Future Magazine, the alumni magazine of University of Phoenix

Spring, 2004
 

Taken Identity

The proliferation of identity theft points to a deeper issue: How do we treat information in an information society?

By Jake Poinier

The story of computer security has centered on hype, horror and hijacked identities, but it’s really about hygiene. You wouldn’t let a stranger into your house without first peering through the curtains or out the peephole and asking who he was and what he wanted. You wouldn’t invite him to read the mail sitting on your counter or pocket some of the credit card receipts strewn about. And if you value your friendships, you certainly wouldn’t let him make a photocopy of your address book. And yet, that’s precisely what you’re doing if you’re operating a computer without the proper security measures.

“Many home users don’t understand that they’re part of the Internet ecosystem,” says Howard Schmidt, vice president and chief security officer at online auctioneer eBay. “Consumers think it’s just big corporations that are at risk for security problems, but that’s not true,” says Schmidt, who received both a bachelor’s degree in business administration and a master’s degree in organizational management from University of Phoenix. “The denial-of-service attacks a few years ago were successful because organizations such as universities had high-capacity connections and were used as zombies. Now they’ve put better controls in place. Today, the bad guys accomplish the same thing by simultaneously taking over the cable or DSL connections of thousands of home users to attack other systems.”

Unless you’re running the proper anti-virus software, spam control and firewalls, you’re not even going to notice that you’re no longer the only one using your computer.

Old Tales with a New Spin

Identity theft is the most visible issue at the crossroads of identity management and systems security. For the past four years, identity theft has topped the Federal Trade Commission’s (FTC) annual list of consumer complaints—in 2003, it represented 42 percent of the more than half-million total complaints. According to the Identity Theft Resource Center in San Diego, identity theft costs consumers an average of $1,400 per fraud as well as up to $16,000 in lost earnings. Between financial institutions, merchants and related businesses, the total costs are estimated at a mind-blowing $49 billion a year.

High-profile cases of identity theft have even touched the worlds of celebrities such as Steven Spielberg, Ross Perot and Oprah Winfrey—people whose identities would seem to be too obvious to touch. (Tell that to Abraham Abdallah, the restaurant busboy who used the Forbes 400 list of wealthiest Americans to formulate his targets, and public-library computers and phones to gain access to their financial information.)

However, Jim Van Dyke of Javelin Strategy & Research notes that the public’s fear of online commerce is often misplaced. In fact, he maintains that more than $2 billion in identity fraud a year could be prevented simply by getting consumers to use electronic banking for transactions and bill paying—because it would eliminate the “paper culprit behind a significant amount of identity theft.”

“I agree that the hype about the bad things is worse than it should be,” Schmidt says. “It used to be that, to rob a bank, you’d have to get a gun and a car and physically go to the bank. Now it’s a global issue, and the risks for the bad guys are lower in an online environment. As with any technology that enhances our lives, there are going to be criminals out there who will try to beat the system, and law enforcement is trying to keep pace. That doesn’t mean you quit doing good things. I would never tell someone not to buy a new computer or shop online.”

Much of identity theft remains rooted in physical-world problems such as stolen information derived from credit cards, telephones, utilities and banks. A criminal doesn’t necessarily need a computer to acquire that type of information, although the online world provides a convenient research and business tool once he has it. Consider, too, that many of the online scams have their ancestry in more traditional cons; the Internet simply lets the con artists broadcast their message more easily, widely and cheaply. The purported Nigerian ambassador who “needs your bank account number to transfer funds” is familiar to folks over the age of 30 as something that they first saw in regular old U.S. mail, then by fax.

What makes the modern-day “phishing” e-mails, which masquerade as correspondence from a legitimate entity, more dangerous is how realistic they can be. Whereas the Nigerian letters are in broken English and suspicious looking, the fraudulent e-mails supposedly from banks, Internet service providers and retailers may be convincing to the unwary eye. The return addresses look real, and some of the e-mails even use the Internet Fraud Complaint Center and FBI logos to add an air of legitimacy (if not irony).

In January 2004, untold numbers of people received an e-mail alleging to be from the Federal Deposit Insurance Corporation advising that the U.S. Department of Homeland Security had suspended the recipient’s account until bank information could be verified through the provided link. Based on the number of people who were duped, we can expect to see more criminals trying to profit from such schemes.

