Identity theft and strong opinions go hand in hand. ID theft is rampant and is causing millions of dollars of damage every year — or, it really isn’t such a big problem, and few people are really hurt financially by it. Why such wide disparity? More importantly, what can a business owner, an IT manager, a software developer, a consumer or a risk manager do about stopping ID theft when the problem seems so poorly understood?
This was the conundrum faced by attendees at a meeting in Chicago in June 2005. The FBI, Secret Service, Chicago Police Force, and the Identity Theft Prevention Special Interest Group (SIG), formed earlier in the year by members of the Liberty Alliance, met to discuss the topic of identity theft. The group quickly came to a realization that the term was being used quite loosely in the press and in industry.
“One of the big problems in trying to counter identity theft is the fact that the same term has been used to describe three very different types of crimes: taking over existing accounts, using one’s identity to open up new accounts, and criminal identity theft, where the stolen credentials, if presented to law enforcement, could result in a criminal record or arrest warrants,” explains Michael Barrett, co-chair of the Identity Theft Prevention SIG. “When we came to this conclusion, we decided we needed to work together to define the term more precisely.”
Like so many things in today’s complex world, taking a broad-brush approach to a difficult topic does a disservice to anyone who needs to know more. In the case of identity theft, that includes just about all of us. Most of us have seen the e-mails purportedly from a bank or online auction site, attempting to lure us into disclosing our credentials via bogus Web sites. Or we know someone who has been the victim of credit card fraud, identity theft, identity fraud or some sort of related attack. Unfortunately, our understanding — as consumers, data custodians, technologists and policy-makers — is incomplete and disjointed.
One of the primary goals of the ID Theft Prevention SIG is to provide a forum for frank and open discussion of the topic, in an effort to overcome this situation. In addition, the group is chartered with making recommendations and documenting best practices to prevent identity theft. The first major undertaking of the group, made up of a variety of organizations including a number of financial services companies, was to develop a lexicon.
“Defining ID theft is a lot like the joke about a group of blind men trying to describe an elephant,” comments Robin Wilton, Corporate Architect for Federated Identity at Sun Microsystems. “Each one describes a different part, and no one actually understands the whole. We talk about true name identity theft, or “parallel lives,” mass data compromise, account takeover or hijacking, and criminal identity theft in the same breath, while in fact they are all very different. There are various activities that take place at different stages along the lifecycle, each of which must be defined and understood.”
Broadening the Scope
According to the SIG, “true name” identity theft occurs when someone fraudulently obtains personal information and uses it to open up a new credit card account, cell phone service, etc. Account takeover happens when stolen personal information is used to access existing accounts — perhaps by changing the mailing address, and then running up charges before the victim becomes aware that anything is wrong. And criminal identity theft is even more sinister: imagine a criminal who, when stopped by law enforcement, gives your identification as his own. It’s no longer a matter of simply money — there may be a warrant for your arrest!
“As we delved deeper into the discussions, we began to broaden the scope of our project,” recounts Britta Glade, Program Manger for the SIG. “We felt that by coming up with a much more detailed definition, we could perhaps find better ways to counter the crime.” What the group discovered was really quite unexpected. “Instead of a single perpetrator, identity theft is in fact a series of crimes that could be committed by many different people — and they don’t even need to know about, or know, one another,” according to Glade.
As the group dove deeper into the issue, they determined that the result would not be a simple lexicon. In fact, a much more in-depth deliverable began to take shape. Called the Identity Theft Primer, it is a thorough overview of the topic, complete with definitions of the various terms, a well-documented overview of the identity theft lifecycle, and a comprehensive appendix of identity theft attack vectors and the steps that can be taken to mitigate each one. The ID Theft Primer is freely available on the Liberty Alliance Web site and is a must-read for anyone who has an interest in protecting against, preventing or recovering from, identity theft.
The ID theft lifecycle is illustrative of the scope of the work. The ID Theft Primer, as the document is called, documents six distinct phases: Planning, Setup, Attack, Collection, Fraud and Post-Attack, each of which could be committed by different individuals or groups. The good news is that activities in each phase, if caught early on, could actually be mitigated by a series of unique activities.
It’s difficult to stop identity theft, in any of its forms, since no single organization is going to solve the entire problem, according to the chief security officer for a major financial services organization, who took part in the SIG discussions. But if you understand the sequence of events that must occur in order for ID theft to happen, you will know where to apply solutions to achieve the best results.
The Attack Vector section is equally intriguing, with its comprehensive treatment of technical, physical and social engineering attack vectors and relevant mitigations. The many and varied types of attack illustrates the complexity of this issue and the steps that each of us can and should take on a daily basis. Just as interesting is the section entitled “How Information Becomes Money” where the role of the black market becomes apparent.
The Identity Theft SIG views the ID Theft Primer as just that: a first step to understanding, and stopping, identity theft. Already in the works are three related documents that will be of especial interest to various readers of the Primer. “The Data Custodian’s Guide to Stopping Identity Theft” will contain recommendations and best practices for those organizations and individuals who actually receive, communicate and store personally identifiable information.
“It will describe the principles that should be used, rather than the substantive best practices, because specific approaches will undoubtedly become out of date as technology changes,” explains Barrett. “The Policy-Maker’s Guide to Stopping Identity Theft” will summarize applicable legislation in various countries, to help in formulating compliance plans and implementing new legislation. The third document, “The Technologists’ Guide to Stopping Identity Theft,” will assist architects, software designers and software buyers who need to be involved in decisions that could affect personal information.
It’s not often that a work of this caliber is made available free of charge to anyone who wants it. This group of experts has found a way to jump-start our understanding of, and ability to deal with, identity theft in its many guises. Read the Primer, familiarize yourself with the issue and be precise when discussing this complex topic. And keep an eye out for the companion documents, with more detailed advice on how to take the next steps.
Tanya Candia is a consultant and expert on information technology (most notably data management and security), business management and marketing issues. As president/founder of Candia Communications, she consults with a variety of companies on busienss, strategy and maketing programs. Candia can be reached at [email protected].