In January 2004, the MyDoom computer virus proved so malicious that Microsoft and other companies offered hundreds of thousands of dollars in reward money for information leading to the arrest and conviction of the virus author. Is it possible that those were the good old days?
As this year began, computer security vulnerabilities again made headlines, but the nature of the attacks was far different. A hacker stole the Social Security numbers and other personal data of thousands of students and employees at George Mason University, home of the Center for Secure Information Systems, a project that involves the U.S. Department of Defense.
Sensitive personal information was also at issue at T-Mobile, which said in January that it had cooperated with authorities that had made an arrest in a case involving security breaches in 2003 and 2004. Those breaches reportedly involved not only the names and Social Security numbers of 400 customers but also Secret Service information and even photos taken by celebrities with their camera phones.
And, of course, the theft of the personal data of 145,000 consumers from ChoicePoint Inc., which was made public last month, made the reality of identity theft front-page news yet again.
Virus attacks remain a threat, of course, but far more worrisome is the trend toward identity theft and theft of data. Unfortunately, a new CFO IT poll suggests that CFOs may not be adequately focused on this emerging threat. ID theft, dubbed the fastest-growing white-collar crime in America, is not just an issue for consumers and their financial institutions. It also poses a very real danger to any company that uses computers and the Internet.
Armed with the user name and password of an employee in your company, an ID thief can access your company’s computer systems with virtually no risk of detection. “Getting a person’s password is actually an elegant way of attacking a corporation,” says Peter Firstbrook, a program director at Meta Group. “It’s like starting a car with a stolen key — there’s no shattered glass, no alarm set off. It’s entirely possible that nobody will notice.”
Stealing user names and passwords is relatively easy, but a would-be criminal doesn’t even have to do that. Security experts and studies indicate that there are possibly thousands of Websites that exist solely for the purpose of stealing, buying, and selling IDs. In fact, ID theft has become a big business, big enough to attract international organized crime.
The potential damage goes well beyond the value of the data stolen. Jonathan Penn, a market analyst at Forrester Research, maintains that because of the fear of ID theft, consumer confidence in conducting business online is now eroding. “People are moving off online banking because of security concerns,” he says. “Suddenly this is becoming a trillion-dollar problem once you look beyond fraud loss to consumer E-finance adoption and retention.”
While few people regard the CFO as the front line of defense on computer security, the potential damage to corporate reputation, the threat of fines for failing to protect sensitive data, and the actual hit that corporate coffers could take make data protection a major facet of risk management. Some CFOs get the message, yet while companies do continue to spend heavily on computer security, awareness may still lag in reality (see “Security by the Numbers“).
Security vs. Convenience
Thieves employ several simple, straightforward techniques to steal personal information. They snatch documents containing Social Security numbers and other personal data from the mail. They steal computers on which ID information is stored. They hack into corporate databases. They buy IDs from other thieves. They bribe company insiders to provide printouts of customer and employee data. They fish through trash bins, looking for human-resources documents. They trick consumers (and employees) into providing their user IDs and passwords via E-mail or links to phony Websites, a process known as phishing (see “Gone Phishin’,” at the end of this article). And they use spyware that captures keystrokes, essentially a high-tech way to peer over someone’s shoulder as he enters personal data.
Most companies do little to deter ID theft. Many actually make it easy by, for example, printing Social Security numbers on a wide variety of easy-to-steal documents and ID cards. “We’re at the cusp of a shifting balance between security and convenience,” says Penn. “We need to reassess it.”
Some believe that such reassessment will ultimately fall to finance. “As far as compliance goes, CFOs play a key role in addressing this problem,” says Bill Conner, president, chairman, and CEO of Entrust Inc., an Addison, Texas-based maker of digital-identity software and services. “They’ve got legal guys on one side of compliance, business-unit guys running the business, and maybe a chief security officer on another piece. But it’s up to the CFO to balance the balance sheet, the profit-and-loss picture, and Sarbanes-Oxley compliance across that.”
