

 StrongAuth, Inc. Newsletter

December 20, 2002
Copyright © 2002 StrongAuth, Inc.






Can identity-theft be prevented?



 

How big a problem is identity theft? An insightful report published by the GAO, whose 11-page summary is worth a read, states some of the following facts:

  • Credit card fraud losses associated with identity theft went up from $700M in 1996 to over $1.0B in 2000.

  • The number of Fraud Alerts on customers' files at the three credit reporting agencies went from 84,900 in 1999 to over 210,000 in 2000.

  • The number of cases reported by the SSA went from 11,000 in 1998 to over 65,000 in 2001.

Identity-theft represents one of the fastest growing crimes in the USA. With increasing reliance on computers for every activity and the growth of e-commerce, the problem promises to become western civilization's biggest headache pretty quickly.

The simple answer to the title question is: with the way things are today, it's impossible to prevent identity theft! What are some of the reasons that make identity theft possible and relatively easy?

  • Inappropriate use of technology. Almost all businesses, with the exception of some Department of Defense agencies in the US Government and some sophisticated corporations, use secret keys and single-factor schemes for authentication. The username and password, invented during a time when computers were standalone monoliths, is still the most widely used form of authentication, even in a world where the Internet connects more than half a billion computers. The problem? More than 99% of passwords can be cracked by commonly available attack tools in less than 30 minutes.

  • Business processes are rendered vulnerable due to the use of another form of “secret-key” based authentication – asking for a mother's maiden name, your high school name, etc., all of which can be obtained without too much difficulty by a determined identity-thief.

  • Inappropriate use of information. The Social Security number, or the driver's license, is used to identify an individual for business transactions, even when the transaction has nothing to do with that individual's taxes or driving record.

  • Inadequate protection of data. While attacks on the Internet have risen dramatically over the last five years (www.cert.org/stats), the only thing businesses have done to protect sensitive data is add firewalls and virus scanners at the perimeter of their networks. The problem? The misplaced assumption that everything is coming through the firewall, and that everything inside the firewall is automatically considered trustworthy.

  • Another example is that of printing full account numbers on statements and transaction records, which are easily stolen from mailboxes. No, e-mailing such records is not a solution, since no business uses encrypted e-mail to the best of our knowledge.

  • Inadequate investment. A reluctance to invest in better identity protection solutions that have existed for nearly two (2) decades! Most technology vendors continue to use single-factor, secret-key based authentication, despite recognizing the risks of such technology. To make things worse, there are efforts currently underway in the industry that could compound the problem: Single Sign-On using a username and password! When deployed in the form that has been standardized today, it will compromise somebody's identity on every system the username is linked to. The angst that today's identity-theft victims feel will be trivial compared to what tomorrow's victims will experience when this technology is deployed.

  

What prevents businesses and the government from investing in better technologies and solutions?

  • Inertia. Due to the dramatic rate of change brought on by new technology, needed changes to the security infrastructure do not have a high priority. Firewalls and virus scanners have an impact on a business's and its employees' ability to function; as such, they get deployed. However, identity theft affects specific individuals rather than an entire company, so the priority doesn't bubble up.

    Secondly, in today's competitive environment, a business constantly depends on having some new capability in their software to meet a business need. Given that some technology (Usernames and Passwords) exists to address the authentication issue, most companies consider this adequate and ignore this issue.

  • Ignorance. A lack of awareness of increasing risk on the part of business managers. While the benefits of personal computers, networks, databases, the Internet and the World Wide Web were made readily apparent to business people, their weaknesses and risks were downplayed by vendors. Security professionals recognize the risks and attempt to make their businesses aware of them; however, they're generally given short shrift: security spending is a non-revenue-producing expense that must, generally, be minimized! As such, there is a great disparity between the perception and reality of risk today.

  • Cost. Determining how to pay for it. In a highly competitive global environment, anything that adds to the cost of doing business is immediately rejected, unless a law mandates it. What we have, consequently, is a classic conundrum: businesses will not invest in an improved security infrastructure unless it removes the “competitive disadvantage” for them; at the same time, they're reluctant to allow the government to mandate anything that increases their costs.

 

 Solutions

We'll address the solutions to these individual problems in the next few newsletters. While it may appear that this is a very hard nut to crack, there are solutions. However, the stakeholders in the issue (Consumers, Businesses, Technology Vendors and Government) have to make a concerted, and cooperative, effort to solve it. It isn't enough to wait for the best solution to rise to the top, as is typical of American philosophy. The whole mess with the cellular phone service in the US (GSM everywhere vs. USA's alphabet-soup mess) has shown us that sometimes it's better to mandate a single standard and compete on implementations and services, rather than wait for the right standard to show up.

Until the new year, a very happy holiday to all of you!

 Resources

Government Accounting Office (GAO)'s report on identity-theft.

Federal Trade Commission (FTC)'s identity-theft website.

US Department of Justice (DOJ)'s identity-theft website. 

 




StrongAuth, Inc. is a California-based company providing risk-management solutions in the areas of Identity Management and Sensitive Data Management. Contact us to see how we can help you.



Permission to reprint and forward this newsletter is granted, as long as the newsletter, including its copyright, is not modified in any manner. Comments are welcome.


