Introduction
Identity fraud allows criminals to conceal their true identities from the community and authorities, leaving them free to pursue illicit activities without arousing suspicion. It provides financial support, in the form of fraudulent loans and credit card purchases. Identity fraud also makes it more difficult to identify the perpetrator and prosecute a crime after the fact.
For all these reasons, identity theft has become a best practice among criminals and terrorists. Identity information is most often used to commit a string of financial crimes in the victim’s name. This may include financing foreign travel, purchasing luxury goods (which can be used or sold for cash), leasing a car or obtaining a mortgage and stealing the funds – obligations that will never be repaid.
Identity theft also allows criminals to commit more serious offenses and deflect blame to the person whose identity has been stolen. Terrorists use identity crimes to ‘hide in plain sight’ and finance their global operations. It also facilitates other online crimes including industrial espionage, computer hacking, cyber-terrorism, large-scale network attacks and, yes, the theft of identity information.
Back in 2003, worldwide identity theft and related crimes were estimated to cost billion. Last year it topped an estimated trillion, thanks to a 300 percent compound annual growth rate. However, identity theft is not simply one category of crime. It is the foundation for many crimes and it offers the perpetrator a rather remarkable set of benefits.
Passwords: The Main Culprit
One of the main culprits is the widespread practice of using passwords as the sole means of establishing and authenticating an individual’s online identity. New, fast-spreading worms, Trojans, and keystroke loggers amplify the risks posed by passwords.
Notoriously easy to steal or guess, passwords enable an intruder to access any resources the legitimate user is entitled to see and to probe the entry points to more secure resources – all with little fear of being detected. For example, in Australia, a disgruntled consultant spent two months working his way through network defenses for a waste management control system, until he succeeded in releasing 800,000 liters of raw effluent – on his 46th attempt.
Identity theft is a complex phenomenon that calls for vision and leadership across all sectors. A multi-level response is required, one that addresses the various dimensions of the issue: laws and public policy, business practices in key industries, IT security practices, procedures for helping victims restore their good name, the response by law enforcement and the criminal justice system, and changes in consumer behavior.
Thanks to heightened awareness around identity theft, there is much activity in all these areas. However, I’d like to focus on two critical and closely related aspects of the problem – protecting online identity data from being stolen or otherwise compromised, and preventing the fraudulent use of online identities for the purpose of committing other crimes.
Certain industries tend to be at the nexus of identity-related crimes and, for this reason, require even greater vigilance. These include:
- Credit reporting agencies, which hold extensive data on individual consumers and are thus an inviting target for identity thieves.
- Credit issuers, who, in some cases, do not carefully vet consumer identities and, as a result, repeatedly issue credit to fraudulent parties.
- Wireless phone companies, banks, real estate firms and government departments that manage the registration of motor vehicles – all of which often unwittingly facilitate the early stages of identity fraud. To quickly establish a local identity, thieves will do business with all these sectors under the stolen identity – unchallenged by any of these parties – and then move on to larger crimes.
For organisations that are committed to fighting identity theft, a key step is to examine how consumer and employee identity information is currently collected, stored, and used across the enterprise. For example:
- What identity information is routinely gathered? Is it actually used for business purposes or just stored and forgotten? If sensitive information is being used, such as Social Security numbers, could the same business purpose be achieved using a less sensitive data point?
- How many different places is identity data stored and what kind of risk does that pose? What protections have been put in place? Is the data encrypted in transit and at rest?
- Who, among your employees and partners, has access to the information? How carefully are they screened and trained? What authentication methods do they use – passwords, or more secure methods? How are users’ access privileges managed and tracked? Are your partners’ security measures as rigorous as your own?
In addition to understanding where identity data is vulnerable, organisations need to assess their potential exposure to the fraudulent use of online identities. How many of your mission-critical resources – networks, applications and data sources – are only protected by passwords?
How easy would it be for a hacker or other intruder to steal, guess, or crack a legitimate user’s online identity? What kinds of resources could they access simply by gaining entry to your intranet? How likely would it be that such an intruder would be detected and caught? How much damage might they do before drawing attention? How easy would it be for a legitimate user – such as an employee or partner – to commit illicit acts and escape detection?
Through this assessment process, an enterprise gains a baseline understanding of their current environment and vulnerabilities and can begin to redesign business and IT security practices to reduce their risk of identity theft and online identity fraud.
Identity and Access Management, and Encryption
Organisations that profess to take identity fraud seriously need to ‘walk the talk’, safeguarding customer information with the same high level of protection that is applied to sensitive proprietary information or high-value transactions. This means employing best security practices, such as the latest firewall and anti-virus measures. There are also two other critical areas:
- With identity and access management solutions, organisations can create trusted online identities, making it easier to reliably verify with whom they are doing business and allowing them to efficiently manage users’ access to protected resources
- Encryption solutions make data unintelligible to unauthorised users and, in the process, protect identity data from being compromised while at rest or in transit
The concept of ‘trusted identity’ is at the very heart of e-business, yet trust in the online environment is dismally low. Identity and access management (I&AM) solutions enable organisations to create, manage, authenticate and authorise trusted identities, which can then be applied to any and all applications, data sources, and transactions within the extended enterprise.
