 |
 |
 |
 |
March 2006 • Volume 11 Number 3
|
 |
|
Feature of the Month Top Identity Topics: Identity Theft--When You Don't Own Your Identity! An individual's identity is defined most simply by the set of characteristics that enable a person to be recognized or known. There are three ways of thinking about identity:
This article discusses one of the top identity topics - identity theft - and offers perspectives on how the problem can be addressed with policy, process, and technology solutions. What is Identity Theft? Identity theft is the appropriation of another person's personal information without permission in order to commit fraud, to steal the person's assets, or to pretend to be the other person. Identity theft is the fastest-growing crime in the United States, according to the U.S. Federal Trade Commission (FTC). Between January and December 2004, Consumer Sentinel, the complaint database developed and maintained by the FTC, received over 635,000 consumer fraud and identity theft complaints. Consumers reported losses from fraud of more than $547 million. There are many types of identity theft, and many stakeholders besides the perpetrator and the victim are involved in identity theft. Identity theft affects all of society. How Does Identity Theft Occur? To prevent identity theft, it is essential to understand who commits identity theft and how identity theft occurs. Typically, three types of people commit identity theft:
There are many ways to commit identity theft, some simple and some very sophisticated. Simple methods are used mostly by persons close to the victim and by amateurs. The most common simple methods are dumpster diving and social engineering. Dumpster diving is the practice of rummaging through garbage for a consumer's personal information. Dumpster divers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting and discarding it. Social engineering methods generally use techniques that rely on human interaction to trick people. A perpetrator might try to gain the confidence of a colleague and then ask to "borrow" their user ID and password to access a secure network, or they might impersonate a utility representative and call an unsuspecting customer to "verify" the Social Security number associated with the account. There are countless examples of these simple methods, and even in today's environment, they remain very successful. Professionals use both simple and sophisticated methods to steal identities but tend to focus on methods that can be automated since such methods can be less time-consuming and more profitable. These automated methods are usually technology-driven and include techniques such as skimming, hacking, phishing, and pharming. -Skimming is the practice of stealing credit card information by capturing it in some form of card reader. The thief employs methods such as swiping the credit card a second time during an actual purchase or attaching a reader to an ATM machine where the card is swiped. Skimming occurs infrequently because of the technology required, but when it does occur, damages can be substantial. -Hacking is the act of gaining illegal or unauthorized access to a computer system or network. Hacking is the most commonly used method for stealing an identity. Spyware on a computer can be considered hacking, even though the user may have authorized installation of the spyware. Spyware is defined as programs such as keystroke loggers and screen capture utilities, installed by a third party to monitor and observe online behavior or capture passwords and other information. Applications such as adware install themselves surreptitiously through "drive by" downloads or by piggybacking on other applications. They track users' behaviors and take advantage of their Internet connection. Users often unknowingly authorize spyware to be installed by clicking on the "Yes" button at the bottom of an end user license agreement. -Phishing is a cyber attack that directs people to a fraudulent website to collect personal information. A common phishing scam is to send an email message asking a user to update an account. The perpetrator uses an attractive lure--protecting privacy--and then asks users to verify their accounts by clicking on a convenient hyperlink. A phishing scam may also lure an individual by sending an alarming message stating that a desired service is about to be terminated. Phishers often use the services of spammers to reach the widest number of possible targets. There have been literally thousands of phishing scams on the Internet. -Pharming is a cyber attack that involves a combination of ploys such as phishing, viruses, spyware, and domain name system (DNS) server cache-poisoning or spoofing. Pharming directs people to a fraudulent website by poisoning the DNS server so that web requests are redirected. Victims think they are entering personal information on a legitimate site when in fact they are not. A pharming site will often forward the web request on to the legitimate site so users see their real data. By monitoring the traffic between the user and the intended site, a pharmer can eavesdrop on personal information and even manipulate transactions. What Actions is Government Taking against Identity Theft? The Federal government and many state and local jurisdictions are passing laws and regulations requiring businesses to take certain actions against identity theft and to establish guidelines for notifying consumers when data breaches may have occurred. Governments are promoting consumer education and resources for preventing and, where necessary, recovering from identity theft. What are Businesses Doing to Prevent Identity Theft? Identity theft causes substantial financial harm to private industry. Businesses incur costs to implement identity theft prevention measures and to replace the losses suffered by the victims of identity theft. These costs are absorbed by the industry and by insurance companies, but eventually they are passed on to the consumer in the form of higher prices for products and services, higher fees, and higher interest rates. Different industry sectors are tackling this problem in the manner most appropriate for that industry and for the specific patterns of theft. Being proactive, staying ahead of the professionals, and being current and diligent in security and privacy protections are critical. How Can Technology Help to Prevent Identity Theft? Technology measures can prevent some types of identity theft. Businesses can require multi-factor authentication (two indisputable sources or elements that must be supplied to verify a person's identity). Smart card-based implementations can be adopted, such as subscriber identification modules, which prevent cloning of phones and have eliminated telephone theft/fraud, or smart card-based employee IDs, which provide strong authentication, are difficult to counterfeit, and are tamper-resistant. Human intervention and resistance are required to successfully attack non-technical methods of identity theft such as dumpster diving and social engineering. In the case of dumpster diving, for example, a paper shredder can be used to destroy paper bills. What Should Consumers Do to Protect Themselves? Consumers should be aware of their rights and responsibilities for protecting themselves and request a free copy of their credit report. In the U.S., a recent amendment to the Federal Fair Credit Reporting Act requires that the national consumer reporting companies (Equifax, Experian, and TransUnion) provide consumers with a free copy of their credit report, upon request, once every 12 months. Consumers need to make this request through the FTC website, as this is the only authorized online source. Consumers are urged to monitor their reports routinely for unusual activity. Consumers are also encouraged to be proactive:
About this Article This article is an extract from the Smart Card Alliance Identity Council white paper, "The Top 10 Hot Identity Topics," researched and written by the Identity Council and published in February 2006. This white paper was developed to provide a high-level discussion of the top 10 challenges associated with current identity systems. This paper covers a range of topics and offers perspectives on how the most critical identity issues can be addressed with policy, process, and technology solutions. Individuals from 15 organizations in the Identity Council collaborated on this white paper. Lead contributors included representatives from: Axalto, Booz Allen Hamilton, Datacard Group, Fargo Electronics, Hitachi America Ltd., IBM, International Biometrics Industry Association, Saflink, Texas Instruments, Viisage. The full white paper and additional information about smart cards and the role that they play in secure identification and other applications can be found on the Smart Card Alliance web site at www.smartcardalliance.org . About the Identity Council The Identity Council is one of several Smart Card Alliance Technology and Industry Councils, a new type of focused group within the overall structure of the Alliance. These councils have been created to foster increased industry collaboration within a specified industry or market segment and produce tangible results while raising public awareness to the value of smart card technology. The Identity Council is focused on promoting the need for technologies, legislation and usage solutions regarding human identity information to address the challenges of securing identity information, reducing identity fraud and increasing the usefulness that secure identity information delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning and multiple organization resources to bear on addressing the challenges of securing identity information for proper use. The Council is currently working on projects to raise awareness of the issues that organizations and the public face in implementing and using identity systems and to promote the use of the appropriate technologies to solve these issues. The Identity Council includes participants from across a broad spectrum of identity technology providers. Identity Council participation is open to any Smart Card Alliance member who wishes to contribute to the Council projects. Additional information about the Identity Council can be found at http://www.smartcardalliance.org/about_alliance/councils_ic.cfm.
|
|
