April 1, 2005 4:00 AM PST
Perspective: Want to prevent ID theft? Get back to basics
First it was a security breach that left ChoicePoint's treasure chest of personal information (145,000 accounts) vulnerable to prying eyes. Less than a fortnight later, Bank of America backup tapes containing data on 1.2 million accounts went missing. More recently, someone hacked into a confidential database containing as many as 32,000 records at Seisint, a company owned by LexisNexis.
Bad guys are targeting corporate databases because, obviously, that's where the money is. But the bigger concern is that many of these confidential "bet the business" databases (and other critical systems) still remain woefully insecure.
The Enterprise Strategy Group recently surveyed 229 U.S.-based security professionals from organizations with more than 1,000 employees. The majority of respondents (52 percent) came from organizations with more than $1 billion in annual revenue. Our goal was to get an objective metric of just how bad the internal security threat really is.
The results paint a frightening picture. For example, 23 percent of respondents reported their organization had suffered an internal security breach in the past 12 months, while 27 percent didn't know if it had or not. Note to self: Make sure the people you do business with know whether they've been hacked or not.
Regarding the damage caused by these internal security events, 40 percent of respondents said that an internal breach led to an interruption of a critical system or service, 38 percent indicated that an internal breach led to data corruption or loss, and 17 percent said that the internal breach led to the theft of intellectual property.
Are you ready to cut up your credit cards yet? It gets worse.
To understand the scope of the problem, we asked respondents to identify the types of network vulnerabilities they'd discovered in the past year. The list is too long to go through, but suffice it to say that a number of users reported many security no-no's, including active accounts for ex-employees, equipment configured with default passwords, rogue servers or devices, and unauthorized personnel with root (or administrator) access to critical systems.
Perhaps the most worrisome data point: 16 percent of respondents believed they had some of these network vulnerabilities, but hadn't taken the time to do an audit.
Finding an angle
This unacceptable situation is fueling a new type of zeal about data security. U.S. citizens are rightfully upset and demand action. Of course, politicians can't resist a passionate topic, so calls for new regulations can be heard all over. Security technology companies are licking their chops, hoping to turn privacy phobia and bad publicity into product sales. Everyone has an angle.
So here's the problem with all of this activity: The downside of security becoming more mainstream is that everyone has an agenda or opinion, and the default behavior is overt overreaction. Yes, something must be done, but it's important to get back to basics first.
Most bad guys aren't mad scientists looking for a technical challenge. A more accurate profile might be that of a con artist who scams country bumpkins and foreign tourists. Smart cybercriminals "case the joint," looking for the equivalent of open doors and windows.
Sometimes these doors and windows are technology-based. At LexisNexis, for example, the hackers got into the system by stealing passwords from legitimate users. This is the technical equivalent of buying liquor with your older brother's ID. With Bank of America, a box of tapes was stolen from the cargo bay of a commercial airplane. See the pattern?
Before anyone panics, the logical first step in any security process is an audit. No sexy technology here, just smart security professionals looking for weaknesses in every component of a technology system and every step of a process.
Take the aforementioned list of network vulnerabilities, for example. If the customer database server is configured with a default password and contains active user accounts of terminated employees, it's a sitting duck. Companies need to take the time to discover these types of vulnerabilities, rank and order them by priority and fix the riskiest ones first. It is truly as simple as that.
The other elementary security action item is user training. Employees need to know how to recognize and report threats, not act as a patsy. If I want to break into the payroll system, the easiest way to proceed is simply to ask someone in finance for their password. With a bit of "social engineering"--that is, flim-flam--you'd be surprised how many people will volunteer confidential information. Only 25 percent of companies provide employees with security training; I'd say this is a fundamental problem.
I'm not dismissing regulations and security technology. These are important steps to safeguard privacy and protect against identity theft. But we need to address this problem with good old-fashioned common sense rather than panic.
In life, you decrease personal risks with simple prevention techniques like locking doors or staying away from dark alleys. Before we sound the security alarms, we ought to do the same thing in our work environments.
