-1- When looking at a compliance issue, one key issue is to establish precisely what the Information System under consideration involves.
Taking the broad view of this case, one lists:
- - the individual victim, who will be tricked into voluntarily disclosing his or her confidential information
- - the perpetrator, who is collecting the data for his or her own benefit
- - the organization whose name is being used to dupe the victims, eBay in this case
- - the individuals and organizations which will benefit from the use of this information (eg., buyers and resellers of personal, confidential information)
- - the individuals and organizations which will be harmed by the use of this information (eg., merchants and credit card issuers)
-2- Often individual victims are derided as both hapless and clueless. Yet do they not deserve as much protection from fraudulent misrepresentations as those whose information is stolen by more indirect means, such as breaking into a database of a third party which this party is legally authorized to maintain?
However legal protection without redress is worthless and actual redress is very difficult to obtain when perpetrators are operating from foreign countries and no third party is to blame.
-3- The key to this case is the role played by the third party.
When a hacker breaks into the computer system of a credit information processor, the processor is:
But when its good name has been used and abused, the third party is in a totally different position:
- - an actual victim of the perpetrator of an unauthorized entry
- - but also a potential defendant, if the individual victim can prove negligence relative to the security of either its computer system or its handling of confidential data
- - it is protected from being sued by individual victims, since it has no responsability in the fraudulent misrepresentation
- - yet it still is very much an actual victim of the perpetrator, as its reputation has been sullied
-4- The reputation of an organization is one measure of its credit. eBay, in the case at hand, has suffered a blow to its credit as would any individual victim of an identity theft.
Just as for an individual, the third party faces costly expenses to clear its good name and restaure its credit.
For example, assume the third party chooses to ignore the issue: the spoofing campaign can quickly turn into a public relation nightmare.
But if the third party wants to respond, it must understand its very effort to communicate with the victims will look suspicious to them. This is the sting of all identity thefts, personal or organizational.
In the instance, ordinary email as a communication channel is hopelessly compromised by the past abuse. Though more expensive, regular mail is better but one must realize it will be likely to be confused with ordinary marketing communications, which most people discard as junk. For this and other reasons eBay has gone to the extreme of creating a special, secure email system to communicate with its users, "My Messages" (see New York Times article)
-5- Third party institutions likely to be targeted by phishing perpetrators share two characteristics:
Banks make up the bulk of the victims (Citigroup, Barclays...) but eBay also fits this profile, especially given its PayPal activity.
- - they have a large number of users
- - their operations have a financial activity akin to money creation
As it is also valuable to an Internet-based criminal to commandeer the underlying email accounts of known email addresses, ISP's are also targeted.
According to the Anti Phishing Working Group (as reported in the Financial Times), more than 140 brands have been targeted since November 2003.
-6- Legitimate marketing and illegal phishing are related.
Phishing is illegal while marketing is not.
Having someone leaving a trail of bad debts in one's name is also a far more serious damage than receiving even more junk mail.
This said and were it not for the unauthorized use of the name of a third party, the process for phishing would be the same as some commonly used marketing scheme:
This is not without a serious consequence: the more legitimate marketing is used to extract confidential data from users, the more difficult it is for unsuspecting users to spot phishing when it occurs.
- - make users to provide confidential data about themselves, through the filling in of countless forms under many types of incentives, some of which highly debatable
- - resell personal, confidential information in bulk or filtered files to others in exchange for money
- - stay as clear as possible from knowing to what usage these others will put this data
-1- The following analysis focuses on the third party through which private information may be stolen.
Main lesson: as long as an organization is in possession of personal, confidential identifiers (such as name, social security number, mother's maiden name, credit card account number and security code...), it can and should expect to be a victim. The reasons are as varied as the system and process used to handle this information is complex.
As seen in the case above about "phishing", such an occurrence may even happen without any direct involvement by the company, through the mere use and abuse of its good name.
