Archive for February, 2011

by Ondrej Krehel

The New York Times ran an article on how law enforcement is capitalizing on the Electronic Communications Privacy Act of 1986.

The story stated that in the first half of 2010, Google received more than 4,200 requests from law enforcement agencies for information on customer usage. Facebook said it’s subpoenaed anywhere from 10 to 20 times a day, and, way back in 2007, Verizon said it was receiving more than 90,000 requests every year. We can only assume that number has increased.

The volume of requests shows just how valuable this information really is. Law enforcement mines the data to build cases. Some companies charge money for it. Google even publishes the number of law enforcement requests it receives from around the globe.

Information is a commodity.

Twitter has also been drawn into the WikiLeaks case. U.S. prosecutors are investigating the accounts of several people connected to the release of American diplomatic cables.

Beyond the legal, privacy and consumer issues raised, this rash of court cases and news stories demonstrates one crucial thing: Wherever we go online, someone or some site is recording our moves. In the old days of computer crime, a hacker or pornographer might have learned about a pending government investigation, and taken—literally—a hammer to his or her hard drive. The evidence was broken to pieces along with the drive. Not anymore.

Your search engine, your social networking sites, your bank and your cell phone are constantly monitoring where you are—or what you’re looking for. We are creating a digital footprint, our parallel digital self. And that information, stored on the business-side servers, is readily available to anyone with subpoena power.

The Internet has become the place where we all meet, where we socialize and do business—a town square, if you will, for all the world to visit. But, as these stories remind us, there are cameras in the trees.

Ondrej Krehel, Chief Information Security Officer, Identity Theft 911

Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.

Left to right: IDT911 fraud specialists Mark Fullbright, Vicki Volkert and Raul Vargas on the set of ABC15.

On February 21, Identity Theft 911 fraud specialists Mark Fullbright, Vicki Volkert and Raul Vargas tackled phone questions about identity theft during an on-air special on Arizona’s KNXV ABC 15. To watch the video and read the full article, please visit the .

Concerned about identity theft? Follow these tips to reduce your risk:

Protect your Social Security number (SSN)

• Don’t carry your Social Security card in your wallet.

• Avoid carrying cards with your SSN, particularly health insurance cards, unless you need them to receive care.

• Request that your driver’s license number not be the same as your Social Security number.

• Never give out your SSN, credit card number, or other personal information over the phone unless you have a trusted business relationship with the organization and initiated the call using a verified phone number.

• Avoid including your SSN on job applications.

• Provide your SSN only when absolutely necessary—for tax forms, employment, student records, stock, and property transactions, etc.

• If your financial institution attempts to use your SSN as an account number, ask them to change it immediately.

• If a government agency requests your SSN, look for a Privacy Act notice. This will state whether an SSN is required, how it will be used, how it is protected, and what happens if you don’t provide it.

Protect what’s in your wallet, pocket, or purse

• Never leave your wallet or purse in your car, not even in the trunk.

• Whenever possible, avoid carrying these items with you: birth certificate; passport; military identification card; driver’s license or insurance card with SSN on it; banking information (PINs, logins, passwords, or account numbers); paychecks; pay stubs; and deposit slips.

Protect your mail

• Use either a secure locking mailbox or a post office box.

• Never place outbound mail (at home or work) in an open, unlocked mailbox.

• Never leave mail in your car.

• Investigate immediately if expected statements or bills from your financial institutions do not arrive on time.

• Be especially vigilant during January and April when tax documents are sent out—they’re favorite targets for identity thieves.

• During extended absences, have mail held at the post office.

• Never simply discard “pre-approved” credit offers you received in the mail. Always shred them.

Additional tips can be found in the .

 spoke with Identity Theft 911 Chief Information Security Officer Ondrej Krehel about ways organizations can proactively defend against fraud and how forensics investigations can help protect against debilitating data breaches.


By Brian McGinley

Headlines in the newly released report trumpet a 28-percent reduction in identity fraud in 2010, and the reporters and pundits descend on the report spewing their pearls of wisdom, anxious for their own headlines. I have been approached by family, friends, neighbors and yes, the media, asking, “You’re in the business, what do you make of the story about identity theft being down so much – is identity fraud behind us and can we breathe a sigh of relief and go about our lives being sweetly oblivious to it?” And my short answer is, “No!” This is not the time to hang the “Mission Accomplished” banner across our command tower and take our eyes off the threat. We are collectively doing a lot of the right things and we may have won a battle or two, but we have not won the war – and make no mistake, it is a war.

This is not the time for anyone – consumer, business, financial institution or government entity – to become complacent based on these published statistics. It is like crime statistics: overall crime may be down, but if you are the one getting mugged, the punch in the nose doesn’t hurt any less. The same is true in the fraud, identity theft and data protection arenas, except that the harm is often greater and longer lasting.

