Identity Fraud, an associated offence, has attracted less media attention. It can take two forms:
Most commonly, it involves an individual 'massaging' data: adding a degree or two, deleting a conviction or a divorce, adding a few years of age (popular among teenagers facing age-based access restrictions) or taking a few years off once the individual reaches a certain age.
As such it is popular among all classes, from highschool kids enhancing ID passes to get into nightclubs through to company directors and members of parliament buffing their profiles.
More rarely, some individuals have created a new identity altogether - one that is sometimes used to live an otherwise law-abiding existence rather than as the basis for theft. Self reinvention is arguably a central theme of US culture, where - like people in the rest of the world - many have dreamed of shucking off an inconvenient past and starting afresh, often with the aid of a glossier resume and fewer wrinkles.
As discussed later in this profile, statistics about theft/fraud are problematical. In 1985 the US Congress for example noted indications that up to 500,000 false tertiary degrees are in 'use' in the USA (eg were cited for employment purposes), that 10,000 false medical degrees are in use and that 30% of employees were hired with 'massaged' credentials.
The shape of identity crime means that impacts encompass:
- the deeply personal (parents of dead children discovering that someone has appropriated their child's identity)
- erosion of someone's good name (use of an email address for spam) without direct economic impact
- evasion of behavioural restrictions (using a doctored ID card to enter a nightclub while underage)
- illegal receipt of welfare benefits
- scams against consumers and businesses (eg a forged cheque or stolen credit card) that result in direct financial loss
- erosion of someone's profile, with theft of identity resulting in an individual losing a good credit rating or even employment opportunities
- evasion of surveillance and law enforcement (eg fake identities for terrorists and other criminals)
- exploitation of 'credentialism' for economic or other benefit.
Yes, identity theft. And I'm not talking about this petty nonsense either. I'm talking big time, purchases made in my name with my debit card number--which is tied directly to my checking account. Shady purchases like a telephone forwarding service. This thief wasn't planning on having the best prom ever.
I was balancing my checkbook last night and came across two charges from within the last two weeks that, after a little head scratching, I determined I did not make. Neither were especially significant in dollar amount but I lost almost an entire business day to cleaning up the mess and talking to authorities. The card was cancelled and another issued, fraud alerts were placed on my credit reports with the Big Three (Experian, TransUnion and Equifax), and a police report was filed. I can't imagine how someone acquired my card number. Being a web designer/developer I'm savvy enough to sniff out a phishing hole and I keep all of my receipts. Thankfully, I don't think my Social Security number is out there but we'll see what my credit reports turn up.
I did receive some small consolation--actually, I'm stoked!--when I found out that ShaunInman.com was today's pick over at Web Standards Awards. The site is in excellent company (The League needs to stick together, right?) so it will be interesting to see which one walks away with the first Site of the Month.
Fingers are crossed that it's me--and not just somebody claiming to be me.
Always ask "What harm could it do?" Being constantly aware of where your ID is and what information, in the wrong hands, could hurt you is your best defense against social engineering.
Shred all of your mail no matter how innocuous it may look to you. Be ever-vigilant for where your SS# is in print (you'll be amazed how public it is).
I advise cutting up those credit cards that are "key chain-sized" that banks send automatically now, as we all lose our cards.
Keep your eyes open for your own ID, listen to your gut and don't ever be afraid to double check when in doubt.
Do you think that searchable websites that display 'public records' (like unlisted phone numbers, actual addresses) should be illegal? Don't these types of 'public data' servers help out committers of identity theft?
BEWARE, search engines/portals are listing your private data (it is definitely unethical to post people's addresses and other personal data); people can obtain this data to assist them with IDENTITY THEFT (stolen identities).
People do not know that if you even simply register to vote or request to join the army/military in the USA, your name/address/telephone are made public information (a multi-billion dollar industry selling our private info) without you having to sign a consent form or being asked permission! Even when you buy an internet domain name (lease, actually; no single person actually owns a domain name, even Bill Gates does not own Microsoft.com), your address, name and telephone number are added to public records, and anyone with an internet connection can retrieve this data to harass you or even SPAM you (don't forget that deranged cyberstalkers can find you now)!
Got employees? Then you have information that could be used for identity theft, and nothing will help as much as just being good at your job in the first place. We're talking data hygiene 101: firewalls, background checks and security policies. "The reason that a CSO should be concerned over identity theft is because it fits in with so many other elements of a good security program," says Richard Lefler, the former vice president of worldwide security for American Express.
For instance, he says, background checks might help keep criminals from infiltrating your human resources department, where they could access employee records. Shredding policies could keep Dumpster divers from getting their mitts on sensitive customer data. And audit trails would help you determine the source of a possible problem if law enforcement spotted a trend that traced back to your company.
Sound paranoid? Perhaps. However, notes Lefler, although "criminal enterprises generally are small and loosely knit, they can be very large and very sophisticated.
"Other forms of white-collar crimes have become more difficult, so many of the criminals have migrated into doing identity takeover because they can increase their returns." In other words: Don't underestimate your enemy.
At first glance, it seems you can't do a lot if your company is targeted by a phishing scam, in which a phisher spoofs your company's identity in an effort to gather personal information about your customers. (See "Gone Phishing," right.) "It's pretty difficult" to deal with, admits the Anti-Phishing Working Group's Jevans. "You can say, we will never send you e-mail, or do not click on a URL in e-mail, but that makes it difficult to do any kind of e-commerce." What's more, when a bogus website is reported to law enforcement, Jevans says, it takes an average of 160 hours to get it shut down if it is hosted outside the United States--which applies to 40 percent of phishing sites. And by then the damage is done.