Authentication – the ability to reliably verify user identities – must be the foundation for online services and business practices. Unless you know who is on the other end of a network connection, all other protections are illusory. Organisations must also recognise that weak passwords are simply inadequate to the task. Strong authentication is required to provide a high degree of certainty that online users are, in fact, who they claim to be.
There are diverse solutions that can be flexibly combined to meet differing requirements for security, scalability, user convenience, mobility and total cost of ownership. These include:
- Hardware and software tokens that create a barrier to unauthorised access through two-factor authentication – that is, requiring physical possession of a device that generates frequently changing access codes, combined with an individual’s unique PIN code
- One-time-use access codes delivered to mobile devices such as Personal Digital Assistants (PDAs) and cell phones leverage existing mobile infrastructure, enabling enterprises to more securely extend popular web applications while reducing the risk of fraud
- Smart cards that combine the functionality of physical and network access into a device, securing access to all corporate resources in a convenient and cost effective manner
- Digital certificate management solutions offer scalable and portable authentication for legally binding electronic communications and transactions
- Web access management software that provides advanced capabilities for creating, managing, and authenticating passwords
Once users are authenticated, the next requirement is to manage their access privileges. This helps ensure that users can tap all the resources that are relevant to their relationship (customer, employee, and partner, for instance) and role (purchasing manager, HR specialist, and software engineer, for example) or specific attribute (such as account status or clearance). At the same time, it bars users from accessing resources they are not entitled to use.
In addition to enhancing security in these ways, access management applications increase user convenience, enabling secure, single sign-on (SSO) across multiple applications and domains.
Centralised access management is particularly valuable in establishing accountability for individuals who are entitled to be inside the firewall – including employees, partners, and suppliers. By establishing an audit trail for all access attempts, enterprises are able to hold both users and administrators accountable for their actions.
Delegated administration capabilities further enhance security by allowing internal business units and third parties to administer their own users. Moving administration closer to the user allows for more fine-grained control of user privileges and also results in a larger community of administrators that are alert to possible wrongdoing.
Digital signatures, which utilise digital certificate technology, are an effective method for authenticating online transactions and interactions that have traditionally required written signatures. These applications enable organisations to capture binding signatures within end-to-end electronic processes, thus eliminating the delays, inefficiencies and lost opportunities that result when hand-written signatures must be obtained.
Look for a digital certificate application that can implement digital signature capabilities for online forms and e-mail. For example, secure e-mail solutions enable users to encrypt and digitally sign e-mail messages and attachments so that only the intended recipient can access the contents and any attempts to tamper with the message in transit will be evident.
This transforms e-mail, which is notoriously insecure, into a trusted medium for communicating sensitive information (including identity information) and for conducting legally binding transactions online. Wide adoption of secure e-mail could also help undermine certain types of online fraud such as phishing scams that entail e-mail messages purportedly sent by legitimate companies.
Encryption: Protecting Identity Data at Rest and in Motion
It is common for enterprises to store thousands or even millions of sensitive identity records in a single database – making it an inviting target for thieves. Implementing strong authentication and/or web access management significantly strengthens protection for the consumer information held in such databases. However, encrypting the contents of a database will further deter misdeeds by making data unintelligible to unauthorised users and extremely difficult to decipher when attacked.
The identity management system of the future will integrate today’s proven solutions onto a single platform that delivers a common set of services across the enterprise, including:
- User management services
- Identity authority services
- Access authority services
- System services
- Network and application integration services
It is important for these services to integrate seamlessly with existing e-business capabilities and emerging web services in order to improve the user experience and reduce costs associated with identity management.
Confronted as they are with many competing agendas and priorities, enterprises may well ask, “Why respond now to the crisis of identity fraud? Why not wait and see how things evolve and then leverage the solutions that others develop?”

There are three compelling reasons to address this challenge now:
- Accountability: first, it is the ethical thing to do. Individuals have entrusted their personal information to large organisations and are extremely vulnerable as a result. Enterprises, which benefit greatly from such information, need to take responsibility for better protecting that information. They also need to recognise that doing little or nothing is, in fact, an irresponsible practice that puts consumers in harm’s way.
- Risk Management: by failing to safeguard against identity-related crimes, organisations increase the likelihood of security breaches and all the resulting costs such as bad publicity, customer defections, lost business opportunities, remedial costs, and legal liability. With the accelerating pace of online incidents, this risk appears to increase almost daily.
- Opportunity: the security measures that are most effective in thwarting identity-related crimes have a much wider strategic benefit. By creating an e-business environment that is viewed by consumers and businesses as being truly trustworthy, such practices accelerate the growth of e-business. In turn, this creates new opportunities to increase revenues, reduce costs, and deliver innovative services that confer a competitive advantage.
Ross Wilson, the Managing Director of RSA Security of South Asia and India, is responsible for managing strategic direction, expanding and strengthening business relationships, growing the customer base, and increasing the company’s presence in existing and new markets.