with a scheme to steal the personal financial information
of 30,000 Americans.
Given that the average cost to a consumer whose identity is stolen is
estimated to be more than $6,000, the potential impact of this scheme
was over $180 million, far bigger than any conventional robbery job we
can think of. Indeed, the scale of this scheme alone tells you it was
digital, and not the kind of digits that pick purses and wallets. In short,
in this case a computer help-desk employee who had access to sensitive
passwords from banks and credit companies stole that data and sold it
to scam artists, splitting a fee of $60 per name with an accomplice. The
theft continued for several years because during that time the passwords
were never changed.
The economic impact of this category of crime -- which almost always involves
some form of computer crime -- is already significant, and looks set to
increase. Here's just one example: the identity-theft caseload of the
LA County Sheriff's Department was 2,119 cases in 2000, 4,149 in 2001,
and will likely exceed 6,000 cases this year. A GAO report earlier this
year put the average cost of working ID theft cases at the federal level
in the $10,000 to $15,000 range, with prosecutions averaging around $11,000.
Exact numbers for ID theft are hard to track down, but one very telling
place to look is allegations involving SSN misuse. The GAO reports that
these increased more than fivefold, from about 11,000 in fiscal year 1998
to about 65,000 in fiscal year 2001 (about 81% of all allegations of SSN
misuse relate directly to identity theft).
At the federal level, complaints to the FTC have more than doubled recently
(85,820 last year, up from 31,113 in 2000). They are set for more double-digit
growth this year (the FTC received 70,000 complaints in the half of 2002).
A major reason for this explosion is "a shift by identity thieves
from going after single individuals to going after a mass amount of information,"
according to Joanna Crane, identity-fraud program manager at the Federal
Trade Commission, recently quoted in the Washington Post. Not surprisingly,
she observed: "There's an awful lot of bribery of insiders going
on."
Which brings us to the first of today's three security lessons: your employees
are your biggest threat. If you are spending all your time trying to keep
the bad guys out, you are missing the point. Employee access to internal
systems needs to be tightly controlled. You can't keep using group logons.
Each user must be individually logged on. Group permissions are okay as
a way of managing access controls, but the membership of each group must
be reviewed on a regular basis to make sure only the appropriate individuals
are included. And the individual passwords upon which permissions and
access controls are based must be regularly changed.
The second lesson is that personal information, what privacy professionals
refer to as "personally identifiable information" or PII, is
valuable. We now know that the average person's data is worth $60 per
head on the street, but that same data could net the buyer many thousands
in bank withdrawals, credit card purchases, cash advances and courtesy
checks.
So if your organization has any PII in its computers, it had better make
sure it is well protected. Because the third lesson is an example of what
we call "infoseconomics." The litigators are already circling
ID theft, looking for someone to blame, and you can bet it's not going
to be the guy who's in jail for selling the PII. It's going to be the
company that didn't do enough to protect the PII from getting stolen.