On the Offensive over Identity Theft


Catch Me If You Can isn’t just a hit at the movies this winter.

It's also the modus operandi for a growing band of street criminals and their hacker allies who trade in consumer credit card information, social security numbers and other internal company data that wash across millions of web sites every day with increasing velocity.

It's ironic that as most other types of crime are declining, identity theft is booming - doubling in the U.S. to roughly 162,000 cases last year - which has made identity theft the leading consumer fraud, according to the Federal Trade Commission. The FTC reports that as many as 700,000 consumers may be victims of identity theft this year, costing each person an average of $1,000.

While the search for causes and cures is endless, several key facts stand out. First, more and more consumer and business data are online to meet the requirements of on-demand business, and for good reason - organizations of every size and description are automating the way they do business to cut costs, speed service and reach customers, suppliers and partners more easily.

Second, despite the costs of fighting identity theft, the web is still the best friend businesses and consumers ever had. We're not going to scrap the internet because of identity theft. But we do need to get much more serious about managing identity theft. Too many organizations are still in the dark ages compared to the identity thieves they are up against. The fact is, today's identity thieves, who often have inside experience, are outsmarting us at nearly every turn.

It's not hard to figure out why. Ask yourself, who is more likely to be successful - a full-time hacker searching for a security hole into a company's systems, applications and data - or a developer with a thousand other things to do besides plugging every conceivable security hole?

It's not that we don't have the security tools and knowledge to manage the problem. The real issue is that most IT organizations are too stretched to devote the resources to keeping up with the thieves - let alone get ahead of them by designing systems that are so sophisticated the thieves can't get in. Organizations spend too much time reacting to security breaches, rather than preventing them from happening. The most effective deterrent to identity theft is making an organization's IT architecture so airtight that thieves decide it's not worth it.

After all, there is fundamentally nothing new about identity theft, which amounts to exploiting holes in existing technology. Instead of rifling trash bins for credit card receipts and wiretapping phones, today's thieves steal data using a mouse and keyboard, and sell their booty to the highest bidder on the street. The hackers are also often recruited by thugs to steal information.

It follows that organizations need to get more serious about fighting this growing menace. Most important, they need to replace the patchwork of security systems currently in place with an overall security architecture that plugs the holes inside and outside the enterprise, makes sure the right people have access to the systems, applications and data they need, and keeps everybody else out.

Here is a plan of attack to get ahead of the identity thieves.

First, shut the door on former employees and temporary employees who maintain valid company IDs and passwords. With employee turnover running at 100 percent in industries like retail, it's not unusual for 20 percent of company accounts to belong to employees who haven't worked for the organization for five years or longer. These accounts never expire and allow former employees to roam freely inside the enterprise.

An even bigger inside problem is current employees who have unrestricted access to company systems and data unrelated to their job responsibility. Security policy should restrict employee access to pertinent areas of the business. Why should a customer service rep be allowed to access company inventory data? Moreover, if they're trying to gain access to areas unrelated to their job, the enterprise should be able to monitor this activity closely and take appropriate action.

Second, recognize that today's homegrown security code is highly vulnerable to hacker attack. A hacker can access a public web site linked to an internal distributed file system, and gain access to company and customer files. For example, many organizations now put customer best practices online so that other customers can gain insights. As this happens, hackers are finding ways to access applications that provide information on other users, which they can use to steal their identities.

The fix is to replace patchwork security code with a sophisticated security architecture that closes the holes between different parts of the business and outsmarts the thieves at their own game.

Third, organizations need to randomize data to protect individual customer identity and privacy. While customization of individual data is clearly here to stay, this raw data must be kept under strict lock and key so that others cannot use it to invade individual privacy. For example, does the marketing department need access to everyone's name and address, or just access to macro trend data? Companies can extract macro data from individual customer information, which will protect privacy rights and yield nearly the same business benefit.

The point to keep in mind with all of these steps to improve security is that enhanced security doesn't have to be a business inhibitor; in fact, if implemented wisely, security is a business enabler. It's up to organizations to take preventive steps that will strengthen the business as well as defeat the bad guys before they strike.

Jeff Drake is director of security strategy for IBM Tivoli Software ( He was a founding officer of identity management firm Access360, which was acquired by IBM in 2002.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.