Entries tagged with “identity theft”.

A major national insurance company announced this week that its network had been compromised and more than 1 million customer records were stolen. Among the data included in the breach are “people’s names and a combination of Social Security numbers, driver’s license numbers, their date of birth, and possibly marital status, gender, and occupation, as well as the names and addresses of employers.”  A company spokesperson said that there is no evidence that credit card information or medical information was involved in the breach.  Affected individuals are being notified and offered free credit monitoring services.

It is interesting to note that this is the latest compromise in which sensitive personal information was stolen, while credit card data seems not to have been involved.  A few months ago, South Carolina had a similar type of incident in which Social Security and banking information was compromised, while the encrypted cardholder data remained secure.  Now, I don’t have any details or knowledge of these events outside what is printed in the releases or articles, but it does leave me thinking of a very important reminder: PCI DSS only addresses cardholder data, not any other sensitive personal information.  Birth dates, routing numbers, Social Security numbers and other sensitive data are left out in the cold with respect to PCI DSS, though they merit just as much, if not more, protection than cardholder data.

PCI DSS only applies to cardholder data.  It provides a baseline of protection for credit and debit card information.  Nowhere in its requirements does the PCI DSS require companies to protect social security numbers, bank routing information, birthdates or any other sensitive information.  Many companies take great pains to comply with PCI DSS and the standard has done a lot of positive things for an industry that desperately needed to implement strong security.  However, simply being PCI DSS compliant does not mean that all the sensitive data in an organization’s environment is protected.  A serious obstacle to overall security arises when companies believe that compliance with PCI DSS equates to security.

PCI DSS provides a good launching point for security initiatives.  Many of the requirements contained in the standard are best practices (if not requirements) for other types of data, as well.  It is tempting, particularly with so much focus on compliance, to focus on PCI DSS and cardholder data to the exclusion of everything else.  It’s important to remember, though, that companies have many types of data in their networks.  Companies would be well-served to conduct a data inventory and find out what they really need to keep and what they don’t.  If it is needed, then it should be adequately protected.  If it is not needed, it shouldn’t be stored.  Excess data is excess liability.

For those of us in the security space, it’s common to hear about crime rings based out of Eastern Europe that are targeting US companies and consumers.  We prefer to think of stealing data and selling it to make a fast buck as something that happens from abroad.  A recent report from ID Analytics, though, tells us that we have plenty of trouble with that particular crime here at home.

ID Analytics, a leader in consumer risk management, has undertaken a study to identify crime rings in the US that specialize in identity theft.  According to the report, there are more than 10,000 separate crime rings operating in the United States.  Those rings appear to be most highly concentrated in Washington, D.C.; Detroit; Tampa, Fla.; Greenville, Miss.; Macon, Ga.; and Montgomery, Ala.  Another unusual finding of the report was that a large number of these rings were made up of friends and family working together.  You know what they say.  “The family that defrauds together…”

This report is interesting on a couple of levels.  First, there has been an assumption that identity theft is often the work of career criminals.  The report seems to contradict this, pointing out the almost communal nature of identity theft rings.  The individuals work together and even share identity information, like Social Security numbers, in an effort to get new lines of credit.  Secondly, while we do know that many breaches originate from abroad, it is important that we not overlook the threat that we face here at home.  Another surprising revelation in the report is the genesis of the crimes.  Again, we tend to think of identity theft as an urban crime.  While most of the victims were city dwellers, the report shows that the crime rings originate largely in rural areas.

It would be interesting to see if longitudinal studies would uncover a relationship between the economic downturn, particularly as it hit these rural areas, and the increase in the formation and activity of identity theft rings.  It is sometimes easy to think of identity theft in the abstract, and that may entice people who wouldn’t be attracted to violent crime as a means of supporting themselves.

Pardon the pun, but it seems that another day brings us news of yet another data breach.  In this instance, Northwest Florida State College has suffered a network breach that resulted in the compromise of an estimated 200,000 student records dating from 2005-2007.  As first reported, the compromise was believed to have been isolated to college employees, with even the president of the school reporting identity theft.  What’s worse is that the data thieves are not being shy about parlaying the theft of data into all-out identity theft and larceny.  In fact, more than 100 employees have reported withdrawals from their bank accounts.  According to college president Dr. Ty Handy, “The more common mechanism is to go through a loan company and to secure a loan and to have that loan payment come directly out of the bank account…That’s how I was hit.”