Next Steps

Schmidt, an advisor to numerous industry organizations who played a central role in drafting the White House’s “The National Strategy to Secure Cyberspace,” likens the evolution of the computer to the evolution of the car, albeit the time frame has been compressed from 100 years to about two decades. In the beginning, the people who owned cars were the people who could fix them, because there weren’t mechanics or certification programs. “Today, you go for a checkup and you plug the car into a computer and it tells you the left rear tire is low on air,” he says. “That’s automation and self-healing.”

And that, Schmidt says, is where the answers to our security woes lie. Today, we’re relatively on the front end of computer security, dependent on individual users to keep their systems and protections updated. He sees the next step in evolution as pushing automated security down to the user level, with wireless, networking and software companies designing foolproof systems that take the burden off the end user. In the corporate world, it’s already happening: Companies are making system patching automatic, and in the next generations of consumer-level hardware and software it will be automatic.

A second vital aspect of security and identity protection is the migration away from static user IDs and passwords. We’ve been told countless times to use different, complex passwords, but the average user ends up employing the same password across different areas—then if one of those areas gets compromised, they’re all compromised. Two-factor authentication, which requires a physical object, such as a card, key fob or cell phone, or a randomly generated software “token,” eliminates the possibility of someone hijacking your account because they know your user name and can guess your password. Industry initiatives such as Liberty Alliance, OPSEC and Passport are all moving the security world in that direction.

Global Reach, an organization that tracks Internet usage, estimated in January 2004 that there were 680 million people online around the world, on pace to reach 940 million by the end of the year. “If you look at the relatively small amount of people affected by theft, it puts matters in perspective,” notes Schmidt, who sees another analogy to cars. “[Compared to the number of cars on the road] there are a relatively small number of people who are in car accidents every year. You feel for those who do get hurt, but that doesn’t mean you stop driving.”

The smart thing to do, in a car or online, is to employ the recommended safety precautions that are available to you. Today, that means getting under the hood and doing required maintenance. Tomorrow, it should be as seamless as antilock brakes and airbags.

Security by the Numbers

“University of Phoenix realized the importance of protecting student information very early,” says Joe Mildenhall, director of online technology for University of Phoenix Online. In particular, he describes several steps taken when implementing the student Web portal.

All traffic between the Web site and the student is transmitted in encrypted form (HTTPS), so it cannot be extracted and viewed by others.

All access is via user ID and password. Students must use an additional University-provided PIN to view grades or make changes to demographic information.

Another important security point, Mildenhall says, is that the University recognized early on that Social Security numbers should not be used to uniquely identify students. “The Internet portal was designed to link students with their university information using an individual record number (IRN) rather than a Social Security number,” he says. “In all phases of operations, changes have been made to make the IRN the primary point of reference for the student. The visibility of the Social Security number has been limited and, in some cases, only the last four digits are used to confirm student identity in phone conversations or similar circumstances.”

Information Hygiene

Security expert Howard Schmidt recommends using a layered approach to security. That includes a personal firewall, spam-control software, privacy protection and anti-virus software turned on and updated—all of which are often sold as a complete security suite. And don’t forget that some of the most important steps you can take don’t involve a computer at all.

Online World

  • Update your system when the vendor releases a security patch.
  • If you’re using wireless in a close-in area, use the encryption capability. (If you don’t know how, call the vendor’s toll-free number.)
  • When you’re surfing the Web, be aware of your surroundings, just as you would be in the physical world. Check the Better Business Bureau to verify that you’re dealing with a legitimate vendor.
  • If you think you’ve been a victim of a crime, report it immediately to the authorities, whether it’s the FTC, federal law enforcement, local law enforcement or the Internet Fraud Complaint Center (ifccfbi.gov).

Offline World

  • Guard your mail and trash from theft and use a shredder on bills or anything with identifying information.
  • If someone makes a copy of your driver’s license, such as a car dealership, make sure you get it back. If they use carbon paper for credit cards, get the carbon. Shred it.
  • Don’t carry your Social Security card with you, and give out the number only when absolutely necessary.
  • Check your bills before you file them, and follow up with creditors if your bills don’t arrive on time.
  • Order a copy of your credit report from each of the three major credit bureaus.
  • If you can’t remove the labels from your empty prescription bottles and shred them, black out the information with a permanent marker.
  • Ask about information security procedures in your workplace.
  • In retail checkout lines, watch for people standing behind you. The newest scam is to use a picture phone to shoot a digital photo of your credit cards and driver’s license to obtain pertinent numbers.
     

© 2004 University of Phoenix. All rights reserved.