Identity theft has been the fastest growing crime in this countryand many othersfor many years. Studies by the Federal Trade Commision (FTC) indicate that the rate of identity theft growth has slowed, but that the volume of identity crimes continues so that one out of every three families has been affectedand identity theft wasnt even considered a federal crime until 1998!¹

In a case of identity theft, an imposter steals or otherwise obtains key pieces of others personal or financial information, such as Social Security number, drivers license or bank account information, in order to impersonate the victim(s). The stolen information is used to create a phony persona and commit various fraudulent activities, resulting in personal financial gain at the expense of the victim.

One of the scariest things about identity theft and its derivative crimes is that it can be committed from anywhere in the world. There is no face-to-face confrontation between victims and perpetrators. But, the good news is that some progress is being made: Individuals, employers, and federal, state, and local governments have finally become aware of the seriousness of these crimes and our vulnerability to them.

This article focuses on both the individual and the employer as victimsbut, national security should not be overlooked when it comes to understanding the seriousness of the threats to, and possible compromise of, our information systems.

Personal Concerns

ID theft can be committed through sophisticated or unsophisticated methods. Despite your best efforts to protect your personal information, thieves still have a wide arsenal of methods to gain access to your data.

Here are a few scenarios on how your information may be stolen through identity theft:

They get information from businesses or other institutions by stealing company records or information, bribing an employee who has access to these records, hacking into company systems or by conning information out of employees.

Thieves may steal your mailincluding bank and credit card statements, credit card offers, new checks and tax information. They may rummage through your trash, your offices trash, or public trash dumps, in a practice known as dumpster diving.

They may obtain your credit reports by abusing their companys authorized access to them, or by posing as a landlord, employer, or another person who has a legal right to access your report.

They may steal your credit or debit card numbers by capturing the information in a data storage device, in a practice known as skimming. They may swipe your card for an actual purchase, or attach the device to an ATM machine or gas pump where you need to swipe your card.

Or, identity thieves may take a different route. They may steal your wallet or purse. They may steal personal information they find in your home. They may steal personal information from you through e-mail or phone by posing as legitimate companies and claiming that you have a problem with your account. This practice is known online as phishing, or pretexting by phone.

They may call your credit card issuer to change the billing address on your credit card account, in order to run up a charge without your being aware of it. Because your bills are then sent to a different address, it may be some time before you realize theres a problem.

They may open new credit card accounts in your name. When they use the credit cards and dont pay the bills, the delinquent accounts are reported on your credit report, lowering your score and ruining your credit. (In an attempt to restrict such illegal actions, many, if not all, credit card companies and banks now utilize security features such as additional passwords and security questions to verify the identity of the person requesting account information or modification.)

Or, they may establish phone or wireless services in your name. They may open a bank account and write bad checks on itall in your name. They may counterfeit checks or credit or debit cards or authorize electronic transfers, and drain your bank account. They may file for bankruptcy under your name to avoid paying the debts theyve incurred or to avoid eviction.

Where to Go for Help The Federal Trade Commission (FTC) produces a booklet, available online, to help remedy the effects of identity theft. It describes what steps you can take, your legal rights, how to handle specific problems you may encounter on the way to clearing your name, and what to watch out for in the future. Otherwise, here are a few Web sites that provide information and resourcesboth for the victims of identity theft and for those who want to prevent it. The Identity Theft Task Force: www.idtheft.gov The Identity Theft Resource Center: www.idtheftcenter.org The Federal Trade Commissions ID Theft Web site: www.ftc.gov/bcp/edu/microsites/idtheft/ The Privacy Rights Clearinghouse: www.privacyrights.org/identity.htm   Identity Theft and Your Social Security Number, Social Security Administration: www.ssa.gov/pubs/10064.html

They may buy a car by taking out an auto loan. They may get identification, such as a drivers license, issued with their picture but your name. They may get a job or file fraudulent tax returns in your name.

They may give your name to the police during an arrest. And, if they dont show up for their court date, a warrant for arrest is issued in your name.

Employer Concerns

Not too many years ago, an employee of the Illinois Human Services Department stole personnel data, including Social Security numbers, from thousands of state workers and used the information to open credit card accounts. Hundreds of thousands of dollars were charged in employees names. This scenario, sadly, is becoming more and more common.

Large corporations and government agencies are often the victims, but small employers need to be just as alert. Personal records and other proprietary information can be profitable to employees and others who cant resist temptation and have been allowed easy access to this sensitive information.

The single best preventive recommendation I can give to employers: Know whom you hire. If potential employees job responsibilities will grant them access to your assets, do a thorough background check before hiring them. (See How to Deal with Sticky-Fingered Staff, February 15, 2008.)

Many identity theft experts have suggested for years that identity theft was being committed more often by employees than by outsiders, especially when identity information comes from computer files.