Other recent cases, as reported in the media, more directly involve the third party and include:
This list calls for four quick comments:
- - 6/05: criminal penetration of the computer system of CardSystems, a credit card processing company working for merchant banks (40 Millions ID's exposed, 200,000 stolen)
- - 6/05: accidental loss in UPS transit of a box of back up magnetic tape of CitiFinancial, a subsidiary of CitiGroup (3.9 Millions ID's exposed)
- - 5/05: accidental loss in Iron Mountain transit of a box of back up magnetic tapes of Time Warner (600,000 ID's exposed)
- - 4/05: abnormal activity at a computer of RuffaloCODY (IA), a subcontractor used for fund raising by Tufts University (MA) (100,000 ID's exposed)
- - 4/05: unauthorized money transfers by employees of Mphasis BPO (India), a call center outsourcing for Citibank, a subsidiary of CitiGroup ($350,000 stolen)
- - 3/05: access, using stolen access codes, to the computer system of Seisint, a data brokering unit of LexisNexis controlled by Reed Elsevier (310,000 ID's exposed)
- - 2/05: legitimate acquisition of ID's by Senator Schumer (NY) from Westlaw, an information broker operated by WestGroup (harmless political publicity stunt)
- - 2/05: ordinary sales to criminals posing as legitimate businesses, by data broker ChoicePoint (150,000 ID's released)
- - 2/05: accidental loss in shipment of 5 back up magnetic tapes of Bank of America (1.2 Millions ID's exposed)
- - it has become more difficult for companies to keep adverse events from the press due to recent laws enforcing disclosure of such events to potential victims in California
see California laws on identity theft
- - this is just the tip of an iceberg, corresponding to a momentary interest for the subject by the press, fed by numbers obligingly rising by orders of magnitude
for a longer list, visit the Privacy Rights Clearinghouse
- - loss of tapes in transit, a third of the events listed, means that one does not pay attention when little value and penalty are involved, not that truck transport is unsafe per se
- - most cases reported, two thirds, involve the alleged negligence of subcontractors. This is significant but it should be reckless to go on and ignore internal risks.
-2- Next lesson: ID thefts can potentially lead to large exposures and the associated risk cannot be ignored.
In all cases mentioned above in the press, investigations have been ordered. It would be edifying to quantify the total cost born by an organization being investigated, in terms of disruption of operations, lost manpower, legal representation, even if no fine nor penalty are ever assessed.
To the above, one must add the costs to the ongoing business:
To illustrate the point, the share price of ChoicePoint dropped by more than 9% one day after the event was reported in the media.
- - sudden loss of reputation and its consequences:
- - loss of clients, especially when clients are businesses who might be held responsible if they were to continue a relationship with subcontractors proven to be unreliable
- - containment costs, such as the opening of new accounts for individual victims: eg. credit card replacement is estimated to cost from $10 to $20 per account
-3- Since the risk must be addressed, the first question to ask is whether the possession of such dangerous information is necessary at all.
This question cannot be answered outside of each specific case. But one can consider two points:
Notice that the most eggregious case mentioned above, involving CardSystems, falls into that category. According to reports from the New York Times, "MasterCard said its investigation found that CardSystems, in violation of MasterCard's rules, was storing cardholders' account numbers and security codes on its own computer systems" and "John M. Perry, chief executive of CardSystems Solutions [...] said the data was in a file being stored for research purposes[...]"We should not have been doing that"."
- - until recently the trend would have been that the more data, the better. So unnecessary data could very well have been collected.
- - eliminating such unnecessary data would be the most economical solution by far
In most cases of course, the presence of dangerous data cannot be avoided. But care must still be taken to track down and eliminate any unneeded duplication. Risk being multiplied by complexity, one less system element or one less process step will directly reduce risk and improve the bottom line.
-4- Beware that real life is messy. In following the previous advice, CitiFinancial could have decided against the creation of back up tapes, thereby eliminating a very real source of risk. But one can see that, in the instance, the risk associated with irrecoverable loss of data by lack of a back up is highly likely to be greater. One should therefore never loose sight of the global nature of risk management.
Beware how messy real life can be. Most information systems, when correctly defined, happen to be very decentralized. What if a modest reduction of risk assumed by one executive leads, as in the example of CitiFinancial, to a stronger risk for another, independent executive ? What if the former executive decides to reduce his or her risk and does not even realize the risk transfer or "omits" to inform the other party. Risk management can be seen to be intimately linked to companywide policies and arbitrations between departments and explicit contractual clauses between suppliers and purchasers.
Yet the case of CardSystems is exemplary. The media have taken the trouble to explain to the public the total system to be considered. Far from being limited to the computers of CardSystems, the relevant system includes the merchant, the customer, their respective banks, the credit card network plus their own subcontractors, a very complex system indeed.
