Wednesday, May 10, 2006

Are We Addressing Cyber Crime from the Wrong End

Deb Radcliff is a noted author on cybercrime and its implications. Recently, Deb wrote a very enlightening post suggesting that our current problems with cybercrime are caused by approaching security "Ass Backwards."

Please note that she got this perspective from someone who knew little or nothing about the world of cyber crime or fraud. Although fraud has been around since the beginning of time, there is little doubt that technology is enabling it to grow more quickly than ever before. There is also little doubt that the Internet, which provides a great deal of anonymity, is an enabling factor as well.

Here is the "thought process" Deb and her friend came to:

"Oh, I see what you're saying! It's like we've got two ends of the same business working against each other," I said as I grabbed a notepad and started writing things down. "On the back end, we've got all these information security experts working their tails off trying to close the vulnerabilities. But on the front end, we've got systems that are laying bare our financial identities."

For example, why, after all these years in not-present mediums, are the credit card issuers unable or unwilling to unequivocally vet new applicants to ensure they're issuing the card to a real person with a legitimate identity? Why, at the very least, is the application not tied to a customer phone number for verification?

So now I'm looking at the bigger financial identity framework and I'm seeing all kinds of gaps.

Let's start with the credit reporting agencies, who are responsible for our credit ratings and yet prevent us from getting the information we need to protect our ratings by not alerting us to new accounts opening under our identities. The reporting agencies have the system in place to do this. But they've made it so hard for consumers to order this service (and when they do, they can only get it for 90 days unless they can prove fraud). Why? Because they make much more money processing our financial identities in real-time than they would if they imposed wait times to get approvals.

For the rest of the post on Deb's blog (On line Crime Bytes), link here.

For more on Deb and where you can read her articles, link here.

When we look at too-good-to-be-true Internet crime schemes, greed is always one of the factors a fraudster uses to hook a victim. Could it be possible that it isn't only individuals who are guilty of letting greed cause a large part of the problem with cybercrime?

To take this thought process further, could the criminals be taking advantage of "corporate greed," which values profit over the people being victimized? After all, up until now, these companies have been able to pass the cost of fraud on to their customers and make a tidy profit.

Forget the "zero liability" public relations programs we are being sold. The fact is that fraud losses are being added into the "cost of the product." These companies are in the business of making a profit and wouldn't be operating otherwise. They are even trying to add to their income streams by pushing "identity theft products," which some consider a little "questionable" as well.

I'm always amazed to note that many of the same companies that have lost massive amounts of information are marketing identity theft insurance. Some of them probably helped create the need for this service.

Until the financial, information and now even retail sectors are forced to take action, I fear the criminals will continue to take advantage of an "Ass Backward" approach to protecting information.

Bruce Schneier, another well-known security expert, echoes this sentiment and has an interesting perspective on what is needed to address cyber crime. He recently wrote:

Push the responsibility -- all of it -- for identity theft onto the financial institutions, and phishing will go away. This fraud will go away not because people will suddenly get smart and quit responding to phishing e-mails, because California has new criminal penalties for phishing, or because ISPs will recognize and delete the e-mails. It will go away because the information a criminal can get from a phishing attack won't be enough for him to commit fraud -- because the companies won't stand for all those losses. If there's one general precept of security policy that is universally true, it is that security works best when the entity that is in the best position to mitigate the risk is responsible for that risk. Making financial institutions responsible for losses due to phishing and identity theft is the only way to deal with the problem. And not just the direct financial losses -- they need to make it less painful to resolve identity theft issues, enabling people to truly clear their names and credit histories. Money to reimburse losses is cheap compared with the expense of redesigning their systems, but anything less won't work.

For more on Bruce Schneier and his work, link here.

Let's face it, cybercrime by all estimates continues to grow. The criminal element seems to be very adept at beating current security systems and is beating new measures daily.

Until some "forward thinking" is applied to address this problem, we will never find an effective solution.

1 comment:

Tom Fragala said...

Ed,

A fantastic, detailed article (yet again).

However I disagree with what Deb says in the quote:

"Let's start with the credit reporting agencies who are responsible for our credit ratings and yet they prevent us from getting the information we need to protect our ratings by not alerting us to new accounts opening under our identities. The reporting agencies have the system in place to do this. But they've made it so hard for consumers to order this service (and when they do, they can only get it for 90 days unless they can prove fraud)."

She's talking about fraud alerts on our credit files. There is no "system" for alerting consumers, despite some companies claiming fraud alerts are foolproof ID theft protection. Why? Because there is no law that requires creditors to pay attention to any fraud alert on your file. Fraud alerts are not effective. More specifically, credit issuers only pay heed around 50-70% of the time as best we can determine (ask Jay Foley at the ITRC). So, CRCs are NOT required to alert you and financial institutions are not either. A fraud alert is just a flag and, if you choose, a victim statement that is a bunch of words on your credit file. There is no technology in place to "alert" anyone or anything. A credit issuer has to pull your report (not required either, believe it or not) and READ the credit disclosure. It might not even be legible when printed!!

I do agree that the CRCs would not be excited about putting an alert mechanism into place to slow the credit process themselves. And neither would FIs. But let's not confuse the issue. THEY ARE NOT REQUIRED TO. Change the law (FCRA) if you want effective consumer fraud alerts (good luck).

Fraud alerts are not a "system" and they don't really work. If anyone thinks fraud alerts provide a "guarantee" of protection from ID theft, think again.

Sorry for the rant, Ed.

Tom