It's the modus operandi for a growing band of criminals who steal and resell credit card, social security and other sensitive personal information every day in ever increasing volumes.
It's ironic that as many other types of crime are declining, identity theft is booming. By stealing enough information to impersonate consumers, hackers and the gangsters who employ them are defrauding businesses of many millions of euros a year. Identity theft is now the leading type of consumer fraud in the U.S., for example, with 162,000 cases last year alone.
Seven percent of adult online consumers surveyed by researcher Gartner in September 2002 had been victims of credit-card fraud, and one percent reported having their identity stolen. That may not sound like a lot, but consider the number of people who use credit cards online and the money they spend - it's frightening. Gartner believes that a lot more than one percent of shoppers will be victims of identity theft.
Why is this happening? Several issues stand out. First, massive volumes of consumer and business information are being put online every day to meet the requirements of businesses competing in ultra-competitive environments. And for good reason - organizations of every size and description are automating the way they do business to cut costs, speed service, and reach their customers, suppliers and partners more easily. But in the wrong hands, this information is highly dangerous.
Second, despite the costs of fighting identity theft, the web is still the best friend businesses and consumers have ever had. We're not going to scrap the internet because of identity theft. But we do need to get much more serious about managing the problem.
Too many organizations are still in the dark ages compared to the identity thieves they are up against. The fact is that today's identity thieves, who often have inside experience, are outsmarting us at nearly every turn.
It's not hard to see why. Ask yourself: who is more likely to be successful - a determined hacker using powerful attack tools to search for a security hole in a company's systems, or a developer with a thousand other things to do besides plugging every conceivable security hole?
Yes, we have the security tools to manage the problem. But unfortunately it's not as simple as installing a software package.
The real issue is that most IT organizations are too stretched to devote the resources to keeping up with the thieves - let alone get ahead of them by designing systems that are so sophisticated the thieves can't get in. Organizations spend too much time reacting to security breaches, rather than preventing them from happening. They must change their culture and processes if they are to defeat the hackers.
The most effective deterrent to identity theft is to make your organization's IT architecture so airtight that thieves decide it's not worth it. After all, there is fundamentally nothing new about identity theft, which amounts to exploiting holes in existing technology. Instead of tapping telephone lines and rifling through rubbish bins for credit card receipts, today's thieves steal data using a mouse and keyboard, and they sell their booty to the highest bidder on the street. Some are also recruited by gangsters to steal specific information.
We must replace the patchwork of security systems currently in place with an integrated overall security architecture that plugs the holes inside and outside the enterprise. We must make sure that the right people have access to the systems, applications and data they need, and that everybody else stays out.
So here is a simple plan of attack to beat the identity thieves.
First, you must shut out all former employees and temporary employees by canceling their company IDs and system passwords. With employee turnover running near 100 percent in parts of some industries, it's not unusual for 20 percent of company accounts to belong to employees who haven't worked for the organization for five years or longer. Some of these accounts never expire, and may allow former employees to roam freely inside the enterprise.
An even bigger inside problem is current employees who have unrestricted access to systems and data that are not related to their job responsibilities. You must create and enforce security policies that restrict employee access to information that is strictly relevant to their roles. Should a customer service agent have access to company inventory data? Maybe, but maybe not. And when employees gain access to information unrelated to their job, you must have systems in place that alert you and prompt you to take appropriate action.
Second, you should recognize that many of today's legacy security systems are highly vulnerable to hacker attack. A hacker can often access a public web site linked to an internal distributed file system, and gain access to company and customer files. The fix is to replace patchwork security code with a sophisticated security architecture that closes the holes that get opened up between different parts of the business, thereby outsmarting the thieves at their own game. Security is no longer an optional bolt-on, and it's no longer something most companies can do well by themselves.
Third, you must manage your customer data in a way that completely protects individual customer identity and privacy. While customization based on individual data is clearly here to stay, raw data must be kept under strict lock and key so that unauthorized people cannot use it to invade individual privacy. For example, does the marketing department need access to everyone's name and address, or should they only have access to macro trend data? You can easily extract macro data from individual customer information, which will protect individual customers' privacy rights and yield nearly the same business benefit.
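As an added illustration of the first two steps above (not code from the article or from Tivoli), the following Python sketch runs a deprovisioning review over a constructed account directory and HR roster, then checks access events against a constructed role policy so that out-of-role access produces an alert record rather than passing silently. All names, roles and dates are made up for the example.

```python
from datetime import date

# Constructed sample data (not from the article): current HR roster and the
# accounts that exist in the directory today.
AUDIT_DATE = date(2003, 6, 11)
HR_ROSTER = {"alice", "bob", "carol"}
ACCOUNTS = [
    # account_id,  owner,   expiry (None = never expires), last login
    ("alice",      "alice", date(2004, 1, 1),   date(2003, 6, 10)),
    ("bob",        "bob",   None,               date(2003, 6, 9)),
    ("dave.tmp",   "dave",  None,               date(1998, 3, 2)),  # temp who left years ago
    ("svc_report", "erin",  date(2003, 12, 31), date(2003, 6, 1)),  # owner no longer on roster
]

# Constructed role policy: the data classes each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "customer_service": {"customer_contact", "order_history"},
    "marketing":        {"trend_aggregates"},
    "warehouse":        {"inventory"},
}

def orphan_accounts(accounts, roster, today, dormant_years=5):
    """Step 1: accounts a deprovisioning run should cancel or review, keyed by id."""
    findings = {}
    for acct, owner, expires, last_login in accounts:
        reasons = []
        if owner not in roster:
            reasons.append("owner not on HR roster")
        if expires is None:
            reasons.append("never expires")
        if (today - last_login).days > 365 * dormant_years:
            reasons.append("dormant")
        if reasons:
            findings[acct] = reasons
    return findings

def check_access(user, role, data_class):
    """Step 2: allow only role-relevant data; anything else becomes an alert record."""
    if data_class in ROLE_ENTITLEMENTS.get(role, set()):
        return None
    return {"user": user, "role": role, "data_class": data_class,
            "action": "review access and revoke if not job-related"}

def audit(events):
    """Run a batch of (user, role, data_class) access events through the policy."""
    return [a for a in (check_access(*e) for e in events) if a is not None]

if __name__ == "__main__":
    for acct, why in orphan_accounts(ACCOUNTS, HR_ROSTER, AUDIT_DATE).items():
        print(f"REVIEW {acct}: {', '.join(why)}")
    for alert in audit([("alice", "customer_service", "order_history"),
                        ("alice", "customer_service", "inventory")]):
        print("ALERT", alert)
```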
Enhanced security doesn't have to be a business inhibitor. In fact, if implemented wisely, security is a business enabler. It's up to you to take preventive steps that will strengthen your business as well as defeat the bad guys before they strike. It can be done.
Peter Jopling is sales manager, Tivoli Security Solutions EMEA (www.tivoli.com).