Following this analysis, one can assume that merchant banks had hired CardSystems to process their data through competitive bids, thereby saving money for themselves. However it is the issuing banks used by potential individual victims which will appease their frightened customers by opening new accounts for them. Putting aside the fact that some banks might be acting for both the merchant and the customer, one sees that, in this case, there is neither a contractual relationship between the risk taker and the associated cost bearer, nor an obvious recourse in law since the harm done by the risk taker's actions is so indirect.
When normal economic incentives do not work and markets are powerless, two approaches remain possible:
- - proper insurance can be taken by a legal entity to cover against circumstances against which this legal entity has no actionable influence
- - enactment of laws or regulations which impose new burdens directly on the risk takers, on behalf of potential victims
-5- Short of eliminating all dangerous data, one must plan in advance how to mitigate the risk associated with its possession.
A more detailed approach will be developped later in part III-1: Protecting Digital Information, of which personal information is but one aspect.
-6- Although an organization might consider it has taken all reasonable measures to mitigate the security risks linked to ID theft, it must understand that adverse events are nevertheless bound to happen. Remember that some events are totally out of the organization controls.
In that case the best practice is to prepare a crisis management cell, in charge of containing the damage. From what precedes, this involves three kinds of measures:
In fact a way to determine how good the measures taken by an organization are, is to ask its CEO to defend them in a mock interview, assuming an hypothetical breach.
If it looks as if the CEO did not know a danger existed, or cannot clearly articulate the trade offs which have created the flaw leading to the breach nor the containment measures already under way, one can assume the organization is indeed at great risks.
- - operational, to repair the information systems and deploy other needed resources such as customer hot lines
- - legal, to ensure full cooperation with the investigating authorities and the best representation of the organization interests
- - public relations, as the point of view of the organization must be clearly communicated to interested parties as well as to the public at large
On the contrary a good performance can cast the organization in a very positive light, for example:
"The loss in shipment yesterday of 5 tapes containing customer ID's was an unfortunate event but all data on these tapes was encrypted. And while it might appear more modern, using electronic means instead of trucks would not have made us safer, given the difficulty to secure a whole new computer equipment at the archival site rather than a plain vault. Remember this is the first loss in shipment over the past 15 years. Besides it would also have cost 4 times as much, money we chose to invest in better protecting our operations center".
-7- One more word, on the companies which will be defrauded by criminals using the stolen identities. They fall mostly into three categories:
The risk of online merchants is high since credit cards will not reimburse them for the non payment of goods or services paid for on fraudulent accounts (so called "card not present" transactions).
- - online merchants to whom fraudulent credit card information have been presented
- - credit card issuers whose credit cards have been stolen from their clients
- - credit card issuers which have issued new credit cards based on stolen identities
Since they cannot possibly detect a stolen identity until the individual victim notifies its issuer and since they can hardly stop their online activities, the best solution is to obtain the proper level of insurance.
Merchants with a high frequency of fraud, for example very large merchants or sellers of small, valuable and desirable goods such as jewelry, should apply fraud detection techniques (see I-2 credit fraud).
When a credit card is stolen, its issuer generally shields the victim, especially if the theft has been promptly reported. While the merchants are generally held responsible for their own losses, the cost to the issuer can be considerable.
First one must consider the intangible losses, in terms of reputation, should it become known the issuer has been complacent in face of credit card theft.
Second one can easily tally the tangible expense of replacing stolen credit cards, estimated from $10 to $20, multiplied by the number of thefts.
In response, issuers have turned to fraud detection techniques (see I-2 credit fraud).
Interesting is the case of the issuers which have provided genuine cards to clients posing under a stolen identity.
Again it is difficult to detect a stolen identity until the individual victim finds out about it but such cards are often used in a way similar to stolen cards so that some fraud detection techniques will apply.
However it is interesting to know that the "new card" issuer may carry no liability with respect to the victim of the ID theft (see case in South Carolina).
From an extreme perspective, if one considers that ID theft is a larceny, one should be ready to view the "new card" issuer as a potential receiver of stolen property, a recognized offense against the original owner.
Information Systems include not only data and the equipment to store, process and transmit it, but also all the people which use this equipment, properly and improperly. Let us focus on people and how to know "whom" one deals with.
- - Employees, the acknowledged source of most breaches in confidentiality, through ignorance, negligence or nefarious intent.
Review in this light HR policies, operational policies, user identification techniques (local and remote), role/permission management systems.
- - what type of verification does one undertake when hiring a new employee ? what obligations are written into the employment contract ?
- - are employees categorized into separate groups, dependent on their need to access key equipment or data ?
- - how are more trusted employees selected and how does this trust endures over the years (see the course of Fraud Examination) ?
