THE NEW FACE OF IDENTITY THEFT
As scams become more sophisticated,
companies of all kinds find themselves at risk.
By Peter J Krass
In January 2004, the MyDoom computer virus
proved so malicious that Microsoft and other companies offered
hundreds of thousands of dollars in reward money for information
leading to the arrest and conviction of the author of the
virus. Is it possible that those were the good old days?
As this year began, computer security
vulnerabilities again made headlines, but the nature of the
attacks was far different. A hacker stole the Social Security
numbers and
other personal data of thousands of students and employees
at George Mason University, home of the Center for Secure
Information Systems, a project that involves the US Department
of Defense.
Sensitive personal information was also
at issue at T-Mobile, which said in January that it had cooperated
with authorities that had made an arrest in a case involving
security breaches in 2003 and 2004. Those breaches reportedly
involved not only the names and Social Security numbers (ID
numbers issued by the US government) of 400 customers but
also Secret Service information and even photos taken by celebrities
with their camera phones.
And, of course, the theft of the personal
data of 145,000 consumers from ChoicePoint, which was made
public last month, made the reality of identity theft front-page
news yet again.
Virus attacks remain a threat, of course,
but far more worrisome is the trend toward identity theft
and theft of data. Unfortunately, a new CFO IT poll suggests
that CFOs may not be adequately focused on this emerging threat.
ID theft, dubbed the fastest-growing white-collar crime in
America, is not just an issue for consumers and their financial
institutions. It also poses a very real danger to any company
that uses computers and the internet.
Armed with the user name and password
of an employee in your company, an ID thief can access your
company’s computer systems with virtually no risk of
detection. “Getting a person’s password is actually
an elegant way of attacking a corporation,” says Peter
Firstbrook, a program director at Meta Group. “It’s
like starting a car with a stolen key – there’s
no shattered glass, no alarm set off. It’s entirely
possible that nobody will notice.”
Stealing user names and passwords is relatively
easy, but a would-be criminal doesn’t even have to do
that. Security experts and studies indicate that there are
possibly thousands of websites that exist solely for the purpose
of stealing, buying, and selling IDs. In fact, ID theft has
become a big business, big enough to attract international
organized crime.
The potential damage goes well beyond
the value of the data stolen. Jonathan Penn, a market analyst
at Forrester Research, maintains that because of the fear
of ID theft, consumer confidence in conducting business on-line
is now eroding. “People are moving off on-line banking
because of security concerns,” he says. “Suddenly
this is becoming a trillion-dollar problem once you look beyond
fraud loss to consumer e-finance adoption and retention.”
While few people regard the CFO as the
front line of defense on computer security, the potential
damage to corporate reputation, the threat of fines for failing
to protect sensitive data, and the actual hit that corporate
coffers could take make data protection a major facet of risk
management. Some CFOs get the message, yet while companies
do continue to spend heavily on computer security, awareness
may still lag in reality.
Security vs. Convenience
Thieves employ several simple, straightforward
techniques to steal personal information. They snatch documents
containing government-issued identity numbers and other personal
data from the mail. They steal computers on which ID information
is stored. They hack into corporate databases. They buy IDs
from other thieves. They bribe company insiders to provide
printouts of customer and employee data. They fish through
trash bins, looking for human-resources documents. They trick
consumers (and employees) into providing their user IDs and
passwords via e-mail or links to phony websites, a process
known as phishing. And they use spyware that captures keystrokes,
essentially a high-tech way to peer over someone’s shoulder
as he enters personal data.
Most companies do little to deter ID theft.
Many actually make it easy by, for example, printing government-issued
identity numbers on a wide variety of easy-to-steal documents
and ID cards. “We’re at the cusp of a shifting
balance between security and convenience,” says Penn.
“We need to reassess it.”
Some believe that such reassessment will
ultimately fall to finance. “As far as compliance goes,
CFOs play a key role in addressing this problem,” says
Bill Conner, president, chairman, and CEO of Entrust, a US
maker of digital-identity software and services. “They’ve
got legal guys on one side of compliance, business-unit guys
running the business, and maybe a chief security officer on
another piece. But it’s up to the CFO to balance the
balance sheet, the profit-and-loss picture, and Sarbanes-Oxley
compliance across that.”
Of all the factoids swirling around this
topic, the one that may create the greatest sense of urgency
is this: the US Federal Trade Commission says that ID theft
cost US businesses and financial institutions nearly US$48
billion in 2003. Nearly 13 percent of all US consumers –
some 9.9 million people – had their personal information
misused in 2003, according to the FTC. Each ID theft costs
businesses US$10,200 per victim on average. And the estimated
time spent resolving all these ID thefts? Nearly 300 million
hours in 2003.