Of all the factoids swirling around this topic, the one that may create the greatest sense of urgency is this: the Federal Trade Commission says that ID theft cost U.S. businesses and financial institutions nearly $48 billion in 2003. Nearly 13 percent of all U.S. consumers — some 9.9 million people — had their personal information misused in 2003, according to the FTC. Each ID theft costs businesses $10,200 per victim on average. And the estimated time spent resolving all these ID thefts? Nearly 300 million hours in 2003.
To possess enough information about another person to assume their identity is to possess the blankest of blank checks. ID thieves don’t simply buy things with other people’s credit-card numbers: they use phony IDs to avoid arrest, launder money, smuggle drugs, traffic in illegal immigration, and fund terrorist activities. As Judith Collins, a professor of criminal justice at Michigan State University (MSU) and author of Preventing Identity Theft in Your Business, says, “We’re just providing all kinds of opportunities for the theft of consumer identities.” The challenge, Meta Group’s Firstbrook adds, is that “you can’t think of this as ever being finished. You need to continuously update and educate staff about new threats as they become prevalent.”
Entire companies have had their identities stolen. In one recent scam, crooks set up phony credit-card service accounts in the names of 50 actual companies, most of them fairly small. The thieves would set up a fake Website and charge bogus transactions using stolen consumer credit-card numbers and have the funds routed into the phony company accounts, which were then cashed out. One company stung in the scam was T-Data, a small New York-based software company. Its losses totaled $15,000. “The bad guys are not targeting the individual anymore,” comments John Pironti, enterprise solutions architect at Unisys Corp. “Instead, they’re targeting corporate communities and the Internet population as a whole in order to have a greater impact.”
A Matter of Mistrust
Such crimes also pose a danger to companies by undermining consumer confidence. “Online banking will probably grind to a halt in the near future,” says Richard O’Connell, chief technology officer at AMIC Research Inc., a Jersey City, New Jersey-based supplier of security technology for the financial-services industry. “It won’t remain that way, but the fear of something horrible happening will severely hamper its progress.” Surveys of consumers do suggest that concerns about ID theft are a barrier to greater acceptance of online banking.
Companies that become known as the targets of ID thefts could find it difficult to maintain the trust of customers, suppliers, and partners. “Money is replaceable, but how much is your reputation worth?” says Linda Goldman-Foley, co-executive director of the Identity Theft Resource Center, a nonprofit organization.
Adds Rebecca Whitener, fellow and director of security and privacy services at IT-services provider EDS: “If your name gets associated with a major security breach that allowed the disclosure of certain personal information, that’s a nightmare.” When computers that contained customer data were stolen from a firm that prints loan statements for Wells Fargo, the bank offered affected customers a free year of enrollment in Wells Fargo’s ID protection program, beefed up security information on its Website, and launched a toll-free telephone service to advise customers on fraud prevention.
Companies that fall victim to ID theft may also find themselves tied up in court. For example, two airlines, Air Canada and WestJet Airlines, are locked in a lawsuit over alleged ID theft and corporate espionage. Air Canada alleges that WestJet officers used the personal ID of a former Air Canada employee to access Air Canada’s private Website thousands of times to collect route and market information. In its suit, Air Canada seeks $4 million in punitive damages, plus damages for lost revenues and profits.
Although identity theft is a relatively new crime, federal and state laws, including the well-publicized California statute SB1386 — which stipulates that if corporate computer systems are breached and the information is unencrypted, companies must notify all individuals affected — do provide some relief and protection. But experts warn that some of these laws create an opportunity for class-action lawsuits against corporations.
While most media reports of identity theft stress the consumer angle, by most accounts 50 to 70 percent of ID theft occurs in workplaces, and that figure may grow as the nature of ID theft shifts from simple rip-offs to complex efforts to defraud.
Go Where the IDs Are
Within individual companies, security experts say, the most vulnerable department or function is human resources. Why? Because, to paraphrase bank robber Willie Sutton, that’s where the IDs are. Also, many HR departments use temporary employees who are not always screened for security purposes. “Anyone who works in HR or anyone who has access to private data should have a thorough background check done by a reputable company — not just a cheap one that gets you by,” advises Troy Allen, vice president of fraud solutions at Kroll Inc.