Biography
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.
I could not agree more; however, not everyone has the ability or education to recognize a threat. With the emphasis on being a 'team' player in today's work environment, merely introducing the issue of a potential threat begins to question someone's judgement in identifying the threat. Unfortunately, security awareness programs are not a high priority (until a financial loss is incurred).
Cracking and other thefts will probably still occur, but it will be with less frequency than now.
br3n
The system must be set up to limit what areas a person can access.
Access to sensitive parts of a building or to sensitive information?
For consumer protection the solution is simple: CARD READER WITH PIN PAD (SENSITIVE INFORMATION IS ENCRYPTED WITHIN THE SECURE DEVICE), which creates a Card Present Transaction (CPT), combined with SINGLE USE CREDIT CARD NUMBER technology.
1. Eliminates credit or debit card numbers transmitted over the Internet.
2. Eliminates keylogging.
3. Eliminates third-party storage of your information.
4. Eliminates the need to educate, because your information never leaves your person... Simple, not complex.
I just learned of a big security breach, and this one deals with the Hughes Satellite company, the ones that own Directway and Dish TV. Well, their tech support works overseas, and I had to call them one night about my satellite not working. I asked where he was from, because he said Egypt, so thinking he was here I asked, can I speak to someone who can speak English better? And he said no, we are all from Egypt. So I tried to explain my problem and we talked for hours. Then he said, I see the problem, your account was changed. I said, how? He said, oh, it is a problem here; some employees steal accounts and sell them on the black market here. So he fixed the problem and changed my password, and then it got me thinking how much information these employees steal over there, because they have access to millions of internet logs and can view lots of transmissions. So next time you think you are on a secure web page, you're not; somebody is sitting at a desk on a hop watching you, waiting to make a buck. The bad thing is this company is overseas and there is nobody to complain about it to here, because I tried contacting Hughes people, and when I got no response I looked at their website. Look at who owns it, all Arabians and Egyptians. http://www.hns.com/HNS/Rooms/DisplayPages/LayoutInitial?Container=com.webridge.entity.Entity%5BOID%5B5628EFC664CF734FA8FD049D38C89A87%5D%5D Used to have pics of the CEOs and management on it, but looks like since the war they took them down. Makes you wonder. Hhhhhmmmmmm. Who spies on who here.
Thank you
Blade
We live in an increasingly virtual world. For more and more of us, our workplace is not a factory or even an office but a computer desktop, an electronic environment where complex software applications and communications tools have become our main drivers of efficiency and effectiveness. Our home life, too, is ever more digitized - the Internet has become our single most important resource for information, shopping, paying bills, doing schoolwork. Forget what science fiction tells us about the frontiers of tomorrow; we are living in a virtual reality today.
For all the benefits of this computerized environment, however, there are dangers. Some we are already aware of - viruses, worms, identity theft, data loss - and some we can only imagine. Regardless of the threat, though, the response has been meager. The most frequently used levels of encryption can be cracked. Firewalls can be circumvented. Data can be accessed surreptitiously from outside and inside even the most carefully protected systems. Yet corporations, software manufacturers and Internet service providers persist under the impression that their systems are secure. The facts tell a different story. PricewaterhouseCoopers, for example, determined from a series of surveys that in the year 2000, more than $1.5 trillion were lost due to security breaches. That's trillion with a "t."
We don't believe that it has to be that way. We're Jabcast Technologies, and our mission is to create secure, stable electronic environments where businesses, foundations, institutions and individuals can interact in the virtual world with complete confidence - and without having to compromise their personal privacy.
Security is Key
It may be surprising to the uninitiated, but our response to security issues hasn't changed much since the earliest days of civilization. The ancient Chinese, Greeks and Romans protected information with codes, and they prevented access to unauthorized areas with keys. The technology we use today may be different, but the methods we use - even on the electronic frontier - are still a matter of codes and keys. When information is exchanged between computers, for example, whether they're located in the same room or on the other side of the world, encryption is the strategy of choice. It's nothing more than the process of turning data into a code, and it's essential every day for national security, online commerce and communications integrity. Unfortunately, it's also susceptible to attack.
