Wednesday, July 16, 2008

Criminal methodologies: Identity theft - merinews.com - 15 Jul 2008

THE VAST majority of identity fraud victims (68 per cent) incur no out-of-pocket expenses. This points out that businesses are victims of fraud. The aim of this paper is to provide some clarity about the real losses sustained by organisations whose customers experience identity theft. This fraudulent behaviour by criminals erodes the reputation and profits of institutions, which I am calling ’institutional identity theft’. I also want to offer the reader some of the best policies, procedures, and solutions to reduce your risk of institutional identity theft. Identity theft is a catch-all term for crimes involving illegal usage of another individual’s identity. The most common form of identity theft is credit card fraud.

Identity theft is often looked at as an individual’s problem. You know, something that consumers have to worry about. However, organisations often spend a lot of time, effort, and money trying to prevent their customers from experiencing it. The reason is that when customers of these organisations experience identity theft, sometimes due to negligence or lack of proper security controls and other times through no fault of their own, the organisation has to face several consequences. These consequences often include loss of customers, reduced client loyalty and trust, reparation costs including credit repair and monitoring fees, as well as hard costs (reissue fees, account reimbursements, insurance fees). In 2007, 9.4 million American citizens were victims of identity fraud with losses totaling more than 49.3 billion.

Nearly a quarter of a million identity theft complaints were made to the Federal Trade Commission during 2007 (32 per cent of all fraud complaints). Credit card fraud was the most common form of identity theft reported (23 per cent), while bank fraud wasn’t far behind at 13 per cent. Additionally, there were 221,226 complaints of Internet-related fraud, which constituted 40 per cent of all fraud complaints.

While there are many types of identity theft, the methods criminals prefer are changing. For example, the general movement towards consumers using online bill payment and receiving electronic statements as opposed to paper statements has decreased the effectiveness of dumpster diving (stealing mail or rummaging through garbage for statements or electronics that might have personal data stored). While this is true for consumers, dumpster diving at a financial institution such as a bank or credit union can still pay off for bad guys. Internet databases, government registers, and public records remain a target, but significant improvements in the security of these systems have reduced the frequency with which they are used in identity theft and fraud cases. Eavesdropping on public transactions to obtain personal information (shoulder surfing), and stealing credit cards or other identification cards by pickpocketing or surreptitiously by skimming through a compromised card reader, will always exist while we continue to use plastic cards. The fastest growing and most preferred method criminals use to collect sensitive customer information is where more of our efforts should be spent. This includes more ’high tech’ methods using malware, browsing, spam, phishing, pharming, trojan horses, and other hacking techniques.

Changing Criminal Methodologies

For example, a loan officer in your branch opens his Internet browser and goes to a site, Msnbc, to get the latest news. Most organisations allow this as part of their Internet use policy. However, if this user went to Msnbc on St Patrick’s Day 2008 and had a vulnerable browser, the site would have opened an iFrame (a hidden window on the website) that loads malicious code in the background. Malware, once installed, is virtually unlimited in what it can do. Often, these malicious. A combination of high tech fraud methods, such as malware, phishing, pharming, key-loggers, and trojan horse programmes, combined with various social engineering techniques (a collection of techniques used to manipulate people into performing actions or divulging confidential information) has led to a lucrative practice for many criminals. But even searching on Google or any other search engine can lead to system compromise.

Anyone who has done a fair bit of searching on the Internet will often run across ’Spam pages’. These web pages are filled with the most commonly searched keywords on the Internet. They will have strings of words and phrases like ’tribadism fight scenes, free tribadism porn video Britney Spears, make money fast terrorism Iran Election 2008, primaries, Obama, Clinton,’ etc. The criminals seed these pages with ’statistically improbable phrases’ (phrases that are usually unique to the most legitimate or desirable search results), so that they rank much higher than other sites. Then the criminals distribute these pages across hundreds of compromised, legitimate websites. Malicious code (viruses, worms, Trojan programmes, botnet software and the like) is then injected into these pages so that when someone simply browses them, they are immediately infected. So when one of your users simply goes to Google and types in some search string, several of the pages that are listed as top results may be these infected pages that could compromise that system, which can lead to an entire network compromise. In fact, in many cases, five out of six results are infected ’Spam pages’. Remember, they don’t have to open an attachment. They don’t have to execute a programme. All they have to do is click on a search result link in Google, like you and I do many times a day.

Most companies use an outsourced firm or third party to host their website. Because these companies use a single, common platform, a vulnerability found in the third party’s hosting platform has the potential to compromise every website hosted by that provider. In one study, one person or group had infected hundreds and hundreds of legitimate websites all hosted by the same ISP in Eastern Europe. Most of the sites had redirectors to a site with a ’virus dropper’ (a website that injects a virus into the computer that has accessed the web page). In other words, we have seen evidence that someone has figured out how to penetrate websites hosted by a hosting company at will, and has all at once placed web pages on all of them, which intercept popular Google keyword searches and redirect them to virus droppers. This company boasts over 700,000 websites.
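For a site owner, the hidden iFrame and injected-page scenarios above translate into a simple integrity check on pages the hosting provider serves on your behalf. The following is an added example, not part of the original article: it flags iframes that are both invisible and pointed at a host other than your own. The host names, sample page and function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True for a width/height of 0 or 1 (optionally with 'px')."""
    return value is not None and re.fullmatch(r"\s*[01]\s*(px)?\s*", value, re.I) is not None

class HiddenFrameFinder(HTMLParser):
    """Collects src values of iframes that are hidden AND load from another host."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        # Relative URLs have no host and are treated as same-site.
        off_site = bool(host) and host != self.own_host \
            and not host.endswith("." + self.own_host)
        hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                  or HIDDEN_STYLE.search(a.get("style", "")) is not None)
        if off_site and hidden:
            self.findings.append(a["src"])

def find_hidden_offsite_iframes(html, own_host):
    finder = HiddenFrameFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page: one legitimate embed, one same-site hidden frame,
# and two hidden frames pointing at placeholder (.invalid) hosts.
SAMPLE_PAGE = """
<html><body><h1>Branch news</h1>
<iframe src="https://video.example.com/player" width="640" height="360"></iframe>
<iframe src="/widgets/rates.html" width="0" height="0"></iframe>
<iframe src="http://dropper.invalid/in.php" width="1" height="1"></iframe>
<iframe src="//cdn.tracker.invalid/x" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in find_hidden_offsite_iframes(SAMPLE_PAGE, "example.com"):
        print("hidden off-site iframe:", src)
```

This inspects static markup only; frames written into the page by script at load time need a rendered-DOM check or file-integrity monitoring on the web root.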

Epilogue

While the Internet is not the culprit, it has become a tool that identity thieves have embraced and abuse to find victims and commit fraudulent activities. A layered security approach that combines policy, procedures, training, and a variety of technologies managed and monitored centrally is the best way to combat institutional identity theft. Many managed service providers can offer you a solution that mitigates a single threat or risk within your environment. With this approach, many companies are already finding it difficult to manage the various vendors and technologies. With Perimeter eSecurity, you get all the benefits of outsourced security management and monitoring while maintaining visibility and control through our client portal ’Viewpoint’. Only Perimeter eSecurity can offer your organisation the complete solution that can protect your institution’s profits and identity.


By Ramesh Manghirmalani