Judith Collins, Ph.D., a Michigan State professor in the department of criminal justice, estimated that as much as 70% of all identity theft starts with theft of personal data from a company by an employee.² In the 1,037 cases studied, Dr. Collins traced the crime back to its origins and found that a company employee pilfered the victims identity in at least 50% of cases. And, her evidence strongly suggested the involvement of an insider in another 20% of the cases studied.

Dr. Collins suggested that the theft of information could become (if its not already) the third largest expense to the employer after payroll and health care.

Companies and employers must examine or create policies to deal with identity theft. One only needs to read the headlines over the past couple of years to find cases in which employees have sued corporations for negligence after personal information was lost because of weak security efforts on the part of the employer.

Fortunately, identity theft problems and risks in the workplace are starting to get more attention by governing bodies as well. Georgia and Wisconsin, among other states, have passed laws requiring employers to destroy documents containing personal employee data if its collection is not justifiable. California has passed legislation barring private firms from using Social Security numbers as identification numbers. Agencies, organizations, institutions and other groups that possess your personal information are now required to notify you as soon as they become aware of any incident that might compromise your data. Laws vary by state regarding what you can or must do if your business becomes aware of compromised records that contain personal information of employees, patients or customers.

One great resource for employers concerning insider threat and the protection of computerized systems is given at the U.S. Secret Service Web site. In August 2004, the U.S. Secret Services National Threat Assessment Center and Carnegie Mellon University Software Engineering Institutes CERT Coordination Center announced the findings of the first Insider Threat Study report, a collaborative effort to better understand insider activities that affect information systems and data in critical infrastructure sectors.^3,4

This report focuses on those people who have had access to and have perpetrated harm by using information systems in the banking and finance sector, which includes credit unions and financial institutions. It identifies the physical and online behaviors and communications that insiders engaged in before such incidents, as well as how the incidents were eventually executed, detected, and the insider identified.

The study was designed to develop information to help private industry, government and law enforcement better understand, detect and ultimately prevent harmful insider activity. Various proactive practices are among the suggestions offered by the report.

 

A "Red Flag to Pay Attention To You may be a creditor. If so, you may have to institute identity theft programs in your practice. Then again, you have a few months to find out and do something about it. The Fair and Accurate Credit Transactions Act (FACTA) defines creditors to be any entity that regularly extends, renews or continues credit; any entity that regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew or continue credit.1 And, it defines credit as the right granted to defer payment for any purchase. So, the act claims, Any person that provides a product or service for which the consumer pays after delivery is a creditor.1 However, the Federal Trade Commission (FTC) has since delayed enforcement of compliance with the acts Red Flags Rule until May 1, 2009. The new regulations, originally thought to apply to banks and financial institutions that offer credit in a more traditional sense, were only explained to apply to health care in fall of 2008, shortly before the deadline was to be enacted.2 This caught practitioners by surprise, prompting the American Medical Association and other groups to challenge the FTCs broad interpretation of creditor, resulting in the delay of enforcement by six months.1,2 Under the Red Flags Rule, certain businesses must be aware of possible signs of identity theft, and they may even need to create and implement a program to protect against this threat in four steps: identification of red flags, detection of red flags, prevention and mitigation of identity theft, and periodic program update.3 To determine if you fall under the FTCs definition of creditor, or for more information, visit www.ftc.gov/bcp/edu/pubs/articles/art10.shtm or e-mail RedFlags@ftc.gov. The text of the Red Flags Rule is available in the November 9, 2007, Federal Register: www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf (The guidelines are on pages 63773 and 63774). 1. Federal Trade Commission. FTC will grant six-month delay of enforcement of Red Flags Rule requiring creditors and financial institutions to have identity theft prevention programs. Available at: www.ftc.gov/opa/2008/10/redflags.shtm (Accessed December 12, 2008). 2. Sorrel AM. Caught unaware, doctors get delay in FTC enforcement of ID theft rules. Amer Med News 2008 Nov 3; 51(41):1-2. 3. George T, Singh P. Federal Trade Commission. The Red Flags Rule: are you complying with new requirements for fighting identity theft? Available at: www.ftc.gov/bcp/edu/pubs/articles/art10.shtm (Accessed December 16, 2008).

What the Employer Can Do

The Insider Threat Study report states that insider attacks can only be prevented through a layered defense strategy consisting of policies, procedures, and technical controls.

Organizations should provide training programs that create a culture of security that is appropriate for them and that includes all personnel. Each must train its members about malicious employee actions on customer data and service, including a confidential means of reporting security issues with appropriate follow-up to security reports.

Separation of duties and remote access monitoring should be explained. While employee alertness is key to detecting many insider attacks, several cases have been detected because of abnormal system activity (including changes in system configuration and illicitly escalated user privileges).

Employees should be notified that system activity is monitored, especially system administration, privileged and remote activity.

