Invasion of the Identity Snatchers
Aug 1, 2007 12:00 PM, By Sandra Kay Miller
While attending the Black Hat digital security briefings in New Orleans in 2002, Jim Harrison, an employee at Microsoft, was pick-pocketed in the French Quarter. He filed a police report, canceled his credit cards and borrowed some cash from a colleague for the remainder of his trip. He didn't think much more about the incident until he began receiving collection notices for not one, but two stints at a drug and alcohol rehab center in Oxnard, Calif. However, during the alleged rehabilitation admissions, Harrison had been hard at work in Redmond, Wash. He had been a victim of identity theft — the fastest growing crime in this country, according to the Secret Service and Federal Trade Commission (FTC).
The FTC points out that, in addition to accessing medical services, identity thieves routinely open a number of account types, including bank, credit, utility, mobile phone and Internet service accounts, make fraudulent purchases (real estate, vehicles) and enter into rentals and leases under the assumed name. On average, it takes a year for victims to realize their identity has been stolen.
Despite two federal criminal statutes — The Identity Theft and Assumption Deterrence Act of 1998 and the Identity Theft Penalty Enhancement Act — that provide stiff penalties including up to 15 years in jail, the Secret Service and FBI are limited in their resources to investigate the 15 million identity thefts now occurring annually. Justin Yurek, president of Denver-based ID Watchdog, a consumer-based service for monitoring personal identity information, says that a theft has to reach at least $100,000 to catch the attention of federal authorities. “For the average consumer, and more importantly the average thief, these laws will never apply,” Yurek says. Avivah Litan, vice president distinguished analyst at Gartner, a research firm in Stamford, Conn., substantiates Yurek's assessment by pointing out that fewer than one in 700 identity thefts results in a conviction.
Ten years ago, identity theft was barely a blip on law enforcement's radar, but according to Javelin Strategy and Research, Pleasanton, Calif., it racked up $56.6 billion in losses for businesses and consumers in 2005. Many law enforcement agencies and analysts, including Ed Mierzwinski, consumer program director at Washington, D.C.-based U.S. Public Interest Research Group, contend one's identity can easily be filched because of the use of Social Security numbers as the primary way to identify and authenticate individuals.
In July 2007, in an effort to reduce identity theft, the House Ways and Means Committee unanimously approved HR bill 3049 to eliminate Social Security numbers from public display on ID cards and online accounts. If passed, the bill will require government agencies, schools and businesses to issue a unique identification number instead of using Social Security numbers for official documents, identification cards and as a means of authentication for procuring goods and services. Utility companies will not be allowed to demand Social Security numbers in order to engage their services.
Unfortunately, Mierzwinski predicts there will be a lot of opposition to signing the bill into law due to the costs of retooling systems as well as from businesses such as credit reporting agencies that routinely sell consumer information.
In order for identity theft to occur, the perpetrator must first gain access to private data. Identity thieves employ a variety of methods ranging from dumpster diving to using fake card readers to scan debit and credit cards and retrieve information.
In its 2007 Breach Report, the Identity Theft Resource Center (IDRC) (www.idtheftcenter.org) lists 204 high-profile data leaks that resulted in more than 88 million personal records being exposed. Breaches occurred just as often from human error, such as private databases being posted online and portable storage devices being lost, as from deliberate targeted attacks on both the high-tech (hacking, malware) and low-tech side (stealing laptops).
With the proliferation of digital information, online business and ultra-portable devices such as PDAs and smart phones, the capacity for electronic identity theft has also risen sharply. Last year just prior to tax time, the Internal Revenue Service (IRS) issued numerous warnings about scams using fraudulent e-mails asking for detailed personal information (also referred to as phishing) under the auspices of official IRS business. Many of the major financial institutions and online businesses, including eBay and PayPal, routinely receive notification that customers have received unsolicited e-mails and telephone calls requesting passwords, personal identification numbers and account information. Once identity thieves receive private data, they work at lightning speed.
Dave Jefferies, a high school math teacher, responded to an official-looking e-mail from his online brokerage firm asking him to reset his password due to a security breach. An embedded URL provided access to what appeared to be a legitimate site. “Less than 15 minutes after I entered my username and password, I began receiving e-mails from the brokerage company alerting me to three transactions that were selling off stock and redirecting the funds to a bank account in Singapore,” Jefferies says.
Regardless of how sensitive data has been compromised, most states now have laws requiring that consumers be notified if their private information is at risk. Currently, the federal government has no obligation to issue such alerts, but high-profile data losses such as the stolen Veterans Affairs department laptop incident and the incident that involved the removal of classified information by a contractor using a USB flash drive at Los Alamos National Laboratory routinely garner attention in national news outlets.
While Harrison had the necessary evidence to back his claim of innocence, untangling the mess consumed many hours of his time. The Privacy Rights Clearinghouse (www.privacyrights.org) estimates that it takes an average of 600 hours and $1,400 for victims to deal with the repercussions of identity theft. The Federal Deposit Insurance Corporation (FDIC) warns consumers that identity theft “can do damage to your financial history and personal reputation that can take years to unravel,” and the IDRC cites as many as 70 percent of identity theft victims reported recurring problems. Often, the damage goes far beyond the loss of money and time when victims fail to pass background checks for employment or encounter a severely damaged credit report when purchasing a home.
The fight against identity theft is being waged on two fronts — by individuals and by the organizations housing private data. As both become aware of the methods by which criminals are gaining access to information used to commit identity theft, both sides are taking action to mitigate risk.
Organizations, especially those bound by regulatory compliance, have beefed up security for the handling and storing of private data, using a variety of traditional defenses such as firewalls, intrusion detection systems and malware scanners along with emerging technologies offering granular information access control, application firewalls, strong encryption, advanced authentication and device/port control. Companies frequently targeted by identity thieves, such as the financial industry and online businesses, have waged campaigns to educate customers on how to avoid identity theft and have stepped up customer service related to possible fraud reporting.
After his brush with identity theft, Jefferies offers this advice for avoiding future disasters, “Use common sense. If someone asks for personal information online, over the phone or in the mail, take the time to be sure they are really who they say they are.”
© 2012 Penton Media Inc.