- - how easy would it be to impersonate a trusted employee ?
- - what precautions are taken when an employee, especially a trusted demployee, leaves the organization ?
Data is money for the one who knows how to use it: many lessons commonly taught in Fraud Prevention will apply to Data Protection, e.g.:
- - if possible, separate data update tasks from data reading tasks and assign the roles to separate employees, with relevant access rights
- - monitor unusual and uncalled for, employee behavior from access logs
- - set up explicit measures against dangerous behavior in written policies distributed to employees
- - Subcontractors, suppliers, clients of the organization which have their own employees.
Expect trade-offs between two suppliers, one offering better guarantees on security, the other a lower price and faster service.
- - what type of contractual guarantees have they offered ?
- - how are they going to be enforced ?
- - how much do they cost ?
- - As a special case, what if the partnering organization itself is not what it claims to be ?
- - for how long have they been known ?
- - has there been a recent change in ownership ?
- - Consumers:
- - what precautions are taken to teach the consumer how to protect his or her own identity in general before it is too late ?
- - what precautions are taken to make sure the customer will spot fake claims specific to the organization ?
- - how likely is it to be given a false identity by a consumer ?
- - what measures are taken if a false identity is discovered ?
- - Criminals:
- - what documentation do normal operations logs retain which can lead to the identification of the perpetrators ?
- - what faked targets (so called "honeypot") have been created to steered them away from the data to be protected ?
compare this practice with seeding address list with control names as practiced by legitimate list renters
- - Human Resources: background checks
the use of credit reports is subject to laws and regulations referenced in I-2 credit fraud
also most employers cannot have direct access to an individual's official record(s).
when this is the case, the employer can:
one must remember that the identity listed in a state criminal record may itself have been stolen.
For a higher level of accuracy, FBI requests are protected by fingerprinting authentication but take more than a month to be processed.
- - Human Resources: sample data access policies
- - user identification solutions:
- - user self registration with attribution of an ID and password
this can be used as a way to recognize subsequent logins from the same user.
this is a good solution when user's positive identification is not critical. Otherwise reliance on user's declarations is quite unsafe
- - user central registration, followed by user notification by mail of the ID attributed, organization specific
this is the most common means used by retailers, the ID often conveyed on a card which can double as a fidelity card
this is also the way banks issue credit cards
without a password nor challenges, user identification is nothing more than the recognition of a valid ID
- - user central registration, followed by user notification by mail or email of the ID and initial password attributed, organization specific
this is the most common means used by banks for their ATM and debit cards and ISP's for their Internet accounts...
note the tradeoff when the organization lets the user personalize the password:
should one enforce "strong" passwords (with letters, digits and special characters) or let the user free for greater convenience ?
the downside is that users forget passwords, make them easy to steal by writing them down, and hate having too many of them
- - user central registration establishing a digital signature for this user, followed by user notification by email
this is both safe and relatively inexpensive but easier to impose on employees than on ordinary consumers
see for example RSA I&AM solution
- - user central registration using biometric measurements (voice print, finger prints, retina scan...)
this can be made very safe but is expensive, intrusive and may require the user to present themselves to "owned access points", such as gates and kiosks. As prices decrease, "brick and mortar" retailers are likely to be early adopters beyond US Homeland services.
- obviously the last four processes are not operational without some prior step to verify user credentials during the initial registration.
- - user declaration of multiple "secret" data, such as mother's maiden name, to be compared with stored data centrally in house
this of course leads to the multiplication of "secret" data and greatly contributes to the ID theft problem
- - user declaration of multiple "secret" data, such as mother's maiden name, to be compared with stored data centrally at a third party
if processed correctly, this minimizes the duplication of "secret" data by shifting the burden onto select third parties.
- the last two methods can be the first step in a user central registration method, thereafter replacing "secret" data by data:
- they are also used by companies accepting credit cards and other password-less ID schemes to challenge users if and when necessary
- - either company-specific, hence less beneficial to steal
- - or more difficult to forge, hence more expensive for ID thiefs
- - general information for consumers on identity theft
- - anti phishing tools
Providing an anti phishing tool to one's own clients can be expensive, although some are downloadable for free.
Google search for anti-phishing tools
However it is better to forewarn customers and establish a formal, easily recognizable way to communicate with them at the very beginning of the relationship.
a link to an organisation, public or private, does not represent an endorsement
and no compensation has been received nor sollicited by the author for its inclusion.