Tuesday, October 11, 2005

How to Impact Fraud, Phishing and Financial Misdeeds

In the past couple of years, we have seen massive data intrusions. Here is one of many posts I've done on this: Identity Theft at Large Corporations. Recently, I was reading an article in Wired that makes a lot of sense. It was written by Bruce Schneier, a well-known security expert.

He makes a valid point: laws that address only criminal activity are only part of the solution. The war against identity theft will never be won until businesses that are entrusted with people's personal information are held accountable for substandard security practices and (in some cases) selling people's personal information to criminals.

Let's face it, we are in the information age and personal information is routinely sold for a lot of money. Besides marketing, there is a booming spy (be your own detective) market that is largely unregulated. Just about anyone can sift personal information using these programs and even buy "keylogger" software. Keyloggers, which are marketed as a means to spy on your employees, boss, errant child or wife, can also be used by identity thieves to steal personal and financial information.

Here is an excerpt from his article:

"Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses. If there's one general precept of security policy that is universally true, it is that security works best when the entity that is in the best position to mitigate the risk is responsible for that risk. Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem. And not just the direct financial losses -- they need to make it less painful to resolve identity theft issues, enabling people to truly clear their names and credit histories. Money to reimburse losses is cheap compared with the expense of redesigning their systems, but anything less won't work."

Many of these data intrusions were accomplished by simple theft involving deception, or unprotected data. As a result, many people have been victimized due to a lack of diligence by entities that were profiting monetarily. As long as these entities continue to get off "cheap" and the criminals have little to fear, this activity is going to flourish.

I think Bruce's observations are right on the money!

To read the article in "Wired" click on the title of this post.