Likewise, with offshoring on the rise, some experts believe a similar vetting process should be put in place for outsourcers. “We should require [offshore] companies to adopt, implement, and enforce uniform standards for ID security,” says MSU’s Collins. “We’ve already got computer and IT security in place, but computers do not steal identities — it’s the people who use the computers.”
Another issue is the widespread use — some would say misuse — of Social Security numbers. These nine-digit combinations appear on a wide variety of company documents and ID cards, and they are also commonly used to identify callers for customer-support telephone services. Banks, phone companies, utilities, even cable-TV providers routinely ask callers for their Social Security numbers. For consumers this means that their most vulnerable piece of personal ID is being used and distributed in ways they can’t control, by people they can’t identify.
You’re Not Just a Number
Ditto for employees, but some companies are beginning to take action. At IBM, chief privacy officer Harriet Pearson has led an effort to reduce the company’s and the health-care system’s use of employees’ Social Security numbers. When Pearson became privacy officer in 2000, overuse of Social Security numbers was cited as the leading area of concern by employees.
In response, Pearson began to address the issue by launching an effort within IBM to have its employee health-care plans remove Social Security numbers from member ID cards and other items that are frequently shared. She also spoke with officials in government and other experts, who told her that the best practice is simply to stop using the numbers.
Pearson and IBM’s HR leadership then worked with the company’s health-insurance vendors to remove Social Security numbers from roughly 500,000 health-care ID cards issued to employees, their dependents, and retired employees. All the providers complied with Pearson’s request. Pearson, who deals directly with IBM’s senior leadership, says that a gap analysis helped determine whether existing policies were sufficient to match company goals. When they aren’t, the support of senior management is key to making changes.
General Motors plans to consolidate what’s known as end-user identity management services into a single global system by 2006. GM’s goal is to provide single sign-on capabilities for some 500,000 employees, suppliers, contractors, and other business partners. Single sign-on, a hot concept in the computer-security world, refers to a software process that permits a user to enter one name and password to access multiple applications. When users first log on, they are authenticated and are then able to access all the applications they have been granted the right to use. This makes life easier for employees, because they don’t have to remember (or jot down on Post-its) multiple passwords. At the same time, it gives GM network administrators greater control and security. But such a system hints at the complexity of enforcing security: with only one password to remember, employees can be required to change it more often without flooding the help desk for reminders about their newest password, but a stolen password provides access to far more systems.
At Motorola, filtering software that helps block most unwanted E-mail isn’t just a way to help employees avoid in-box overload, but is in fact a big part of chief information security officer William Boni’s efforts to keep the company safe. Motorola’s global network supports more than 65,000 employees in nearly 50 countries, and Boni says many of them have been subject to numerous phishing attacks that seek passwords and other personal information. While the software tools Motorola uses to block these scamming E-mails are effective, even a small number of thefts could still cause havoc, says Boni. “The spam filters kill 99 percent of the incoming stuff — but then the other 1 percent kills you,” he says.
To help fill the gap, Motorola makes sure that employees are aware of the risks. “For us, the identity-theft issue is primarily one of education,” says Boni. Postings on key internal Web pages, online staff training classes on Internet risks through Motorola University, and reminder E-mails about the risk of identity theft are all part of a day’s work now.
Education has also been key for the state of Florida, where, says state CFO Tom Gallagher, an older population provides a rich target audience for scammers. Gallagher and his colleagues have launched several anti-ID-theft efforts, including a Website that offers help for ID-theft victims. “About all you can do in a free, open society is give people a good education to protect them,” Gallagher says. “If they don’t choose to listen to the advice, then they’ve got a good shot at being abused.”
