Identity Theft archives - Sister CISA CISSP


Aug 24 2009   6:31PM GMT

By the Numbers



Posted by: Arian Eigen Heald
Data Breaches, Identity theft, employee theft, information security

I was reading through the list of 2009 reported data breaches/identity theft/etc over on Identitytheft.Info and pondering the patterns that might be visible with a little help of sorting/filtering in Excel.

Part of the problem is that there is no single complete source for hard numbers on medical identity theft, identity theft, data breaches, lost or stolen data, etc. Every tracking organization organizes its data differently. But just for grins, let’s take the one web page cited above as a source for analysis and drop it into a spreadsheet.

Between January and August 18, 2009, there were a total of 237 incidents. Without any further analysis, such as of the number of people or records exposed, we can draw some interesting conclusions:

58 of those incidents involved theft by owners or employees (about one quarter)
52 happened due to hacked networks, servers or PCs
44 happened due to lost, missing or stolen computer equipment containing PII or CC#
32 were due to paper documents in trash (looked in YOUR dumpster lately?)
21 were due to Web or email exposure - i.e., poor custodian security practices
10 were due to skimming (credit card numbers or ATMs), including some by employees and owners

There were about 20 that defied this simplistic categorization - my favorite was “patient records left on train.”
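The sorting the post describes was done by hand in Excel. As an added example (not the blog’s own spreadsheet or data), here is the same idea as a small rule-based classifier: each incident description is matched against an ordered list of keyword patterns for the categories used above, and anything that matches nothing lands in an “other” bucket, which is exactly where “patient records left on train” belongs. The incident descriptions are constructed for illustration, not real breach reports.

```python
"""Rule-based tally of breach incidents by cause (added example, not the blog's spreadsheet).

The incident descriptions below are constructed for illustration; the category
names follow the grouping used in the post. Any incident that matches no rule
falls into an "other" bucket.
"""
from collections import Counter
import re

# Ordered rules: the first pattern that matches a description wins, so the
# more specific "insider" rule is checked before the generic "stolen" one.
CATEGORY_RULES = [
    ("insider theft", r"\b(employee|owner|insider|clerk|contractor)\b.*\b(stole|theft|sold|copied)\b"),
    ("hacked network/server/PC", r"\b(hack|hacked|intrusion|malware|compromised server|sql injection)\b"),
    ("lost or stolen equipment", r"\b(laptop|backup tape|usb|thumb drive|hard drive|computer)\b.*\b(lost|stolen|missing)\b"),
    ("paper in trash", r"\b(dumpster|trash|recycling|discarded)\b"),
    ("web/email exposure", r"\b(web ?site|web server|e-?mail|posted online|unprotected directory)\b"),
    ("skimming", r"\b(skimm\w*|atm|card reader)\b"),
]


def classify(description: str) -> str:
    """Return the category of one incident description, or 'other'."""
    text = description.lower()
    for name, pattern in CATEGORY_RULES:
        if re.search(pattern, text):
            return name
    return "other"


def tally(descriptions):
    """Count incidents per category; return (counts, percentage share of total)."""
    counts = Counter(classify(d) for d in descriptions)
    total = sum(counts.values())
    shares = {k: round(100.0 * v / total, 1) for k, v in counts.items()}
    return counts, shares


# Constructed sample incidents (fictitious, not real breach reports).
SAMPLE_INCIDENTS = [
    "Employee stole customer SSNs and sold them",
    "Clinic owner copied patient files and sold them",
    "Web server hacked, 10,000 card numbers taken",
    "Laptop with unencrypted payroll data stolen from car",
    "Backup tape missing from courier",
    "Loan applications found in dumpster behind branch",
    "Student grades and SSNs posted online on unprotected directory",
    "ATM skimmer found at convenience store",
    "Patient records left on train",
]

if __name__ == "__main__":
    counts, shares = tally(SAMPLE_INCIDENTS)
    for category, n in counts.most_common():
        print(f"{n:3d}  {shares[category]:5.1f}%  {category}")
```

The rule order matters: an insider who walks out with a laptop should count as employee theft, not lost equipment, so the insider pattern is tested first. The “other” bucket is worth reading by hand, since it is where new patterns show up before anyone has written a rule for them.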

The first group (58) interested me greatly; it shows the impact (IMHO) of our economy, and, perhaps, the growing awareness on a public level that credit card numbers and personal data are now worth stealing.

The lost-equipment group (44) I find fundamentally clueless, because there are excellent whole-disk encryption products that are FREE.

I was tempted to combine 52 and 21, but refrained simply because there are zero-day exploits out there.

The most appalling are, of course, the data dumpster droppers. The good news is that there are now data dumpster dropper divers. (Sorry, I couldn’t help it.) At least somebody is looking in dumpsters for this kind of information now. That’s a Good Thing. Anyone who puts that kind of information in the trash should be handcuffed to a shredder, don’t you think?

Jun 22 2009   5:32PM GMT

Google Thyself



Posted by: Arian Eigen Heald
Google hacking, Identity theft, privacy on the web, Privacy

I have a series of Google Alerts set up to alert me daily on such interesting topics as data theft, data breach, etc., etc., and I have one set up for my full name, or any two parts thereof. I have, as it happens, a very uncommon name, and should someone decide to post my name and information for sale on any of “those” forums, or otherwise post as me, I will be notified.

It is common these days for HR staff to run a search engine query on potential employees. My own alerts still turn up emails I sent out in 1999, about a technical issue where I was working at the time, that are archived in various places.

So you have a terribly common name - no big deal. Try using your full name in quotes, with a plus sign, then your city and state. So, for example John Smith might start out with Google results of “about 66,500,00,” but use of quotes narrows the results to “about 5,730,00.”

Now add a city, say Atlanta, and the results draw down further to “around 130,000.” Paradoxically, if you add Atlanta, Georgia, the results go up to 150,000, but if you add the state as GA, the results drop further to around 39,000.

If you’re on the web on a regular basis, do yourself a favor and keep an eye on yourself.


Feb 13 2009   10:06PM GMT

Facebook Hacking



Posted by: Arian Eigen Heald
Security, Identity theft, Privacy, Penetration testing

I don’t have a Facebook profile. I’ve never even been ON Facebook. There’s something about posting one’s life constantly that I just don’t find all that appealing. I’ve got too much to do online as it is. I admit to being on LinkedIn, mostly because my University dean pushed the entire graduating class from Norwich to get connected, but I find it is of limited value. I often get people I don’t know trying to connect into my network. If I don’t know you personally, I’m not about to do any connecting.

Posting information about oneself has definite perils. I thought long and hard about doing a blog, and I think (or try to) carefully about what I write and who I write about. When I “google” myself, (you have, haven’t you? I know you have) I still see posts from the year 2000. So consider that what you posted five years ago about your problem with your Exchange server using your work email address is probably still out there. How detailed was your post? If somebody read it today, what would it tell them about your network?

So I read with considerable interest a blog posting detailing the use of Facebook as the social research part of penetration testing, and I’d suggest you read it too, especially if your company is using Facebook as a Team tool.

I guess it’s another way of saying that Facebook isn’t just for identity thieves, stalkers and pedophiles anymore. Considering such articles as “Facebook Killed My Career,” a woman being killed due to her Facebook update, and now using it for hacking, I’m a bit dismayed by the ingenuity of “bad people.”

I’d also like to recommend an article, “Ten Settings Every Facebook User Should Know,” as a good starting point for adults and kids. And take the hacking article to your team if you’re using Facebook/MySpace for team building.


Dec 20 2008   2:11AM GMT

Thank you, Federal Trade Commission…



Posted by: Arian Eigen Heald
Security, Identity theft, DataManagement, Database security, Data Breaches, Tearing My Hair Out

For saying the blindingly obvious:

“Companies and schools should find new ways to authenticate the identities of customers, employees and students that do not involve social security numbers, a U.S. consumer protection agency said on Wednesday as part of recommendations to fight identity theft.”

Now here is the real challenge: could the FTC, a government agency, please communicate this point to Medicare? You know, the government agency that puts the Social Security number on the medical benefits card it requires members to carry? The report addresses the use in the “private sector,” but medical use of Social Security numbers is a huge factor in medical identity theft, synthetic identity theft, and plain ol’ identity theft.

The FTC released the report on December 17, 2008, and you can read it here. All 21 pages of it in double space.

The “Social Security Number” was created in 1936 for the purpose of tracking workers’ earnings for benefits purposes. Not as a universal identifier. Any good DBA will tell you that relying on a single “identifier” carries a high risk of false positives. Newer techniques match on a group of attributes, such as full name, address, date of birth and place of birth, which together give a much more accurate positive response (“Yes, this is the right person”).
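To make the DBA’s point concrete, here is an added example (not from the post, and not any real system’s matching logic) contrasting a lookup keyed on the SSN alone with a lookup that scores agreement across several attributes. The records are constructed and fictitious; the SSNs are obvious placeholders. The second record is a “synthetic identity” that reuses the first person’s SSN under a different name and date of birth, and the third is the same real person with a mistyped SSN on intake.

```python
"""Single-key vs. composite identity matching (added example, not from the post).

Records are constructed; the second record is a "synthetic" identity that
reuses the first person's SSN with a different name and date of birth.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    ssn: str
    full_name: str
    dob: str          # YYYY-MM-DD
    birthplace: str
    address: str


# Constructed records (fictitious; SSNs are placeholders, not real numbers).
RECORDS = [
    Person("000-00-0001", "Jane Q. Public", "1970-05-02", "Portland, ME", "12 Elm St, Bangor, ME"),
    # Synthetic identity: same SSN, different person.
    Person("000-00-0001", "John Q. Public", "1985-11-30", "Austin, TX", "9 Oak Ave, Dallas, TX"),
    # Same real person as record 0, new address, SSN mistyped at intake.
    Person("000-00-0002", "Jane Q. Public", "1970-05-02", "Portland, ME", "44 Pine Rd, Bangor, ME"),
]


def match_by_ssn(records, ssn):
    """Single-identifier lookup: everything carrying this SSN is 'the' person."""
    return [r for r in records if r.ssn == ssn]


def normalize(s: str) -> str:
    """Lowercase, strip punctuation and collapse whitespace for comparison."""
    cleaned = "".join(ch for ch in s.lower() if ch.isalnum() or ch.isspace())
    return " ".join(cleaned.split())


def match_score(record: Person, claim: dict) -> int:
    """Count how many supplied attributes agree with the stored record."""
    return sum(1 for field, value in claim.items()
               if normalize(getattr(record, field)) == normalize(value))


def match_composite(records, claim: dict, min_score: int = 3):
    """Composite lookup: records agreeing on at least min_score attributes,
    best matches first. Agreement on several independent attributes is much
    harder for a synthetic identity to satisfy than one shared SSN."""
    scored = [(match_score(r, claim), r) for r in records]
    return [r for s, r in sorted(scored, key=lambda t: -t[0]) if s >= min_score]


if __name__ == "__main__":
    print("SSN only:", match_by_ssn(RECORDS, "000-00-0001"))
    claim = {"ssn": "000-00-0001", "full_name": "Jane Q Public",
             "dob": "1970-05-02", "birthplace": "Portland, ME"}
    print("composite:", match_composite(RECORDS, claim))
```

The SSN-only lookup returns both the real Jane and the synthetic John, and misses Jane’s second record entirely. The composite lookup returns both of Jane’s records and drops John, who agrees on nothing but the SSN. The threshold is the tunable part: too low and you are back to single-key matching, too high and a legitimate change of address fails to match.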

But this additional data is “out there” as well, along with social security numbers. The genie IS out of the bottle.

The report worries about social security numbers data already being out of control. Given how many databases are out there (public and private) with ALL of the above information in storage, I think it is already way out of control, and the other identifying data along with it. Daily reports from the “Breach Blog” saturate my email box. Reading Pogo Was Right only confirms my opinion.

The FTC report seems to be an exercise in “too little, too late.”


Dec 17 2008   4:46PM GMT

Nobody is “Too Small” to Get Hacked



Posted by: Arian Eigen Heald
Security, Compliance, Identity theft, Data Breaches, Admins and Auditors

It’s been an interesting week in “Breachland,” with reports of breaches in all sorts of places: eyewear companies, auto dealerships, Universities with “password-protected laptops,” Dallas City Hall, and, unfortunately, a big German Bank.

We are already well past any previous year’s statistics for the number of break-ins, laptop losses, stolen backup tapes, and internal employee data theft.

And yet I still see organizations that blithely ignore data on laptops, don’t monitor or encrypt their backup tapes, and have firewall rules that are like Swiss cheese.

Security costs money. Organizations struggling to meet payroll don’t have the willingness to allocate resources to address logical security issues. “It hasn’t happened here!”

It will. The big businesses make it harder (not impossible, just harder) to hack in from the Internet, but small businesses online are becoming the focus of cybercrime cartels. Especially if those businesses have a back-door connection to much bigger organizations.

Many large organizations outsource their data to third party service bureaus, marketing firms, or connect via an Extranet. If the small organization has weak security, it provides access to the back door of the larger one. Something to think about.


Dec 11 2008   5:27PM GMT

More on ATMs - The Daily Store Owner Log



Posted by: Arian Eigen Heald
Identity theft, DataManagement, Security Devices, Hardware & InfoSec, Stupid Technology, Automatic Theft Machines

Did you know that a store that puts in an ATM for customer use also provides a daily log of transactions to the owner? The log includes the bank name, the last four digits of the account number, the customer name, and the transaction.

So if I do an account balance request, that comes up in the log. The amount in my account comes up in the log.

The log includes all transactions done on that machine, so everyone’s name, Bank name, how much they have, how much they took out, etc, is all there on the log.

I was chatting with an acquaintance who owns a store in Maine, and she pretty much knows everyone who comes in her store. When she had an ATM put in, after numerous customer requests, she began getting those daily reports (probably because she gets a percentage of transactions). She was embarrassed at how much information she could see about people she knows. I would be, too.

Where does this report get stored? Who has access to the reports? The manager? The clerks?

Here’s an acronym I really like: TMI (TOO MUCH INFORMATION)

Why does a store owner need that much information? I’ll try and find out.
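One answer to “why does a store owner need that much information?” is that, for reconciling a surcharge share, they need a count of transactions and the cash dispensed and nothing else. The following added example (not the blog’s code, and not any ATM vendor’s report format, which is an assumption here) shows a daily owner log with the fields the post lists being reduced to only those columns. The log rows are constructed and the names and balances fictitious.

```python
"""Minimizing an ATM daily-owner log to what a commission statement needs.

Added example, not the blog's or any ATM vendor's code. The log format below
is constructed to carry the fields the post lists (bank name, last four of the
account, customer name, transaction, balance); real ATM reports differ.
"""
import csv
import io

# Constructed sample of a daily owner report. Names and balances are fictitious.
RAW_LOG = """timestamp,bank,account_last4,customer_name,txn_type,amount,balance
2008-12-10 08:05,First Bank of Maine,1234,Alice Example,withdrawal,60.00,1540.22
2008-12-10 08:41,Seacoast Credit Union,9876,Bob Sample,balance_inquiry,0.00,87.10
2008-12-10 12:17,First Bank of Maine,1234,Alice Example,withdrawal,100.00,1440.22
2008-12-10 17:55,Harbor Savings,5555,Carol Placeholder,withdrawal,20.00,12003.00
"""

# What the owner plausibly needs: when transactions happened, their type and
# the cash dispensed, so the surcharge share can be reconciled. Nothing else.
OWNER_FIELDS = ("timestamp", "txn_type", "amount")


def parse_log(text: str):
    """Parse the CSV report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def minimized_rows(rows):
    """Drop every field not in OWNER_FIELDS (names, banks, balances, account digits)."""
    return [{k: r[k] for k in OWNER_FIELDS} for r in rows]


def owner_summary(rows):
    """Aggregate totals that a commission statement needs."""
    withdrawals = [r for r in rows if r["txn_type"] == "withdrawal"]
    return {
        "transactions": len(rows),
        "withdrawals": len(withdrawals),
        "cash_dispensed": round(sum(float(r["amount"]) for r in withdrawals), 2),
    }


def leaked_fields(rows, kept=OWNER_FIELDS):
    """List the PII columns the raw report exposes that the minimized one does not."""
    return sorted(set(rows[0].keys()) - set(kept)) if rows else []


if __name__ == "__main__":
    rows = parse_log(RAW_LOG)
    print("columns removed:", leaked_fields(rows))
    print("owner summary:", owner_summary(rows))
    for r in minimized_rows(rows):
        print(r)
```

The point is not the code but the question it forces: if the owner’s copy can be produced from three columns, the other four (name, bank, partial account number, balance) should never leave the processor in the first place, and then “who has access to the reports” stops mattering.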


Dec 2 2008   11:48AM GMT

“Selling It”



Posted by: Arian Eigen Heald
Identity theft, Data Breaches

Information about consumer purchases, habits and history has become a multi-billion dollar treasure trove for businesses to sell, and to mine on behalf of others.

Specialized, targeted information from consumer databases held by banks and other financial institutions is being used to develop business lines. Advertisements, mailings, telemarketing and other targeted ads are the marketing tools of choice to offer services to the targeted market of financially stable consumers. But it’s no accident that identity thieves use the same tools the marketers do. It’s the same information, put to illegal ends. Identity thieves have become experts at following the money.

I recently received a letter in the mail, with the words “Important Information!!!” emblazoned on the front, (along with the bank’s name and return address) and inside, along with my name and address, was the entirely unsolicited offer to let me cash out on the equity in my house via a six figure loan.

What would have happened to that information if it had been intercepted and I had never seen the offer? Or tossed it in the trash, to be opportunely reviewed by whoever took an interest? How long would it have taken for me to find out a loan had been taken out on the equity in my house?

Mailing products have become the favorite hunting grounds of small-time identity thieves. One thief can ruin several dozen credit histories and move on before a consumer can react.

Consider the arrival of checks. Those pleasant brown boxes the bank orders for you are distinctive AND contain important nuggets of information, such as address, phone number, bank account and routing number. Some folks have had their driver’s license number printed on their checks. By providing this service via regular mail, with no safeguards to confirm arrival to the proper party, retail institutions invite theft.

Banks and financial institutions that send unsolicited checks in the mail (the kind used to withdraw from CDs, for instance) are also providing opportunity. Those long white envelopes from business addresses are becoming noticeable by their very anonymous return postal addresses.

Banks looking to expand markets often run credit checks on potential customers in order to offer tailored services (witness my home equity loan offer). But by doing so, banks open themselves to legal risk when data is lost or stolen, and angry consumers demand to know why their information was revealed.

Businesses can run credit checks with any of the “Big Three” credit bureaus (Experian, TransUnion and Equifax) by acquiring a business account and password. Once they log on, all they need to obtain a credit record is a name and Social Security number. That means those access codes are digital gold for would-be thieves who also happen to be employees.

Such temptation sometimes proves too much: 7,300 customers of Marchese Auto World settled a class action suit in May 2004 for $2.45 million. The charges were criminal and civil, based on customers of Marchese Auto World whose credit information was accessed by the defendant, who used the information to take out loans in their names without their permission. The suit stated that the general manager of B.J. Marchese Auto World, Limerick, PA, illegally obtained credit reports for the victims and obtained more than $4 million in unauthorized auto loans for vehicles that were never purchased or leased. The plaintiffs were unaware of the loans, and suffered credit damage and invasion of privacy.

It will be difficult for business organizations that depend on credit reviews to resist marketing campaigns that have provided profit before. Banks and businesses have been willing to absorb “acceptable levels” of fraud loss as part of the cost of doing business. The cost of this form of fraud is becoming extremely expensive when class action lawsuits take place.


Nov 29 2008   1:47AM GMT

What does a Data Breach REALLY Cost?



Posted by: Arian Eigen Heald
Security, Identity theft, Data Breaches

If you want to experience pain in the corporate wallet, I invite you to go to the Data Loss Cost Calculator. Plug in some numbers and look at the costs in the different regulatory penalties, attorney fees, investigation costs, etc. I recently completed a SMALL forensics exam that cost the client in the six figures without crisis management/client notifications.

A survey conducted by the Ponemon Institute (you need to give up info to access the study, unfortunately) found that 58% of respondents who had received notification that their personal information had been compromised by a data breach had lost confidence in the company and that 31% planned to cease doing business with the company. The cost of a data breach is estimated at $197.00 per record.

The actual cost to the consumer (you and me) is usually estimated based on identity theft statistics. Not every data breach results in identity theft. But the potential for identity theft automatically exists for every data breach. This is what business is forced to address, and rightly so. We have to endure the inconvenience of changed credit card numbers and other minutiae for data breaches. The cost to consumers for identity theft is much larger.

Best-case estimates are that it takes between 25 and 40 hours of the consumer’s time (you and me) and a cost of $5720.00, according to PrivacyRights.org. But consider also that the consumer (you and me) may be dealing with the trail of the identity theft for up to 10 years or more. What fun. No wonder they’re suing.

Those of us working in small organizations often think we are somehow “immune” from data theft. It’s kind of like planning for your own funeral - no one wants to think about it. But when it happens, what’s your plan? Are bits and pieces inside your Disaster Recovery Plan and/or your Incident Response Plan? Has your company done an impact analysis?

Keep in mind that many smaller companies do not recover from data breaches; if you lost 31% of your business, would the company survive?

A business impact analysis of the cost of damage recovery should include the following:

• Investigation costs
• Remediation costs
• System updating
• Outside forensic consultant fees
• Downtime related costs:
    - Loss of productivity
    - DR deployment
    - Employee downtime or overtime
• Legal fees, court costs
• Replacement and/or retraining of employees
• Loss of intellectual property
• Possible replacement of equipment
• PR costs to recover reputation
• Regulatory fines

It’s better to plan the funeral and hope you survive the service. Having a plan will keep you out of the unemployment line.


Nov 27 2008   2:40AM GMT

Where The Thieves Are



Posted by: Arian Eigen Heald
Security, Compliance, Identity theft, Data Breaches, Admins and Auditors

The core requirements for committing the kind of data theft that leads to identity theft are ability, motivation and opportunity.

Ability means having the skills to do what is required. Start-up costs for data theft are low: the information is readily available, computer equipment can be purchased, leased or rented, and the profit potential is high. Stealing someone’s mail is free.

Thieves can spend many years honing their skills in order to capture large aggregate data for bigger money. By breaking into servers accessible from the Internet that are not configured correctly or monitored daily, thieves create a springboard for attacks into the heart of the corporate network. Further, it is not the cracker who defaces your website and announces it to his IRC peers that you have to worry about; it’s the cracker who doesn’t want to be seen. The thief wants to be in and out of the corporate databases with the information he/she needs quickly and quietly.

Any kind of personally identifiable information or proprietary institutional information being stolen leaves a business vulnerable to legal, operational, financial and compliance risks. And if the institution’s IT systems and administrative controls are not secure, there are grounds for a successful legal case.

Motivation. Any of a number of events can provide a “reason” to steal information and sell it: a disgruntled, overworked employee seizes on information as a way to receive compensation he feels entitled to; another employee becomes desperate when medical bills overtake her. The common denominator here is that the ability to acquire money pairs itself with a reason, no matter how badly manufactured in the mind of its creator. The reason becomes compelling when there is no oversight.

If the employer does not have controls in place to monitor access to the databases of personally identifiable information, it becomes impossible to prove who did access the information, except in an indirect fashion, such as a process of elimination or an admission of guilt. What does it say about the employer to the victim if such safeguards were not in place? Lawyers point to such lack of safeguards as negligence. Just ask Countrywide how much the illegal access to their customer databases is costing them.

Respondeat superior is the legal doctrine making an employer or principal liable for the wrong of an employee or agent if the wrong was committed within the scope of the employment or agency. This doctrine has been applied to a wide variety of computer crimes, and is likely to be used in a class action suit.

Just as the negligence doctrine could be used to impose liability for inadvertently spreading a virus, an organization may be held liable under the respondeat superior doctrine for an employee’s act of stealing and selling confidential customer information if: (1) the act occurred within the employee’s scope of employment, such as providing access to customer information to its employees; and (2) the employer knew or should have known that the employee was creating copies of confidential data and disseminating the data to inappropriate parties. Did Countrywide know? Nope. The FBI had to tell them.

Some might argue that employers would not know who exactly had stolen the information if it were taken in the course of normal duties, and this is entirely accurate. However, by logging and reporting on who has had access to the information the employer can rule out suspected internal thieves and narrow the focus of investigation. Better yet, the organization will have shown due diligence and sound business practice in addressing the risk of a lack of access controls for confidential data.
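What “logging and reporting on who has had access” buys you in practice is shown in the following added example (not from the post, and the log layout is an assumption rather than any product’s format). Given a per-record access log and the set of customer records later found to have been leaked, it lists the users whose accesses in the window cover every leaked record; everyone else is ruled out. The log lines are constructed.

```python
"""Using a PII access log to narrow an insider investigation (added example,
not from the post). The log lines are constructed; the field layout is an
assumption, not any product's format.

Given the set of customer records later found to be leaked, list which users
accessed every one of them within the window. Anyone who never touched one of
the records is ruled out, which is the "process of elimination" the post
describes, and the log itself is the evidence of due diligence.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log: timestamp, user, action, customer record id.
ACCESS_LOG = """\
2008-10-01T09:12:03Z alice READ cust-1001
2008-10-01T09:12:40Z alice READ cust-1002
2008-10-01T10:03:11Z bob READ cust-1001
2008-10-02T14:21:54Z bob READ cust-1003
2008-10-02T14:22:30Z bob EXPORT cust-1002
2008-10-03T08:45:00Z carol READ cust-2001
2008-10-03T11:02:19Z bob READ cust-1004
2008-10-03T11:02:50Z alice READ cust-1004
"""


def parse_access_log(text):
    """Yield (timestamp, user, action, record_id) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, record


def users_who_touched_all(events, compromised, start, end):
    """Return users whose accesses in [start, end] cover every compromised record."""
    seen = defaultdict(set)
    for ts, user, action, record in events:
        if start <= ts <= end and record in compromised:
            seen[user].add(record)
    return sorted(u for u, recs in seen.items() if recs >= set(compromised))


def bulk_exporters(events, actions=("EXPORT",)):
    """Users who performed bulk-style actions; worth a closer look regardless."""
    return sorted({user for _, user, action, _ in events if action in actions})


# Constructed: the records that turned up for sale, and the suspected window.
COMPROMISED = {"cust-1001", "cust-1002", "cust-1003", "cust-1004"}
WINDOW = (datetime(2008, 10, 1), datetime(2008, 10, 4))

if __name__ == "__main__":
    events = list(parse_access_log(ACCESS_LOG))
    print("touched every leaked record:", users_who_touched_all(events, COMPROMISED, *WINDOW))
    print("used EXPORT:", bulk_exporters(events))
```

Alice read three of the four leaked records and is ruled out; Carol never touched any; only Bob covers all four, and Bob is also the only user who exported. None of that is proof, but it turns “it could have been anyone with database access” into a short list, which is precisely what the post says an employer without such logging cannot do.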

Opportunity. Having access to information or materiel that can be exchanged for money is the primary goal. Proving due diligence in protecting information from outside crackers and monitoring employee access are important pieces of legal protection for our companies.

Customer service and support after the fact of theft will not let business off the legal “hook” if the institutions themselves have given the thieves unmonitored access to the information. The number of class action suits against organizations that have had data breaches is rising rapidly.


Nov 25 2008   2:57PM GMT

Data Breaches and Business Liability Part I



Posted by: Arian Eigen Heald
Security, HIPAA, Compliance, Identity theft, Data Breaches, PCI DSS, IT audit

The most significant financial impact of identity theft has yet to be examined. I believe that the risks to business and other institutions now include legal, reputation, financial and compliance risks that cannot be transferred.

Victims of identity theft are looking to recoup their financial losses and punish those people or institutions that enable identity theft to happen. The average arrest rate (according to law enforcement) is under 5% of all reported cases. Thieves do not have the resources to repay their victims by the time (or if ever) they are caught. Business does. If business organizations are providing the opportunity for identity theft to occur, they will be sued. We should make it our job to see that we are not among the defendants.

According to the Identity Theft Resource Center (an outfit that I happen to respect a lot because they are very specific about their statistics and about the criteria for what a “breach” actually is), as of November 11, 2008 there have been 574 breaches, with a total of 33,593,557 records exposed.

You can download the report at their site. It’s painfully interesting.
Here’s how it breaks down, keeping in mind that we’re not done with 2008 yet:

Category: Banking/Credit/Financial
Number of breaches: 66
Number of records: 17,231,057
Overall % of breaches: 11.5% (2007: 7%)
Overall % of records: 51.3%
The fewest breaches, but the most loss of data. Thieves are not stupid.

Category: Business
Number of breaches: 202
Number of records: 5,705,628
Overall % of breaches: 35.2% (2007: 29.3%)
Overall % of records: 17%
The largest number of breaches. We need to get much stronger here.

Category: Educational
Number of breaches: 120
Number of records: 761,303
Overall % of breaches: 20% (2007: 24.7%)
Overall % of records: 2.3%

Category: Government/Military
Number of breaches: 100
Number of records: 2,656,407
Overall % of breaches: 17% (2007: 24.5%)
Overall % of records: 7.9%

Category: Medical/Healthcare
Number of breaches: 86
Number of records: 7,239,162
Overall % of breaches: 15% (2007: 14.5%)
Overall % of records: 21.5%

Why do these statistics matter? Because, one way or another, every business and every person is affected.