Slashdot Mirror
Data Theft Soars to Unprecedented Levels
A Wired article reports on data loss in 2007, and the numbers aren't good. Credit card and social security theft was at an all-time high, with even more losses expected in 2008. Information thieves, it seems, are just one step ahead of IT security. "While companies, government agencies, schools and other institutions are spending more to protect ever-increasing volumes of data with more sophisticated firewalls and encryption, the investment often is too little too late. 'More of them are experiencing data breaches, and they're responding to them in a reactive way, rather than proactively looking at the company's security and seeing where the holes might be,' said Linda Foley, who founded the San Diego-based Identity Theft Resource Center after becoming an identity theft victim herself."
Just provide your credit card number to me and I will make sure no one steals it.
Another MyMiniCity link. Don't click. You know the drill.
This seems like a consequence of being able to carry gigabytes of data around in your pocket. It is probably all too easy for the odd database to duplicate into an employee's thumbdrive these days I suspect.
"I bless every day that I continue to live, for every day is pure profit."
Is data theft at an all-time high because of hackers or just dumb companies not encrypting their backup data that gets lost in transit?
I don't know what the trouble is with the 'myminicity' thing, so I'll just comment on the synopsis.
It has to be noted that since much data these days appears to be stored unencrypted, or removed from the premises by 'interns,' that much of the populace is 'one step ahead.' The advantage the bad guys have, beyond institutional stupidity and negligence, is that there's so many of them willing to exchange the data once acquired.
We hear about CC theft a lot and I am sure it does occur, but most of the time its embarrassment which is the real culprit.
...
"darling, the CC company says we owe them $2400 dollars."
"thats nonsense, I barely use my CC"
"it says there were hookers, gallons of gin and a blackjack tableset ordered to an address in Nevada."
"OMG it must have been the waiter in the diner I went in on the way to the 'conference' with work! (pray you are saying it with a straight face)"
liqbase
Irresponsible data handling by employees at retail stores probably contributes quite a bit.
One of my friends went dumpster diving at Compusa. On top of finding almost every cable you'd ever need to hook anything up, he found over 70 pages of daily reports disclosing full credit card numbers, expiration dates, first/last names, and card company. Personal checks that were used during that day listed the account #, routing #, first/last name, birthdate, drivers license #, address, phone number, and probably some other stuff. He found this on two separate occasions, with over 300 cards listed total. None of the papers were shredded/torn either. He didn't intend to find this stuff - Imagine how easy it must be for somebody who actually wants the information!
The majority of the population doesn't understand how seriously security needs to be taken when venturing online to make purchases. If people understood going onto unsecured networks/etc was pretty much the same as leaving your credit card/checkbook in the front seat of your car, leaving the doors unlocked, and parking it in a bad neighborhood they might take security more seriously.
Sure - Most of the time if you leave stuff in your car unsecured, it'll be there when you get back. But there's always that small chance it'll get stolen.
has itself grown in size to unprecidented levels, I suppose it shouldn't be too surprising that data THEFT has also grown to unprecidented levels. The real question is, when normalized for how much data is "out there", is data theft getting more or less rampant?
The more you regulate a company, the worse its products become.
Knowingly having an unsecure system or not doing basic security due-diligence causes penalties, a second offense and you lose your business license.
The post states that "Information thieves, it seems, are just one step ahead of IT security.". I disagree with this, but it all depends on your definition of IT security, mine being more on the tech side in relation to protection, countermeasures and network forensics. The article really does not make any claim that IT security is at fault, but rather that counter measures to known threats are not being empyloyed. In relation to the quoted statement above, I would say that information theives are five steps ahead of those of don't take measures to protect against threats, rather than being ahead of IT security. I guess it could be argued that IT security is indirectly responsible, or failing, as user education and policy are major parts of protecting corporate networks and data. The failure in these cases seems to be more related to a lack of user knowledge or failure to adhere to policy / weak policy, rather than a complete inability of IT security to protect information. Everyone knows that the internet is a dangerous place (TM), even my grandma. For those in government, schools etc to have data stolen and claim that they didn't know about the risks posed of using online data systems is just plain stupid. According to TFA, the biggest theft of information occurred due to the use of a wireless network. "What! Wireless isn't secure? I had no idea!" Only if you had your head firmly wedged up your own back passage could you as a security professional, or even semi professional ;) claim that you had no idea of the many vulnerabilities of wireless networks...
