Saturday, March 18, 2006

Information Breaches, the Human Factor

According to the Privacy Rights Clearinghouse, millions of identities have been compromised recently. In fact, it's impossible to quote an exact figure anymore because new reports of breaches are surfacing weekly. In their chronology, they list several occurrences as being caused by a dishonest insider, but in reality how much more of this could be happening?

One of the recent stories was about Ernst and Young getting some laptops stolen. Several other breaches are listed as a result of stolen computers. The question is: how did the people who stole them determine which ones to steal and what information would be on them?

Many other breaches are listed as a result of "hacking." Hacking is a big word and brings visions of teenagers breaking into systems from afar. BUT is it possible that some of the hacking occurring today might be the result of insider information obtained by the hackers?

A recent study by Taleo Research found that background screening at many companies is inadequate. The results of this study are pretty interesting:

27 percent of organizations experienced a major problem, workplace fraud (10%), employee theft (10%) or workplace violence, with an employee who was screened in, but ended up having a criminal record that was not found.

57 percent of survey respondents believe that their organization should be doing a better job of screening employees prior to being hired.

Only 19 percent consider their current background check process very effective at weeding out candidates that do not meet the criteria for employment at their company.

Two-thirds of organizations do not conduct ongoing background checks on employees.

Only 29 percent have ever run an audit of their current screening provider to determine the quality of their screenings.

Of course, in the real world of data breaches, it seems that those who have been breached are extremely reluctant to reveal many details.

AND there is another problem, which is the number of illegal immigrants out there in the work force. Depending on whom you quote, they number in the millions and the trafficking is done by organized criminal gangs. Many of these immigrants owe lots of money to these gang members and already use fake or stolen identities to work. How many of them might be repaying their debts by stealing information?

Here is a document from CERT, which shows the implications of organized cyber crime:

Organized Crime and Cyber-Crime: Implications for Business

There is no doubt this trend is growing and will continue to be a problem. Whether these organizations approach insiders for information or plant them within with fake identities, they can steal a lot of what is a very profitable commodity in the world marketplace: information.

Another potential problem is outsourcing financial and computer services to other countries, where the security standards are not up to par. In fact, this might even make some of these firms more attractive targets for the criminal element. I wrote about this in a previous post:

What are the Security Implications of Outsourcing

Until some of the organizations that have been breached are held more accountable, we will probably never know the true scope of "insider involvement."

Friday, March 17, 2006

Communication is a Key Factor in the Fight Against Financial Crimes

Technology seems to outpace laws and enforcement efforts in the world of financial crimes. Communication and awareness are two ways to keep up with technology.

In fact, Robert Mueller (FBI Director) recently called for the same thing. I wrote about this in a previous post: Cyber Criminals Love a Lack of Communication.

Monica Hatcher of the Miami Herald reports about another effort to better coordinate resources in the fight against financial crimes:

Until recently, law enforcement had few ways to keep track of consumer scams which seem to multiply daily, often duplicating investigative efforts and missing out on valuable information gathered by government counterparts.

The Center for the Study of Economic Crimes, a joint project of St. Thomas University School of Law and Florida State University College of Criminology, was established about a year ago to address the problem.

The center will host today its first national conference, drawing more than 300 government officials, law enforcement agents and corporate leaders to discuss emerging trends in white collar crime and consumer fraud.

The conference complements the center's main tasks of hosting and developing a national clearing house for information on fraud-related topics, and producing scholarly reports on trends.

Here is the full story:

University hosts national conference on crime, fraud trends

Link to FraudUpdate for more information.

Law enforcement, security experts and the corporate world need to join hands to combat an alarming increase in financial crimes. Financial crimes, inspired primarily by the internet, are quickly becoming a major threat to the well-being of the economy.

In my opinion, this is a step in the right direction.

Wednesday, March 15, 2006

Are the Arrests in the Debit Card Case the Beginning of More to Come

Greg Sandoval of CNet is reporting:

Law enforcement officials in New Jersey have arrested 14 people in connection with a crime spree that has forced banks across the nation to replace hundreds of thousands of debit cards.

The suspects, all U.S. citizens, are accused of using stolen credit and debit card information to produce counterfeit cards that were used to make fraudulent purchases and withdrawals from card-holder accounts, Hudson County Prosecutor Edward DeFazio said. Most of the arrests were made during the past two weeks.

Some of the stolen credit card information came from the office-supply chain OfficeMax and other businesses, DeFazio told CNET on Monday. "We had cooperation from the security people from many victimized businesses," he said.

Credit-card issuers Visa and MasterCard have blamed a growing number of thefts from debit-card holder accounts--in areas ranging from San Francisco to Boston--on a security breach suffered by a merchant, but they've refused to identify the company.

Here is the full story from CNet:

Prosecutor: Debit card crime ring busted

This might be good news, but it's being announced by local authorities. This case has ties from coast to coast and the cloned cards have been used worldwide. I would speculate that there is more to come, or that one part of a group has been caught.

All through this case, it seems that many of the companies that were breached were slow to notify their customers. There is likely to be a political backlash. Reuters reported recently that:

House panel to consider data security bill

The bottom line is that the common person needs to be taken into consideration when corporations lose their personal information.

Based on what I have been reading, there are a lot of frustrated people out there affected by this breach. From the beginning, the notifications to victims were slow in coming and even today, no one is admitting where the actual point of compromise was.

Boing Boing and the Consumerist have done an excellent job of getting out the view of the victim in many of their posts. For some personal views of how people are feeling out there, I highly recommend reading their material.

Here is a previous post I did on Debit Card Breaches, A Growing Problem.

Some arrests have been made, but I doubt the issue has been resolved.