TechnoFile: Identity Crisis
By now, you've heard that identity theft is among America's fastest-growing crimes, with nearly 10 million cases last year alone, and you're probably already taking measures to prevent yourself from becoming a victim.
For instance, you use a paper shredder to convert old bills, receipts, and bank documents into confetti. You review your credit-card statements monthly, looking for mystery charges; you obtain your overall reports from the three major credit-reporting agencies annually, looking for accounts you never authorized. You don't leave personal mail -- incoming or outgoing, opened or sealed -- sitting in the open where someone could walk off with it. Your best friend couldn't guess your PIN. You guard your Social Security number like a jealous lover.
Congratulations. You've taken some big steps toward shielding your own identity. Now how about doing the same for everyone whose personal information is sitting in your company's computers?
After all, an ID hijacker needs only a Social Security number, a birth date, and a few other details to open bank and credit-card accounts in somebody else's name. Chances are you've collected all kinds of confidential data about your employees, contractors, and customers. If you've stored it on your systems, it's vulnerable to theft.
Obviously, standard security measures, such as firewalls, provide some protection against cyberthieves. So do commonsense practices. "You can do a lot by just not storing that information" in the first place, says Phebe Waterfield, security analyst for the Yankee Group, a Boston-based technology research and consulting firm. She recommends using something other than Social Security numbers for identifying employee records or customer accounts. And, of course, you should never store confidential data on laptop computers, floppy disks, or CD-ROMs -- all easily lost or stolen.
But given how quickly ID theft is growing (80% in one year, according to a Gartner Inc. survey), those precautions aren't enough to safeguard sensitive information. Besides, you may not want to wall off your systems; you probably need to share some information with employees, contractors, clients, partners, and others.
Instead, consider developing a comprehensive identity- and access-management campaign. Translated, that means that you provide information access on a "need-to-know" basis. You monitor who's looking at what. And you verify that all users are who they say they are.
Among the technologies used in identity and access management are:
Authentication. These tools verify that the user logged on as Webster J. Parker is, in fact, Webster J. Parker. The most common version, the lowly personal password used again and again, won't deter serious thieves, who can quickly crack the code. More sophisticated options include handheld "keys," such as smart cards, and "two-factor" solutions, which require both a password and a physical device, such as a token, for access.
Single sign-on (SSO). Generally, these solutions let companies provide each authorized user with one secure identity -- often a user name paired with a smart card or token -- for accessing all company systems. That prevents the out-of-control proliferation of log-in names and passwords that can compromise security.
Biometrics. These devices identify users based on unique physical characteristics, such as handprints, retinas, facial features, or voices. Fingerprint and thumbprint readers that can be attached to individual computers are already on the market for less than $100 apiece. However, keep in mind that even legitimate users may object to providing prints or consider a retina scan invasive. And voice- and facial-recognition technologies are far from foolproof; currently, variables such as laryngitis or eyeglasses can distort the results.
Account administration. This practice, often called "provisioning," refers to managing users' system-access accounts. That's far more important than it sounds. Dormant accounts -- for instance, those previously assigned to former contractors or ex-employees -- can provide loopholes for thieves seeking access to private information. While small businesses can manually add and delete accounts, fast-growing companies may need technology that automates the process.
Digital signatures. These e-signatures verify who's sent a message or signed a document. Because they're encrypted and include a time stamp, they're difficult to fake.
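The "two-factor" approach described under Authentication above combines a password with a code from a physical token. As an added illustration (not code from the article or from any vendor it names), the following Python script enrolls a user with a salted password hash and a per-user token secret, then accepts a login only when both the password and a time-based one-time code (RFC 6238 TOTP, the scheme behind most time-synchronized tokens) check out. Everything here is constructed for the example: the 200,000 PBKDF2 iterations, the 30-second step, the one-step clock tolerance, and the sample user.

```python
"""Two-factor login check: a password (something you know) plus a
time-based one-time code from a token (something you have)."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 200_000   # assumed policy setting for this example
TOTP_STEP = 30                # seconds per code, as in RFC 6238


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted password hash; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, timestamp: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def enroll(password: str) -> dict:
    """Create a user record: random salt, password hash, and a random token secret."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": secrets.token_bytes(20),   # provisioned into the user's token
    }


def verify_login(record: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """Accept only if BOTH factors pass. Comparisons are constant-time, and the
    code is accepted from the current step or one step either side (clock drift)."""
    now = int(time.time()) if now is None else now
    password_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    code_ok = any(
        hmac.compare_digest(totp(record["totp_secret"], now + drift), code)
        for drift in (-TOTP_STEP, 0, TOTP_STEP)
    )
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed sample: enroll Webster J. Parker, then try a good and a bad attempt.
    user = enroll("correct horse battery")
    t = int(time.time())
    good_code = totp(user["totp_secret"], t)          # what his token would display now
    print("password + current code:", verify_login(user, "correct horse battery", good_code, t))
    print("password alone, wrong code:", verify_login(user, "correct horse battery", "000000", t))
    print("stolen password, no token:", verify_login(user, "correct horse battery", totp(user["totp_secret"], t + 600), t))
```

The point the article makes is visible in the last line of the demo: a thief who has captured the password still fails, because a code taken from the token ten minutes earlier is no longer valid.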
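The Account administration item above warns that dormant accounts and accounts left behind by ex-employees or former contractors are loopholes, and that growing companies may need to automate the clean-up. As an added example (not from the article or any product it names), this Python script does the kind of review a provisioning tool would run: it compares system accounts against the HR roster of people who still work for the company and flags any account that is no longer on that roster, has never been used, or has not logged in for longer than the policy allows. The account list, roster, 90-day threshold, and review date are all constructed sample data.

```python
"""Periodic account review: flag accounts to disable or investigate."""
from datetime import date, timedelta

DORMANT_DAYS = 90                   # assumed policy: no login in 90 days = dormant
REVIEW_DATE = date(2003, 10, 1)     # constructed review date for the sample

# Constructed sample: account name -> last successful login (None = never) and account type.
ACCOUNTS = {
    "wparker":    {"last_login": date(2003, 9, 28), "type": "employee"},
    "jdoe_ctr":   {"last_login": date(2003, 5, 2),  "type": "contractor"},
    "svc_backup": {"last_login": None,              "type": "service"},
    "mlee":       {"last_login": date(2003, 9, 30), "type": "employee"},
    "tnguyen":    {"last_login": date(2003, 9, 1),  "type": "employee"},
}

# Constructed HR roster: the people HR currently lists as employed or under contract.
ACTIVE_ROSTER = {"wparker", "mlee"}


def review_accounts(accounts: dict, roster: set, today: date,
                    dormant_days: int = DORMANT_DAYS) -> dict:
    """Return {account: reason} for every account that needs action.

    Two independent checks: (1) person accounts whose owner is no longer on the
    HR roster, regardless of recent use; (2) any account, service accounts
    included, that has never logged in or is past the dormancy threshold."""
    cutoff = today - timedelta(days=dormant_days)
    findings = {}
    for name, info in accounts.items():
        reasons = []
        if info["type"] in ("employee", "contractor") and name not in roster:
            reasons.append("not on active roster (departed?)")
        last = info["last_login"]
        if last is None:
            reasons.append("never logged in")
        elif last < cutoff:
            reasons.append(f"dormant since {last.isoformat()}")
        if reasons:
            findings[name] = "; ".join(reasons)
    return findings


if __name__ == "__main__":
    for account, reason in sorted(review_accounts(ACCOUNTS, ACTIVE_ROSTER, REVIEW_DATE).items()):
        print(f"DISABLE/REVIEW {account}: {reason}")
```

Run against the sample, the script flags the departed contractor (both off the roster and dormant), an employee who left recently but is still logging in (off the roster only, which is exactly the case a last-login check alone would miss), and a service account that has never been used. Accounts for current staff with recent logins are left alone.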
At this point, it's impossible to guarantee that any technology can shield people's identities. Recently, consumer activists and reporters demonstrated just how easily anyone in the know can buy supposedly private information -- they effortlessly purchased public officials' Social Security numbers and personal credit reports from online vendors.
Even so, businesses are increasingly being expected to safeguard their customers' private information -- and being held accountable if they don't. California recently passed a tough new law that, among other things, requires companies to seek customer permission before sharing their financial information and to print only the final few digits of credit-card numbers on purchase receipts. Congress is considering related requirements in its proposed amendments to the 33-year-old Fair Credit Reporting Act.
Ultimately, then, taking action to protect your customers may be the best way to protect yourself.
America's Fastest-Growing Crime
In September 2003, the Federal Trade Commission released a survey showing that 27.3 million Americans have been victims of identity theft in the last five years, including 9.9 million in the previous year alone. ID theft cost financial institutions, businesses, and consumers nearly $53 billion last year alone, according to the survey. Average loss to businesses was $4,800; the average loss to consumers, $500 -- and untold hours trying to recoup their reputations.
The Three Major Credit Reporting Agencies
Following are the three major U.S. credit-reporting agencies. All sell consumers copies of their personal credit reports. You may be entitled to receive reports at no charge if you've been denied credit, if you suspect fraud, or if you live in states that require the agencies to provide you one free copy annually. All three agencies' Web sites contain extensive information on preventing and responding to personal ID theft.
Information on preventing, detecting, and responding to personal identity theft:
"What's Next: They've Got Your Number," column by Robert X. Cringely (Inc., August 2003).
CSO magazine: Executive-level articles, white papers, research summaries, and other information.
Information Security magazine: Articles, buyers' guides, e-mail newsletters.
Internet Fraud Complaint Center: FBI and National White Collar Crime Center site providing information on spotting scams and filing complaints.
National Infrastructure Protection Center: Computer-related wing of the U.S. Department of Homeland Security.
U.S. Department of Justice: Identity Theft and Fraud site: Offers advice on preventing and responding to ID theft.
101-identitytheft.com: Resources, advice, and links for more information and assistance.
American Privacy Consultants' PrivacyToday.com: Privacy headlines and information.
Computer Security Institute: Conferences, courses, materials, and information on corporate ID theft and other information-security topics.
Electronic Privacy Information Center: News, information, and links on privacy-related issues.
Fightidentitytheft.com: Resources, advice, and links.
Human Firewall Council: Security and ID-management related resources for managers.
Identity Theft University-Business Partnership: Michigan State University School of Criminal Justice project to help businesses secure competitive and personal information.
Internet ScamBusters: Tracks and reports on online crime and fraud, including ID-theft schemes.
Vendors of identity access and management solutions include:
BMC Software Inc.
RSA Security Inc.
SystemTools Software Inc. (Hyena Total System Administration)
Vasco Data Security International Inc.