ID THIEVES AMONG US

Jul 1, 2005 12:00 PM, BY JACQUELINE EMIGH

As more and more records move from paper to the Web, personal information is becoming increasingly accessible — not just to legitimate organizations, but to criminals and other bad guys, too.

Honing in on new opportunities to make a quick buck, crafty cyber-thieves carve out myriad ways of performing “identity theft” by stealing social security numbers, bank account records and other data.

“The threat is very real,” observes Mark Durett, product manager at Covelight Systems, Cary, N.C., one of a growing legion of vendors offering defense against this murky underside of cyberspace.

“This isn't just ‘two guys in a basement.’ It's organized criminal activity, with the idea of pulling in a ton of money,” concurs Lance Cotrell, founder and president of Anonymizer, San Diego.

Moreover, it often takes months and even years to get to the bottom of identity theft incidents — giving perpetrators plenty of time to abuse the purloined data.

In January, a 35-year-old man was imprisoned for 14 years for his role in one of the biggest identity theft scams in U.S. history. Philip Cummings admitted that, as a help desk employee of Teledata Communications from 1999 to 2000, he downloaded account passwords and credit reports and sold them for about $30 each to a band of Bronx-based Nigerian immigrants. Teledata provides software for running credit checks to major U.S. credit bureaus.

Cummings' cohorts allegedly used the stolen information to bilk about 30,000 individuals out of between $50 million and $100 million. The federal district court in New York received statements from about 300 victims, who reported that criminals had emptied out bank accounts and taken out fraudulent loans.

Information security vendors are taking a variety of approaches to curbing identity theft. Durett likes to cut through the technical complexities by dividing ID management products and services into two main categories. “Some identity management vendors are trying to build ‘better locks on the doors,’” Durett says. “Others are monitoring the folks who have access to the ‘crown jewels.’”

Durett places Covelight Systems in the second of these two categories. Specifically, Covelight sells its Percept plug-in hardware to companies that want to track the online activities of employees who work with sensitive customer data — whether this information is related to finances, health or human resources, for example.

“Somebody working in a call center might be viewing 50 different customer records in a day,” Durett says. “We build profiles of how employees interact with the data, keeping an eye out for behavioral anomalies.”

“Company insiders” have already been caught as culprits in ID theft cases, Durett notes, pointing to a recent case in Hackensack, N. J. as additional proof. On May 23, police in that city announced the arrests of nine people — including several former employees of the Bank of America — in connection with the illegal sale of information on more than 676,000 accounts from four financial service firms.

In another solution targeting “inside jobs,” Thor Technologies, New York, recently teamed up with Bridgestream Inc., Washington, D.C., to combine “business roles automation” with enterprise identity management.

The integrated offering lets organizations automate and enforce employees' access rights to customer data, software applications and computer systems even on the basis of temporary projects, according to Alberto Yepez, Thor's executive chairman. If an employee leaves a project, or the project ends, any related access rights automatically cease.

Threats are out there

Lots of “outsiders” commit ID theft, too, launching fraud attacks over the Internet. In one common sort of Internet scheme, known as “pharming,” fraudsters “redirect” Web users from legitimate Web sites to copycat sites which look exactly like the real thing but are actually malicious.

After landing on the copycat site, Web visitors can fall prey to any of the many “phishing” techniques which are used by predators to rip off personal information.

Statistics from the SANS Internet Storm Center show that at least 1,300 Web sites were compromised by pharming exploits in early March alone.

In most pharming attacks, cyber-criminals surreptitiously poison some special purpose computers on Web sites — collectively dubbed DNS (Domain Name Service) servers — with nasty software code. In some instances, hackers also secretly corrupt a file on the user's PC — known as the “host file” — which most people do not even know exists.

Enterprises whose identities are hijacked can also suffer badly from reputational damage and lost business. Anonymizer is battling this breed of identify theft with a technology that essentially routes all customer traffic from the Web site to Anonymizer-operated DNS servers that are protected from all known pharming methods. As the re-routing takes place, host files on end-users' PCs are never accessed.

Other IS vendors, such as Strike Force Technologies Inc., Edison, N. J., straddle the line with product suites aimed at solving multiple aspects of the mounting ID theft crisis. GuardedID, the newest module in the company's Identity Assurance Product Suite, fights against keystroke logging.

By recording a person's strokes on a keyboard, hackers can discern passwords and credit card numbers, for instance.

But some culprits are getting so ingenious that they are downloading keystroke loggers onto users' PCs entirely disguised as something else, such as a printer driver or a video driver. GuardedID is still able to ferret out the logging software, says George Waller, executive VP at StrikeForce.

VerifyID, another software module from Strike Force, helps to prevent fraudsters from impersonating other people online, even if the criminals are already armed with data artillery such as social security and credit card numbers.

“A lot of online fraud takes place at the registration point,” Waller says. VerifyID screens individuals who are trying to sign up for accounts by quickly poring through online records, coming up with questions that would be hard for anyone but the “real” person to answer.

Beyond name, address, and the last four digits of the social security number, the software poses four or five additional questions. Some of these are trick questions, Waller adds.

For instance, the system might ask, ‘Is your sister Susan older or younger than you?’ when you actually don't even have a sister named Susan.

Other modules in the Strike Force suite include ProtectID, for sending account usernames and passwords to Web sites through separate channels; ResetID, for securely changing a person's computer passwords; and TrustedID, for verifying the authenticity of PCs and other computers trying to log in to enterprise networks and Web servers.

---

ABOUT THE COMPANIES

For information, circle the Reader Service Card number (listed below) or visit securitysolutions.com

Anonymizer	95
Bridgestream Inc.	96
Covelight Systems	97
Strike Force Technologies Inc.	98
Thor Technologies	99

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue