From my recent posting on Computer World UK (here)
Whenever I hear the phrase “identity theft,” I can only imagine what the late, great Rodney Dangerfield would have made of it: “Some guy in Moldova stole my identity. The FBI said, ‘…and you want it back?’ No respect!”
Despite what seems to be a public fascination with identity theft as the latest innovation in cybercrime, it isn’t really new. Even before the Internet came along, criminals could steal and manipulate identity data by modifying the magnetic strip on the back of a credit card to access a different account than the one listed on the front of the card. This would allow the thief to present a credit card and identification that matched and hope that the employee didn’t actually look at the name on the receipt.
But this level of con was strictly small time compared to what a computerized identity thief can accomplish today with thousands of names, their financial information, and the Internet as a global playing field for fraudulent transactions. Not only does automation enable fantastic economies of scale—one thief can manipulate tens of thousands of identities and still have time for a leisurely lunch—but the probability of detection, arrest, and punishment is extremely low. Mass media news value tells the tale. Large-scale identity breaches have become back page news. The successful prosecution of a single cybercriminal makes the front page because it’s so rare.
Technology is certainly an important part of solving the identity theft equation, but society will need to pursue a multi-pronged approach that includes policy changes, process improvements, and increased awareness across the value chain (from consumers to business service providers).
The first change is for society to recognize that cybercrime is crime, pure and simple. There is nothing outlandish, exotic or incomprehensible about it. Criminal justice authorities should stop treating it as a discipline apart from suppressing traditional physical and white collar crimes, and integrate it into the mainstream of law enforcement.
It’s true that the world is flat when it comes to cybercrime, and its perpetrators thrive in countries that cannot or are unwilling to control it. But there is a lot more that could be done in indicting and demanding extradition of cybercriminals from foreign shores, and in putting pressure on countries that tacitly condone them. Here the situation is similar to the dirty money banking problem. Recently, the US Treasury Department and the EU have been quite effective in putting the screws to dubious offshore banks and the countries that host them.
Second, the law has a blind spot when it comes to assigning liability responsibilities to technology-based products and services. If a car has a manufacturing flaw, it triggers recalls and lawsuits. If a software package is riddled with functional and security gaps, the law shrugs and end users do the heavy lifting every patch Tuesday.
Likewise, if a restaurant poisons its patrons, health inspectors shut it down and aggrieved customers seek damages. But if a retailer exposes financial information on thousands of customers, a quick press release and a public apology usually smooth the round trip to business as usual.
To be fair to businesses, especially ones that sincerely do their best to protect sensitive data, there is no way to completely secure an environment or totally eradicate breaches. The goal of security is to limit the possibility of a successful compromise, and when one does occur, to limit its impact on the organization. This means that organizations must eliminate as many attack vectors as possible and have complete visibility into the operating state of all computing devices. This should enable them to respond quickly to an emergency, contain it, reverse it, and return the environment to stable, secure operations.
Although there are highly sophisticated pieces of malware, hacking attacks and intrusion attempts, the majority of attacks exploit misconfigured, poorly administered and insecure computing environments. Even the most sophisticated burglar is going to rob the house with open windows and unlocked doors before moving on to the challenge of a more elaborate anti-intrusion defense.
The good news is that doing the basic things right goes a long way to reducing opportunities for a successful attack. Prompt and thorough approaches to patching, configuration management, enforcing policy controls, and maintaining the kind of visibility that assures organizations know their infrastructures better than their adversaries will generally put them on the right side of any IT security 80/20 rule. At the least, they can sleep better knowing they have made prudent and diligent efforts to lower security risks to a practicable minimum.
Users and consumers can do with a good dose of prudence, too. Stay off porn sites, resist offers of free computers, and remain confident that your teeth are white enough already. Try to be imaginative in formulating passwords, and view any message requesting information from you with suspicion, especially when it comes from people calling themselves a “team.” Also, don’t wait for companies to tell you when you’ve fallen into peril. Keep an eye on your online assets and immediately ask questions if you see something amiss.
On a larger scale, individuals can contribute to market forces that incent companies, governments, and other institutions to take security seriously. Avoid doing business with organizations that suffer security breaches. Patronize businesses that appear to be mindful of their security responsibilities. It may sound like boycotting sloppy or unlucky companies exacerbates their pain, but it is the best way for them—and their competitors—to learn that prudent security is good for business.