id theft

Identity theft

Berni Dwan

Almost every week I hear a news report or read a newspaper article about identity theft. It will either be about yet another person who suffers at the hands of the identity thief, some new software or hardware breakthrough that will foil the activities of the identity thieves, or a new report or study telling us the cost of identity theft to business. Six men have been jailed after a £345 000 plot to defraud banks by obtaining fake identities over the Internet, said a recent BBC News report. The men used house auction websites to find out the details of people who had died. With the information, they forged documents to open bank accounts and receive loans from Lloyds TSB and the Halifax and Co-operative banks. The men were jailed for between 18 months and four-and-a-half years.1 According to the Federal Trade Commission Identity Theft Data Clearinghouse, 215 000 people had their identities stolen in 2003, up from 162 000 in 2002. A third of the thefts were used to perpetrate credit-card fraud, while 21% were used for phone or utilities fraud.

I'm constantly hearing about it because there is money to be made from it, and the perpetrators are correct so far in thinking that it is worth the risk. There are handsome profits to be made from email phishing and Web phishing, and I am continually amazed at the way people can still be tricked into divulging their personal details: to the tune of $53 billion (€42.6 billion) in 2002 alone, according to the Federal Trade Commission. While traditional dumpster diving, mail theft and the contents of lost or stolen wallets have reaped handsome profits over the years, the digital world offers a lot more opportunities to those with enough imagination and determination. The latest verification scams listed by the Identity Theft Resource Centre impersonate eBay, Best Buy, Discover Card and e-gold.com, and use look-alike domains such as ebay-verification.net and change-ebay.com. Almost every well-known Internet server name has been used for this scam as well, they say, and companies known to have been impersonated include AOL, MSN, Earthlink, PayPal, Discover Card, Bank of America, Providian and Wells Fargo.

Phishing trips take place by email and on Web servers, and in both cases the catch can be surprisingly lucrative. Email phishing typically originates with an email that warns of some problem with an account, promotes a special deal, or directs you to a Web page that is identical to the site of the company or bank you normally do business with. These phishers don't miss a trick, and they ensure that the graphics, forms and links on their rogue Web pages are clones of the real thing. With a note of urgency obviously designed to deter the victim from deliberating for too long, the email often says that account information needs to be updated right away and asks you to click on a link that will take you to the website and an information update form. The linked page will look just like the company's actual website, but the information will be sent to waiting identity thieves and not the legitimate company. Here is a typical and recent example given on www.antiphishing.org:

Dear Wells Fargo Valued Customer!

Please read this important message about security. We are working very hard to protect our customers against fraud. Your account has been randomly chosen for verification. This is requested to us to verify that you are the real owner of this account. All you need to do is to click on the link below. You will see a verification page. Please complete all fields that you will see and submit the form. You will be redirected to Wells Fargo home page after verification. Please note that if you don't verify ownership of account in 24 hours we will block it to protect your money. Thank you.

From my own perspective, the phrasing and grammar in this letter would have raised my suspicions anyway. Do the sentences in bold read like official bank speak to you?

These identity thieves must have studied the psychology of advertising, because they are very aware of the trust consumers place in well-known trademarks, and they are using that trust against them. Even experts admit that sometimes it is hard to differentiate between real mail and phish. So, in actuality, the ID thieves are committing a double ID theft: first the corporations', then the consumers'. The notes appear to be personal, referencing an open account at a bank or website, but they are really just spam. Sent to a wide enough audience, a mailing referencing Citibank or eBay will hit plenty of people who really are account holders. Ninety different versions of the scam emails appeared in November and December 2003, and now there are about five new attempts every day, according to the Anti-Phishing Working Group. Targeted companies include eBay, PayPal, Citibank, Bank of America, Best Buy, Earthlink, AOL, the FDIC and AT&T.

Remember, URLs that begin 'http' are not secure; only those that begin 'https' encrypt what you send. It is worth checking that 'http' changes to 'https' when you go from your bank's main Web page to your personal password-protected account information. Bear in mind, though, that 'https' only tells you that the connection to whatever site you reached is encrypted; it says nothing about who operates that site, so a phishing page can be served over 'https' too. Furthermore, for years consumers have been told to look in their Web browser's address window to ascertain the veracity of a website. An address that seemed suspicious, perhaps beginning with a numeric address, or containing a series of stray characters, was a sure sign of trouble, suggesting to users they'd landed in a bad place, says Ravalli County Bank in Montana.2 A simple address like www.msnbc.com was considered a green light. But a flaw in Microsoft's Web browser allows a malicious website operator to "spoof" his or her location, as in the email that linked to a spurious www.Earthlink.net, the real site actually sitting on a Web server in China and designed specifically to steal debit and credit card numbers. "These spoofed addresses are incredibly easy to create", says Ravalli Bank, and to prove it they invite you to type http://www.amazon.com@ravallibank.com in the address bar of Internet Explorer. "It looks like it should take you to Amazon.com", they say, "but you'll wind up at our homepage. That's because Internet Explorer ignores everything before the '@' sign – one of the flaws that phishers like to exploit." Strictly, the 'user@host' form is legitimate URL syntax: the text before the '@' is a user name, so any browser resolves that link to ravallibank.com. The danger is that a reader scanning the address stops at the familiar name.

Phishing attacks have progressed from straight email messages with Web links to phony sites. Hackers have now developed two Trojan horse programs, known as MiMail and MmdLoad, that arrive as email attachments. If you double-click on the attachment, it unleashes a program that not only takes you to a phony sign-on screen but also uses your email client to send a copy of the booby-trapped message to everyone on your contact list. The latest phishing scam targeted at Australian Westpac bank customers is 'smart as a whip'. The architects of the scam adopted a more insidious Web redirection technique to bamboozle victims, reports ZDNet Australia.3 "Activating the link in the email directs the victim to a fake version of the site but also opens an authentic copy of the site in a second browser window behind it. The fake version of the site asks for the victim's account access details but returns an error message if he or she attempts to use it. The victim is then sent to the real site unaware that they've been

A Web phishing scam, on the other hand, sends you to the real company's legitimate Web page, but a pop-up form asks you to enter personal information like your account name, password, credit card number or Social Security number. There's no way to tell it's a scam because there is no address bar on the pop-up form, and anyway, it looks extremely convincing. Of course the information you enter is sent to fraudsters and not the legitimate company.

The Identity Theft Resource Centre4 is a national non-profit organization in the United States that focuses exclusively on identity theft. One of ITRC's co-founders, Linda Foley, was herself the victim of identity theft in 1997, when her employer used the information on her tax forms to get credit cards and a cell phone. At that time there was little information for victims to use and no network of people with whom to talk, and it became apparent to Linda that a specialised programme was needed, focusing on victim assistance and serving as a clearinghouse of information. The ITRC raises some important questions. Why are students, the elderly and the military more vulnerable to identity theft than other groups in society? Who is supporting and who is opposing legislation on identity theft? Who are the identity theft criminals, and are there any similarities among them? It is of prime importance, therefore, say the ITRC, to understand how thieves steal your information via the telephone and computer systems.

Financial institutions are getting better at preventing identity theft through improved training and screening, and the use of fraud-detection software that can spot suspicious activity where it is most likely to occur: an impostor opening new accounts with somebody else's personal details. This may improve matters for the victims, who will not notice for some time that their identity has been used to process transactions unknown to them, and when they do find out, the damage has been done. The association of large banks known as the Financial Services Roundtable5 obviously thinks that $1.5 million is well spent in establishing the Identity Theft Assistance Centre to help victims, and it will open in May of this year. Wells Fargo & Co. will operate the centre, while other financial institutions will participate on a voluntary basis. Consumers who believe they are victims of identity theft will contact their bank or credit card company, who will record the details on a uniform affidavit and then contact the Identity Theft Assistance Centre with the information. So consumers only have to make one phone call, and the Identity Theft Assistance Centre will then act as a one-stop shop for the financial institutions reporting the compromised accounts. The centre will then call the victim and gather all the necessary information to establish if their account has been compromised. It will also work with law-enforcement agencies.

"As our reliance on interconnected networks has grown with the rapid mainstreaming of the Internet, the problem of identity theft has been exacerbated", says C. Maxine Most, Principal and founder of Acuity Market Intelligence. In her article Biometrics and Trusted Identity: combating identity theft6 she says:

"The stakes are higher than ever and the game more compelling for perpetrators of fraud. Instead of grabbing a gun and heading down to the corner convenience store, would-be thieves sit in the comfort of their homes and surf their way to mayhem. With a few key bits of information — a social security number, billing address, mother's maiden name — identity thieves easily appropriate identities and instantly open credit card accounts, make purchases and apply for loans."

"The initial focus on combating identity theft has been on addressing consumer complaints", she says; however, broader economic implications and national security concerns are far more insidious and the consequences potentially dire. Consider 9/11 the highest level of disaster possible when identity theft goes unchecked. Hijackers easily obtained the base form of ID in the US: driver's licenses. Why should biometrics vendors care? Successful biometrics market development requires identifying and solving high point-of-pain problems. In this regard, identity theft is a ringer. This is a point of pain that directly ties consumer fear and healthy, sustainable economic development to homeland security. The problem of identity theft is enormous, and biometric identification in and of itself cannot prevent the theft or fraudulent use of thieved identities. However, it is highly unlikely that individuals will want to leave biometric markers behind as they engage in criminal activity."

Mike Small, director of eTrust strategy at Computer Associates, wonders if we are not turning into a Kafkaesque7 society, where people (victims of identity theft) are unable to prove their identity. "And what if someone steals my DNA? I cannot revoke my DNA identity – unless, that is, they take me out and shoot me!" "Technology will not solve all the problems. Thieves are clever and will always find the weakest link. Technology can only manage the pieces that it is designed to manage. We must look at the whole system", says Small, "and the weakest point is people".

The perpetrators of identity theft are also counting on the vulnerability of human emotions in the face of lost credit cards. "They will phone the person whose cards they have stolen, posing as the helpful person who found them. They will then ask you to give details to prove that the card is yours (details they will of course need when they go to use the card themselves). Another weak link occurs when you receive credit card offers by email and simply discard them in the recycle bin. They are sitting there waiting to be filled in with your details by A. N. Other." Alternatively, a fraudster will take over another person's identity or account by finding out information about them and contacting the card issuer for a replacement card.

With identity management it's all a matter of lowering the cost of risk, says Small. The French introduced smart cards as credit cards 10 years ago to counteract identity theft. So why didn't they do the same in the UK? "The amount of fraud suffered didn't warrant the cost", says Small. "Security is about the cost of managing the risks versus the cost of the risk. As risks go up, banks tighten the system. Different types of organizations have different attitudes to risk. Banks live with risk – repayment amounts are based on how much they think you are capable of paying back. Government organizations, on the other hand, behave as if every risk is unacceptable. For them, no measure is too great. Did you know that Bury Council did a risk analysis of Bury taking part in the Britain in Bloom competition? Before putting hanging baskets on the lampposts, the gardening society had to get written reports from the lamp post manufacturers and the contractors who installed the lamp posts to ensure that the hanging baskets could be safely accommodated. Is this appropriate?"

"What context is the identity being used in – a bus pass, a credit card, a passport? Identity is simply an enabler to do with access control, and consequently there has to be a range of solutions. Much more fine-grained methods are needed. There is no absolute answer, only appropriate action. As you connect more and more systems together, more vigilance is needed", says Small.

Mathieu Gorge, Managing Director of VigiTrust Pro-Active Enterprise Security, says "Identity theft is only one part of a bigger set of risks that need to be addressed, and physical security must be tackled first. There is no point in having a state of the art IT security system if anyone can walk in the front door. Staff should be trained to foil social engineering tactics. Regarding the management of access/biometric cards, companies need to have audit trails that can guarantee the whereabouts of everyone – a system that can achieve full non-repudiation."

"One problem is how to manage multiple identities accessing multiple systems within the same organization," says Gorge, "people accessing different levels of systems on a need-to-know basis. An increasing number of customers are looking for two-factor authentication8 or challenge-response systems for employees remotely accessing the corporate network. The good thing about these systems is that you can easily revoke a user's rights if you have any reason to be

In fact Vasco9 has an interesting device called Digipass especially designed to counteract phishing. It is based on the premise that phishing schemes can only succeed if the information the fraudster wants to obtain is static (user IDs, PIN codes, credit card information). Digipass creates one-time passwords, changing every 36 seconds. In addition, it calculates digital signatures, allowing bank account holders or credit card users to perform online transactions without revealing any secret information on the Internet. Note that a one-time code typed into a phishing page can still be relayed to the real bank by the fraudster within its validity window; it is the signature over the details of a particular transaction that stops the captured code being used for a payment the customer never intended.

"The challenge", says Gorge, "is to make sure that you provide the right access levels, accompanied by a clear audit trail that provides accountability. A solution is only as good as the procedures built around it. You must be able to monitor an individual's usage of the corporate network, building up a profile of his/her habits. Then if the usage pattern suddenly changes it can be flagged on the system. You can then do either of two things – look at the forensics and preserve the evidence, or activate your corporate security response. The idea is to be proactive", he concludes.

References

1 BBC News, 21 November 2003.
2 www.ravallibank.com – this community bank in the US has a really informative section on identity theft.
3 http://www.silicon.com/software/security/print.htm?TYPE=story&AT=39118902-39024655t-40000024c
4 If you think you have received a scam email, forward the entire email to ITRC at itrc@idtheftcenter.org; they will forward it to the FBI for you and let you know if it is a confirmed scam.
5 www.fsround.org
6 http://www.findbiometrics.com/Pages/feature%20articles/identitytheft.html
7 "I can prove at any time that my education tried to make another person out of me than the one I became. It is for the harm, therefore, that my educators could have done me in accordance with their intentions that I reproach them; I demand from their hands the person I now am, and since they cannot give him to me, I make of my reproach and laughter a drumbeat sounding in the world beyond."
8 Two-factor authentication is when you have to provide something you know (a password or PIN) and something you have (a smart card or token) before being recognised by the system and granted access. It provides a greater level of security because an attacker needs both to gain access.
9 See details at www.vasco.com
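Ravalli Bank's address-bar demonstration (http://www.amazon.com@ravallibank.com) and the 'http' versus 'https' advice above, as an added Python example that is not code from the article, from Ravalli Bank or from any of the companies named. It shows what a browser actually does with the '@' form and applies the checks a mail filter or a cautious reader could run over links in a suspect email. The host names are those quoted in the article; the sample links, and the domain each one claims to belong to, are constructed here for illustration.

```python
"""Added example (not from the article or from Ravalli Bank): how a browser
reads a link such as http://www.amazon.com@ravallibank.com, plus the checks a
mail filter or a careful reader can apply to links in a suspect email.
The host names come from the article; the sample links are constructed."""
import ipaddress
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def real_host(url: str) -> str:
    """Return the host a browser will actually connect to.

    Everything between '//' and '@' is the URL's userinfo (user name and
    optional password), so in Ravalli Bank's demonstration 'www.amazon.com'
    is a user name and the connection goes to ravallibank.com. This is
    standard URL syntax, not something peculiar to Internet Explorer.
    """
    return (urlsplit(url).hostname or "").lower()


def link_warnings(url: str, expected_host: str) -> List[str]:
    """Reasons to distrust a link that claims to lead to expected_host.

    expected_host is the registered domain the email pretends to come from,
    supplied by the caller (e.g. 'ebay.com'); it is an assumption, since a
    phishing email never states which domain it is impersonating.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings: List[str] = []

    if parts.scheme != "https":
        warnings.append("not https: anything you type travels in the clear")
    if "@" in parts.netloc:
        warnings.append(f"userinfo before '@' disguises the real host {host!r}")
    try:
        ipaddress.ip_address(host)  # raises ValueError for a normal host name
        warnings.append("numeric address instead of a domain name")
    except ValueError:
        pass
    if host != expected_host and not host.endswith("." + expected_host):
        # catches look-alikes such as ebay-verification.net, named in the article
        warnings.append(f"host {host!r} is not {expected_host!r}")
    return warnings


# Constructed sample links of the kinds the article describes, each paired
# with the domain the surrounding email would claim to come from.
SAMPLE_LINKS: Dict[str, str] = {
    "http://www.amazon.com@ravallibank.com": "amazon.com",
    "http://192.0.2.10/wellsfargo/verify": "wellsfargo.com",
    "http://www.ebay-verification.net/update": "ebay.com",
    "https://www.ebay.com/signin": "ebay.com",
}


def scan_links(links: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Run link_warnings over each (url, claimed domain) pair."""
    links = SAMPLE_LINKS if links is None else links
    return {url: link_warnings(url, claimed) for url, claimed in links.items()}


if __name__ == "__main__":
    for url, found in scan_links().items():
        print(url, "->", real_host(url))
        for warning in found:
            print("   !", warning)
```

The last sample link passes every check, which is the point of the caveat above: a clean 'https' address on the expected domain is necessary but not sufficient, since the checks say nothing about the page content or about who obtained the certificate.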

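The Digipass premise above (phishing only pays when the captured credential is static) and the two-factor footnote, as an added Python example that is not code from the article and not Vasco's own algorithm. It implements a time-based one-time password and a transaction signature in the style of the HOTP/TOTP standards (RFC 4226 and RFC 6238), using the article's 36-second window, and then plays out what a fraudster can and cannot do with a code captured by a phishing page. The device seed, the timestamps, the payment details and the bank-issued challenge are constructed here; the article does not say how Digipass derives its codes or signatures.

```python
"""Added example (not from the article and not Vasco's own algorithm): a
time-based one-time password and a transaction signature modelled on
HOTP/TOTP, with the 36-second window quoted in the article. Seed, timestamps
and payment details are constructed for the demonstration."""
import hashlib
import hmac
import struct
from typing import Dict

STEP_SECONDS = 36  # code lifetime quoted in the article


def _dynamic_truncate(digest: bytes, digits: int) -> str:
    """HOTP-style truncation: take 4 bytes at an offset given by the last
    nibble of the MAC, clear the sign bit, keep the low `digits` decimals."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def one_time_password(seed: bytes, now: int) -> str:
    """Six-digit code for the 36-second window containing Unix time `now`."""
    window = now // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha1).digest()
    return _dynamic_truncate(mac, 6)


def verify_otp(seed: bytes, code: str, now: int, skew: int = 1) -> bool:
    """Bank-side check; `skew` neighbouring windows tolerate clock drift."""
    window = now // STEP_SECONDS
    for w in range(window - skew, window + skew + 1):
        mac = hmac.new(seed, struct.pack(">Q", w), hashlib.sha1).digest()
        if hmac.compare_digest(_dynamic_truncate(mac, 6), code):
            return True
    return False


def sign_transaction(seed: bytes, payee: str, amount_cents: int, challenge: str) -> str:
    """Eight-digit signature bound to the payment details and to a one-off
    challenge issued by the bank (the challenge is an assumption of this
    example, not something the article describes)."""
    message = f"{payee}|{amount_cents}|{challenge}".encode()
    return _dynamic_truncate(hmac.new(seed, message, hashlib.sha256).digest(), 8)


def verify_transaction(seed: bytes, payee: str, amount_cents: int,
                       challenge: str, signature: str) -> bool:
    expected = sign_transaction(seed, payee, amount_cents, challenge)
    return hmac.compare_digest(expected, signature)


def phishing_replay_demo() -> Dict[str, bool]:
    """The victim types a code into a phishing page at t0. What can the
    fraudster do with it?"""
    seed = b"constructed-device-seed"  # shared by the token and the bank
    t0 = 1_000_008                      # constructed timestamp (start of a window)
    captured = one_time_password(seed, t0)
    sig = sign_transaction(seed, "ACME Ltd", 12_500, "challenge-7")
    return {
        # relayed to the real bank within seconds: still accepted, so a live
        # man-in-the-middle phish is not stopped by the one-time code alone
        "replayed_within_window": verify_otp(seed, captured, t0 + 10),
        # reused a few minutes later, the way a static password would be: rejected
        "replayed_later": verify_otp(seed, captured, t0 + 5 * STEP_SECONDS),
        "signature_valid": verify_transaction(seed, "ACME Ltd", 12_500, "challenge-7", sig),
        # the same signature presented for another payee or amount: rejected
        "signature_for_other_payee": verify_transaction(seed, "Mule Account", 12_500, "challenge-7", sig),
        "signature_for_other_amount": verify_transaction(seed, "ACME Ltd", 99_999, "challenge-7", sig),
    }


if __name__ == "__main__":
    for check, accepted in phishing_replay_demo().items():
        print(f"{check:28s} accepted={accepted}")
```

The two rejected cases are what the one-time code and the signature each buy you: the code stops the captured credential being stored and used later, and the signature stops a code captured in real time being spent on a different payment. A phishing page that relays the code immediately is still accepted, which is why transaction signing, not the one-time code on its own, is the defence against a live relay.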
getting the whole picture

Policy domain mapping

Peter Stephenson

This month's column looks at policy domains and the application of threats and the mapping of interdomain communications.

Last month I introduced you to security policy domains. The notion of policy domains is not new. The CORBA (Common Object Request Broker Architecture) Glossary1 defines it as:

"A domain whose objects are all governed by the same security policy. There are several types of security policy domain, including access control policy domains."

Smith, in a presentation for NIST2, defines a security policy domain as:

'The scope over which a security policy is enforced. There may be subdomains for different aspects of this policy.'

Sanchez, Waitzman, Condell3 et al. describe security policy domains as:

'…an environment or context that is defined by a security policy, a security model, or architecture, and includes a set of system resources and a set of entities that have the right to access the resources.'

A couple of months back we introduced two additional definitions (SANS and M-Tech). In that issue we posited our own definition, the one with which we will continue to work:

A security policy domain is a set of requirements for system configurations that enforce rules of behaviour for users, administrators and systems intended to protect those systems and the data they contain.

Regardless of the source of the definition, the concept is consistent: security policy domains are those logical and physical components of an enterprise governed by a single security policy. The policy may be explicit, as in a corporate policy, procedure or guideline, or, more commonly, implicit, as in the configuration of devices governed by a policy. Typically, for practical purposes, we consider those configurations as the instantiation of the policy. Our working definition reflects this. This month we'll do a bit more work with policy domains, including applying threats and mapping interdomain communications.

Identifying policy domains

The process of identifying policy domains has a couple of aspects to it. First, we want to group data (and the devices upon which the data resides) based upon sensitivity and criticality. On the surface that sounds pretty simple. However, we are also concerned with the use to which the data will be put.

For example, we may have data that we consider to be at level 5 sensitivity (on a scale of 1 to 5, 5 being the most sensitive) and level 5 criticality (same scale as sensitivity).

