As the information security market matures, and we rely more and more on traditional access-control based technology, organizations are becoming increasingly exposed to double risks.
Firstly, failing to correctly establish an individual's real identity, and secondly – more critically – failing to prevent or even detect when their own customer records are being abused.
How prevalent is identity theft?
There is just one fundamental difference between conducting business in the real world and conducting business online. In both cases, goods and services are exchanged for cash within a legal framework, and any failure to meet obligations can be pursued through the courts. When trading online, however, there is an increased likelihood that our trading partner is someone we have not dealt with before, and indeed we may never have met. How do we seek compensation from someone whose identity we have never really confirmed?
Surprisingly, in the U.K., identity theft in itself is not yet a crime. Currently, a crime is only said to exist when a stolen identity is used to obtain goods or services by deception.
Identity theft is not a new phenomenon – it is traditionally perpetrated through the use of stolen or forged identity documents, such as passports, driving licenses and birth certificates. However, we are at much greater risk than we have been in the past because the credential used to confirm identity is information – and often information that can be readily obtained – rather than possession of a document.
CIFAS (the U.K.'s not-for-profit Credit Information Fraud Avoidance System) reports that, in the third quarter of 2002 false identity fraud was up 59 percent and impersonation fraud was up 25 percent, and that these are the most rapidly growing types of fraud in the U.K. Other countries are similarly affected.
How might identity be verified in the future?
One of the initiatives being taken by the U.K. government to address this problem is to standardize on four levels of confidence in a real-world identity, namely 'no assurance,' 'balance of probabilities,' 'substantial assurance' and 'beyond reasonable doubt.' With each of these comes the requirement to provide increasing volumes of evidence, which must be validated prior to an electronic identity being provided. In return, the user will be given greater trust and provided access to more online services. The Office of the E-Envoy is working towards a future where any doubt in these real-world or electronic credentials will trigger the withdrawal of access privileges and the requirement for revalidation.
Interestingly, and almost uniquely in the world, the U.K. government's thinking on this issue must take heed of a strong resistance within the population to carrying identity cards, or any form of compulsory official electronic identity. The proposed work-around to this is for government departments and other co-operating organizations to share information. This would mean that in the case of a user's identity being challenged, they would provide information about life events and their transaction history with an organization, which can (with user permission) be corroborated independently, so that the required level of assurance can be obtained.
But even this approach is problematic, and is just an attempt to manage, rather than eliminate fraud. The most organized identity fraud criminals will manage large numbers of stolen and falsified identities simultaneously, each with an apparently legitimate life history.
Stealing personal information is easy
All significant research into internal fraud indicates that the greatest source of threats to corporate assets comes from management and employees rather than third parties. This is backed up by the City of London police fraud squad, which points out that one of the fastest-growing criminal trends is placing people in positions of trust which give them access to sensitive customer information. The criminals do not need to be technical experts; they simply need a normal login account on a company system.
We must not lose sight of the basic rule that information security is only as strong as its weakest link – investments in preventive measures such as electronic perimeter security, encrypted communications or sophisticated access control systems are only worthwhile if they are deployed alongside detection-based controls. These address the vulnerabilities inherent in day-to-day life, such as our natural human tendencies to try to please anyone who rings us up asking for information, to browse whatever files and databases we have access to, or to instinctively trust everyone else in our organization, particularly those more senior to us or those claiming to be from helpdesk.
Even in an organization with a strong culture of security, it can be quite difficult to raise the alarm about a colleague, particularly where there is no direct evidence of wrongdoing. In most organizations today we are focused on our own work so much that we would have no idea whether our office neighbor was committing fraud.
How does a company protect itself?
To protect itself, an organization must be able to spot anomalous and suspicious activity, even though it looks at first glance to be legitimate. This is a daunting task – as any system manager knows. There are already enough direct breaches of security policy that require investigation without having to keep track of activity which is much more difficult to define, such as long-term strange patterns of behavior, unusual transactions with third parties, lack of delegation or the unexplained copying of data.
Analytical techniques available for detecting fraud include knowledge-based reasoning and neural networks. Several software vendors promote tools to support each of these approaches. A key issue is the ease with which models of potentially suspicious behavior can be specified. Often they can be specified quite adequately using conventional knowledge analysis techniques – in other words determine what the latest scams are and build in a rule based or statistical model to reflect them. Complementary tools such as unsupervised neural networks do not require the suspicious behavior to be specified at all: they can be left to find patterns in whatever data is presented, and the fraud team is then able to focus on only the few anomalies and assure themselves that these do not require a more targeted investigation.
It is critical that the fraud team does not include operational system managers, as this position will generally give more access privileges than anyone else, while the expertise of ops managers enables them to cover their tracks. Furthermore, the fraud team must have a direct report to the non-executive members of the Board.
The theft of identity information by individuals who have deliberately sought employment with a company holding a large number of customer records is one of the fastest-growing criminal trends in the U.K. today.
Companies are extremely vulnerable to this kind of attack because traditional security technologies are based around the assumption that employees who have been granted access to information are trusted to use it legitimately and not to defraud us.
While the value of an individual customer record may not seem to be high, the threat of reputation damage from a series of identity thefts will soon focus the attention of the executive. Some organizations have already successfully deployed analytical tools to monitor system activity for behavioral patterns and anomalous user activity, and have therefore moved from reactive to proactive fraud management.
It is no surprise that the vast majority of internal fraud goes undetected and is only discovered by accident or by whistle-blowing. For most organizations understanding internal fraud is largely uncharted territory. However, it can no longer be ignored. Recent well-publicized cases show that in addition to direct financial loss and reputation damage, a well-executed fraud can severely damage or even destroy the largest company.
Simon Foster is associate director of Detica (www.detica.com).