To possess enough information about another
person to assume their identity is to possess the blankest
of blank checks. ID thieves don’t simply buy things
with other people’s credit-card numbers: they use phony
IDs to avoid arrest, launder money, smuggle drugs, traffic
in illegal immigration, and fund terrorist activities. As
Judith Collins, a professor of criminal justice at Michigan
State University (MSU) in the US and author of Preventing
Identity Theft in Your Business, says: “We’re
just providing all kinds of opportunities for the theft of
consumer identities.” The challenge, Meta Group’s
Firstbrook adds, is that “you can’t think of this
as ever being finished. You need to continuously update and
educate staff about new threats as they become prevalent.”
Entire companies have had their identities
stolen. In one recent scam, crooks set up phony credit-card
service accounts in the names of 50 actual companies, most
of them fairly small. The thieves would set up a fake website
and charge bogus transactions using stolen consumer credit-card
numbers and have the funds routed into the phony company accounts,
which were then cashed out. One company stung in the scam
was T-Data, a small New York–based software company.
Its losses totaled US$15,000. “The bad guys are not
targeting the individual anymore,” comments John Pironti,
enterprise solutions architect at Unisys. “Instead,
they’re targeting corporate communities and the internet
population as a whole in order to have a greater impact.”
A Matter of Mistrust
Such crimes also pose a danger to companies
by undermining consumer confidence. “On-line banking
will probably grind to a halt in the near future,” says
Richard O’Connell, chief technology officer at AMIC
Research, a US supplier of security technology for the financial-services
industry. “It won’t remain that way, but the fear
of something horrible happening will severely hamper its progress.”
Surveys of consumers do suggest that concerns about ID theft
are a barrier to greater acceptance of on-line banking.
Companies that become known as the targets
of ID thefts could find it difficult to maintain the trust
of customers, suppliers, and partners. “Money is replaceable,
but how much is your reputation worth?” says Linda Goldman-Foley,
co–executive director of the Identity Theft Resource
Center, a nonprofit organization.
Adds Rebecca Whitener, fellow and director
of security and privacy services at IT-services provider EDS:
“If your name gets associated with a major security
breach that allowed the disclosure of certain personal information,
that’s a nightmare.” When computers that contained
customer data were stolen from a firm that prints loan statements
for Wells Fargo, the bank offered affected customers a free
year of enrollment in Wells Fargo’s ID protection program,
beefed up security information on its website, and launched
a toll-free telephone service to advise customers on fraud
prevention.
Companies that fall victim to ID theft
may also find themselves tied up in court. For example, two
airlines, Air Canada and WestJet Airlines, are locked in a
lawsuit over alleged ID theft and corporate espionage. Air
Canada alleges that WestJet officers used the personal ID
of a former Air Canada employee to access Air Canada’s
private website thousands of times to collect route and market
information. In its suit, Air Canada seeks US$4 million in
punitive damages, plus damages for lost revenues and profits.
Although identity theft is a relatively
new crime, federal and state laws, including the well-publicized
California statute SB1386 – which stipulates that if
corporate computer systems are breached and the information
is unencrypted, companies must notify all individuals affected
– do provide some relief and protection. But experts
warn that some of these laws create an opportunity for class-action
lawsuits against corporations.
While most media reports of identity theft
stress the consumer angle, by most accounts 50 to 70 percent
of ID theft occurs in workplaces, and that figure may grow
as the nature of ID theft shifts from simple rip-offs to complex
efforts to defraud.
Go Where the IDs Are
Within individual companies, security
experts say, the most vulnerable department or function is
human resources. Why? Because, to paraphrase bank robber Willie
Sutton, that’s where the IDs are. Also, many HR departments
use temporary employees who are not always screened for security
purposes. “Anyone who works in HR or anyone who has
access to private data should have a thorough background check
done by a reputable company – not just a cheap one that
gets you by,” advises Troy Allen, vice president of
fraud solutions at Kroll.
Likewise, with offshoring on the rise,
some experts believe a similar vetting process should be put
in place for outsourcers. “We should require [offshore]
companies to adopt, implement, and enforce uniform standards
for ID security,” says MSU’s Collins. “We’ve
already got computer and IT security in place, but computers
do not steal identities – it’s the people who
use the computers.”
