The US$2.7 million identity theft scam recently uncovered in the U.S. should serve notice to all enterprises that information security cannot be taken lightly, according to one IT security expert.
The story highlights valid concerns about information security in a world of networked databases, according to Ron Moritz, senior vice-president for Islandia, N.Y.-based Computer Associates International’s eTrust Security Solutions division.
“We still tend to think of security in the sense of gates, guns and guards,” Moritz said, adding it’s not enough to have traditional reactionary threat management. “Security takes effort, security takes concentration and we don’t necessarily see companies making that type of investment.”
The New York-based scam – which spanned three years, involved more than 30,000 victims, and is believed to be the largest such scheme in U.S. history – involved a low-tech solution in exposing sensitive data. [Please see U.S. feds crack huge identity theft ring.]
The U.S. Federal Bureau of Investigation (FBI) announced Monday the arrest of Philip Cummings, who is said to have started the scam while working at the help desk of Teledata Communications Inc. (TCI). The Bay Shore, N.Y.-based company provides banks and other entities with credit reports, combining information collected by credit rating agencies Equifax Inc., Experian Information Solutions Inc. and Trans Union LLC.
Beginning in 1999, Cummings had access to the passwords and codes used by TCI’s customers to access credit reports, authorities said. During that time, Cummings is alleged to have given passwords and codes to a co-conspirator and collected roughly US$30 for every credit report obtained using the stolen codes.
With the illegally obtained credit reports, some victims reported having their bank accounts depleted, while others reported having credit cards, cheques and ATM cards sent to unauthorized locations.
The passwords and codes stolen for use in the scam belonged to various entities that request credit reports for their customers. Despite the sensitivity of the information contained in their databases, the three major consumer credit agencies did not appear to have robust protections in place for accessing that data from the outside, experts said.
There is still a disconnect between security practices and security technologies and it’s primarily because security is not that easy to do, Moritz said.
“(Enterprises) have not done a good job at relating the identity of an individual and their role inside an organization with the various access and services we make available; it does take a lot more work,” Moritz said.
“When you’re talking about the physical environment, we’ve done a much better job of thinking about what parts of the building you have access to. But when to computer systems, it’s much easier to give you general access and likely more access than you need.”
While there is no 100 per cent foolproof solution, Moritz noted the basic tenets of a solid enterprise security policy state that employee access to data needs to be monitored.
“Security is cultural, security is dynamic and we have to be on the lookout,” Moritz said, adding that enterprises should continually monitor and respond to changes in infrastructure, applications, active threats and end-user populations.
“What we have to understand is that employees themselves are trusted assets. We rely on them to bring integrity into the company,” Moritz said.
That said, companies cannot remain na