This compromise is, in many ways, worse than having one’s credit card compromised.  In this instance, stolen data included Social Security numbers, banking information, and birth dates.  This is enough information not just to max out a credit card, but to access bank accounts and even to establish new lines of credit.  The question that comes to mind as a result is: how should consumers (or even businesses) protect themselves against this type of attack?  There are a few ways to do so, some of them more onerous than others.

1) Monitor financial accounts - this step is, surprisingly, often overlooked.  However, keeping an eye out for odd-looking transactions can help to identify this type of theft and allow you to take action quickly.  Thieves and fraudsters bank (often literally) on the idea that their victims aren’t paying close attention.  So they run “test” transactions to see if they can get away with it.  Sometimes, thieves will hold data for more than a year before testing it, just to lull the victim into a sense of security.

2) Place a credit freeze - a credit freeze allows you to control third-party access to your credit.  If a lender cannot access your credit history, then it cannot extend a line of credit.  If you are concerned that you might be a victim of a data compromise or identity theft, this can be beneficial.  There are downsides, though.  Most notably, this can make it more difficult for you to open new lines of credit should you want or need to do so.  The credit freeze, which must be placed with each of the credit reporting agencies, remains in effect until you lift it.

For more information on how to detect and respond to identity or financial fraud, check out the Federal Trade Commission’s Identity Theft website.

Last week, federal authorities announced the arrest of 19 individuals associated with a data and identity theft ring.  This group, associated with an online forum at carders.su, specialized in stealing personally identifiable information and then offering it for resale.  The group, which was based in Las Vegas, also offered counterfeit cards for sale.  The arrests are part of a long-term operation called Operation Open Market, which targeted fraudsters and data thieves who were selling information.  While these 19 arrests are the most recent, the federal authorities report that 50 individuals have been indicted during the course of the operation, which took place across several states.  The 19 arrested last week were described as employees or associates of the Carder.su identity theft ring.

“The actions of computer hackers and identity thieves not only harm countless innocent Americans, but the threat they pose to our financial system and global commerce cannot be understated,” said James Dinkins, executive associate director of ICE Homeland Security Investigations. “The criminals involved in such schemes may think they can escape detection by hiding behind their computer screens here and overseas, but as this case shows, cyberspace is not a refuge from justice.”

These arrests serve as an important reminder that identity thieves and so-called “carders” are not slowing their work.  While the media may have turned its attention to issues of hacktivism and state-sponsored corporate espionage, the carders continue to infiltrate companies and steal individual credit card details in order to counterfeit cards and resell the information.  If anything, the increased attention on the more sensational types of attacks has offered cover to carders to continue their “more mundane” crimes with little scrutiny.

The arrests highlight the need for companies to maintain their vigilance with respect to the protection of their customers’ data.  While the threat landscape has changed quite a bit, the threat posed by carders and identity thieves has not abated.  According to the Verizon 2011 Investigative Response (IR) Caseload Review, personally identifiable information and financial information were the top targets of data thieves, followed by trade secrets and authentication credentials.  Clearly, the need to protect sensitive data of all kinds is still of paramount importance.

How can companies help mitigate their risk of exposure?  One of the most important steps that companies can take is to inventory the data currently being stored and make a business decision as to whether the company really needs to maintain that data.  If you don’t need it, don’t store it.  Often, companies continue to store data “just in case.”  Storing this data, though, can increase the liability associated with a compromise of customer information.  Additionally, there are a number of services, including ProPay’s ProtectPay®, that allow companies to process payments without processing, storing, or transmitting sensitive payment data.  Understanding the data that is being stored, and working to minimize the sensitive data kept onsite, can help to reduce the consequences of a data breach and can significantly reduce the burden of complying with the PCI DSS.