All employees should be trained in their personal responsibility, such as protection of their own passwords and work products.

Also, password protection and change policies should be instituted and enforced, in order to reduce the likelihood of another employee accessing a computer.3

Likewise, when an employee is let go from the company, his or her access to any of the systems, e-mail, or other accounts should be terminated immediately.3

A safe system through which employees can report any concerns or suspicious behavior could also be beneficial.

For example, if a coworker attempts to discover someones password, create an unnecessarily shared account, gain access to accounts and systems beyond the scope of their responsibilities, bypass technical safeguards or firewalls or disregard acceptable use policies, this behavior should be reported to a superior in a manner that is safe, anonymous and trustworthy.3

But, the trust in such an arrangement must go two waysone, it can not be abused by the superior who receives the report, and two, the employee making the report must not be doing so with malicious intent.

In 61% of cases studied by the Secret Service, the insider in a theft was detected by non-security personnel, including customers (35%), supervisors (13%) and other employees (13%).³

What You Can Do

As an employee, you can help reduce the rise of insider threat by honestly reporting any suspicious event without malicious intent.

The insider in an insider threat within a company has no real demographic profile. The ages of various perpetrators studied ranges from late teens to retirement and included both men and women.³ They were programmers, graphic artists, system and network administrators, managers and executives. They were currently employed or recently terminated employees, contractors and temporary employees.

Identify possible malicious insiders by behavior, not by stereotypical characteristics. For example, behaviors that should be a source of concern include making threats against the organization, bragging about the damage one could do to the organization, or discussing plans to work against the organization.

Also of concern are attempts to gain other employees passwords and to fraudulently obtain access through trickery or exploitation of a trusted relationship.

There are many ways that you can protect yourself against identity theft outside the professional sphere as well.

For example, ensuring that your computer is securely firewalled will prevent hackers from stealing information from your hard drive.

Or, when shopping online, verify that the retailer uses secure encryption to keep your credit card information private.

More guidelines on protecting yourself can be found at the Identity Theft Resource Centers Web site: www.idtheftcenter.org.

A Federal Response

In October 2008, the Presidents Identity Theft Task Force released a strategic plan. The plan recommends the use of all available tools, from enhanced consumer and business education, to better data security and consumer authentication, to expanded resources for victim recovery, to increased training and support for our foreign law enforcement partners, to more certain and stronger punishment for perpetrators.

Specifically, the strategic plan recommends that federal departments and agencies make improvements in four key areas:

• Protecting data by keeping consumer data out of the hands of criminals.
• Avoiding data misuse by making it harder for criminals to exploit consumer data.
• Assisting victims by making it easier for them to detect and recover from identity theft.
• Deterring future cases of identity theft by increasing prosecution and punishment of perpetrators.

The Task Force made a total of 31 recommendations in these four areas. Much of this work has been completed; some is still ongoing.

Some of the Task Force member agency initiatives are working to reduce the unnecessary collection and use of Social Security numbers (SSNs). The Social Security Administration is restricting release of SSNs and Freedom of Information Act-related correspondence on identification cards, internal records, etc.

There is no silver bullet to end the identity theft problem. The more aggressive proactive efforts become, the more creative perpetrators become. Any effective solution will require federal, state and local governments to work in conjunction with the private sector and consumers to form a united front.

The battle is a shared responsibility. Consumers, businesses and other organizations that collect consumer data; information technology and software providers that supply anti-fraud solutions; and federal, state and local governments are all impacted by identity theft and have roles to play in the fight against it. Will you do your part?

Mr. Walton is the Associate Dean of Student Services for Henley Putnam University, an online university specializing in intelligence, protection management, terrorism and counter-terrorism studies. He has 40 years of experience in law enforcement and training in security and other related topics. He retired from the United States Secret Service after a 21-year career. Post-retirement activity includes Chief of the Federal Law Enforcement Training Centers Management Institute, criminal justice instructor at Indiana University at Bloomington, a commissioned officer in the U. S. Marine Corps, and special agent with the Office of Naval Intelligence (now NCIS). He continues to instruct at the Federal Law Enforcement Training Center in the fields of physical and operations security.

1. United States Department of Justice. Identity Theft and Fraud. Available at: www.usdoj.gov/criminal/fraud/websites/idtheft.html (Accessed Dec 2008).

2. Collins, J., Investigating Identity Theft: A Guide for Businesses, Law Enforcement, and Victims, 2006.

3. Secret Service National Threat Assessment Center. Insider Threat Study, Illicit Cyber Activity in the Banking and Finance Sector. 2004 Aug. Available at: www.secretservice.gov/ntac.shtml (Accessed Dec 2008).

4. Secret Service National Threat Assessment Center.  Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. 2005 Jun. Available at: www.secretservice.gov/ntac.shtml (Accessed Dec 2008).