July 1, 2006
It's a public relations nightmare happening to organizations around the globe: the public disclosure of exposed or stolen customer information. Early 2005 saw many prominent companies publicly disgraced by such exposures, including Lexis-Nexis, whose database was hacked and 310,000 personal records accessed; PayMax, which exposed the W-2 tax information forms of 25,000 of its account holders through a Web application vulnerability; and, most famously, ChoicePoint, which lost 145,000 full identities to social engineers who set up 50 dummy accounts and simply requested the information.
These types of breaches are not new. Insiders will tell you that hackers extract customer identities all the time. What is new is that 16 state data protection laws, spawned by California's CA-1386 (effective July '03), are forcing public disclosure when there's an exposure of consumer data, including addresses, telephone numbers, driver's license numbers, Social Security numbers, medical data, tax IDs, and credit/bank account information. Federal and international laws mandating such reporting can't be far behind, particularly in the European Union and Japan, which already have strong data privacy laws in place.
As organizations are forced to go public with data loss and exposure, identity theft is no longer just a consumer issue. It's now a top business priority because reporting a single breach or exposure could cost your organization its loyal customers and shareholder confidence. For example, ChoicePoint's stock dropped 15% in the months following the social engineering attack on its systems.
Organizations handling any type of consumer identity information should secure that data as if it were their own money. Otherwise, your organization could join Victoria's Secret, the State of Minnesota, Gateway Computer, Petco, FTD.com, Tiffany.com, Abbey National Bank, and dozens of other brand names in sending notifications to affected customers in compliance with these laws.
Identity theft can cost more than bad PR, of course. The volume of media reports resulting from these state measures has unsettled users enough to document a steady decline in consumer confidence in online commerce.
More than half of the 655 people surveyed by Cyota (www.cyota.com) said they're afraid to do any form of e-commerce because of phishing and identity theft. According to a Forrester survey, 92% of U.S. consumers are reluctant to share information online because of identity theft concerns, 61% are less likely to use a credit card online, and 50% don't trust financial institutions to protect their data.
Identity theft concerns are also causing existing online customers to withdraw from online transactions at a rate that's far outpacing new consumers entering into online commerce. Because of identity theft fears, 13% of 1,486 international respondents to Entrust's June '05 Internet Security Survey have decreased or outright ceased banking online, while 12% have decreased or stopped all forms of e-commerce in the last twelve months. Meanwhile, according to the report, only 4% of those surveyed were new to getting online.
"Identity theft is impacting global e-commerce," says Bill Conner, CEO of Entrust, during the unveiling of the survey findings. "The message from consumers is clear: secure our identities and we will vote with our wallets."
The problem is not unique to e-commerce, of course. Identity theft occurs anywhere personal information exists: in mailboxes, ATMs, garbage cans, point-of-sale terminals, and elsewhere. With so many places data can be compromised, consumers are confused about how their identities get stolen. They just know that their lives have been turned upside down, and they're looking for someone to blame. Most commonly, based on these and other statistics, they're pointing fingers at the financial institutions, which have invested more in consumer data protection than any other industry and which stand to lose the most.
One such person is a retiree in Santa Rosa, Calif., whose identity was stolen by a social engineer who tricked 17 credit card companies into opening 17 bogus credit accounts and charging up more than $70,000 in her name. Ultimately, her meticulous record keeping helped put the perpetrator behind bars. But even today, she vents her anger at the credit agencies that allowed this to happen to her.
"Two years of my life were consumed with getting back my credit and it's still not over. Collection agents call me almost every day and I refer them to the district attorney," says the woman. "If you ask me, it's the credit card companies that are criminal for allowing this to happen."
Clearly, the psychological consequences for consumers are enormous. According to the Federal Trade Commission, 3.2 million consumers are victims of identity theft each year, with combined losses of $5 billion. The costs to consumer victims are mostly legal fees and time spent trying to reclaim their good names and good credit: an average of 600 hours to restore each stolen identity, which translates to $16,000 in lost potential revenue, according to the Identity Theft Resource Center.
Beyond reputation and customer loss, businesses and organizations touched by identity theft are also shouldering $50 billion a year in direct costs, ten times the consumer figure, to deal with identity theft's aftermath, according to the FTC.
For example, a hospital is denied payment for services rendered against a fake medical identity, or a store is out the value of merchandise purchased in a fraudulent transaction after the issuing bank catches on to the fraud and reverses the charges. Merchants also pay an additional "charge back" fee (usually $25) to cover the issuing bank's administrative costs in reversing the charges.
"The cost of identity theft to financial institutions goes far beyond the identifiable funds not recovered. Their business is based on a strong sense of trust and confidence with their customers. If their customers do not trust them, they will not do business with them," explains John Pironti, Principal Security Consultant, Unisys Inc.
From an IT perspective, identity thieves count on weaknesses in the human or technical systems that process the data.
Human weakness can involve employee error or negligence, as when Bank of America misplaced its backup tapes holding the names and Social Security numbers of 2 million federal employees, including senators; and there's also so-called "social engineering," which is how the retired woman's identity was stolen and how ChoicePoint's data was obtained. Social engineering is the use of deception to convince others that an unauthorized person has a right to privileged information.
Social engineering attacks can be prevented with better processes to check and cross-check before disseminating information. Once processes are proven, they should be enforced with strong employee policy, education, and training about proper data-handling procedures, particularly about how to be more suspicious of possible scams aimed at extracting identifying data from your systems.
Developing engaging training programs that non-technical users will remember is often time-consuming and expensive. But there are new commercial programs emerging, such as an online Security Awareness School developed by information security icon Winn Schwartau, that can bring employee awareness training into an organization through their browsers at a nominal cost per employee.
Attacks on the information systems themselves are more difficult to protect against because they can come from anywhere inside or outside the organization, over any kind of connection, with or without authorized access. They can also come through weak links to customers and business partners, as when 13.9 million Visa and 22 million MasterCard holders were exposed by a data leak at CardSystems Intl., the card companies' transaction processing partner, which held onto customer data it shouldn't have and was hacked in June '05.
Attacks from the outside, particularly through remote connections and Web application vulnerabilities, are increasingly used to expose identity information. According to Symantec's Internet threat report, 54 percent of the top 50 malicious code samples in the second half of 2004 were aimed at exposing confidential information, up from 44 percent in the first half of '04 and 36 percent in the second half of '03.
Attacks against Web application vulnerabilities and mobile applications are on the rise. There were 21 known samples of malicious code for mobile applications at the end of 2004, up from one (the Cabir worm) in the first half of '04, according to the report; and Web application attacks have become the number one vector for attackers.
To protect consumer data from insider abuse, and remote connection and Web application attacks, organizations should focus their security efforts on three essential areas: password-protected data encryption, secure access management, and Web application security.
Password-protected data encryption offers the most comprehensive protection, particularly if data is encrypted everywhere it travels and resides. Technologies now exist to selectively encrypt private data in the database, and SSL enhancement technologies make transport encryption practical without adversely affecting application performance. Furthermore, password-protected encryption (in case data on the desktop is compromised by an inadvertent user action) should also be deployed all the way out to remote service workers carrying customer data with them on any type of mobile device, and even to the home desktops of authorized data owners and consumers.
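What "selectively encrypt private data in the database" under a password looks like in code, as an added example that is not part of the original article and not F5's product code: the searchable columns of a customer row stay in the clear, while the identity fields are stored only as AES-GCM ciphertext under a key derived from a password. The password, salt, record id, column name and SSN below are constructed sample values; the PBKDF2 routine is written out by hand only so the example needs nothing beyond the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte output block,
// written out here so the example needs nothing outside the standard library.
// A maintained PBKDF2, scrypt or Argon2 package does the same job in production.
func deriveKey(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// FieldCipher encrypts individual sensitive columns with a key derived from a
// password, so a copied database file or backup tape yields only ciphertext.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher derives a 256-bit AES key from the password and a per-database
// salt (the salt is stored with the data; the password is not).
func NewFieldCipher(password, salt []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(deriveKey(password, salt, 100000))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// context binds a ciphertext to its row and column: a value moved to another
// record or column fails authentication instead of decrypting as someone else's data.
func context(recordID int, column string) []byte {
	return []byte(fmt.Sprintf("%d:%s", recordID, column))
}

// Seal encrypts one field value; the random nonce is prepended to the output.
func (f *FieldCipher) Seal(recordID int, column string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, plaintext, context(recordID, column)), nil
}

// Open decrypts a value produced by Seal for the same record and column.
func (f *FieldCipher) Open(recordID int, column string, ciphertext []byte) ([]byte, error) {
	n := f.aead.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return f.aead.Open(nil, ciphertext[:n], ciphertext[n:], context(recordID, column))
}

func main() {
	// Constructed sample values; a real deployment keeps the password in a
	// key manager and the salt alongside the database.
	fc, err := NewFieldCipher([]byte("correct horse battery staple"), []byte("per-database-salt"))
	if err != nil {
		panic(err)
	}
	ssn, _ := fc.Seal(42, "ssn", []byte("123-45-6789"))
	fmt.Printf("stored ssn column: %x\n", ssn)
	pt, err := fc.Open(42, "ssn", ssn)
	fmt.Printf("decrypted for row 42: %s (err=%v)\n", pt, err)
	_, err = fc.Open(43, "ssn", ssn) // same ciphertext copied to another row
	fmt.Printf("decrypted for row 43: err=%v\n", err)
}
```

Binding the row id and column name into the authenticated data is the part that matters for a database: without it, an insider who can write to the table could swap ciphertexts between rows and have the application decrypt one customer's SSN under another customer's record.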
Because of the growing mobile device threat, securing organizational applications against compromised machines connecting over the VPN is also key to protecting applications where consumer data resides. To do this, access control systems must run an integrity check on each remote device attempting to log on and keep compromised devices away from critical information until the machine is known to be free of malware and meets corporate security policy standards.
Identity thieves also go after logical flaws in a Web application to get at customer data. For instance, a thief can open a $10 checking account to obtain a valid username and password and then attack the application as an authorized user. In this case, end-to-end encryption actually helps the attacker, since network monitoring cannot see what an authenticated user is doing inside the application. So Web-based user applications need protection that understands the vulnerabilities in the application logic itself.
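The logic flaw the paragraph describes, shown beside its fix as an added example that is neither from the original article nor F5's code: an authenticated user with a legitimate, small account asks the application for a statement by account number, and a handler that trusts the session alone hands back any row. The account table, ids, balances and SSNs are constructed sample data; the function names are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// Account is one row of a constructed sample account table; the balances,
// SSNs and ids are made up for the example.
type Account struct {
	ID      int
	OwnerID int
	Balance string
	SSN     string
}

var accounts = map[int]Account{
	101: {ID: 101, OwnerID: 1, Balance: "$10.00", SSN: "123-45-6789"},
	102: {ID: 102, OwnerID: 2, Balance: "$48,210.55", SSN: "987-65-4321"},
	103: {ID: 103, OwnerID: 3, Balance: "$3,900.12", SSN: "555-12-3456"},
}

// Session is what the application knows about the caller after login.
type Session struct {
	UserID int
}

// ErrNotAvailable is returned for both "no such account" and "not your
// account", so the error text cannot be used to learn which ids exist.
var ErrNotAvailable = errors.New("account not available")

// statementVulnerable has the logic flaw the paragraph describes: the caller is
// authenticated, so the handler trusts the account id in the request and never
// checks that the logged-in user owns that account. Encryption on the wire does
// nothing here; the request is well-formed and comes from a valid session.
func statementVulnerable(s Session, accountID int) (Account, error) {
	acct, ok := accounts[accountID]
	if !ok {
		return Account{}, ErrNotAvailable
	}
	return acct, nil
}

// statementHardened ties the lookup to the session: the row is returned only
// when its OwnerID matches the caller. Denials are logged with user and account
// id, because repeated denials from one session across many ids is the pattern
// an application-layer monitor should alert on.
func statementHardened(s Session, accountID int) (Account, error) {
	acct, ok := accounts[accountID]
	if !ok || acct.OwnerID != s.UserID {
		log.Printf("denied: user=%d account=%d", s.UserID, accountID)
		return Account{}, ErrNotAvailable
	}
	return acct, nil
}

func main() {
	// A user who legitimately owns only account 101 asks for 102.
	s := Session{UserID: 1}
	if a, err := statementVulnerable(s, 102); err == nil {
		fmt.Printf("vulnerable: user 1 read account %d, SSN %s\n", a.ID, a.SSN)
	}
	if _, err := statementHardened(s, 102); err != nil {
		fmt.Println("hardened:", err)
	}
	if a, err := statementHardened(s, 101); err == nil {
		fmt.Printf("hardened: user 1 read own account %d\n", a.ID)
	}
}
```

The check is small, but it has to sit in the application code itself: no firewall or transport encryption can tell a legitimate request for account 101 from the same session's request for account 102. The denial log line is what gives the operations team something to detect this kind of misuse with.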
According to Symantec, 48 percent of all vulnerabilities disclosed in the second half of 2004 were in Web applications, up from 39 percent in the first half of '04. Typical attack methods include:
There are many other areas where identity information security can be improved, particularly employee and customer identity management, including two-factor authentication. But by comprehensively covering these three bases (sensitive data encryption, secure access, and Web application security), organizations will go a long way toward protecting consumer identity information from criminals who use it as their new form of currency.
Andrew Stern is Director of Security Product Marketing at F5 Networks. He may be reached at a.stern@f5.com.