"They looked deep into my soul and assigned me a number based on the order in which I joined"
The feds could initiate a program under which all citizens are issued key fobs similar to RSA Secure IDs with verification similar to that required for a passport. Without this fob, one could not open any sort of bank account or acquire a credit card or loan... The program could allow one to specify various levels of rigor beyond this basic minimum, such as pin+fob key verification to complete any sort of electronic monetary transaction.
It works for managing access to top secret material, hundreds of billions in monetary instruments and the most vital systems of companies in every industry worldwide... I suppose that on an individual basis, any person's assets, credit and livelihood just aren't as important. Or, perhaps the very industries that protect themselves with this system just don't give a fuck about their consumers.
If these folks were landlords, they'd tell every criminal they could find who you are and were you live, and they'd refuse to install a lock on your door.
What amazes me about "identity" (financial, blog or otherwise) in the Internet age is how similar it is starting to feel to the concept of identity in fantasy fiction (such as the Earthsea books) where people have disposable day-to-day common names, but also truenames that hold the real power of identity, shared only with the most trusted of companions.
Real identity theft would be taking over someone's identity (probably with some lame face exchange technology) so that the rightful owner can no longer utilize it.
I've seen interviews of people who say they no longer can utilize their identity to do the things they expect to be able to do, buy a house, open a credit account, and have their previous credit rating.
So they feel their identity has been stolen.
rd
Studies have shown that auto theft reached unprecedented levels in 1911. In future news; flying car theft will reach unprecedented levels in 2057.
More and more common thieves are learning the value of data. So more of it is being stolen. I bet MP3 player and cell phone theft rates are reaching "unprecedented" levels as well.
There are some people that if they don't know, you can't tell 'em.
At $DAYJOB, we insert fake data in two ways: First, fake data that is in the database with known markers, second, more fake data generated each time a user logs in and present only during that log in for that user. In this way, we know if the data theift occured via authintication (and by whom, from where, and when), or via some hole in the app.
The way to make this more effective requres a huge amount of work: Longer CC numbers and SSNs. It's the same problem IT has had with users FOREVER. Users expect the moon, stars, and all the oort cloud between, yet do not want to provide the least effort. There's no "buy in" from Soc Sec and the CC companies. As long as they get to pass along the cost to someone else, then the current system is "good enough". No need to expend any of THEIR effort to find, track, and plug up problems.
But make THEM accountable in a tangable way, and I think we'll start to see effective measures to stop this nonsense. And no few RSG and 419'ers in jail to boot.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
And one that too many companies are willing to put gamble with. Many IT shops haven't got the experience in house to maintain security so they shop around for the doitallforyousecuritygizmo to do it for them. These gizmos are usually 90% snake oil with a hefty support contract. There is also a big lapse in education and awareness across all facets of the security realm. Programmers think security is up to Layer 1 and that they are free to break all the rules at layer 7. Windows admins think security means that if Bitdefender doesn't complain, everything must be peachy and that having software installed through ActiveX by a remote website is just a prank. Management is made up more of bean counters than technically savvy personnel. In the end, it seems management views a spin-of-the-wheel as being more cost effective than re-training a bunch of people that can't see past the Whack-a-Monkey javascript they just got in their inbox.
boycott slashdot February 10th - 17th check out: altSlashdot.org
It continues to astonish me that people think of "data theft" as the cause of identity theft.
