Vantage
feature

IN THE DEAD OF WINTER, the South Pole is one of the most crime-free zones on Earth: refrigerator pilfering amid the 58 wintering scientists may be the worst offense at this scientific resort at the bottom of the world, where temperatures can drop to 58 below zero. But earlier this year, the South Pole server belonging to the National Science Foundation (NSF) — the standard-bearer for U.S. government data security — received a disturbing email message that said, in effect, “I’ve hacked into the server of your South Pole Research Station. Pay me off, or I’ll sell the station’s data to another country.”

Sometime in the night, working from a cybercafé in Bucharest, two Romanian hackers had been busy at work, nearly succeeding at their bold shakedown.

The intrusion at one of the world’s most secure servers — due to its isolated location and the fact that researchers can access it for only a few hours every day as a satellite passes overhead — reveals the dark side of the digital Utopia, a world where pick-pockets and scalawags have taken to the bandwidths like shoplifters to the Mall of America.

Although the two Romanians were nabbed in May by the Federal Bureau of Investigation, they are in the minority: only one in 700 Internet pirates is ever caught. What’s more, many of the raiders go far beyond extortion, grabbing treasure chests of data booty: Social Security numbers, credit card data, photographs and, increasingly, personal identification numbers (PINs) for debit cards. So far, only about 8 percent of computer-using adults in the United States have fallen victim to digital crime. Still, that means about 7 million Americans had their personas stolen last year. More often than not, that “mugging” took place inside a server owned by an American company; 70 percent of the time, victims initially didn’t know their pockets had been picked. And those figures are for the United States alone. In the United Kingdom, the Fraud Advisory Panel, an independent group that advises on fraud issues, reported in July that identity thefts totaled 42,029 in 2002, and that the crime costs the British economy 1.3 billion pounds annually. Magnify this issue to a global scale, and you see the challenge international enterprises now face.

In this time of living dangerously online, however, a bevy of new privacy laws, both in the United States and abroad, have been added to established technologies such as strong authentication and virtual private networks (VPNs). Together they offer new answers, challenges and direction for global companies struggling with how to keep their critical data under lock and key.


Most companies “want to give the impression that all’s well,” says Dan Clements, a security analyst and the president of CardCops.com, a Malibu, California-based company that alerts consumers to credit card fraud. “But all is not well.”

To be sure, a growing number of banks, prodded by the U.S. Department of Justice, are double-checking the identities of their customers — and employing their own hackers to guard their servers. But for other companies, especially smaller firms, it’s harder. They can’t afford to pay salaries to an in-house hacking team, so they just run an off-the-shelf virus-scanning package once a day. Many small businesses are simply not staffed to be patching 24/7, as most experts recommend.

As a result, cybercriminals break into systems about once every hour, with results ranging from the innocuous to the devastating. In 38 percent of the cases, the thieves actually obtain money; the average loss to consumers alone is $740.

Those cases are part of a greater security picture faced by companies both abroad and stateside. Already, identity theft from corporate computers is expected to cost companies $74 billion this year alone in the United States and more than $200 billion worldwide, according to Stamford, Connecticut-based Gartner, Inc. At the same time, corporations are becoming increasingly accountable for protecting their customers’ personal information. Under proposed new banking legislation in the United States, banks would be liable for ensuring consumers’ identities, and the U.S. Federal Trade Commission (FTC) is drawing up new requirements and guidelines for companies to report when personal information has been stolen from their servers. In California, SB 1386, which took effect in July, allows financial penalties and the ability for victims to sue companies over unannounced security breaches.

“Identity theft is our third priority right now,” says Bill Murray, a spokesman for the FBI’s Cyber Division in Washington, D.C. “It’s right behind counterterrorism and counterintelligence.”


Meanwhile, corporate safeguards seem to be crumbling. Following are some recent examples illustrating the problems created by online theft:

  • In August 2003, a major credit card server based offshore had an intrusion of unknown proportions. The news stories read like an episode of “The X-Files,” with a suspect being held in Michigan and the company refusing to reveal the extent of the hack, including how many, if any, records were stolen.
  • At a leading print and copy shop in New York, a sly college kid found a way to capture debit card information through the company’s in-store server; he returned every few days to collect new numbers. He was arrested and pleaded guilty to fraud, though total losses — or, in his case, winnings — were never determined.
  • A Nebraska bank recently found that thousands of its customers’ names and PINs were stolen from a server. Meanwhile, some gas station employees have been known to rip off PINs by cutting into the short cord that runs between the countertop PIN keypad and the cash register.

The gas station heists are just one example of the audacity of a new breed of digital pirate, often at odds with themselves ethically and often working at the very companies they’re ripping off. “Corrupt insiders is what we call them,” says Betsy Broder, an assistant director at the FTC, which regulates Internet transactions in the United States. In other cases, outsiders commit the crimes. Among them are teenage script kiddies who torment major corporations by rewriting their online press releases and otherwise vandalizing their Web sites. Then there are the international thieves, who deal worldwide in stolen credit cards.

“We’re looking at a digital age, but we’re dealing with the same snake-oil salesmen that we’ve traditionally dealt with,” says Murray. “But the criminals are going to get more and more savvy and will continue to exploit the technology to their gain.”

What online thieves want are the lists. Whether they’re “black hat” IT guys stumbling on hidden data files or Ukrainian computer urchins seeking Social Security numbers for the local forger, they know there’s money to be made off private information — as much as $50,000 per thief per week, according to the Software & Information Industry Association. While many are thugs, others are the often overworked and sometimes embittered low-rung employees.


Compounding the problem for digital detectives, most companies are loath to acknowledge when identity theft occurs because they don’t want to upset existing customers or scare off potential new ones. Indeed, some critics say that credit card companies report more than 70 percent of such cases as simple losses, without mentioning online theft.

