This is how ID theft arrives at your door: When John N. Stewart tried to buy his wife a motorcycle, things did not go well. He had trouble getting credit and, to be honest, he had expected to, since he himself had issued a fraud alert with the credit bureaus warning creditors to be leery of anyone claiming to be John N. Stewart. He had no choice. Someone had forged a California driver's license in his name and used it to take out $3,500 of instant credit at an automotive repair shop in which he, the real John N. Stewart, had never set foot.
The motorcycle shop that his real feet eventually walked into needed to confirm that John N. Stewart was indeed creditworthy.
But they couldn't.
"When you say to a person from whom you're buying something, 'When you call to check, they might deny my credit,' cynicism sets in at the other side of the desk," says Stewart, director of corporate security programs for Cisco and former CSO for the Cable & Wireless subsidiary Digital Island. "They look at you like you're just a deadbeat that can't manage your credit."
For 16 months, Stewart worked to prove he wasn't a deadbeat. He pored over copies of his credit report, made explanatory phone calls and filled out legal documents. Still, when he walked down the street, he had the strange feeling that everyone he saw thought he had bad credit. It didn't matter that eventually he got the motorcycle. He felt angry and on edge all the time. "It becomes a very personal experience," he says, "and it's almost embarrassing. OK, it is very embarrassing."
What's more valuable than your own good name? Hardly anything, if the millions of dollars' worth of preapproved credit offers that litter Americans' mailboxes annually are any measure. That's why tales such as Stewart's strike fear in the hearts of the bill-paying populace. Identity theft is, after all, the fastest-growing white-collar crime in the country.
A recent Federal Trade Commission study suggests that nearly 10 million Americans discovered in the past year that they had been the victim of some kind of identity fraud, ranging from simple credit card fraud to complicated cases of identity takeover. This type of crime costs individual victims an average of $500 each and businesses an estimated $48 billion a year. The problem is so acute that, in December, President Bush signed the Fair and Accurate Credit Transactions (FACT) Act of 2003, which is intended to help consumers control and monitor their credit ratings.
Identity theft is difficult enough to prevent that even someone as security-savvy as a CSO can himself fall victim, as Stewart learned the hard way. But even if you don't work in the financial services industry, which is on the front line of preventing financial fraud, your customers and fellow employees are counting on you, the CSO, to keep it from happening to them.

The More Perfect Crime

People's identities, not pocket money, were the target of one sophisticated pickpocket ring busted by the New York City Police Department. Organizers quickly forged New York state driver's licenses using the names of women whose wallets had been stolen. Within hours of the purse-snatchings
"If I go and rob somebody, how much am I going to get? Maybe $100, $200," says Lt. John Otero, commanding officer of the NYPD's Computer Crime Squad, who worked on the case. "If I steal someone's identity, I can get from $4,000 to $10,000."
In the simplest instances of identity theft (which are more accurately described as identity fraud), criminals use a stolen credit card number, or perhaps a stolen PayPal or eBay account name and password, to purchase expensive items for personal use or resale. In more complicated cases of identity theft, thieves open new lines of credit or access bank accounts. And in the most serious cases of identity takeover, they use forged or even government-issued driver's licenses or passports to do all that and more.
The weapon? Personal information, including the victim's name, address, mother's maiden name, date and place of birth, and the most coveted number of all
The Internet makes this type of crime even more efficient. With "phishing" scams, criminals send out bogus e-mails telling recipients that they need to confirm certain account details to reactivate their accounts or claim prizes. The messages appear to come from a reputable business and often include logos and text lifted from company e-mails and websites. But the links actually go to phony but convincing websites set up solely to gather information, whether it's ISP passwords or Social Security numbers.
"It's just so much easier and cheaper than going around to people's mailboxes and stealing credit card applications," says Dave Jevans, chairman of a new industry association called the Anti-Phishing Working Group and a marketing senior vice president at Tumbleweed Communications. "And it can be done long distance."
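The link trick described above (a message that looks like it comes from the company but points somewhere else) can be caught mechanically before a customer sees it. The following is an added example, not code from the original article or from any of the companies it names: a small Python filter that pulls every link out of an HTML e-mail and flags the classic disguises, a user name in front of the real host (`www.legit.com@evil`), a raw IP address, a host outside the company's own domains, and visible link text that names a different host than the `href`. The allowlist `LEGIT_DOMAINS` (`example-bank.com`) and the sample message are constructed assumptions for illustration.

```python
"""Flag links in an HTML e-mail that do not belong to the company.

Added example, not code from the original article. LEGIT_DOMAINS and the
sample message are constructed assumptions for illustration.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: the only domains this company ever links to from customer e-mail.
LEGIT_DOMAINS = {"example-bank.com"}


def host_of(url):
    """Lower-cased host of a URL, or None when there is no usable host."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def is_legit_host(host):
    """True when host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return [(href, [reasons])] for every link a customer should not click."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if host is None or not href.lower().startswith(("http://", "https://")):
            findings.append((href, ["not a parseable http(s) link"]))
            continue
        reasons = []
        # http://www.legit.com@evil.example/ : browsers treat everything before
        # the @ as a user name and actually connect to evil.example.
        if "@" in urlsplit(href).netloc:
            reasons.append("user name before the host (legit.com@evil trick)")
        try:
            ipaddress.ip_address(host)
            reasons.append("raw IP address instead of a domain name")
        except ValueError:
            pass
        if not is_legit_host(host):
            reasons.append("host %s not one of ours" % host)
        # Visible text that looks like a URL must agree with where the link goes.
        shown = text.lower()
        if shown.startswith("www."):
            shown = "http://" + shown
        shown_host = host_of(shown) if shown.startswith(("http://", "https://")) else None
        if shown_host and shown_host != host:
            reasons.append("displayed %s but points at %s" % (shown_host, host))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: the first two links are phishing tricks, the third is genuine.
SAMPLE_MAIL = """
<p>Dear customer, please confirm your account details to reactivate your account.</p>
<p><a href="http://www.example-bank.com@203.0.113.5/login">www.example-bank.com</a></p>
<p><a href="http://example-bank.com.account-verify.example/">Click here</a></p>
<p><a href="https://www.example-bank.com/security">Security tips</a></p>
"""

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_MAIL):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The same check is useful in two places: on the inbound side, to triage the spoofed messages customers forward to the reporting address, and on the outbound side, as a gate on the company's own marketing mail, so that nothing the company sends looks like what it tells customers not to click.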
Consumers can protect themselves by staying informed about the latest Internet scams, by removing their Social Security numbers from their wallets, by shredding sensitive trash and the like.
But there's only so much one person can do. In another case Otero worked on, criminals took out second mortgages on victims' homes to the tune of $8 million. All the victims had purchased cars from the same auto dealership in the previous year, leading police to believe
"Most of the time, it's beyond the consumer's control," says Mari Frank, an attorney who made a name for herself as a consumer rights advocate after having her identity stolen in 1996. Her imposter ordered her credit report online, then used her good credit to take out new credit. More than seven years later, there's still an edge to her voice when she speaks of the incident. "People want to put the blame on the bad guy, but the bad guy can only do what he can do when it's facilitated by others," she says. "The companies that have our personal and financial information are the ones who are in the position to prevent this."
More specifically, the CSO is in the position to prevent this. Here are five ways any CSO can make a difference.
1 Practice good data hygiene. Got employees? Then you have information that could be used for identity theft, and nothing will help as much as just being good at your job in the first place. We're talking data hygiene 101: firewalls, background checks and security policies. "The reason that a CSO should be concerned over identity theft is because it fits in with so many other elements of a good security program," says Richard Lefler, the former vice president of worldwide security for American Express.
For instance, he says, background checks might help keep criminals from infiltrating your human resources department, where they could access employee records. Shredding policies could keep Dumpster divers from getting their mitts on sensitive customer data. And audit trails would help you determine the source of a possible problem if law enforcement spotted a trend that traced back to your company.
Sound paranoid? Perhaps. However, notes Lefler, although "criminal enterprises generally are small and loosely knit, they can be very large and very sophisticated.
"Other forms of white-collar crimes have become more difficult, so many of the criminals have migrated into doing identity takeover because they can increase their returns." In other words: Don't underestimate your enemy.
2 Limit the use of personal information. The best way for individuals to protect themselves from identity theft is by not carrying their Social Security numbers in their wallets. Yet many insurance cards, student IDs and driver's licenses still use this unique number as an identifier. (Only California has passed legislation making it illegal.)
And even businesses that aren't guilty of putting Social Security numbers on cards in people's wallets routinely print them on monthly account statements, which travel through the mail, which means that they can theoretically pass through the hands of everyone from envelope stuffers to mail sorters to, eventually, the garbage collector.
The CSO can protect customers and employees
First, she worked with human resources to try to get Social Security numbers off of internal documents.
Then she turned her attention to the companies that insure IBM's half a million employees and dependents.
In early 2003, IBM asked all its 150 health insurance providers to stop using the Social Security number as an identifier. The 16 companies that did not immediately agree to the request received a letter from Pearson and the vice president in charge of health benefits "making the request a little more formal," Pearson says.
While they stopped short of making it a requirement, they did warn companies that compliance would be considered as part of the annual renewal process. By the deadline of Jan. 1, 2004, only Empire BlueCross BlueShield and two or three small HMOs had to request an extension.
Pearson understands that making the change can be an expensive and time-consuming process, but it's also one that your customers and employees will appreciate. "People notice that the SSN is not gone from the cards" of those carriers who have not yet complied, she says.
3 Consider address change confirmations. One popular tactic of identity fraudsters is opening a new account with the victim's real address, then immediately changing the address. That way, the victim never gets a single bill or finds out about the account
It's not free, of course. "You have to measure the expense against the loss," Lefler says, looking at how many of your customers have been victimized in the past year versus how much the additional mailings would cost. But identity theft is growing rapidly enough that the scales might have tipped in the past year.
And don't underestimate customer goodwill, either, says Frank, the consumer advocate. Even helping just a few people spot identity theft early on might be worth more than you think. "People do business with people they trust," she says.
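The control in item 3 is a workflow rather than a product, so here is what it looks like written down. This is an added example, not code from the original article or from any company named in it: an address change is parked as pending, a confirmation letter goes to the old address of record with a reference the customer can quote to dispute it, statements keep going to the old address until a hold period passes, and a change requested soon after the account was opened (the open-then-move pattern the article describes) is never applied without manual review. The hold period (`HOLD_DAYS`), the new-account window (`NEW_ACCOUNT_DAYS`) and the sample accounts are constructed assumptions.

```python
"""Hold an address change and warn the old address before it takes effect.

Added example, not code from the original article. The hold period, the
new-account window and the sample accounts are constructed assumptions.
"""
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

HOLD_DAYS = 10          # assumed policy: mail keeps going to the old address this long
NEW_ACCOUNT_DAYS = 60   # assumed policy: a change this soon after opening is held for review


@dataclass
class Account:
    number: str
    opened: date
    address: str
    pending_address: Optional[str] = None
    pending_since: Optional[date] = None
    dispute_token: Optional[str] = None
    review_required: bool = False


@dataclass
class Notice:
    """A letter to put in the post; the point is that it goes to the OLD address."""
    mail_to: str
    text: str


def request_address_change(acct, new_address, today):
    """Park the change as pending; return the confirmation letter for the old address."""
    acct.pending_address = new_address
    acct.pending_since = today
    acct.dispute_token = secrets.token_hex(8)
    # Open, then move the address at once, is the fraud pattern: a young
    # account never changes address without a human looking at it first.
    acct.review_required = (today - acct.opened).days < NEW_ACCOUNT_DAYS
    text = ("We received a request to move account %s to %s. If you did not ask "
            "for this, call us and quote reference %s within %d days."
            % (acct.number, new_address, acct.dispute_token, HOLD_DAYS))
    return Notice(mail_to=acct.address, text=text)


def dispute_address_change(acct, token):
    """The customer at the old address says the request is bogus: cancel and flag."""
    if acct.dispute_token is None or not secrets.compare_digest(acct.dispute_token, token):
        return False
    acct.pending_address = None
    acct.pending_since = None
    acct.dispute_token = None
    acct.review_required = True   # freeze further changes until a fraud review clears it
    return True


def apply_pending_change(acct, today):
    """Apply the change only after the hold has passed and no review is pending."""
    if acct.pending_address is None or acct.review_required:
        return False
    if (today - acct.pending_since).days < HOLD_DAYS:
        return False
    acct.address = acct.pending_address
    acct.pending_address = acct.pending_since = acct.dispute_token = None
    return True


def scenario():
    """Walk three constructed accounts through the workflow and report the outcomes."""
    today = date(2004, 3, 1)
    old = Account("1234", opened=date(2002, 6, 15), address="1 Old St, Columbus OH")
    notice = request_address_change(old, "9 New Rd, Atlanta GA", today)
    early = apply_pending_change(old, today + timedelta(days=5))
    late = apply_pending_change(old, today + timedelta(days=HOLD_DAYS))
    young = Account("5678", opened=today - timedelta(days=3), address="2 Old St, Dallas TX")
    request_address_change(young, "9 New Rd, Atlanta GA", today)
    young_applied = apply_pending_change(young, today + timedelta(days=30))
    victim = Account("9012", opened=date(2001, 1, 1), address="3 Old St, Toledo OH")
    request_address_change(victim, "9 New Rd, Atlanta GA", today)
    wrong = dispute_address_change(victim, "nope")
    right = dispute_address_change(victim, victim.dispute_token)
    return {
        "notice_went_to_old_address": notice.mail_to == "1 Old St, Columbus OH",
        "applied_early": early,
        "applied_after_hold": late,
        "address_after": old.address,
        "young_account_review": young.review_required,
        "young_applied": young_applied,
        "wrong_token_rejected": not wrong,
        "right_token_cancels": right and victim.pending_address is None and victim.review_required,
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print("%-28s %s" % (name, outcome))
```

The cost Lefler weighs is the extra letter per change request; the benefit is that the victim hears about the account from the one address the fraudster cannot intercept.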
4 Phight phishing. At first glance, it seems you can't do a lot if your company is targeted by a phishing scam, in which a phisher spoofs your company's identity in an effort to gather personal information about your customers. (See "Gone Phishing," Page 49.) "It's pretty difficult" to deal with, admits the Anti-Phishing Working Group's Jevans. "You can say, we will never send you e-mail, or do not click on a URL in e-mail, but that makes it difficult to do any kind of e-commerce." What's more, when a bogus website is reported to law enforcement, Jevans says, it takes an average of 160 hours to get it shut down if it is hosted outside the United States
In this case, a little education can go a long way. Start by letting customers know that your company won't ever ask them by e-mail to divulge personal information, says Howard Schmidt, former vice chairman of President Bush's Critical Infrastructure Protection Board and CISO of eBay. Common targets such as Amazon, AOL and eBay have set up phishing tutorials on their websites to educate their customers about the scams.
At the same time, make sure employees who correspond with customers don't ask for this kind of information. You'll also need a mechanism for consumers to report the spoofed e-mails to you, and for your company to report the scams to law enforcement. Then, Schmidt says, "it becomes a policy issue."
5 Explore new technical solutions. Schmidt blames the success of such phishing scams on the fact that websites are still using static IDs and passwords for authentication, instead of more sophisticated identity management tools. Schmidt hopes that technical solutions will help strengthen authentication and in the process dramatically reduce identity theft, since thieves won't be able to accomplish so much with so little personal information. "I don't like to make predictions, but I'll be surprised if within the next year, we don't start seeing some commercialization of digital identities as ways to prevent identity theft and online fraud," Schmidt says.
That could work any number of ways. Companies could require customers to download digital certificates that would give them secure access to their account information. Or customers could log on to websites using smart cards or USB thumb drives that hold digital identification. And there's the long-awaited promise of biometric technologies that would let customers log on with a fingertip. Prices are coming down enough that it's possible to imagine a day when every new computer comes with this type of hardware; thumb scanners now cost less than $100.
In the meantime, it might be enough to advocate that your company begin digitally signing all outgoing e-mails. You might be forced to do so: Some security-savvy customers are already trashing all e-mails from businesses that aren't digitally signed.

A Stitch in Time

CSOs who don't protect customers and employees from identity theft may face a more onerous task: damage control. Just ask Bob Brand, security director for Cox Enterprises, who found himself in the unenviable position of trailblazing the role of the CSO in preventing and responding to the crime.
It started four years ago when some of the 80,000 employees of Cox Enterprises, an Atlanta-based media conglomerate, began getting notices from collection agencies about overdue store credit card accounts. The credit had been issued at Best Buy, Circuit City and Federated stores in the Atlanta area, but many employees were based in Ohio and Texas and had never even been to Atlanta. Gradually, through word of mouth, affected employees realized that it must be an internal problem. An investigation revealed that personal information about some employees had leaked through contractors working on a project.
Brand admits that Cox could have prevented the problem. "What happened with us happened with a lot of companies: We grew fast," he says. "You put the system in place and then you have to play catch up with some of the administrative issues."
And if it were partially his fault, the solution was also partially his. As security director, he took charge of helping victims restore their credit. "It wasn't pleasant," he says. Dispatchers didn't understand how to take down a report of identity theft because the issues cross state and even country lines. When the perpetrators were eventually convicted, Brand shared the victims' disappointment at the sentences
Brand discovered at the business level what John N. Stewart had discovered on a personal level: It's still a whole lot easier to keep identity theft from happening in the first place than to repair the damage after the fact.
"This crime can be just devastating," Brand says. "It's bad business not to protect to the best of our ability an individual's personal information. Why would you want to do business with a company that does not protect your information?"