Another issue is the widespread use –
some would say misuse – of government-issued identity
numbers. These nine-digit combinations appear on a wide variety
of company documents and ID cards, and they are also commonly
used to identify callers for customer-support telephone services.
Banks, phone companies, utilities, even cable-TV providers
routinely ask callers for their government-issued identity
numbers. For consumers this means that their most vulnerable
piece of personal ID is being used and distributed in ways
they can’t control, by people they can’t identify.
You’re Not Just A Number
Ditto for employees, but some companies
are beginning to take action. At IBM in the US, chief privacy
officer Harriet Pearson has led an effort to reduce the company’s
and the health-care system’s use of employees’
Social Security numbers. When Pearson became privacy officer
in 2000, overuse of Social Security numbers was cited as the
leading area of concern by employees.
In response, Pearson began to address
the issue by launching an effort within IBM to have its employee
health-care plans remove Social Security numbers from member
ID cards and other items that are frequently shared. She also
spoke with officials in government and other experts, who
told her that the best practice is simply to stop using the
numbers.
Pearson and IBM’s HR leadership
then worked with the company’s health-insurance vendors
to remove Social Security numbers from roughly 500,000 health-care
ID cards issued to employees, their dependents, and retired
employees. All the providers complied with Pearson’s
request. Pearson, who deals directly with IBM’s senior
leadership, says that a gap analysis helped determine whether
existing policies were sufficient to match company goals.
When they aren’t, the support of senior management is
key to making changes.
General Motors plans to consolidate what’s
known as end-user identity management services into a single
global system by 2006. GM’s goal is to provide single
sign-on capabilities for some 500,000 employees, suppliers,
contractors, and other business partners. Single sign-on,
a hot concept in the computer-security world, refers to a
software process that permits a user to enter one name and
password to access multiple applications. When users first
log on, they are authenticated and are then able to access
all the applications they have been granted the right to use.
This makes life easier for employees, because they don’t
have to remember (or jot down on Post-its) multiple passwords.
At the same time, it gives GM network administrators greater
control and security. But such a system hints at the complexity
of enforcing security: with only one password to remember,
employees can be required to change it more often without
flooding the help desk for reminders about their newest password,
but a stolen password provides access to far more systems.
At Motorola, filtering software that helps
block most unwanted e-mail isn’t just a way to help
employees avoid in-box overload, but is in fact a big part
of chief information security officer William Boni’s
efforts to keep the company safe. Motorola’s global
network supports more than 65,000 employees in nearly 50 countries,
and Boni says many of them have been subject to numerous phishing
attacks that seek passwords and other personal information.
While the software tools Motorola uses to block these scamming
e-mails are effective, even a small number of thefts could
still cause havoc, says Boni. “The spam filters kill
99 percent of the incoming stuff – but then the other
1 percent kills you,” he says.
To help fill the gap, Motorola makes sure
that employees are aware of the risks. “For us, the
identity-theft issue is primarily one of education,”
says Boni. Postings on key internal web pages, on-line staff
training classes on internet risks through Motorola University,
and reminder e-mails about the risk of identity theft are
all part of a day’s work now.
Education has also been key for the state
of Florida, where, says state CFO Tom Gallagher, an older
population provides a rich target audience for scammers. Gallagher
and his colleagues have launched several anti-ID-theft efforts,
including a website (http://myfloridalegal.com/identitytheft)
that offers help for ID-theft victims. “About all you
can do in a free, open society is give people a good education
to protect them,” Gallagher says. “If they don’t
choose to listen to the advice, then they’ve got a good
shot at being abused.”
When we asked senior finance executives
what trend holds out the hope of more-cost-effective computer
security, the most commonly cited answer was “development
of new technologies”. The computer industry is hard
at it. New developments in biometric technology, which forgoes
passwords in favor of identifying a person by various unique
characteristics, continue to emerge. While these are promising,
Collins of MSU points out, “Every time there’s
a new type of technology, perpetrators find their way around
it.” If in fact computer security is something of an
arms race, waiting for the proverbial silver bullet is not
an option.
Motorola’s Boni says that it’s
important that companies talk about identity theft in terms
of risk, as opposed to only technology. “Many of us
who came up through IT frame it in a technical sense rather
than as a business issue. But it’s like the conversation
you have with your doctor: he tells you all the things you
should do or change to be healthier, and you decide which
suggestions to take. You might agree to exercise more but
not be willing to give up red meat.”
By that analogy, companies will need to
become more health-conscious than ever before.

Peter J Krass with
additional reporting by Larry Lange