When we asked senior finance executives what trend holds out the hope of more-cost-effective computer security, the most commonly cited answer was “development of new technologies” (see “Security by the Numbers“). The computer industry is hard at it. New developments in biometric technology, which forgoes passwords in favor of identifying a person by various unique characteristics, continue to emerge. While these are promising, Collins of MSU points out, “Every time there’s a new type of technology, perpetrators find their way around it.” If in fact computer security is something of an arms race, waiting for the proverbial silver bullet is not an option.
Motorola’s Boni says that it’s important that companies talk about identity theft in terms of risk, as opposed to only technology. “Many of us who came up through IT frame it in a technical sense rather than as a business issue. But it’s like the conversation you have with your doctor: he tells you all the things you should do or change to be healthier, and you decide which suggestions to take. You might agree to exercise more but not be willing to give up red meat.”
By that analogy, companies will need to become more health-conscious than ever before.
Additional reporting provided by Larry Lange.
|ID Theft by Fraud Type|
|Phone or utilities||19%|
|Government documents or benefits||8%|
|Data: Federal Trade Commission data for 215,093 ID-theft victims during 2003.
Multiple replies were permitted, so the total exceeds 100%.
The latest ID-theft scam combines hacking with E-mail spam, and may cost businesses billions of dollars.
Why hack computer systems when it’s so much easier to hack people? That’s the philosophy behind phishing, an ID-theft scam that combines hacking and E-mail spam. In a phishing attack (the term is short for “fishing for information” and uses the alternate spelling popularized by the 1970s hacker group Phone Phreaks), the thief sends a fraudulent E-mail to victims soliciting some nugget of personal information. The E-mail may even provide a link to a Website, usually a phony site that perfectly replicates a legitimate site, such as for a bank, online retailer, or some other entity that the victim may deal with regularly. In fact, it is precisely because the victim has visited and interacted with the site before that he or she can be fooled into entering a credit-card number, password, or other information.
Market researcher Gartner says an estimated 57 million Americans were exposed to phishing attacks in 2003. Of these, nearly 20 percent clicked on the link, resulting in losses of $1.2 billion, according to Gartner. A recent survey of 348 online merchants places the losses even higher. The survey, conducted by CyberSource, an Internet payment solutions and risk-management provider, found that scammers stole more than $2.6 billion from online merchants in 2004, an increase of more than 37 percent over the previous year. Among the many companies targeted by phishing attacks are PayPal, an online payment service; SunTrust, a financial-services company based in Atlanta; and NatWest, one of the largest banks in the United Kingdom. Last November, NatWest actually suspended some of its online services following a phishing attack, though the bank says its customers lost no money due to the scam.
Education remains the best form of prevention. In the wake of recent phishing scams, no reputable online merchant or business partner would ask for personal data via an E-mail message. Employees should forward suspect E-mails to their managers or, if the company has one, chief security officer. While E-mail filters are constantly being tweaked to detect various threats, phishers, virus writers, and others are working hard to overcome technological barriers. But a savvy employee is your best defense. —P.K.
Preventing Identity Theft
First, work with your IT, legal, and HR departments to establish corporate policies for protecting employees’ identities, and enforce these policies from the top down.
Perform background checks on all personnel with access to sensitive corporate data. Keep records of these background checks on hard copy only, and store them in locked files.
Develop an encryption system for all computer-based information. Remove or encrypt as much personal information as possible from all computer files, especially on easy-to-steal laptops, PDAs, and other mobile devices.
Upgrade company ID cards, business cards, and name badges to include the bearer’s photograph.
Stop using Social Security numbers for identification purposes in routine customer interactions.
Perform due diligence on business partners and suppliers, to ensure they are properly securing confidential information provided by your organization.
Let customers opt out of receiving easy-to-steal paper statements, and rely on secure Websites instead.
Shred all discarded confidential information, including all invoices and statements. For ID thieves, office trash bags are favored hunting grounds. At home, be especially vigilant when shredding preapproved credit-card offers.
Suggest to your employees that they not carry Social Security cards, or any other cards bearing Social Security numbers, in wallets or handbags. While less convenient, it’s safer to store them in a secure place and carry them only when necessary. —P.K.