Identity Theft Measures

By Laura Roe Stevens

Identity theft has increased 100 percent in the past two years, according to the Federal Trade Commission. "Phishing" in particular, a fast-growing scheme in which criminals steal personal information through fraudulent e-mail, took $500 million from victims last year, according to a joint study by Ponemon Institute, a Tucson, Arizona-based research company, and TRUSTe, a nonprofit organization based in San Francisco.

Phishers have grown ever more skillful at fooling the public with e-mails that mimic companies' own. Some phishing scams have even tricked staff in IT departments into giving away company passwords. Typically, however, phishers target online banking customers. A customer receives an e-mail that appears to come from his or her bank, asking for an updated password or for credit card verification details. The link in the e-mail appears to lead to the bank, but in fact sends the customer to a copycat site run by thieves waiting to drain the account or use the card. The visible link text may show the bank's real address while the underlying link points elsewhere, or the destination may use a lookalike domain; either way the copycat site has a different URL from the genuine one, and anything typed into it goes directly to the criminals.

It has never been more critical for organizations to bolster their information system protections; increase awareness for employees and customers; and focus executive-level attention on IT security.

The government has stepped in to help, with two laws aimed at making identity theft an expensive criminal act. This summer, the Identity Theft Penalty Enhancement Act was passed, following the Fair and Accurate Credit Transactions Act (FACT Act) passed last December. Each provides protections against identity theft, but they differ in how they target criminals and in what they require of organizations' data handling.

Identity Theft Penalty Enhancement Act: Signed into law in July 2004, this act stiffens punishment for identity thieves, including those who operate over the Internet:

  • Provides tougher penalties for thieves, adding two years to the prison term of anyone convicted of using stolen credit card numbers or other personal data to commit crimes. Those who use such data in "terrorism offenses" get five more years added to their sentences.


  • Increases penalties for employees who steal sensitive data from their own companies.


  • Mandates collaboration among law enforcement agencies through an online clearinghouse that tracks and monitors Internet-based identity fraud schemes.

The Fair and Accurate Credit Transactions (FACT) Act:  Amends the Fair Credit Reporting Act, enacted in 1970 to provide privacy and accuracy assurances to consumers regarding their credit history:

  • Restricts the use of credit report information by companies for marketing purposes. CIOs must ensure that credit report data is not available to the people in the organization who handle marketing and promotions.


  • Requires companies to destroy all electronic records of information from credit reports in a way that renders them "unrecoverable." Simply deleting a file does not meet that bar; the data must be overwritten or the media destroyed. CIOs must therefore know which systems house that information in order to plan for securing and destroying those records.


  • Allows consumers one free credit report annually from each of the three nationwide credit reporting agencies.

While these laws are a step in the right direction, most experts don't think they'll do enough to stop phishing attacks, especially since many phishing criminals are located beyond U.S. jurisdiction, in Eastern Europe and Russia, according to Ferris Research estimates. What's more, the FACT Act's emphasis on the destruction of records may reduce identity theft by people who rifle through trashcans or by employees who stumble upon electronic records, but it does little to prevent e-mail scams.

"Industry must react faster than the government. Financial institutions that become victims of phishing crimes -- instead of placing all their hopes on protocols -- need to do things today to minimize attacks," says Scott Chasin, CIO of MX Logic, Inc., an e-mail defense company based in Denver, Colorado. MX Logic provides e-mail defense services such as URL filtering, which checks whether the links within an e-mail lead to reputable Web sites or to phishing sites. Such software can also track links clicked from within an e-mail; if a consumer clicks a questionable link, a warning message can be shown or the link blocked outright.
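The two paragraphs above describe the trick (link text that shows the bank's address while the real destination is elsewhere) and the countermeasure (filtering the URLs inside an e-mail). The following is an added example, written for this page and not code from the article, from MX Logic or from any vendor: it parses the HTML body of a constructed phishing e-mail, pulls out each link's real target and its visible text, and flags the classic deceptions. The allow-list of legitimate bank hostnames (`examplebank.com`) and the sample message are assumptions made up for the demonstration.

```python
"""Flag deceptive links in an HTML e-mail body.

Added example for this article; not the article's or any vendor's code.
Heuristics implemented per link:
  1. display mismatch: the visible text names one host, the href another
  2. raw IP address as the host
  3. userinfo trick: "https://www.examplebank.com@evil.example/" (the part
     before "@" is a username, the real host is what follows it)
  4. host not on the sender's allow-list of legitimate hostnames
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Hypothetical allow-list of the bank's own hostnames (constructed).
LEGIT_HOSTS = {"www.examplebank.com", "online.examplebank.com"}

# Pulls a hostname out of visible link text such as "https://online.examplebank.com/x".
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return [(href, visible_text), ...] in document order."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_findings(href, text):
    """Return a list of reasons the link looks deceptive; empty means clean."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()      # hostname strips any userinfo
    if parts.username is not None:
        reasons.append("userinfo in URL")
    if _is_ip(host):
        reasons.append("raw IP host")
    shown = HOST_RE.search(text)
    if shown and shown.group(1).lower() != host:
        reasons.append(f"display mismatch: text says {shown.group(1)}, href goes to {host}")
    if host and host not in LEGIT_HOSTS:
        reasons.append(f"host {host} not on allow-list")
    return reasons


def scan_email(html):
    """Map each flagged href to its findings; clean links are omitted."""
    flagged = {}
    for href, text in extract_links(html):
        reasons = link_findings(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


# Constructed sample: two deceptive links and one genuine help link.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, please verify your account within 24 hours.</p>
<p><a href="http://203.0.113.5/secure/login">https://online.examplebank.com/secure/login</a></p>
<p><a href="https://www.examplebank.com@examp1ebank.example/verify">Verify now</a></p>
<p><a href="https://www.examplebank.com/help">Help center</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

The first sample link is caught three ways (raw IP, text/target mismatch, host not allow-listed); the second hides a lookalike domain behind the bank's name in the userinfo position; the third is genuine and produces no findings. Digit-for-letter lookalikes such as `examp1ebank` are only caught by the allow-list, which is why a filter of this kind needs the institution's real hostnames rather than pattern matching alone.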

One step CIOs can take toward defending their companies from identity theft is to segregate sensitive customer data from the rest of the company's data and to monitor access to it, so that unusual activity against those records is noticed.

CIOs must also ensure that electronic credit card information is destroyed when it is no longer needed and is never included in marketing solicitations, which the FACT Act prohibits. Limiting the distribution of sensitive customer data in this way shrinks the pool of information a phisher or an insider can steal.

Not least, awareness through education is a key layer of protection. An education program for employees and customers must be a top priority within the organization, as it can save millions of dollars in thwarted phishing attacks and head off bad press and loss of credibility.

The potential devastation wrought by phishing must be communicated to the other members of the boardroom, so that C-level peers relay the significance of counter-phishing policies to their own staffs. Since many departments within an organization send e-mail campaigns, the CIO must enforce those policies across the entire company, with the CEO's blessing. Phishers are growing increasingly sophisticated, with new forms of phishing appearing every quarter, or even every month. CIOs must keep abreast of the latest phishing tactics by reading current analyst reports on the topic, such as those by Ferris Research or Gartner, in order to warn the customers and employees who might fall for the latest schemes.

Phishing has been described as one of the most insidious forms of attack to date, because the schemes trick customers into unwittingly giving away sensitive, private data. As phishing grows in sophistication, companies cannot rely on laws created by the good will of the government. Where the motivation for attacks is financial, as it is in phishing, companies are largely on their own. It is up to the CIO to protect companies and their customers.

Laura Roe Stevens is an Atlanta-based freelance writer who has covered business and technology for The New York Times, Los Angeles Times, and the Atlanta Business Chronicle.