Data theft is not the problem. The problem is that financial organizations are willing to accept transactions without authentication, or with very weak authentication. Supplying a 9-digit number which is a matter of public record is not a form of authentication. It does not prove that the person speaking is the account holder. Anybody can walk into a store with a fake credit card and buy stuff in my name, no questions asked. People can write checks with my account number on them, and it will be charged to my account. At no point is the slightest attempt made to authenticate the identity of the person making the transaction and certify that they are allowed to post transactions to the account.
There is no way to "plug" these leaks; most of these names and numbers are a matter of public record and must be surrendered in order to make a transaction in the first place. The identity theft problem will not abate until account holders have enhanced authentication options, and the financial institutions are required to use them. Biometrics, physical security tokens, PINs, it doesn't really matter what solution we use. We just need to use something to verify the identify of the person making the transaction. It's the only solution.
The problem is that the organizations that lose the data, and the people who work there, are not the ones who bear the pain of the result. Furthermore, we usually have no choice in handing over the personal data, most of which is completely unnecessary (but very useful for marketing), in order to get things we need.
Unless and until that changes, all the hand-wringing in the world won't make a hill of beans of difference.
It will take something like Sarbanes-Oxley, making the officers of companies and non-profits, and government workers, who handle our data personally criminally liable for failure to take due care, before there is any change. As it is now, it is a simple cost calculation, and security is pure cost. The people in charge are betting that they can cash in their stock options or get promoted/transferred before the failure to protect data causes a problem.
Last, but by no means least, everything that the naysayers said about Social Security when it was first proposed have come true: the SSID is a national ID number, and is routinely abused; and the Ponzi Scheme has run afoul of demographics. It's time to end the charade: outlaw the use of SSIDs by anyone except the SSA, and to allow people to opt out of SS.
This information doesn't surprise me. I think the increase is do to the increasing ease of standing up a website. Anybody with minimal computer/coding/security experience can stand up a website that takes your credit card information. I've dealt with COUNTLESS sites that have horrible file permissions, no security apps (like mod_security), and their DB connection password is weak. It's unbelievable how little effort folks will put into securing their business operations. On top of that, customers who repeatedly get hacked won't be willing to go through the hassle of auditing their customers or upgrading their software, so the same vulnerabilities get exploited again.
Blaming the tech is a cop-out - firewalls and encryption mean nothing if these people are entering their details into any website that asks for it. Paper/card shredders are cheap now (even/especially for the home) and people have been told for years not to click on links in unsolicited emails, *especially* if they're from a bank/ebay/PayPal.
Instead of spending more on (company-side) tech there should be more spent on user-side education. Only those who've been a victim of identity theft and the paranoid (waves!) tend to realise exactly how much value there is in our personal information.
I quite regularly enter junk into websites that I feel ask for too much information - no, you don't need my full address and telephone number before I download that article. If there is a legitimate reason why they do need my information (delivery/billing) and the site looks okay then that's fine, but too many websites and for too much information before they'll let you do anything.
In the olden days (like 10+ years ago), if someone wrote a check in someone else's name, it was called "fraud". It is, in fact, a crime where someone steals money from the bank.
:(
At some point, someone changed the vocabulary, and now we call this "identify theft", and so we make the crime against the person who's name was forged. In fact, this person has nothing to do with this crime, and is an innocent bystander. The bank is charged with protecting my assets, and if they fail to do so, they should be liable, just as much as if someone walked into the bank with a gun and took it!
By convincing society at large that the crime is "identity theft" and not "fraud", the corporations, while not solving the problem of fraud, has made it someone else's problem; namely their customers. And the customers accept this, and direct their ire against the criminals, instead of against the company. (Admittedly the criminals are Bad People, so they do deserve to be feared and hated.)
In some ways, it is a stroke of genius by the corporate world. But not one that we should celebrate.
Information thieves, it seems, are just one step ahead of IT security.
No. IT security would be doing just fine if users and administrators protected themselves with existing security recommendations.
As long as people act like sheep they will be lambs to the slaughter.
Having to work for a living is the root of all evil.