There is evil lurking in our midst. What's the evil that I'm referring to? Identity theft—a crime bred out of pure selfishness, a crime that allows someone to steal your identity and use it for themselves. These thieves often use your credit card numbers to purchase expensive electronics and jewelry. Or they use your social security number to get a loan to buy a car or house. Of course, they never actually make a credit card or loan payment. They may show your driver's license number to the police when they're pulled over, but they never pay the fines or show up for court dates. And suddenly you have a criminal record! Or, for a tidy sum, they sell the entire database they've stolen from their employer to someone who will perform volumes of invalid credit card or bank transactions. Why are these crimes committed? In my opinion, one word sums it up: greed.
You may have heard about some of the recent events in which laptops that contained personal data have been stolen. One laptop stolen from the offices of the YMCA contained member information, another contained information on former employees from three supermarket chains, another from users of Hotels.com (thank you very much; now some thief has my credit card number), and the one that has caused the most outcry is the theft of a laptop containing SSNs and other personal information of millions of our brave military servicepeople. The number of affected men and women grows with each newscast.
Are the thieves ever going to be prosecuted? If caught, yes, but often the intent of the thieves is to steal the computer itself, not necessarily the data. In these cases, unless the thieves are paying attention to the news, they may not realize the "gold mine" they are sitting on in terms of the value of the data on the computer they've just stolen.
The outrage over having our servicepeople's data stolen has prompted various committees in Congress to pass three separate and slightly varying bills, all relating to theft of private information: the House Judiciary Committee's Cyber-Security Enhancement and Consumer Data Protection Act of 2006, the Committee on Financial Services' Financial Data Protection Act of 2006, and the Committee on Energy and Commerce's Data Accountability and Trust Act (DATA). The last two bills include the requirement to have policies and procedures in place to protect the data, so those two bills get my vote. Unfortunately, Congress debated this issue before (prompted by the loss of an unencrypted backup tape containing many Congressional members' personal banking information) but could never come to an agreement on the terms.
Rather than depend on the government to stem the loss of personal data, I believe businesses need to get serious about protecting our data. Why are businesses allowing personal data to be downloaded to unsecured laptops and stored in unencrypted form? Even more appalling are incidents of theft of auditors' or vendors' laptops that contain their clients' personal data. One has to wonder about these companies' security policies (or lack thereof) that allow this type of data to be available to vendors and auditors in the first place and then set the access controls so the data can be downloaded to their laptops!
The numerous headlines about identity theft may inspire you to check your credit rating. But it's doubtful that you would think to check on the latest victims' credit rating—that of your children. Yes, children are now targets of identity thieves. Their social security numbers are stolen and their credit ratings ruined. Unfortunately, they usually don't find out until they attempt to obtain a college loan or get their first credit card.
Identity theft affects over 9.3 million Americans annually, according to the 2005 Identity Fraud Survey Report from Javelin Strategy and Research. So let's take a look at some of the things you can do to protect yourself—and your children—from identity theft.
- Be vigilant. Check your bank and credit card statements as soon as they arrive. Or if you do online banking, check your accounts several times a month. The Javelin report shows that significantly less time and money is spent resolving the issue if the victim discovers the problem quickly and proactively (rather than finding out when you're trying to apply for a home equity loan for that new deck you want this summer).
- Shred documents. Not all theft is online. Many thieves sift through garbage.
- Check your credit rating and your children's credit rating. Because of the Fair and Accurate Credit Transactions Act (FACTA), we are entitled to a free copy of our credit report from all three of the credit bureaus annually. You can request this information from www.annualcreditreport.com, but be careful when typing in this URL; many thieves have reserved very similar URLs and made them phishing sites. You may be more comfortable calling the toll-free number (877.322.8228) to request your annual credit report.
- Install a personal firewall, anti-virus software, and spyware detection software on your PC.
- Educate the people around you. You and I know not to respond to phishing scams that request our private data. You and I know enough to install spyware detection software to prevent keystroke logging and the gathering of personal data. But do your friends and family know about these things?
- Be cautious about with whom you share your personal information or who has access to your credit cards and other information. I'm sure you think that I'm about to warn you to be careful about where you shop online or to stop giving out your social security number unnecessarily. While these warnings should certainly be heeded, my real warning is to safeguard your information—even around your friends and family. The most disturbing statistic in the Javelin survey was that over half of the thieves were friends or family of the victim. To make matters worse, friends and family stole significantly more than thieves who didn't know their victims, requiring the victims to spend much more time resolving the issue.
If you are an employer or someone in control of the contents or security of data, you can help to protect us, too.
- Secure the files containing private information. The best thing you can do for all of us is to secure the databases containing private data and restrict access to the entire database to only a few, select users. And these users should not include the programmers on your staff; they're the ones with the know-how to "harvest" the information and move it into a portable (and therefore sellable) form.
- Wherever possible, eliminate private data from screens, reports, and spreadsheets.
- Find all the servers and data warehouse sites where this information has been propagated and remove it.
- Shred documents containing private information. Like I said, some thieves actually use "dumpster diving" to obtain private data from businesses.
- Educate employees on scams such as phishing and other social engineering techniques.
Thwarting Evildoers
Evil lurks. But the good news is that the statistics indicate the incidents of identity theft are leveling off. However, if you discover that you are a victim of identity theft, a good resource for the next steps you should take is the Federal Trade Commission's identity theft resource page.
Carol Woodbury is co-founder of SkyView Partners, Inc., a firm specializing in security policy compliance and assessment software as well as security services. Carol is the former chief security architect for AS/400 for IBM in Rochester, Minnesota, and has specialized in security architecture, design, and consulting for more than 15 years. Carol speaks around the world on a variety of security topics and is coauthor of the book Experts' Guide to OS/400 and i5/OS Security.