Each year the Federal Trade Commission releases a report based on data from its Consumer Sentinel Network. Sentinel is a massive database of consumer complaints received directly by the FTC and forwarded to it by state law enforcement agencies and the FBI’s Internet Crime Complaint Center. Unfortunately, 2012 was a record year: the FTC saw two million incidents added to Sentinel.
Sentinel has been up and running since 1997 and has accumulated over eight million records. Complaints are classified into 30 different categories. In this latest report, identity theft was again the most common complaint category, for the 13th consecutive year, with about 370,000 incidents. As I’ve recently written, 2012 was also a busy year for hackers breaching corporate networks to scoop up consumers’ personal data.
By the time an identity theft incident reaches the FTC, the consumer usually has discovered that some type of fraud has already been committed with their identity. The Sentinel database tracks fraud cases as well, and has valuable information as to how the stolen personal identifiers are used.
The largest category, accounting for about 46% of all cases, is government benefits and document fraud (theft of benefits involving wages or taxes, and fraudulent government documents). That’s followed by credit card fraud (13%) and phone or utility fraud (9%).
To make matters worse, identity thieves often open new accounts (credit card, banking, or mortgage accounts) in the victim’s name, so consumers are frequently unaware that transactions are being made on their behalf.
What’s being done about it?
In 2003, Congress responded to identity theft with a significant amendment to the Fair Credit Reporting Act that allows consumers to place a fraud alert on the credit files held by the credit reporting agencies (CRAs). An initial alert typically stays in effect for 90 days, though an extended alert can remain active for several years.
The big three national CRAs (TransUnion, Experian, and Equifax) are required to inform each other when any one of them receives an alert. The larger point, of course, is that lenders and other financial companies that use these reports must then take extra steps to verify an applicant’s identity before extending credit, and so can prevent additional fraud by denying credit to an identity thief.
How can consumers protect themselves?
Consumers have their role to play by filing fraud alerts, and the CRAs do their part by maintaining centralized credit information, but what about businesses? The FTC’s Red Flags Rule requires certain companies (mostly banks, but really any creditor that defers payment from a customer) to detect, prevent, and mitigate identity theft.
Overall, the FTC suggests businesses take basic security measures, such as deleting information that’s no longer necessary, to reduce breach risk. The focus of the Red Flags Rule, though, is to help companies limit the damage caused by identifiers that have already been stolen. They should of course look for alerts on a credit report, but just as importantly they must make reasonable efforts to authenticate customers. Asking for a Social Security number, date of birth, or mother’s maiden name is poor authentication, because that is exactly the kind of information that gets stolen.
If you’re looking for more guidance on how to strengthen authentication, the FTC points to the best-practices guidance on authentication published by the Federal Financial Institutions Examination Council.
A great video about what schools should teach. People from Facebook, Twitter, Microsoft and others explain what computer programming is and why it sparks interest and creative thinking.
Leap Motion wants to make motion control your next mouse. Here’s a look at what the developers of the to-do app Clear have done with the SDK.
This video documentary by Microsoft explores how digital technology, and specifically interaction design, is changing and will change our lives in an ever more connected world. It’s 18 minutes long but well worth a watch. I thought I’d paraphrase a few of the most thought-provoking comments from the documentary below:
“Without humans there’s nothing interesting to talk about.”
“We are in the phase where we are a little confused about what’s important in life.”
“It’s about understanding that ecosystem where the human is at the centre.”
“It’s about getting more of the physical world connected with the digital world.”
“What we design as a man-made object is only complete when there are people using it.”
U.S. Cyber Command (CYBERCOM), the military command responsible for the bulk of America’s defensive and offensive cyberwar efforts, is receiving a roughly fivefold manpower increase. Between 2014 and 2016, the Pentagon expects to add thousands of new billets (the exact number is still unknown) to the 900 service members currently assigned to CYBERCOM. CYBERCOM is charged with a staggering array of tasks designed to secure America’s online infrastructure, ranging in practice from detecting and patching security holes in critical infrastructure such as banking and utilities to building new network defenses for the military’s sprawling computer systems.
Some really interesting videos that look at the issues that not only the US but all of us face in the future. The significant increase in the manpower being recruited by the US military to address cyber crime highlights how seriously they are taking the threat. It is important for all companies to look at cyber crime too: anti-virus and anti-spam solutions do not protect you from all of it, and now is the time to examine what can be achieved with limited budgets.
Thanks to fastcompany.com for the videos
The jarring sound of an iPhone vibrating against a mahogany nightstand at 3:15am. This can’t be good. Server down? Much worse: 50,000 sensitive files have been stolen from a poorly permissioned file server. First, damage control. Next, investigation.
Problem: 50,000 files were stolen.
Why? The files were accessible to everyone in the company, even guests.
Why? The folder’s access control list was configured incorrectly.
Why? Chuck the intern configured that file server in 2007 and it hasn’t been reviewed since.
Why? We don’t have a process to review file system permissions.
Why? Because manually reviewing every folder’s ACL for problems is like searching for a needle in a haystack…and THERE’S ONLY THREE OF US AND A THOUSAND FILE SERVERS! SHEESH!
This fun little question-asking technique is called The 5 Whys. It was developed by Sakichi Toyoda at Toyota to determine the root cause of, and the solution to, any given problem in the manufacturing process. The technique has since been borrowed by coders, sysadmins, and startup founders alike.
See, behind every technical problem is usually a human problem.
On the surface, it seems the fictional security incident above was technical in nature: the ACL was configured incorrectly. Deep down, however, the problem was the company’s non-existent entitlement review policy.
The 5 Whys technique encourages us to address the problem on multiple levels: fix the ACL, stop letting interns configure important systems by themselves, and institute a system for performing periodic entitlement reviews.
Sometimes it’s not feasible to immediately address every single problem uncovered, but 5 Whys suggests that if you make a proportional investment in the solution every time an incident occurs, you’ll eventually get to a point where you have an optimal level of protection against a given problem. In our example, maybe you’d start by piloting entitlement reviews with a small business unit, or review just the super sensitive data sets.
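One way to make that periodic review practical, as an added example that is not part of the original post: an automated scan that walks a share and reports what everyone can effectively reach, so a three-person team can triage by sensitivity instead of reading ACLs folder by folder. The incident’s NTFS “Everyone, even guests” ACL is modelled here with POSIX “other” permission bits; the sample share, its path names and the `sensitive` prefixes are all constructed for the demonstration. The check that a practitioner wants and that a naive scan misses: a file is only exposed if every directory above it is traversable by everyone, and permissive bits under a locked parent are a latent problem that surfaces the moment someone loosens that parent.

```python
"""Automated entitlement review over a file tree (added example, not from the post).

Models the "accessible to everyone, even guests" ACL with POSIX 'other' bits.
A path is only *effectively* exposed if every directory between the share root
and the path is traversable by 'other' (x bit); permissive bits under a locked
parent are reported as 'latent', since loosening that parent exposes them.
"""
import os
import shutil
import stat
import tempfile

SEVERITY = {"world-writable": 0, "world-readable": 1, "latent": 2}  # lower sorts first


def _is_sensitive(rel, sensitive):
    """True if rel is one of the sensitive prefixes or lies beneath one."""
    return any(rel == s or rel.startswith(s + os.sep) for s in sensitive)


def review_tree(root, sensitive=()):
    """Return findings for root, sensitive data sets first, then by severity."""
    root = os.path.normpath(root)
    findings = []
    traversable = {}  # absolute dir path -> can 'other' reach this directory?
    for dirpath, _dirnames, filenames in os.walk(root):  # top-down: parents first
        dmode = os.lstat(dirpath).st_mode
        parent_ok = True if dirpath == root else traversable[os.path.dirname(dirpath)]
        here_ok = parent_ok and bool(dmode & stat.S_IXOTH)
        traversable[dirpath] = here_ok
        drel = os.path.relpath(dirpath, root)
        # A world-writable directory lets anyone plant or replace files in it.
        if dmode & stat.S_IWOTH:
            issue = "world-writable" if here_ok else "latent"
            findings.append({"path": drel, "issue": issue,
                             "sensitive": _is_sensitive(drel, sensitive)})
        for name in filenames:
            path = os.path.join(dirpath, name)
            fmode = os.lstat(path).st_mode
            if stat.S_ISLNK(fmode):
                continue  # symlink targets are judged where they actually live
            if fmode & stat.S_IWOTH:
                issue = "world-writable"
            elif fmode & stat.S_IROTH:
                issue = "world-readable"
            else:
                continue
            if not here_ok:
                issue = "latent"  # bits are loose, but a parent directory blocks access today
            frel = os.path.relpath(path, root)
            findings.append({"path": frel, "issue": issue,
                             "sensitive": _is_sensitive(frel, sensitive)})
    findings.sort(key=lambda f: (not f["sensitive"], SEVERITY[f["issue"]], f["path"]))
    return findings


def _touch(path, mode):
    with open(path, "w") as fh:
        fh.write("constructed sample content\n")
    os.chmod(path, mode)  # explicit chmod so the process umask cannot interfere


def build_sample_share(base):
    """Lay out a constructed share mirroring the incident (hypothetical names, not real data)."""
    os.chmod(base, 0o755)  # the share root itself is reachable by everyone
    for sub, mode in (("public", 0o755), ("public/dropbox", 0o777),
                      ("hr", 0o755), ("legal", 0o700)):
        os.makedirs(os.path.join(base, sub))
        os.chmod(os.path.join(base, sub), mode)
    _touch(os.path.join(base, "public", "readme.txt"), 0o644)   # public by design
    _touch(os.path.join(base, "hr", "salaries.csv"), 0o644)     # Chuck's mistake: exposed
    _touch(os.path.join(base, "hr", "notes.txt"), 0o640)        # group-only: fine
    _touch(os.path.join(base, "legal", "contract.pdf"), 0o666)  # latent: parent is 0700


def run_demo():
    """Build the sample share in a temp dir, review it, clean up, return the findings."""
    base = tempfile.mkdtemp(prefix="share-")
    try:
        build_sample_share(base)
        return review_tree(base, sensitive=("hr", "legal"))
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for f in run_demo():
        flag = "SENSITIVE " if f["sensitive"] else ""
        print(f"{flag}{f['issue']:<15} {f['path']}")
```

Run against the sample share, the report puts `hr/salaries.csv` at the top (sensitive and readable by everyone), lists `legal/contract.pdf` as latent because `legal` is locked, and flags the world-writable `public/dropbox` ahead of the harmless public readme. On a Windows file server the same walk would read each folder’s DACL and look for ACEs granting Everyone, Guests or Authenticated Users, with the same rule about inheritance from parents; the triage logic does not change.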
The 5 Whys is an excellent technique for determining root cause so you can take reactive steps to ensure a problem doesn’t happen twice. In my next post I’m going to talk about a new model for holistically evaluating your company’s risk profile so you can make proactive improvements.
Inside Counsel magazine recently reported that data security is the top issue cited by more than half of in-house lawyers. This was reflected in a conversation yesterday at the IACCM Board Meeting, where both lawyers and non-lawyers highlighted its growing importance.
The Inside Counsel article focuses on the need to understand the nature of the data possessed within a business and then to take steps for its protection. It concentrates largely on worries over regulatory compliance and reporting, so various forms of personal data lie at the forefront of concerns. Since some level of hacking appears inevitable, the advice relates largely to the steps needed to limit potential fines and to eliminate the need for reporting. Much of this revolves around encryption, but also the need to analyze data flows to ensure weak spots are identified.
At the IACCM meeting, perhaps because more of the companies represented are business-to-business, the focus was somewhat different. For them, data security was also about critical business data: product development, strategic plans, customer records. The concern is more around the exposure that arises from links with trading partners, that is, the extent to which shared systems or information access create a gateway to wider data loss. The implications of this force companies to consider a wider array of solutions. This includes terms and conditions that commit trading partners to appropriate steps and contain penalties for failure, and it often incorporates some right of audit or validation.
But ultimately, terms and conditions are a relatively weak form of protection, because the most likely reasons for a data security breach are either that a trading partner lacks size and sophistication or that it lacks integrity. These issues will typically be fixed in only one of two ways: do the work in-house, or select top-quality partners who cannot afford reputational damage.