It is risky to jump straight to the headlines, which can leave a wrong impression. In the fraud and identity theft arena, the “devil is in the details,” and it is those details that should drive the “so what are you going to do about it?” question. Behind closed doors, there is not a professional fraud management practitioner out there who believes that all the right protections are already in place and who is not concerned about identity-related fraud. We’re still trying to figure out how to stem the current tide, and worried about when the next “Big One” is going to hit.

So what do I think? At the heart of identity and financial fraud is information compromise, whether it is Personally Identifiable Information (PII), Protected Health Information (PHI), Personal Credit Information (PCI) or other sensitive data. Information has become a criminal commodity and an enabler for fraud; it’s all about protecting the information. Fraud is getting more sinister, sophisticated and complex, and consumers and the business community need more guidance to identify potential threats and remediate existing and emerging threats to their information.

Keeping this issue front and center and raising awareness, debate and dialogue are key to protecting businesses’ reputations and consumers’ personal information.  In my next blog session, I will share more thoughts and information about the new complexities in fraud, as well as the evolution of what identity theft really means.

Brian McGinley, Senior Vice President of Data Risk Management

With nearly 30 years of experience in risk management, security, loss management and compliance within financial institutions, Brian has held senior positions at Wachovia Corp. and Citigroup. He served as board chairman of the Financial Services Roundtable/BITS Identity Theft Assistance Center.

by Ondrej Krehel

The nonprofit Identity Theft Resource Center (ITRC) recently released a report on data breaches in 2010 that is well worth considering.

The center documented 662 reported breaches, yet this is likely only a fraction of the total breaches that happened last year. Their list comes from a compilation of other studies and breaches reported by “the media and a few progressive state websites.” Most data breaches, many believe, are either not reported or underreported.

[Related: The Cyber World We Live In]

Still, the study found:

  • Despite this digital world around us, paper breaches account for nearly 20 percent of known breaches. “There is generally no mandatory reporting requirement for paper breaches,” the report notes.
  • Hacker attacks account for 17.1 percent of breaches, compared to 15.4 percent from insider theft.
  • Almost 40 percent of the reported breaches did not specify how the data was exposed. “This indicates a clear lack of transparency and full reporting to the public,” the report states.
  • Social Security numbers were exposed in 412 breaches—62 percent of all breaches.
  • 170 breaches, or 26 percent, involved .

Another independent source of reported data breaches can also be found at .

The ITRC report stands as an excellent snapshot of what’s happening in the industry and, if anything, of the need for transparency and legislative measures in data breach reporting. Businesses need to be encouraged not to add insult to injury after a data breach. By guarding the details of a breach—or even hiding the fact that one occurred—rather than sharing the forensics information gathered after the fact, companies are doing a disservice to their peers and customers.

Ondrej Krehel, Chief Information Security Officer, Identity Theft 911


by Ondrej Krehel

There is a host of articles online about how to secure your smartphone, and for good reason: the risks have never been higher. Potential threats range from simply losing a device loaded with your personal and sensitive information to sophisticated unauthorized dialing, SMS scams (smishing) and data leakage scams.

There are several mobile security applications, such as Lookout, for all major smartphone platforms. They’re well worth exploring. Yet there are two simple things you can do—one low-tech, one hi-tech—to up your security game.

Get out the pen and paper, or your word processor. Seriously. Make a physical list of everything on your smartphone—all the accounts and documents (or types of documents) it can access. Big corporations call this data classification. If you log into Gmail and Facebook and Twitter, write the names of those sites down. Online banking? Shopping? Put down the names of your banks and credit cards. In the event the phone is lost or stolen, this list will be a lifesaver. You’ll have a clear guide to all the passwords you need to change and a list of the documents that may be at risk.


With that list stored in a safe place, you might want to take one extra step and delete all the login names and passwords stored in your phone. Yes, you’ll have to type your Facebook login and password every time you access it on your phone, but those extra four seconds could save hours of headache if the phone is compromised. If you can’t remember all your passwords, install a password manager, which stores them in an encrypted database.

The hi-tech solution is for a worst-case scenario: remote data wipe. This amounts to logging into a website that sends a command to your lost or stolen phone to erase its internal memory. Lookout, mentioned above, offers this option for free for Android, BlackBerry and Windows-based phones. Apple offers the service through a paid subscription, at the steep rate of $99 a year. Of course even this security layer has a weakness: the wipe command only reaches the phone if it is powered on and connected, so the new “owner” of your phone can defeat it by pulling the battery or removing the SIM. That is why a screen lock, and on-device encryption where the platform supports it, still matter: they protect the data whether or not the wipe ever arrives.

Is all this worth the trouble? Consider the list of accounts and documents stored on your phone. What would it cost to restore them, or, even worse, what would the consequences be if a hacker or identity thief took them over?

Ondrej Krehel, Chief Information Security Officer, Identity Theft 911


Image by , via Flickr