Friday, October 20, 2006

Does Chicken Luddle work for RSA?

Dr. Fred Cate, director of the Indiana University Center for Applied Cybersecurity Research, recently wrote an article for the Washington Post, "The Identity Theft Scare." In it, Dr. Cate refreshingly questions the many scare items we read, daily it seems, in the newspapers:

"...most security breaches involve the accidental loss of information or equipment rather than a deliberate attack on data.
"...identity theft is most commonly the result of data being obtained directly from victims, not through security breaches.
"...roughly half of all known identity thieves were not strangers. Another 23 percent of such cases involved dishonest employees. All together, three-fourths of identity theft cases did not involve access to the kind of third-party data obtained through a security breach.
"Although the figure most commonly cited in the media is 10 million U.S. victims a year, in April the Justice Department put the number at 3.6 million for the second half of 2004. But more than half of those cases (two-thirds, according to the Federal Trade Commission) actually involve credit card fraud."

Refreshing, indeed. But in commenting on this article, Shannon Kellogg, Director of Information Security Policy & Programs in the Office of Government Relations at RSA Security (now part of EMC Corporation) says: "How can Professor Cate – or anyone, for that matter – know just how long a criminal might wait to exploit stolen sensitive information such as a social security number..."

Well, I'm no director of security policy, nor am I an identity thief, but even I could hazard a guess that the best time to use stolen identity information is ASAP - before the victim discovers the loss and reports it to the authorities! If it were jewelry that was stolen, say, then it makes sense to sit on it for as long as possible - until the "heat is off" on the burglary. But stolen identity info goes on automated electronic "watch lists" - it's not subject to some pawn shop owner reading through volumes of lists of stolen items.

Dr. Cate did his homework and got it right. Now if only the Chicken Luddles would realize that the identity sky hasn't fallen.

Comments:
Kearns wrote:

"Well, I'm no director of security policy, nor am I an identity thief, but even I could hazard a guess that the best time to use stolen identity information is ASAP - before the victim discovers the loss and reports it to the authorities! If it were jewelry that was stolen, say, then it makes sense to sit on it for as long as possible - until the "heat is off" on the burglary. But stolen identity info goes on automated electronic 'watch lists' - it's not subject to some pawn shop owner reading through volumes of lists of stolen items."

Dave, there was actually a different point in this statement that you quoted from my blog posting: "How can Professor Cate – or anyone, for that matter – know just how long a criminal might wait to exploit stolen sensitive information such as a social security number..."

You are correct. If someone grabs credit card information, they are likely to try to use that as soon as possible, although I have been informed by law enforcement experts that even credit card information can sometimes be sold multiple times over a period of weeks and months before it is actually used, depending on how it was stolen and if the holder of that information actually realized that it had been exposed electronically or otherwise. But, the reason that I highlighted “information such as a social security number” is this: if a database of sensitive personal information is hacked, for example, but there is no immediate indication that that information will be used to hijack the victim’s identity, this does not mean that the victim is off the hook. The criminal may sit on that information for a while or sell it to another criminal to be used at another time. It is a lot more difficult – and inconvenient – for a consumer to change their Social Security Number than it is to cancel a credit card; and, unlike credit card fraud, it can also take months and sometimes years to undo the damage done when someone runs amok with an SSN for nefarious purposes.

If you want to call me a “Chicken Luddle” for challenging those that imply that there is no threat of ID theft -- and believe me, there are plenty of them in Washington, DC, where I work -- then so be it! But I believe the overall point I was making is one worth communicating, responsibly, to the industry and its end-users. The sky is not falling, certainly, but that is no reason to be complacent.

© 2003-2006 The Virtual Quill, All Rights Reserved