Subscribe
Blog / Podcast Readers
NEWSGATOR YAHOO
BLOGLINES ITUNES
DEL.ICIO.US DIRECT RSS

Are we too scared of ID theft?

by Shannon Kellogg on 10/18/2006
Topics: E-Security | Government Policy | Identity Protection | Online Fraud, Fraudsters

There was an interesting op-ed in the October 14th edition of The Washington Post entitled "The Identity Theft Scare" by Fred Cate of Indiana University. Professor Cate argues that while identity theft is receiving lots of attention these days, "...The happy ending to the VA [U.S. Veterans Administration] saga should have come as no surprise. The fact is that few if any such breaches lead to identity theft or other consumer injuries."

I sincerely hope Professor Cate is right because, in addition to the plethora of "data breaches" that have already been announced since the ChoicePoint debacle in early 2005, the House Government Reform Committee just last week released its findings on specific data losses across the U.S. federal government during the last three years. The news is not good for federal agencies. The AP reports that "...Federal workers at 19 agencies have lost personal information affecting thousands of employees and the public, raising fresh concerns about the government's ability to protect sensitive information." The House Committee's report cited 788 incidents involving "the loss or compromise" of sensitive personal information since January 1, 2003.

It is unknown how much of this information is being used to conduct identity theft. And, while I agree with Professor Cate that there is a fair amount of speculation about the extent to which identity theft is actually being committed, it is also very difficult to discern just who is at risk and when they are at risk after that information is compromised. How can Professor Cate -- or anyone, for that matter -- know just how long a criminal might wait to exploit stolen sensitive information such as a social security number, or how many times that information could change hands before it is actually used?

In his October 14th op-ed, Professor Cate closed with this statement: "The danger of the security breach frenzy is not merely that it exaggerates the risk of identity theft and the role that security breaches play but it ignores greater threats, such as the involvement of organized crime and the emergence of new and harder-to-detect frauds, that menace our increasingly information-dependent society."

Could he be talking about cyber-crime?

Perhaps some of these additional articles from the past week in U.S. and UK press will help shed some additional light on the complexity of the subject:

SEC warns online brokerages of cyber-fraud
October 14, 2006
MSNBC.com

Cybercrime flourishes in online hacker forums
October 12, 2006
USA Today

Finally, I will say this. The term "identity theft" is often not properly cited when discussing data breaches or some type of compromise of sensitive information that could be used for nefarious purposes. Sometimes personal information is used to conduct identity theft and other times it is used to commit other types of fraud such as account hijacking or to use an individual's e-mail account to rip someone else off. It's not just about identity theft, and various methods are used in both the online and offline worlds to get a hold of someone's personal information that can somehow be turned into a profit for the criminal stealing it.

However, one key aspect of the overall issue that was missing from Professor Cate's op-ed was that the Internet is being utilized quite effectively to steal sensitive information that can result in profit -- and this is by no means a domestic U.S. challenge only. Last week, in a story titled "Thousands of Brits fall victim to data theft," published on News.com, it was reported that "...a computer seized in the U.S. had been found to contain personal information from around 2,300 PCs based in Britain. This included e-mail addresses, passwords, credit card numbers and details on online transactions." According to the News.com story, British law enforcement indicated that the data was stolen via a piece of malicious code that was installed on the victims' machines without their knowledge.

What do you think about Professor Cate's article? Do we use the right terminology to describe the evolving threats to our personal information? Is ID theft as big a concern as emerging threats such as organized cybercrime? Or do the two go hand-in-hand?

Comments
Serious Concern

This is indeed a serious concern. I myself was a victim of Identity Theft 3 months back. However, i managed to escape from the situation by taking some positive steps towards protecting my identity. Bills.com offers something really interesting on Preventing Identity Fraud. Really worth a read one time. Regards, Steven

- Steven James: stevenjames1308@yahoo.com
In response to comments by David Kearns' in The Virtual Quill

Kearns wrote:

Well, I'm no director of security policy, nor am I an identity thief, but even I could hazard a guess that the best time to use stolen identity information is ASAP - before the victim discovers the loss and reports it to the authorities! If it were jewelry that was stolen, say, then it makes sense to sit on it for as long as possible - until the heat is off on the burglary. But stolen identity info goes on automated electronic watch lists - it's not subject to some pawn shop owner reading through volumes of lists of stolen items.

Dave, there was actually a different point in this statement that you quoted from my blog posting: How can Professor Cate--or anyone, for that matter--know just how long a criminal might wait to exploit stolen sensitive information such as a social security number...

You are correct. If someone grabs credit card information, they are likely to try to use that as soon as possible, although I have been informed by law enforcement experts that even credit card information can sometimes be sold multiple times over a period of weeks and months before it is actually used, depending on how it was stolen and if the holder of that information actually realized that it had been exposed electronically or otherwise. But, the reason that I highlighted "information such as a social security number" is this: if a database of sensitive personal information is hacked, for example, but there is no immediate indication that that information will be used to hijack the victim's identity, this does not mean that the victim is off the hook. The criminal may sit on that information for a while or sell it to another criminal to be used at another time. It is a lot more difficult--and inconvenient--for a consumer to change their Social Security Number than it is to cancel a credit card; and, unlike credit card fraud, it can also take months and sometimes years to undo the damage done when someone runs amok with an SSN for nefarious purposes.

If you want to call me a "Chicken Luddle" for challenging those that imply that there is no threat of ID theft -- and believe me, there are plenty of them in Washington, DC, where I work -- then so be it! But I believe the overall point I was making is one worth communicating, responsibly, to the industry and its end-users. The sky is not falling, certainly, but that is no reason to be complacent.

- Shannon Kellogg

Post A Comment

Your Name
Your Email Publish email?: Yes No
Your Blog
Subject
Comment
Verification Word
© 2010 RSA Security. All rights reserved | Privacy | Legal | Site Map

RSA, The Security Division of EMC, provides Secure Data, Compliance, SIM, SEM, SIEM, PCI, Consumer Identity, Two-Factor Authentication, Custom Applications, Consulting, Assessment, and other security solutions and services to over 90% of the Fortune 500.
 
Access Control |  Authentication and Identity Assurance |  Credential Management |  Data Loss Prevention |  Data Encryption and Key Management |  Fraud Prevention |  Security Information and Event Management |  Log Management |  IT Compliance |  ISO 27002 Compliance |  Information Risk Management for Financial Services |  Payment Card Industry Data Security Standard | 
 
RSA Access Manager
RSA BSAFE
RSA eFraudNetwork
 RSA Data Loss Prevention
RSA Consumer Solutions
RSA FraudAction
 RSA Digital Certificate Solutions
RSA Encryption/Key Management
RSA Enterprise Data Security
 RSA enVision
RSA SecurID
RSA Smart Cards

 RSA Federated Identity Manager
RSA Adaptive Authentication