“One IT guy was 98 percent sure that hackers had gotten all 50,000 credit cards from their servers, and the response from management was, ‘Don’t tell a soul, otherwise we go out of business,’” says Clements, of CardCops.com. “Now, these new disclosure laws are putting a lot of pressure on management to say, ‘Hey, are we going to break the law, or are we going to disclose?’ And it actually takes the pressure off the IT guy, because every breach puts his butt on the line. What you have are a lot of conflicts of interest (within the company itself).”

While the prognosis may seem grim for data security (some analysts expect ID theft to grow by 300 percent a year for the foreseeable future), the forces of good are working to force online criminals into the open. In the United States, cyber divisions of the FBI and the FTC are learning techniques, especially as many divert their attention from anti-pornography investigations to identity theft. In the case of the Romanian hackers, the FBI Cyber Division used IT detectives in its Washington, D.C., bureau and its Romanian field office to locate, within hours, the Bucharest café where the blackmailers had set up shop.

Moreover, many states and federal agencies are taking a cue from California, putting greater pressure on companies from banks to bicycle shops to improve security or face sanctions.

In Japan, lawmakers last spring voted into law a set of privacy protection bills that (1) give individuals permission to obtain information companies have collected about them, and (2) restrict businesses and government agencies that use and share personal data. Violators of these new laws can face penalties of up to $2,500 in fines or six months in prison.

Experts also warn that companies must fight a natural apathy toward security vigilance. Already, many are doing just that: Oracle Corp. and other firms pay groups of underground employees to try to hack into the company’s computers, leading to some security improvements. Smaller businesses are getting better at keeping up on software patches, deploying stronger forms of authentication, using the latest encryption technologies, exploring VPNs and bringing in security auditors to locate weaknesses in their cyberdefenses.

Sure, two Romanian kids might have the wizardry to break into one of the most remote servers on Earth. But with a few precautions and the right tools, companies can usually halt even the most audacious cyberthieves in mid-keystroke (see “Three Ways to Stop ID Thieves in Their Tracks”).

Today new technologies such as data splitting — breaking up customer files and scattering the information on different servers — and strong authentication, which goes beyond the user ID/password setups of most e-commerce sites, are making it easier for even small companies to build a fortress around their virtual customers in the Internet kingdom.

“It’s been common practice to put off thinking about security until after a…breach,” says Art Coviello Jr., president and CEO of RSA Security Inc. “Unfortunately, that’s too late … (and) companies may be unnecessarily jeopardizing their customers’ privacy.”


The Web offers some good resources for learning more about ID theft, including these:

THE FEDERAL TRADE COMMISSION (www.consumer.gov/sentinel): The FTC’s public consumer site offers plenty of materials on new laws and reporting requirements.

COMPLIANCE HEADQUARTERS (www.complianceheadquarters.com): This site, aimed primarily at the financial-services industry, also offers a wealth of general information on ID theft and related federal and state legislation.

AMERICAN PRIVACY CONSULTANTS (www.privacytoday.com): This site offers news, links, and resources about ID theft and other privacy issues.

CSO (www.csoonline.com): Both CSO and its sister publication, CIO (www.cio.com), maintain web sites stocked with news, articles, research, and more information on ID theft and other cybercrimes.

RSA SECURITY INC. (www.rsasecurity.com): The security specialist’s site offers a wealth of white papers and other resources to learn more about protecting digital environments.


THREE WAYS TO STOP ID THIEVES IN THEIR TRACKS

1. PERSONAL SOLUTIONS Corrupt insiders are the number one thieves in the digital world — tech savvy but ethically challenged types known as “black hats.” To fight insider jobs, many companies are greatly increasing screening of new hires, requiring, for instance, comprehensive background checks. Many firms also have set up new information infrastructures that make it both harder for low-level employees to access vital company information and easier for managers to track the flow of sensitive data.

2. REPORTING SOLUTIONS In the United States, the Federal Trade Commission is formulating new ways for merchants and banks to announce ID thefts from their systems, including easy-to-use reporting forms available from the agency’s Web site. These methods — many of them mandatory — help warn consumers while giving merchants a simple answer to the ethical conundrum of whether to report such breaches.

3. DIGITAL SOLUTIONS Several new technologies can make e-commerce more secure — and perhaps even draw consumers to “safe sites.” Many companies offer new authentication and encryption programs that far exceed most current industry standards. Among the leaders is RSA Security Inc. For more on RSA Security solutions and services, visit www.rsasecurity.com.


— Patrik Jonsson

ON THE AGENDA:
Identity theft — particularly of digital personas — is among the world’s fastest growing crimes. This package explores the following topics:

  • what ID thieves want and how often they strike,
  • what identity-related crimes cost organizations worldwide,
  • how federal and state agencies hope to combat ID theft in the United States — and what the growing array of new regulations means for international businesses,
  • how companies are fighting “security apathy,” and
  • how organizations of all sizes can stop ID thieves in their tracks.


Identity theft is expected to cost companies $74 billion this year alone in the United States and more than $200 billion worldwide, according to Gartner


ID Theft by the Numbers

6
Percent of U.S. CIOs who have had their identities stolen via their computers.

33
Million of ID theft victims since 1990.

12
Percentage of U.S. computer users who are personally aware of sites or companies that have been hacked or otherwise breached for profit in the past.

73
Percentage increase in consumer complaints about ID theft since 2002.

120
Number of California lawmakers who had their personal information stolen by a hacker knocking over a state-run server.

Sources: CIO; the Center for Social and Legal Research; Gartner Inc.; the U.S. Federal Trade Commission; the California State Controller’s Office.

Copyright © 2003 RSA Security. All rights reserved.