The problem lies in what's called "Public Key Infrastructure," or "PKI." When a user wants to establish a secure electronic transaction with another user, their computers exchange information about how to encode the information securely. This exchange takes place right out in the open - anyone who knows how can eavesdrop on the data exchange - which explains the "public" part of "PKI." However, because of the way the information is transmitted, even with this knowledge, the third party still can't break the code. At least that's how it's supposed to work.
The trouble is, the level of encryption that's most commonly used today can be cracked. It takes time and knowledge - not the sort of investment of resources that someone is likely to expend if you're just sharing your favorite cookie recipes online. But when you're exchanging financial information or trade secrets or medical data, prying eyes may be very interested indeed. More troubling is that, as the general understanding of PKI increases, it's becoming easier and easier for code breakers to do their work. What may seem secure right now may not be next year or even next month. Those cookie recipes - or your daughter's instant messages or your email history - may be the next to go.
Jabcast Technologies has developed proprietary systems that effectively shut down that opening. By using an encryption method that's orders of magnitude beyond what most systems employ - 2,048-bit encryption versus 128-bit encryption - even a bank of supercomputers working for years to unravel our code will come up short. Best of all, our encryption doesn't require users to update their operating systems or their Internet browsers; it works seamlessly, effortlessly, with the most commonplace of today's technology. To the typical user at a company that makes use of Jabcast's PKI software, it's business as usual. To individuals doing school work or looking for companionship on the web, it's as easy as ever. But to hackers on the outside, it's an impenetrable fortress.
That's only the beginning. Jabcast Technologies is introducing a complete security solution - a Virtual Security Network - that encompasses the entire electronic environment, ensuring total protection, confidentiality and confidence from the moment users log on to the time they log off. It shelters financial transactions, information exchanges, sensitive data, personal records, private communications and more from hackers, thieves and others who would do harm to our businesses, our families and ourselves.
The Ring of Protection
You are a unique individual. Proving it in most real world situations isn't that difficult. You show a driver's license, a social security card, a fingerprint - there are dozens of ways to verify that you are who you say you are. Electronically, though, it's a little more challenging, and that's where the trouble begins.
WHY BANKS?
There are a number of reasons why banks make ideal escrow houses for our electronic signatures. Foremost among these is that banks are already in the escrow business, so they understand the importance of keeping things secure. They're also excellent clearinghouses for personal- and credit-related information, they're protected by federal and state laws that make pursuit of thieves easier and more effective than other institutions and they often already have a robust electronic infrastructure in place that makes establishing escrow services a relatively straightforward process.
There are benefits to Jabcast Technologies, as well. Because we anticipate that a significant portion of our ongoing business will be related to the financial industry, establishing a relationship with these institutions gives us a competitive advantage when it comes to marketing our complete suite of services.
Escrow accounts can also be revenue generators for both Jabcast Technologies as well as the institutions that house them, because banks that recognize the potential of our technology will be willing to pay for the opportunity to participate, and because fees can be assessed to recover and replace lost signatures.
It's almost impossible to conceive of just how much information is stolen, how much data is destroyed and how much illegal activity is conducted online by those pretending to be somebody they aren't. Bank accounts are wiped out. Children are lured by sexual predators. Corporate funds are embezzled. User authentication remains one of the most significant challenges standing in the face of genuinely secure transactions, and Jabcast Technology has the solution.
Entry into our Virtual Security Network requires all users to participate in our unique authentication process, a process that can be tailored to the specific needs of the individual or business seeking entry, but which will, in all cases, ensure 100% accuracy. Users must first register their personal information - name, age, corporate position where applicable - and have that information verified through traditional channels (by checking against public records, for example). This information is held in escrow by participating banks (see the sidebar for more information about why banks make great sense for this task). It's stored in the form of an electronic signature, a unique identifier tied to each individual that not only enables access to the VSN but that also establishes a framework under which all users can safely navigate the network.