In this case, a little education can go a long way. Start by letting customers know that your company won't ever ask them by e-mail to divulge personal information, says Howard Schmidt, former vice chairman of President Bush's Critical Infrastructure Protection Board and CISO of eBay. Common targets such as Amazon, AOL and eBay have set up phishing tutorials on their websites to educate their customers about the scams.
At the same time, make sure employees who correspond with customers don't ask for this kind of information. You'll also need a mechanism for consumers to report the spoofed e-mails to you, and for your company to report the scams to law enforcement. Then, Schmidt says, "it becomes a policy issue."
The Internet makes this type of crime even more efficient. With "phishing" scams, criminals send out bogus e-mails telling recipients that they need to confirm certain account details to reactivate their accounts or claim prizes. The messages appear to come from a reputable business and often include logos and text lifted from company e-mails and websites. But the links actually go to phony but convincing websites set up solely to gather information, whether it's ISP passwords or Social Security numbers.
A couple of years ago, my personal credit card account number was compromised. Did this stop me from continuing online transactions? No way.
In my case, while an unauthorized party gained my account details, no transactions were made. The bank's fraud department was understandably hesitant in releasing details of the compromise, but it was very quick in taking action. I'm not even sure whether the offending party was an online merchant, a hacker or a traditional retailer.
The media in general have fed the paranoia levels of the online consumer community regarding online transactions. Yes, credit card numbers are stolen and yes, there are victims who suffer financial loss. But submitting your credit card details online is no different to handing your card to a shop assistant that you don't know or a waiter you have never met before. There is very little stopping merchants we carry out transactions with on a face to face basis from gathering detailed lists of account numbers to be sold off on the black market. In fact, according to the 2005 Identity Fraud Survey Report, under 12 percent of ID fraud incidents originate online.
The media have also fed the xenophobic cold war attitudes of years gone by, by focusing on certain countries. Credit card number hackers are "Russian", true. They are also American, Australian and English. Every country in the world has a community of identity thieves, scammers and spammers.
If you own a credit card and don't carry out online transactions, it doesn't mean you are safe. We need to remember that most of the world's information systems are now connected somehow to the Internet. All your vital details are now available online, regardless of whether or not you are an Internet user.
If you have ever collected a welfare payment, taken out an insurance policy or registered a vehicle - congratulations! You are now part of the World Wide Web, like it or not. You can now emerge from your privacy fortress as resistance is futile. That's the reality of our modern lives.
So, now that I have blown away your misconceptions about your privacy and your false sense of being safe from identity theft, let's deal with reality!
Identity theft and credit card fraud are not uncommon; such is the nature of an online world.
How do we as netizens and webmasters protect ourselves and our clients as best as possible? It boils down to a number of simple guidelines.
This book fits the bill for me!! And it is enjoyable.
I have a number of other handbook style books - one that cost nearly six times more but was really a collection of articles written by a dozen different people (some with obviously conflicting views) bound under the same cover.
What I liked:
This book simply sets out the things I need to know about Organisations, Strategies and Audits, then progresses into firewall design and security testing. And it is so funny - the cover is right, this man does make security light going.
What could be better:
The guy is obviously technical, so at the end some of it is a bit hard going - I just had to skip bits. But each chapter is laid out so that it gets more complex towards the end, so this wasn't a problem.
I would have liked more on Virus technology and Wireless security - especially as, after some work on Google, I understand that the fat-bloke was a leading researcher in wireless security.
Overall conclusion: Great.
Security isn't just something you "turn on". Security is a mindset, a set of systems and practices that affect all aspects of your work environment. And implementing security practices--especially in an organization devoid of such--is a daunting task. I found this to be an excellent book in that the author obviously understands security. He's dedicated his life to keeping privileged information safe. More importantly, this book is laid out in such a way that it will lead the uninitiated, newly appointed security expert at any organization through the process of implementing a security framework.
Firewalls, Intrusion Detection Systems, and the like are only as good as the policies that govern them. The first step in implementing security is to define an information security policy. The author leads the reader through identifying business risks and creating an action plan to mitigate those risks.
In addition to the expected "what does a firewall do, and how should you use it" type of information, the author does an excellent job cutting to the chase on a wide variety of security issues. He provides examples of how to find the right people to implement your security framework, what types of systems might be required in your environment, and how to perform periodic penetration testing to see if your security framework keeps the bad guys out.
I really see this book being of great benefit to the newly appointed security expert, who is perhaps a bit overwhelmed with his/her new responsibilities. This book is an easy read, very interesting, and very useful for the individual responsible for all aspects of a company's security infrastructure.
Today, most business leaders currently pay as little attention to the issue of information security as they once did to technology. But just as technology now stands higher on the chief executive officer's agenda and gets a lot of attention in annual corporate strategic-planning reviews, so too will information security increasingly demand the attention of the top team. In a networked world, when hackers steal proprietary information and damage data, the companies at risk can no longer afford to dismiss such people as merely pesky trespassers who can be kept at bay by technological means alone.
Who really cares about security? Where do our emails go before coming to our inbox? Who is tracing through them, or scanning their contents? Are you telling me that no one out there is monitoring information? Is it as secure as what they claim?
Like any good organisation, management plays a vital role in the development and sustainment of the organization in the new modern era. In the software world, good management systems play an even more vital role. The book gives a good insight into MIS, and for those who are unaware of the inner workings of MIS, this book is a good start.
I agree with the author's comment about systems administrators not doing much to protect the personal computers. Coming from an organization that values MIS, problems like virus attacks, spam, and frequent server problems often plague our systems. Why is this? Is it that the administrators are incapable of achieving the minimum of what is required? I think they need to read this book and get some insight... What do you think? How is the MIS at your workplace??