Sister CISA CISSP:

Identity theft

Apr 17 2008   9:47PM GMT

LOOK at Your Credit Card Receipts



Posted by: Arian Eigen Heald
Security, Identity theft, PCI DSS

You would think that, with all the news and noise about credit card information being stolen, more folks would pay attention to what they’re signing at restaurants (an especially GOOD place to get your information stolen), gas stations and hotels. With the amount of travel I do, I end up with quite a collection from many places.

But your credit card information (and mine) is only as secure as the hardware at the point of sale. The machine that your card gets swiped through does all the work. And depending on the age of that piece of equipment, all of your information may be transmitted and stored elsewhere to be harvested by thieves. Or the machine may be compromised at the register by a dishonest employee who “harvests” your information. Other machines can be accessed (and hacked) remotely.

So, what do I check? Is the entire credit card number visible on the receipt? What about the expiration date? Some vendors sell machines that save the entire number to their copy and blank out the numbers on mine. You would think that PCI or the FTC’s FACTA law would mandate removal of all numbers on both receipts. True, FACTA does mandate that all but the last five digits be masked, as well as the expiration date. However, it doesn’t apply to manually generated receipts (the old-style imprint) or handwritten invoices or receipts. Notably it also does not require truncation of credit card numbers on the merchant’s transaction record or even the merchant’s copy of the receipt. Does that make sense to you? Me neither.
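The FACTA rule described above (mask everything but the last five digits, and drop the expiration date) is easy to turn into a check. The following is an added example, not code from the original post: it scans a constructed receipt for an unmasked card number (using the Luhn check to avoid flagging phone numbers and order ids), flags a printed expiration date, and produces the truncated customer copy. The receipt text and the card-brand test number in it are constructed for the example.

```python
import re

# Constructed sample receipt for the check below. The card number is a
# well-known card-brand test value that passes the Luhn check; it is not a real account.
SAMPLE_RECEIPT = """\
JOE'S DINER          04/17/08 21:47
VISA 4111 1111 1111 1111  EXP 12/09
SUBTOTAL                     42.10
TIP                        ______
TOTAL                      ______
"""

# A candidate card number: 13 to 19 digits, optionally separated by spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# An expiration date printed after an EXP/EXPIRES label as MM/YY or MM/YYYY
EXP_RE = re.compile(r"(EXP\w*\.?\s*)(\d{2}/\d{2,4})", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to tell card numbers from phone numbers and order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def facta_truncate(pan: str, keep: int = 5) -> str:
    """Mask all but the last `keep` digits (FACTA permits at most the last five)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - keep) + digits[-keep:]


def audit_receipt(text: str) -> list:
    """List what a customer should not be able to read on a FACTA-compliant receipt."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(f"full card number visible (ends {digits[-4:]})")
    if EXP_RE.search(text):
        findings.append("expiration date visible")
    return findings


def mask_receipt(text: str) -> str:
    """Produce the customer copy: truncated card number and no expiration date."""
    def _mask_pan(m):
        digits = re.sub(r"\D", "", m.group())
        return facta_truncate(digits) if luhn_ok(digits) else m.group()
    text = PAN_RE.sub(_mask_pan, text)
    return EXP_RE.sub(lambda m: m.group(1) + "**/**", text)


if __name__ == "__main__":
    print(audit_receipt(SAMPLE_RECEIPT))
    print(mask_receipt(SAMPLE_RECEIPT))
```

Run against the sample, the audit reports both the full card number and the expiration date; run against the output of `mask_receipt`, it reports nothing. The same audit function is what you would point at the merchant copy, which FACTA does not cover.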

If you write in a tip, make sure you reconcile that number with what is billed to you; otherwise you may be paying much more of a gratuity than you intended, AND you will have trouble reconciling expenses (I hate that).

And make sure the card you get back is YOURS. That’s another favorite trick I didn’t know about until recently when someone gave me the heads-up.

Mar 26 2008   11:00AM GMT

Let’s Talk About PCI (Payment Card Industry) DSS (Data Security Standards)



Posted by: Arian Eigen Heald
Security, Identity theft, Compliance, IT audit, PCI DSS

I’m going to assume that you have some baseline knowledge about the DSS, the 12 areas of coverage, different Tier Levels and other requirements for compliance. If not, visit here and bone up.

There is a lot of pro and con going on in the blogosphere right now about the “value” of PCI.

And the circle of blame amongst merchants blaming VISA blaming the banks blaming the merchants is certainly ongoing.

Now that we have card processing hardware being easily hacked, it’s all getting more interesting.

First, I’d like to say I trained at VISA and passed the QDSP exam. Second, I’ve performed three Tier 1 merchant audits. Third, I happen to like the DSS. It has specifics, as opposed to other “standards” that operate at the 10,000-foot level. In other words, one of the requirements is to have a firewall, have rules for the firewall documented, and access to the firewall logged. Nice. Easy to do, easy to test. All the technical standards are based on best practices, and they focus on the credit card data.

The enforcement and compliance requirements, on the other hand, have no clothes. (See the Emperor? Doesn’t he look great?) Let’s make it a little more solid:

1.) All Tier 1 merchants should have their compliance audited and signed off on by an outside firm, just like the service providers. Letting merchants sign off on their own security makes me visualize foxes and henhouses.

2.) Outside firms should not be permitted to do any remediation work. Again, foxes and henhouses. It ought to be just like a SOX audit, where the attesting auditor cannot “fix” any problems found.

During my VISA class, I listened to my security vendor classmates press the instructors about “minimum requirements.” They were rather obviously looking for ways to get their clients off the compliance hook. The instructors weren’t pleased.

3.) Outside firms should be penalized if their auditee merchant is breached. It will certainly make them more vigilant when their pocketbooks are involved.

4.) In the race to the bottom, many merchants pick the lowest outside firm bid for assessing compliance. If running a scan and doing a canned report is an assessment, I should go back to PC service and support. Both the merchant AND the outside firm should be ashamed of themselves. And the acquiring bank should be slapped for accepting it.

5.) In the standard, you are either compliant or you’re not. TJ Maxx was not compliant. They had a “plan” to upgrade their wireless in the next year or so. Why was that acceptable to VISA and the bank? Were there any compensating controls? Obviously not, since there was no firewall between the stores and corporate.

This is why we have high rates of “compliance” along with high breach rates.

6.) Publish the names of the Tier 1 and 2 merchants who are not compliant. (I can hear the screams now.) But implement the previous rules first.

P.S. Compliance Does Not Equal Security. But, as my Maine Yankee father-in-law would say, “It sure beats snowballs.”


Mar 20 2008   5:33PM GMT

“Synthetic” Identity Theft Part 1



Posted by: Arian Eigen Heald
Security, Identity theft

Most of the current options for addressing identity theft focus on the individual victim. We use credit freezes, fraud reports to the FTC, free credit reports and credit monitoring.

But if “pieces” of my information were stolen, how would I know? My address, perhaps, or my birth date? Or one credit card number?

We don’t have good information about this type of fraud. Most of the statistics we have are taken from the reports of victims. Victims do not always know how the theft happened, or all the places where pieces of their information might have been used. Lending institutions (banks, credit card companies, etc) are not required to disclose statistics about identity theft. They have not provided this information because it could cause embarrassment and could attract unwanted regulatory attention.

There’s a good paper here about why statistics are so bad and what we could do about it.

Federal Regulations about the term “identity theft” define it as “a fraud committed using the identifying information of another person, subject to such further definition as the [Federal Trade Commission] may prescribe, by regulation.” (These quotes come from the Fair Credit Reporting Act.) But what if different pieces from different people were combined? That’s what we’re talking about here, and it is new territory for regulators.

The FDIC defines it as: “Unlike typical identity theft fraud where a fraudster steals the identity of a real person and uses it to commit fraud, a synthetic identity is a completely fabricated identity that does not correspond to any actual person.”

In synthetic identity theft, the fraudster creates a fabricated identity using some information from a victim’s personal information. For instance, the impostor may use a real Social Security number, but a falsified name and address. Since this synthetic identity is based on some real information, and sometimes supplemented with artfully created credit histories, it can be used to apply for new credit accounts.

If the thief has your bank account number and social security number, for instance, he can reference those accounts to create a new account without ever “touching” your information.

Why does this work? Because credit reporting companies and lending institutions have algorithms that allow for variations in input. So if you “fat-finger” your Social Security number on a credit card application, it will still “find” you. But synthetic ID fraud creates subfiles at the credit bureaus. (The term subfile, says Evan Hendricks, author of “Credit Scores and Credit Reports,” refers to additional credit report information tied to a real consumer’s Social Security number, but someone else’s name.)

Because the identifying information contains some data that’s already linked to a particular consumer, the subfile gets associated with the consumer’s main file, or “A” file. So if someone runs a query “just” on your Social Security number, those “subfiles” will pop up - and your credit rating can tank. But until that query is run, the information remains hidden.
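To make the subfile mechanism concrete, here is an added example (not the author's code, and not any bureau's real matching logic): a toy bureau that links incoming tradelines to a consumer file by Social Security number with a simplified fat-finger tolerance (one wrong digit or one swapped adjacent pair, an assumption made for the example). A record with the consumer's SSN and the consumer's name updates the main file; a record with the same SSN but a different name and address is filed as a subfile under that consumer, where an SSN-only pull surfaces it. The names, addresses and SSNs are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Record:
    name: str
    address: str
    ssn: str            # nine digits, no dashes; constructed values only
    reported_by: str


@dataclass
class ConsumerFile:
    a_file: Record                          # the consumer's main ("A") file
    tradelines: list = field(default_factory=list)
    subfiles: list = field(default_factory=list)


def normalize(text: str) -> str:
    return " ".join(text.lower().split())


def ssn_variant(a: str, b: str) -> bool:
    """Simplified fat-finger tolerance (an assumption for this example, not a bureau's rule):
    identical, one wrong digit, or one pair of adjacent digits swapped."""
    if a == b:
        return True
    if len(a) != len(b):
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    if len(diff) == 1:
        return True
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


class Bureau:
    def __init__(self):
        self.files = {}                     # keyed by the A-file SSN

    def add_consumer(self, rec: Record) -> None:
        self.files[rec.ssn] = ConsumerFile(rec)

    def ingest(self, rec: Record) -> tuple:
        """Attach an incoming tradeline to a consumer file by SSN.
        Matching SSN (or a near miss) with the same name goes to the A file;
        matching SSN with someone else's name becomes a subfile under that consumer."""
        for key, cf in self.files.items():
            if ssn_variant(rec.ssn, key):
                if normalize(rec.name) == normalize(cf.a_file.name):
                    cf.tradelines.append(rec)
                    return ("main", key)
                cf.subfiles.append(rec)
                return ("subfile", key)
        self.add_consumer(rec)
        return ("new", rec.ssn)

    def query_by_ssn(self, ssn: str) -> list:
        """What a lender sees when it pulls 'just' on the SSN: the A file plus every subfile."""
        cf = self.files.get(ssn)
        return [] if cf is None else [cf.a_file] + cf.subfiles


def foreign_names_on_file(bureau: Bureau, ssn: str) -> list:
    """Consumer-side check: names on subfiles under this SSN that are not the consumer's own."""
    records = bureau.query_by_ssn(ssn)
    if not records:
        return []
    own = normalize(records[0].name)
    return [r.name for r in records[1:] if normalize(r.name) != own]


def demo() -> Bureau:
    """Constructed scenario: one real consumer, one typo, one synthetic application."""
    b = Bureau()
    b.add_consumer(Record("Jane Doe", "1 Elm St, Springfield", "123456789", "BankOne"))
    # Jane's own application with two digits transposed still resolves to her A file
    b.ingest(Record("Jane Doe", "1 Elm St, Springfield", "123456798", "CardCo"))
    # Jane's real SSN with another name and address: filed as a subfile Jane never sees
    b.ingest(Record("John Roe", "99 Far Rd, Shelbyville", "123456789", "LoanCo"))
    return b


if __name__ == "__main__":
    bureau = demo()
    print([r.name for r in bureau.query_by_ssn("123456789")])
    print(foreign_names_on_file(bureau, "123456789"))
```

The point the toy makes is the one in the paragraph above: the same tolerance that rescues a mistyped application is what lets a record with a real SSN and a fabricated name attach to the consumer's file. `foreign_names_on_file` is the check a consumer (or a fraud analyst with bureau access) would want: pull on the SSN alone and look for names that are not yours.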

Synthetic identity theft is invisible to victim-based tracking because individuals whose information was used may never become aware of the crime. The “fabricated identities” are typically based on a real Social Security number, but with a fake name and address. As a result, because “the combination of the name, address and Social Security number do not correspond to one particular consumer, the fraud is unreported [by a victim to a bank] and often goes undetected…financial losses stemming from synthetic identity fraud are difficult for organizations to label as fraud when the approved account becomes delinquent and eventually charges-off as a loss.”

According to ID Analytics, synthetic fraud is quickly becoming the more common type of identity fraud, surpassing “true-name” identity fraud, which corresponds to actual consumers. In 2005, ID Analytics reported that synthetic identity fraud accounted for 74 percent of the total dollars lost by U.S. businesses to ID fraud and 88 percent of all identity fraud “events” — for example, new account openings and address changes.

“True-name identity fraud was the prevalent identity theft mode about five years ago,” says Steve Coggeshall, chief technology officer of ID Analytics. “Synthetic identity fraud is the dominant mode now.”


Mar 18 2008   6:53PM GMT

More on Medical Identity Theft - New California Law Requires Breach Notification



Posted by: Arian Eigen Heald
Security, HIPAA, Compliance, Identity theft

Can you tell I got behind on my hardcopy reading? I just caught Rebecca Herold’s fine article in the Computer Security Alert of 2/2008 (a CSI monthly newsletter well worth getting, by the by, for the quality of the articles) concerning one of the aspects of medical identity theft: breach notification.

California is the first state in the nation to include “medical information” AND “health insurance information” in their updated state law on privacy breach notification. Since California was also the first state to implement a privacy breach requirement in state law, we can hope that other states will follow suit in this as well. The updated law, S.B. 1298, came into effect in January 2008. Here’s the relevant section:

(e) For purposes of this section, “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver’s license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(4) Medical information.
(5) Health insurance information.

(f) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

This law will have an impact on any entity doing business in the state of California, and addresses the fact that HIPAA regulations contain no requirement for breach notification. “Ooops, we lost your medical information, but whew, we don’t have to tell you!”

These regulations also affect health care technology companies, including companies like Google, or Microsoft (think Health Vault) who want to hold your information for you:

This bill would apply the prohibitions of the Confidentiality of Medical Information Act to any business organized for the purpose of maintaining medical information to allow an individual to manage his or her information, or for the treatment or diagnosis of the individual.

You can read the full legislative act here.

The bill does exempt organizations that encrypt their Personally Identifiable Information. And I suspect this bill will have a bigger impact on health care in terms of compliance.
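Incident responders end up encoding subdivision (e) quoted above as a triage rule: name plus at least one listed element, with the encryption exemption applied. The following is an added example, not the author's or anyone's official interpretation; the field names are assumptions, the sample rows are constructed, the (f)(1) public-records exclusion is not modeled, and the encryption clause is read literally (the record stays in scope when either the name or the elements are in the clear).

```python
# Data elements listed in subdivision (e) of the quoted section; the dict keys are
# field names assumed for this example, not statutory terms.
ELEMENTS = {
    "ssn": "(1) Social security number",
    "id_number": "(2) Driver's license or California Identification Card number",
    "account_number": "(3) Account, credit or debit card number with required code or password",
    "medical": "(4) Medical information",
    "health_insurance": "(5) Health insurance information",
}


def has_name(record: dict) -> bool:
    """First name or first initial, in combination with last name."""
    return bool(record.get("last_name")) and bool(record.get("first_name") or record.get("first_initial"))


def present_elements(record: dict) -> list:
    """Which of the five listed elements the record actually contains."""
    found = []
    for key in ELEMENTS:
        if key == "account_number":
            # element (3) needs the number AND a code/password that would permit account access
            if record.get("account_number") and record.get("access_code"):
                found.append(key)
        elif record.get(key):
            found.append(key)
    return found


def is_personal_information(record: dict, encrypted: set = frozenset()) -> tuple:
    """Decide whether a breached record is 'personal information' under (e).
    `encrypted` names the fields stored encrypted ('name' covers the name fields).
    Read literally, (e) applies when either the name or the elements are unencrypted,
    so only encrypting both takes a record out of scope."""
    if not has_name(record):
        return (False, [])
    elements = present_elements(record)
    if not elements:
        return (False, [])
    name_clear = "name" not in encrypted
    clear_elements = [e for e in elements if e not in encrypted]
    if not name_clear and not clear_elements:
        return (False, [])
    return (True, elements)


def triage(rows: list) -> list:
    """Return (row index, element descriptions) for every row that triggers notification."""
    out = []
    for i, (record, encrypted) in enumerate(rows):
        hit, elements = is_personal_information(record, encrypted)
        if hit:
            out.append((i, [ELEMENTS[e] for e in elements]))
    return out


# Constructed sample of what a breached table might hold: (record, encrypted fields)
SAMPLE = [
    ({"first_name": "Jane", "last_name": "Doe", "medical": "asthma, albuterol"}, set()),
    ({"first_initial": "J", "last_name": "Roe", "health_insurance": "policy 5551212"}, set()),
    ({"first_name": "Pat", "last_name": "Lee", "account_number": "00998877"}, set()),        # no access code
    ({"first_name": "Sam", "last_name": "Kim", "ssn": "123456789"}, {"name", "ssn"}),        # both encrypted
    ({"ssn": "987654321", "medical": "diagnosis"}, set()),                                   # no name at all
    ({"first_name": "Ann", "last_name": "Cho", "ssn": "111223333", "medical": "x"}, {"ssn"}),  # name in the clear
]

if __name__ == "__main__":
    for index, elements in triage(SAMPLE):
        print(index, elements)
```

Rows 0, 1 and 5 trigger notification; row 2 does not because the account number lacks the code that element (3) requires, row 3 does not because both name and element are encrypted, and row 4 has no name to combine with.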


Mar 13 2008   8:26PM GMT

“Medical” Identity Theft - New (to me) and Scary



Posted by: Arian Eigen Heald
Security, Database security, Identity theft, HIPAA

A recent story in Government Technology magazine educated me on exactly what “medical identity theft” is and what the risks are. Although the article focused on Medicaid and Medicare fraud, the statistics and risks made for scary reading. And it started me thinking about MY medical data.

In a nutshell, medical identity theft involves the use of patient identification numbers and/or physician identification numbers, both used to bill for services and obtain payment.

The FTC estimated, based on overall identity theft statistics, that medical identity theft cases numbered 3 percent of all identity theft cases. That’s about 250,000 cases a year, at a conservative estimate.

The FTC is not responsible for addressing medical identity theft, the Department of Health and Human Services is. Nor is there an ability to use FACTA (Fair Credit Reporting Act) to remove fraudulent medical records.

According to the World Privacy Forum and Blue Cross Blue Shield Association, at least 1 percent of fraud is estimated to be medical identity theft: that’s $600 million per year. Ouch.

For individual patients, the theft of their medical identification numbers presents an even more difficult scenario to resolve than “regular” identity theft. Their medical history gets changed, along with erroneous information about allergies, medications and procedures done. With HIPAA protecting medical records, it is much harder to change the records that list the “bad” information.

And imagine trying to get insurance with a false “pre-existing condition” created by fraud? Not to mention dealing with hospitals and other medical organizations trying to get payment.

Another interesting (and scary) statistic from the WPF:
Cost, on the street, for a stolen Social Security number? $1.
Cost, on the street, for stolen medical ID information? $50.

Medical identity data sitting in our HR databases is more valuable than Social Security numbers. Has it occurred to anyone else besides me that our medical ID numbers are often our Social Security numbers?

Bankrate has noted that since HIPAA has no enforcement mechanism, data security is not a high priority issue for health care facilities. The penalties are there in the legislation, but there is no inspection or reporting mechanism to ensure compliance. We are, in essence, trusting our medical providers and billers to keep our personal information secured.

Given the state of security in the majority of our business networks today, would that give you a warm fuzzy?

Me neither.

Next: “Synthetic” Identity Theft


Mar 11 2008   2:38PM GMT

Identity Theft: A BIG issue for IT Auditors and DBAs



Posted by: Arian Eigen Heald
Admins and Auditors, Identity theft, Security, Database security, IT audit

The year 2007 was a banner one for personal data theft, especially credit card info (think TJMaxx) and individual personal data being lost all over the place. Big and small, the number is in the millions. The Identity Theft Resource Center estimates the number of lost or stolen personal information records to be 79 million, up from 20 million in 2006.

The bad guys are getting data off of laptops, phishing emails etc, but that’s petty numbers. The real motherlode of data is inside databases.

Where do you think the TJMaxx thieves got their 90 million credit card records? Not from sniffing wireless transactions. Oh no. They got into the network, then into the servers, then into the database(s) holding that data, which were, I betcha, unencrypted. And the only reason they got caught was because the “mules” for the thieves got sloppy about purchasing large amounts of products in stores to exchange for cash. TJMaxx wasn’t watching their databases (or anything else, seemingly).

So when people ask me why I care about database security during an IT Audit, there’s my answer. And the fact that internal data theft is a significant percentage of the overall numbers.

Who has access to your HR, payroll and client information? The temp? The CEO’s secretary? The guy in accounting? If you were losing data, how would you know? Those bad guys don’t want to be found.

Is your payroll database on the same server as the database accessed by your web server? (Saw that one last year.) They’ll get your client data and all your employee information, too.

If I had to choose between the network engineer and the DBA to guard my personal data, I’d be choosing the DBA.
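The two audit questions above (who can read the HR and payroll data, and whether it shares a server with the web-facing database) can be answered from a privilege inventory. The following is an added example, not code from the original post: it reviews a constructed grants listing, expanding wildcard grants so that a global read privilege is counted against the sensitive schemas it silently covers, and flags hosts where a web-facing schema and a sensitive schema live together. The account names, hosts, schemas and approved-reader lists are all assumptions made up for the example.

```python
# Constructed privilege inventory, shaped like rows from a grants query:
# (grantee, db host, schema, table, privilege). '*' is a wildcard.
GRANTS = [
    ("hr_app",      "dbsrv01", "hr",      "employees", "SELECT"),
    ("payroll_app", "dbsrv01", "payroll", "*",         "SELECT"),
    ("webshop",     "dbsrv01", "shop",    "*",         "SELECT"),
    ("reports",     "dbsrv01", "*",       "*",         "SELECT"),   # global read: covers payroll too
    ("temp_acct",   "dbsrv01", "payroll", "salaries",  "SELECT"),
    ("dba_jane",    "dbsrv01", "*",       "*",         "ALL"),
    ("hr_app",      "dbsrv02", "hr",      "*",         "INSERT"),
]

SENSITIVE_SCHEMAS = {"hr", "payroll"}
WEB_FACING_SCHEMAS = {"shop"}              # schemas the web server's account talks to
APPROVED_READERS = {                        # who is allowed to read each sensitive schema
    "hr": {"hr_app", "dba_jane"},
    "payroll": {"payroll_app", "dba_jane"},
}
READ_PRIVS = {"SELECT", "ALL"}


def readers_of(grants: list, schema: str) -> set:
    """Accounts that can read `schema`, counting wildcard grants on every schema."""
    return {g for g, _host, s, _table, p in grants if s in ("*", schema) and p in READ_PRIVS}


def unapproved_readers(grants: list) -> dict:
    """Sensitive schema -> accounts that can read it but are not on its approved list."""
    findings = {}
    for schema in sorted(SENSITIVE_SCHEMAS):
        extra = readers_of(grants, schema) - APPROVED_READERS.get(schema, set())
        if extra:
            findings[schema] = extra
    return findings


def colocated_hosts(grants: list) -> set:
    """Hosts that serve both a web-facing schema and a sensitive schema."""
    by_host = {}
    for _grantee, host, schema, _table, _priv in grants:
        by_host.setdefault(host, set()).add(schema)
    return {h for h, schemas in by_host.items()
            if schemas & WEB_FACING_SCHEMAS and schemas & SENSITIVE_SCHEMAS}


def review(grants: list) -> list:
    """Human-readable findings for the audit workpaper."""
    lines = []
    for schema, accounts in unapproved_readers(grants).items():
        lines.append(f"{schema}: unapproved readers {sorted(accounts)}")
    for host in sorted(colocated_hosts(grants)):
        lines.append(f"{host}: sensitive and web-facing schemas share this host")
    return lines


if __name__ == "__main__":
    for line in review(GRANTS):
        print(line)
```

On the sample, `reports` shows up against both sensitive schemas even though it was never granted anything on them by name, `temp_acct` shows up against payroll, and `dbsrv01` is flagged for hosting the shop schema next to HR and payroll. The same review run against a real grants dump is the first thing to ask the DBA for.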

Next: Medical Identity Theft