Dr. Heather Mark, PhD; SVP Market Strategy

When the discussion of identity theft arises, most people would naturally assume that the phenomenon is one that primarily impacts consumers.  However, the unfortunate fact of the matter is that merchant (or business) identity theft is a very real threat that often gets overlooked.  One reason for the lack of attention paid to business identity theft is that it is a relatively new trend.  According to the state of Colorado, which has established a Business Identity Theft Resource Guide, “Business identity theft (also known as corporate or commercial identity theft) is a new development in the criminal enterprise of identity theft. In the case of a business, a criminal will hijack a business’s identity and use that identity to establish lines of credit with banks or retailers.”  The thieves have the same goal in mind as those that target individuals, but can often get away with more from businesses.  Businesses typically have larger lines of credit and are sometimes less fastidious about checking statements.

Lisa Lee of Atlanta provides an illustration of just what a thief can accomplish through the misuse of corporate credentials.  According to news reports, Ms. Lee would scour the state databases of corporations (which are public) and would select corporations that were inactive or otherwise defunct.  She would then bring these entities “back to life” by filing corporate documents, opening bank accounts and establishing email and other contact information.  Once that was accomplished, she would apply for business lines of credit in the companies’ names.  During the course of her crimes, Ms. Lee applied for and received over $1 million in loans and credit.  Fortunately, Ms. Lee was caught and convicted and has been sentenced to 10 years in prison.

In 2010, 35 businesses in Colorado were victimized by a scam in which corporate identities were stolen and used to make purchases at big box retailers.  In that instance, more than $750,000 in fraudulent purchases were made at just one store.  There were half a dozen stores at which fraudulent purchases were made, so one can only imagine what the ultimate tally might be.

The focus on consumer protection has certainly succeeded in making individuals more cautious about their information and more conscientious about checking their financial statements.  Unfortunately, businesses have not benefited from the same level of focus and education.  That leaves many businesses, particularly small businesses, vulnerable to predators and scams.  There are steps that companies can take to protect themselves, though.

Protect your business records – Business records contain a great deal of sensitive information.  This may include EIN or Tax ID numbers, insurance information, financial account information and other sensitive data that can be used to establish or alter lines of credit or financial accounts belonging to the business.  It is important that these documents are stored securely, in a locked drawer or file cabinet.  Documents that are no longer needed should be shredded.

Hide your merchant ID – It is very common for small merchants to have their merchant ID on a sticker that has been affixed to their PIN pad or terminal.  Unfortunately, these devices are almost always in view of the customer.  That means that anyone who goes to the counter or desk can easily gain access to the merchant ID number and the name of the merchant service provider through which the company processes payment transactions.  From there, it is a short hop to compromising a merchant account, through social engineering or other means.  Imagine if you received a call from someone purporting to be from the merchant services company who was able to provide your merchant ID as proof.  You’d probably be inclined to believe it was a legitimate call and provide more sensitive information.  Your merchant ID should be considered as sensitive as any other financial account information and protected accordingly.

Check your corporate records – Often, thieves will try to alter the corporate records of existing entities.  Many states have public online databases of corporate entities, complete with filings, name reservation documents, and corporate officers.  Identity thieves may try to alter the address of record or change the names of the corporate officers.  While most states will take some action to verify these changes, it is a good idea to periodically check your corporate records with the secretary of state in your state of incorporation.  If anything appears out of order, notify the secretary of state at once.

Review financial accounts – Just as with your personal financial statements, it is helpful to review business account statements to identify any anomalous activity.  Quickly identifying potential identity theft can significantly reduce the potential damage to the company.

Restrict access to “need to know” – In small businesses it is often tempting to keep everyone in the loop with respect to every aspect of the business.  While that may be laudable, the unfortunate fact is that the more people who know, the more who can disclose.  It is important to ensure that only those employees who have a need to know things like bank account numbers and EINs have access to that information.  Not only does that limit the number of people who can (intentionally or unintentionally) disclose or misuse data, it also provides a chain of accountability in the event that business identity information is misused.

Certainly this is not an exhaustive list of protective measures, but it does represent some good, commonsense steps that small businesses can take to protect against identity theft.  Most states have a webpage that offers more information and localized resources or tips on the prevention of identity theft.  If you suspect that your business has been the victim of identity theft, it is important to notify the secretary of state and appropriate law enforcement agencies as soon as possible.

Dr. Heather Mark, PhD; SVP Market Strategy