Credit card fraud, identity theft, and broader personal data theft are problems that plague our information-dependent society and predate the age of the Internet. Ironically, things such as automated processing of financial data that make your life easier and more convenient also make crime easier and more convenient. Moreover, the Internet allowed crime that only happened on a small scale to grow and spread globally, and the Internet’s scalability turned electronic-based crimes into a global concern.
Some crime was automated and changed from rare to widespread, for example, Nigerian e-mail or UK Lottery scams. Gone are the days when criminals needed to be in the same location, country, or even continent to scam you out of your hard-earned cash. Nigerian e-mail scams started many years ago and are profitable for the scammers. They send out millions of e-mails claiming to be a relative of a Nigerian dignitary with frozen assets and ask you to transfer the money for them. You give them your bank account information and/or send them “seed money” to get things moving and end up with nothing. UK Lottery scams aren’t much different, using the same basic constructs but promising you a cash prize.
Criminals have gone high-tech and have discovered that there is a significant amount of money to be made with very little risk. Hacking a company database or orchestrating a phishing attack while sitting in your pajamas and eating Extreme Doritos in the living room of your house has much more appeal than physically robbing banks or convenience stores. The advancement of automated exploit kits such as Metasploit has made couch-hacking more effective for even the slightly knowledgeable. Add to that the lower risk of a confrontation with firearms, and electronic crime becomes even more attractive! Depending on the company being targeted, the sophistication of the attack, and sheer luck, high-tech crime may sometimes also be significantly more lucrative than traditional armed robbery.
Sadly, cross-border prosecution issues significantly fuel a cybercriminal’s activity. When a criminal physically robs a convenience store, he is probably caught on tape and there are witnesses. In addition, law enforcement will mobilize quickly to find and catch the criminal so he may be brought to justice. Cybercriminals have a couple of things working in their favor, the first of which is their ability to commit crime without ever stepping into the physical location of their victim(s). Couple that with lagging cybersecurity laws in most countries and the limited ability of the victim’s law enforcement bodies to prosecute outside their borders, and you have an idea of why cybercrime is on the rise. In addition, the whole ecosystem of criminal outsourcing now allows criminals to focus only on the activities they do best, such as creating malicious software or conducting crime through botnets.
Malicious software (malware) and cybercriminals are not the only threat. Sadly, the very companies and organizations that are entrusted with sensitive information are often to blame because of a lack of adequate controls to protect sensitive information. In some companies information security is treated with apathy; in others, a lack of effective controls enables an insider to commit fraud. Consumers and businesses are faced with a wide variety of threats to their data and personal information on any given day.
Spyware, phishing attacks, drive-by downloads, and botnets are all computer attacks that are on the rise and pose a significant threat to corporate and home users as they connect to the Internet from their computers. However, those threats pale in comparison with the amount of personally identifiable information and sensitive data available to be compromised due to carelessness or negligence by individuals and corporations.
Tools
Did you know that the Privacy Rights Clearinghouse has tracked all reported breaches since the ChoicePoint breach on February 15, 2005 (as well as additional breaches disclosed earlier)? To see all these breaches with an explanation and the number of records lost, point your browser at www.privacyrights.org/data-breach.
DatalossDB at http://datalossdb.org/ is another useful site for tracking the impact of data breaches. Despite its name, most of the recorded and analyzed data “loss” incidents are really data theft and abuse incidents. The DatalossDB crew does an awesome job of tracking all publicly reported incidents and digging out the details on them.
As of today, over 500 million personal information records of various kinds have been lost or stolen. Every year since the ChoicePoint breach, we’ve seen major companies fall victim to Payment Card Industry (PCI)-related security breaches. DSW Retail in 2005, the U.S. Department of Veterans Affairs in 2006 (and in later years), The TJX Companies in 2007, Hannaford Brothers in 2008, Heartland Payment Systems in 2009, Albrecht Discount in 2010, Sony in 2011, KT Corporation in 2012, and the various retailers in 2013–2014 that have reported breaches, including Target and Neiman Marcus, continue to demonstrate both the poor state of security and the increasing sophistication and numbers of the bad guys (as more and more countries have growing populations on the Internet) who want this data and know how to profit from it.
In an “Information is King” era, when more consumers are using computers and the Internet to conduct business and make purchases, taking the proper steps to secure and protect personally identifiable information and other sensitive data has never been more important. It is bad for companies, individuals, and the economy at large if consumer confidence is eroded by having personal information exposed or compromised. Credit card brands are definitely not the only entities suffering from such possible loss of confidence.
Note
Take a step back from the text for a minute and adjust your mindset to think of yourself as a general consumer, Internet user, or citizen—not as a security or payment professional. What data do you hold dear? Think through the following list of scenarios:
What data or information about me can be considered sensitive and should not be disclosed, be corrupted, or be made permanently or temporarily unavailable? Think of a broad range of types of information—from a rare photo to your bank account number, medical history, or information about anything you’ve done that you are not proud of.
Think about whether this information exists in any electronic form, on your computers or anywhere else. Is that picture on your “private” Facebook page—an oxymoron if there ever was one—or present in an e-mail spool somewhere?
Next, think whether this information exists on some system connected to the Internet (possibly indexed by a helpful engine). Sadly, the answer today would be “yes” for almost all (!!!) information people consider sensitive. For example:
Credit card information—check
Bank account information—check
Personal financial records—check
Tax records—check
Legal proceedings—check
Sensitive personal files—check
Health records—check.
Think about what will happen if this information is seen, modified, or deleted by other people. Will it be an annoyance, a real problem, or a disaster for you? What if it’s just on a decommissioned hard drive that fell off the back of a truck?
Now, think about what protects that information from harm. Admittedly, in many cases, you don’t know for sure. We can assure you that sometimes your assumption that the information is secure will be just that—an assumption—with no basis.
Going through this list helps you not only understand data security rationally but also feel it in your “gut.”
Information technologists are affected by a number of laws and regulations designed to coax businesses into addressing their security problems. Depending on what industry a company serves, it may fall under Sarbanes–Oxley (SOX), the Gramm–Leach–Bliley Act of 1999, the Health Insurance Portability and Accountability Act (HIPAA), the Federal Information Security Management Act, and other regulatory mandates that we mentioned in the very beginning of Chapter 1. Perhaps this confusing hodgepodge of alphabet soup—and that is without European and other regional mandates and regulations—makes understanding how to comply with all these measures a tough job, as many organizations still fail to enforce adequate security. The Unified Compliance Framework that can be found at www.unifiedcompliance.com tracks hundreds of IT-relevant regulations, and many commercially available e-Governance Risk and Compliance (eGRC) tools such as RSA’s Archer or IBM’s OpenPages can help build, manage, and reference a common control set to cover all of these...