For example, businesses that want certain employees to have access to select information can tag each new user with a code that allows him or her to reach only appropriate files. Parents who want to prevent their children from visiting certain websites can apply a setting that ensures child-friendly web surfing. Online chat rooms that are for teenagers only can effectively lock out those who are too old - or too young - to be visiting. There will be no more employees sabotaging sensitive data. No more pedophiles prowling kids' forums. No more illegal online credit card transactions. Just how does the system ensure that the electronic signature remains in the possession of the individual to whom it was assigned? That's where the technology gets really exciting. Jabcast Technologies has created a suite of sophisticated security tools that verify users' identities quickly, easily and affordably.
Private Key Ring
Our Private Key Ring is a proprietary device that puts powerful security software in a compact, convenient and clever package. It's a sleek plastic case no bigger than your thumb, but the information it contains is more identifying than your thumbprint. Simply slip it into a USB slot in the back of any computer anywhere, and it opens up the world of the VSN instantly, without the user having to remember a single password. In fact, the lack of passwords is one of the greatest advantages of the Private Key Ring.
Passwords function like electronic counterparts of physical keys, enabling the person who holds them to access a system or a site. But just like physical keys, having too many of them is incredibly cumbersome. With the possible exception of janitors and security guards, who wants a massive, jangling ring of keys hanging from their belts or stuffed in their purses? Just the same, who, with the possible exception of computer geeks or the pathologically paranoid, wants a Rolodex filled with different passwords for every protected site he or she visits? If you've ever struggled just to remember what password you set yesterday to access your systems today, you know just how frustrating it can be.
What's more, password maintenance is one of the costliest and most time consuming tasks that any business's IT department must administer. Complicating things is that many systems try to enhance security by requiring passwords to be changed on a routine basis - an idea that, while in theory should work well, in practice is actually an enormous drain on resources, productivity and budgets.
The Private Key Ring does away with all that. When you hold your Private Key Ring, you are holding the one and only device you need to enter the Virtual Security Network. The moment you plug it into a computer, it brings up the VSN entry portal, and from there you can confidently navigate corporate systems, websites, communications media - literally anything you've previously done electronically - without concern about identity theft, data loss, viruses, worms, hackers or anything else that might cause you, your computer or your systems harm.
As we've discussed, authentication assures that users are who they say they are and provides a mechanism to grant or deny access to users based on the profile they've established.
Business enterprises, however, have an even more robust authentication technology at their disposal: the Jabcast Technologies ID Trust Card. The ID Trust Card operates in much the same way as the Private Key Ring, but with added security and profile features that have been designed with contemporary business needs in mind. The card itself is remarkably compact - no larger than a credit card and only slightly thicker. What makes it truly special, however, is how it's read.
The Private Key Ring attaches directly to any computer and grants access to the Virtual Security Network. The ID Trust Card, however, has an added level of security that may at first seem redundant, but to a business that values the integrity of its transactions - a stock brokerage, a bank or a medical institution, to name a few - it's a welcome step to provide total peace of mind. Best of all, that added level of protection is something that's literally foolproof: biometrics. Biometric devices are used by the United States government, our armed forces and other institutions with a critical need to limit access to sensitive data and classified areas.
by SincereY March 30, 2009 1:23 AM PDT
People usually ask how we can prevent identity theft. There are many cases in which we can prevent this kind of destruction. In the digital age, identity theft has grown into a bigger problem than ever before. Prior to the computer age, identity theft could be compared to "borrowing" your older brother's driver's license to get beer, but today it goes far deeper than that. A payday cash advance could not even begin to cover damages, such as loans taken out and cars, or even houses, purchased in your name. Some companies are now offering ID theft insurance, which in this day might be a worthy purchase, as you cannot afford to not protect yourself against identity theft. To read more visit http://personalmoneystore.com/moneyblog/2009/03/24/hang-id-someones-steal/