Pick up any magazine or newspaper, surf to any Internet technology or news site, turn on the TV and listen to the news and it becomes apparent that identity theft is a major problem. And not just individuals are suffering from this new crisis, but public and private organizations are also feeling the effects of this growing problem.
From recent cases in the media, involving major organizations such as Bank of America, America Online, Berkeley University, Time Warner, and Ralph Lauren, ID theft can have severe consequences, such as direct loss of revenue and stock decline. There are also other major intangible side-effects that can result from a breach of personal data, such as brand damage, loss of customer confidence, and decline in service. The question is, would you do business with an organization that had recently lost thousands or millions of users’ personal data to hackers and scam artists?
For most, the answer would be no. It is clear that something must urgently be done to assure users, both internally and externally, connecting to applications and data from any location using a number of different connectivity methods, such as laptops, home PCs, PDAs, and smart phones.
Where to start
It used to be that all attacks and security breaches took place on the edge of the organization’s network, centered on the firewall. So naturally, organizations focused on enhancing security in the network to ensure nobody could break through the outside perimeters.
Recently, this has all changed. A number of different threats change the way we think about security and how we protect the information most valuable to us.
- Trojans – programs that get installed on a users device and alters the behaviour of that device without the user knowing it.
- Keyloggers – programs that capture the keystrokes of a user and sends it back to a third party.
- Screen-scrapers – programs that capture screen information on a users device.
- Password sniffers – programs that detect what passwords are being used.
- Viruses – code that infects a users device and often destroys data and settings on that device.
All these threats take the burden away from the network and moves the threats to end user devices being used to connect to data and applications. Devices need to be assessed before even being allowed to connect to an organization’s network, and only if the device meets the set security policy, should the user be allowed to proceed on to the authentication stage.
Figure 1. The location of threats and attacks have moved from the edge of the network to user devices.
On the user devices, there are many requirements that organizations should put on devices to ensure ID theft is minimized. Only when the requirements are met should a user gain access to the network. Some of these requirements could include:
- Anti-virus software is installed and up-to-date.
- Spyware and Trojan checking software is installed.
- Latest operating system and patches are installed.
- Device is approved for entry.
Other things that could be checked, depending on the situation, are network configuration settings, domain and registry settings, and open ports on the device.
To minimize ID theft, security needs to start at the end point, and only when the end-point is secure should users be allowed to proceed with entering user names and passwords.
Preventing others from using your identity
A big step that organizations can do to ensure that trust is established between users and applications is to implement stronger authentication methods. The most basic authentication methods are very easy to break, even for novice hackers and password cracking tools, but enforcing strong one-factor authentication, coupled with two- or three-factor authentication can virtually guarantee ID theft is minimized due to the sensitive and unique nature of the authentication methods.
Basic authentication requires users to input a username and a password, and everything will be available to them, including sensitive and confidential information. But making the distinction on how users authenticate is a big step in stopping sensitive information being stolen. For example, an organization could set the policy that if a user uses one-factor authentication, they will only have access to the most basic information, such as e-mail, but if the user uses higher levels of authentication then more applications and data will be available to them, such as e-mail, sales systems, purchasing systems, etc.
A large percentage of stolen data comes from unhappy employees who leave backdoors open to themselves where they only need the right username and password to get access to everything, after they have left the organization. With two-factor authentication, requiring the user to own a unique possession, such as PDA, mobile phone, or hardware token (usually a password generating device issued by a third party) , would make it much harder for disgruntled employees to hack their way back into systems to cause damage.
Highly sensitive systems could even require an extra level of protection adding in bio-metric authentication, where the user needs to use a physical attribute unique to them, such as their iris or finger print.
In March of 2005, Techworld reported on a gang of scam artists who had sent out millions of daily emails to users, and once the user clicked on the links in the email, a Trojan keylogger was automatically installed on the user’s device, recording everything the user did and sending it back to the gang. The gang was so successful in their operation that they managed to profit more than $37,000,000 before being shut down. Most of the profit came from users accessing online banking systems and credit card purchases, which could be easily captured and exploited. Two-factor authentication could have ensured that information had stayed safe, because users would be required to enter a unique one-time password that is unique to a device that they own.
Several large financial institutions across the world are now starting to implement two-factor authentication ensuring that trust can be re-established with their users, fearing that if nothing is done profits are lost, customer confidence will drop, and the brand will be damaged for long-term disadvantages.
The icing on the cake: adding an extra layer of security
Most organizations think that providing users with secure authentication, along with the latest anti-virus and anti-spyware software should take care of the problem of identity theft. The reality is that with the changing paradigm of how users connect, security also needs to be present after the user ends the session or connection.
In the 1980s and 1990s it was easy to control what devices users used to connect with, but in today’s world, go into any city around the world and there are bound to be several internet cafÃ©s offering easy and cheap access, or walk through the airport and you are guaranteed to find a number of Internet kiosks offering quick and easy access to the Internet. Any time a user uses an “insecure” device, they could be leaving a trail of information behind, stored in cookies, URL history, temporary files, and even downloaded files. For organizations to offer mobile access from any location using any device, automatic clean-up of session data is imperative.
By combining the session clean-up with an upfront device assessment, it becomes easy to detect if the user is using a device approved by the organization or if it is not approved. If the device is not approved, once the user is done using the system to connect to e-mail or any other number of applications, data should be erased immediately from the device.
By simply adding this extra layer of protection, most organizations can safe-guard themselves against losing sensitive data to malicious attackers. Session clean-up should be added as part of a larger security strategy aimed at minimizing the loss of personal data, in combination with device assessment and strong authentication.
According to recent surveys, identity theft is seeing the largest increase over any other kind of crime worldwide. Depending on what methods of security are implemented by the organization you are doing business with and what the relationship you have with them, secure access can be achieved. Securing access from any location, using any device is not an impossible task but can be overcome by thinking about how users access applications and data in a real-world scenario. Only then can user trust be re-established, and all the benefits of using online communications can come true resulting in maximum customer satisfaction, speedy collaboration, and significant competitive advantage.