Saturday, October 11, 2008

Stop, Thief!

Identity-theft threats seem to be a constant, thanks to porous networks and laid-back users. But there are some key strategies campus leaders can use to help keep the bad guys at bay.

By Elizabeth Millard, University Business, October 2008

“Identity theft may not be your fault, but it could be your problem,” says Dan Holden of IBM’s X-Force research group, which examines identity theft. “It’s hard for any organization to achieve a high level of prevention and control, but it’s worth the effort to try.”

Although many higher ed institutions lock down their networks, eschew the use of Social Security numbers as identifiers, and train IT staff to protect student privacy, identity theft is still widespread on college campuses, Holden notes.

Still, there are ways administrators can—and should—help protect students, staff, guests, and their own good names from falling into the digital hands of identity thieves. Here are six prevention practices.

1. Pinpoint different perspectives on privacy.

IT needs to protect a range of users, from professors on the brink of retirement to 18-year-olds who have just claimed their side of the dorm room, and it is useful to understand that different groups have unique perceptions of what constitutes private information. “Kids raised on Facebook and MySpace don’t have much of an idea of privacy. They believe everything is up for public consumption,” says Stephen Katz, founder and president of the consulting firm Security Risk Solutions and former chief information security officer at Citibank.

Students may also feel that if a breach does happen, they’ll be protected anyway, a view that has been bolstered by the type of identity-theft control provided by credit card companies and banks. Having a strong grasp of what students believe about privacy will help shape user education efforts, Katz notes. “They learn not to go into each other’s lockers and backpacks, so they need to shift that learning to data, and realize that some things really should be kept private.”

2. Create formal education workshops.

Distributing information online or in printed form about identity theft might get some students and staff members to pay attention, but making education mandatory will net even more.
Iowa State University officials, for example, are pilot testing a two-hour online identity theft seminar that students, and even parents, can take. The material was developed through testing with law enforcement and insurance industry representatives, notes Steffen Schmidt, professor of political science at ISU and co-author of The Silent Crime: What You Need to Know About Identity Theft (Twin Lakes Press, 2008). “The workshop reminds people that this type of theft is a massive, exploding problem that’s almost out of control now,” he says. “People always think it won’t happen to them, and they don’t think it’s a really serious issue.”

To tailor the course toward students, Schmidt and others at ISU focused on how students conduct themselves online, pointing out how information sharing can lead to potential personal data breaches.

For IHEs who are developing their own efforts, Schmidt advises getting to know students’ habits to make the workshops or seminars more relevant. For instance, if many students use Facebook, a program could play up the dangers of sharing information on that site.

Also important is to address social engineering situations that could result in identity theft, such as sharing a password with a visiting friend or giving out personal information to a new roommate. After all, in 2007, one-third of all identity theft was done by someone known to the person whose identity was stolen, notes Matt Shanahan, senior vice president of marketing and strategy of software provider AdmitOne Security. Say a friend of a friend requests a password for access to a WiFi connection. “Now you’re vulnerable, because he or she can access all your files, and essentially become you,” he says. Describing these types of scenarios will be helpful for students, because they can see themselves in the situation, rather than talking in generalities.
Even one piece of information can be dangerous, since thieves may have several parts of what they need and require only one more, such as a person’s bank routing information or mother’s maiden name, says IBM’s Holden. “There’s been a lot of phishing activity lately, where someone gets an e-mail that’s supposedly from their bank or the IRS, where they’re supposed to call and just verify some info,” he says, noting that this combination of e-mail messages with phone confirmations is increasing, since many people are aware they shouldn’t be giving out bank information or personal details over e-mail. “They might think that because they’re talking to a real person, it’s legitimate,” he explains.

Another useful user education tactic, according to experts, is to highlight how an individual could be affected financially by identity theft. For example, students should learn that a hit to their credit rating could change financial aid in the next semester. Encouraging students and staff to check their bank transactions online frequently, and to look over their credit reports at least once or twice per year, can create better awareness about keeping their identities safe.
Even highlighting tactics as simple as not using laptop bags (since they’re bull’s-eye targets for thieves) and putting cable locks in place can be helpful.

Parents can also be involved. According to Schmidt, many parents have expressed interest in taking ISU’s ID theft seminar. Since personal data is often part of student aid packages and enrollment, parents and guardians are at risk as well. They can therefore be powerful allies in convincing students to take more care in how they share information.

3. Rediscover encryption.

A major security measure has been the use of encryption, which scrambles data into long strings of numbers and text so that the information can’t be understood by unauthorized users—it has to be decrypted to recover the true data. But applying all this extra digital gobbledygook to numerically based data has been tricky, Katz says. For example, credit card or Social Security numbers would no longer fit their original format once the encrypted data string swelled to a length sufficient to provide security, he says.

Commonsense ID Theft Prevention Tips
- Buy a shredder and use it to destroy all personal information or mail before throwing it away, particularly credit card offers or forms that include Social Security numbers.
- Don't throw credit card receipts in the trash.
- Change passwords monthly, and avoid obvious ones, such as those that include your birthday or your pet's name.
- Don't carry extra credit cards, Social Security cards, passports, or other documents unless necessary.
- If possible, pick up new checks at the bank rather than having them sent to your home.
- Limit the number of credit cards you own, and cancel any inactive accounts.
- Keep a list of credit card accounts and bank accounts in a safe place, so you can call the companies if cards are missing or stolen.

But recently, Format Preserving Encryption (FPE) has been introduced, allowing ID numbers or bank routing info to be intact and maintain “referential integrity,” explains Katz. With FPE, a school can integrate data-level encryption into legacy application frameworks without the kind of database re-engineering previously required.
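To make the format-preservation point concrete, here is an added example, not code from the article or from any vendor it names. It builds a small digit-only Feistel cipher (the same family of construction as NIST's FF1, but simplified and not a standard, so a teaching aid rather than a product), then shows that its output still satisfies a legacy nine-digit SSN column and that two departmental tables keyed on the encrypted value still join, whereas ordinary ciphertext is rejected by the column. Table names and sample SSNs are constructed.

```python
"""Format Preserving Encryption (FPE) versus ordinary encryption in a legacy
schema. Added illustration for this article, not code from it or from any
vendor it names. The FPE is a small digit-only Feistel network with an
HMAC-SHA256 round function: the same family as NIST's FF1, but simplified and
not a standard, so a teaching aid, not a product. Sample data is constructed."""
import hashlib
import hmac
import secrets
import sqlite3

ROUNDS = 10  # Feistel rounds (FF1 also uses 10)


def _round_fn(key: bytes, round_no: int, half: str, width: int) -> int:
    """Keyed pseudo-random function of one half, reduced to `width` digits."""
    mac = hmac.new(key, bytes([round_no]) + half.encode(), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % (10 ** width)


def _feistel(key: bytes, digits: str, decrypt: bool) -> str:
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a string of at least two decimal digits")
    u = len(digits) // 2            # width of the left half
    v = len(digits) - u             # width of the right half (one more if odd)
    left, right = digits[:u], digits[u:]
    sign = -1 if decrypt else 1
    for r in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        # Each round rewrites one half from the other, untouched half, so
        # running the rounds backwards with subtraction undoes it exactly.
        if r % 2 == 0:
            right = str((int(right) + sign * _round_fn(key, r, left, v)) % 10 ** v).zfill(v)
        else:
            left = str((int(left) + sign * _round_fn(key, r, right, u)) % 10 ** u).zfill(u)
    return left + right


def fpe_encrypt(key: bytes, digits: str) -> str:
    """Digits in, the same number of digits out; deterministic per key."""
    return _feistel(key, digits, decrypt=False)


def fpe_decrypt(key: bytes, digits: str) -> str:
    return _feistel(key, digits, decrypt=True)


def conventional_encrypt(key: bytes, plaintext: str) -> str:
    """Stand-in for ordinary encryption (random nonce + HMAC keystream XOR).
    Output is hex of nonce||ciphertext: longer than the input, not all digits."""
    data = plaintext.encode()
    if len(data) > 32:
        raise ValueError("demo keystream covers at most 32 bytes")
    nonce = secrets.token_bytes(16)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return (nonce + bytes(b ^ s for b, s in zip(data, stream))).hex()


# A legacy SSN column: exactly nine decimal digits, enforced by a CHECK.
SSN_COLUMN = ("ssn CHAR(9) NOT NULL "
              "CHECK(length(ssn) = 9 AND ssn NOT GLOB '*[^0-9]*')")


def legacy_column_accepts(value: str) -> bool:
    """Report whether `value` can be stored in the constrained SSN column."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE t ({SSN_COLUMN})")
    try:
        con.execute("INSERT INTO t (ssn) VALUES (?)", (value,))
        return True
    except sqlite3.IntegrityError:
        return False
    finally:
        con.close()


def aid_report(key: bytes) -> list:
    """Two departmental tables that store the FPE token instead of the SSN
    still join correctly because the token is deterministic under one key:
    the 'referential integrity' the article mentions."""
    students = [("123456789", "Ada"), ("987654321", "Grace")]  # constructed
    aid = [("123456789", 5000), ("987654321", 2500), ("555443333", 100)]
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE students ({SSN_COLUMN}, name TEXT)")
    con.execute(f"CREATE TABLE financial_aid ({SSN_COLUMN}, amount INTEGER)")
    con.executemany("INSERT INTO students VALUES (?, ?)",
                    [(fpe_encrypt(key, s), n) for s, n in students])
    con.executemany("INSERT INTO financial_aid VALUES (?, ?)",
                    [(fpe_encrypt(key, s), a) for s, a in aid])
    rows = con.execute("SELECT name, amount FROM students JOIN financial_aid "
                       "USING (ssn) ORDER BY name").fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    token = fpe_encrypt(key, "123456789")
    print(token, legacy_column_accepts(token), fpe_decrypt(key, token))
    print(legacy_column_accepts(conventional_encrypt(key, "123456789")))
    print(aid_report(key))
```

The same construction works for any digit-only identifier of two or more digits (card numbers, routing numbers), which is why no column widening or re-engineering is needed.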

Another big encryption breakthrough has been encrypted USB drives. These little portable storage units, sometimes called flash drives or thumb drives, have sometimes been the bane of IT departments, since they can carry viruses that could infect a network. Also, if a lost or untended thumb drive is found, any personal data could be retrieved simply by plugging the drive into the nearest computer.

At Boston Medical Center, a university research hospital, the use of drives is widespread, and IT Director Brad Blake has instituted a policy that only drives with encryption are allowed to be used. “Locking down data on USB drives isn’t easy, but it’s part of what can make data more secure,” he says. “It’s similar to having a policy on anything that can be carried around and potentially lost.”

Students should be informed that any device—such as an iPhone, iPod, or cell phone—can contain data that could be used for identity theft. Education efforts should cover ways to protect these and USB drives as a good backup to encryption.

4. Establish a risk and compliance group.

Top ID-Related "Don'ts" for Students and Staff
Even sharing some quick tips for students and staff will help them be more adept at identity protection. The creators of Identity Finder security software, which searches through files and e-mail for personal data so it can be shredded, offer these cautions to share with end users:
- Don't store personal information on your computer unprotected.
- Don't share personal data, such as Social Security number or even birth date, on MySpace or Facebook.
- Don't assume the school can protect you completely.
- Don't forget to configure peer-to-peer file sharing programs so they're secure.
- Don't neglect to perform software updates and fixes weekly or monthly, if these are not handled by the school's IT department.
- Don't leave your laptop unattended.
- Don't click on e-mail messages that contain hyperlinks to websites.
- Don't enter private information on public computers, such as those in the library.
- Don't e-mail or instant message personal info, since these communications are usually not secure.

Responsibility for identity protection is shared among users, IT staff, software providers, and others, but to truly create a strong strategy that includes education initiatives and technology purchasing, a separate group should be created, according to Shanahan.

“For the best protection, there should be an integrated strategy that looks at the issue from end-to-end,” he says. “That’s in contrast to each department coming up with their own approach. Until someone owns it and does risk management, you’ll always be patching up the holes that will inevitably occur.”

Part of the risk management group’s effort should be the creation of a centralized data warehouse, he says, which prevents the kind of fragmentation that occurs when data is in departmental silos. Shanahan has seen many universities pool data in this way and develop risk management committees that address security policies and procedures. “Think of identity protection in a holistic way,” he advises. “Creating more unity will make fraud-monitoring tools more effective and give more clout to user education.”

5. Find ways to secure public computers.

Many students and staff have their own computing resources, but there’s also dependence on public machines, such as those found in libraries, and ensuring that these machines are safe can be tricky, says Steven Zink, vice president of information technology and dean of University Libraries at the University of Nevada, Reno. “I’ve seen people walk away from a terminal with all their personal information still on the screen, even banking data,” says Zink. “Sometimes they just get distracted and don’t even think about it.”

The university uses Deep Freeze, a security program from Faronics that resets a computer to its original settings on a regular basis. This erases any stored cookies, input data, and even malware and viruses that may have crept into the computer while it was idle.

6. Create a loss prevention plan.

A working group should address how to deal with lost or stolen laptops—a common way for information to be obtained by thieves. This type of loss is particularly challenging because laptops are so popular, notes David Hawks of Absolute Software, maker of Computrace laptop security software, which can detect changes in hardware (including missing computer memory or drives) and helps track and recover stolen computers. “People are putting their personal information on university assets like laptops, so there need to be added security measures,” Hawks says. “From an identity thief’s perspective, getting a machine is ideal, because not only will it have university information, but also a user’s personal data like passwords, banking information, and credit card numbers.”

Even if there’s some encryption, it can be fairly easy for thieves to use computer forensic tools to tweeze out valuable data, he adds. Using a program to wipe data remotely is a strong option, and establishing procedures for erasing data from broken or donated machines is crucial. Some laptops that land on eBay still have plenty of usable information even though a user might have put personal files in the digital trash.

“To create enough identity protection, you need a layered approach, where there are best practices around password security, encryption, user education, and loss prevention,” says Hawks. “You’d be amazed at how many people don’t know how to protect their data, so an IT department has to do everything possible to do the protection for them.”

Elizabeth Millard, a Minneapolis-based freelance writer, specializes in covering technology.

Resources
Absolute Software, www.absolute.com
AdmitOne Security, www.admitonesecurity.com
Faronics, www.faronics.com
IBM X-Force, http://tinyurl.com/6aa22x
Identity Finder, www.identityfinder.com
IdentityTruth, www.identitytruth.com
Security Risk Solutions, www.securityrisksolutions.com

Wednesday, August 27, 2008

The Item for today is "Another Way to Lose Your Identity."

Well, as you'd expect, the bad guys have found another way to launch an attack against us.

PORTLAND, Ore. - Users of the popular social Web site Facebook are being warned that a computer virus is being spread through a well-disguised e-mail masquerading as a video from a friend.

The site boasts over 60 million registered users, including many employees at KATU.

Reporter Dan Tilkin recently registered on the site on the advice of friends and co-workers and received what he thought was a friendly e-mail from a former producer.

A link in the e-mail led him to a Web site that appeared to play a video and prompted him to update his computer's software to see the video.

However, the download was a virus instead.

It's not clear exactly what the virus does, but it should be assumed the purpose is malicious. A computer virus is also commonly referred to as "malware," which is short for "malicious software."

Many viruses scour a computer for personal information including banking and credit card information and then send it out of the country, where hackers use it to steal funds from the victim.

A virus can also turn a computer into a "zombie" and help to spread the virus to other computers or launch Denial of Service attacks on Web sites without the owner realizing what is taking place.

Computer experts warn users never to download any file with an ".exe" prefix sent from anyone, even if they are a friend, and to carefully monitor what page your browser lands on.

http://www.komonews.com/news/tech/27449439.html

Thursday, August 21, 2008

Welcome to Campus! Give me Your Identity!


It's college time kids!

Now we need to prep you for all the perps out there who will find you easy pickin' for stealing your credit card or more. The statistics on growing ID theft cases at colleges are frightening, and we need to move more quickly to change your behavior and teach you to be "Identity Theft Aware."

We have been working on an ID theft "condom" to make sure you practice "safe computing."

After all, the college health services (in spite of Rush Limbaugh) may be handing out actual condoms so you have "safe sex," so we want to make sure that you also protect your identity information from "viruses" just like you do against STDs.

Unfortunately we have had a hard time making the ID condom big enough to cover your laptop so instead we are developing a short, one hour, on-line "Safe Identity behavior" workshop for you kids.

We want to encourage every college and university in the USA to include a short 10 minute presentation on Safe Identity Behavior right after the talk about safe sex during incoming or freshman orientation. Then they should send you to the web site so you can take the short seminar.

Also, don't get trashed and let someone steal your wallet, purse, bag or backpack and all that personal info you keep in there. A drunk is the best target for old-fashioned "analog" ID theft!

Have fun ! Be safe!

As soon as it comes out I'll be posting a link to an article on this that will be published in a college-oriented publication soon.

Sunday, August 10, 2008

The Big Enchiladas Get Caught!

We've been dribbling out cases of spammers and hackers recently arrested. Now we can report on the largest ID theft case in history!



11 are charged with massive ID theft:
41 million credit card numbers allegedly stolen in global theft ring

This is the version in The Boston Globe, August 6, 2008

A ring of people spread across the globe hacked into nine major US companies and stole and sold more than 41 million credit and debit card numbers from 2003 to 2008, costing the companies and individuals hundreds of millions of dollars, federal law enforcement officials said yesterday.

"So far as we know, this is the single largest and most complex identity theft case ever charged in this country," US Attorney General Michael Mukasey said at a news conference at the John Joseph Moakley US Courthouse in Boston.

A grand jury indictment released yesterday charged that Albert "Segvec" Gonzalez of Miami, the alleged ringleader, and his 10 conspirators cruised around with a laptop computer and tapped into accessible wireless networks.

They then hacked into the networks of TJX, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Dave & Buster's, Sports Authority, Forever 21, and DSW. After gaining access to the systems, they installed programs that captured card numbers, passwords, and account information, officials said.

In addition to Gonzalez, two other Miami residents were charged in Boston and eight other alleged conspirators were charged in San Diego. The defendants - one from Estonia, three from Ukraine, two from China, one from Belarus, and one of unknown origin - allegedly concealed the data in encrypted computer servers they controlled in Europe and the United States. They sold some of the numbers, via the Internet, to other criminals, authorities alleged.

The suspected hackers also encoded some of the stolen numbers on the magnetic strips of blank credit or debit cards, which were then used to withdraw tens of thousands of dollars from ATM machines, officials said.

It was not clear how much of the stolen information had been used.

Rene Palomino Jr., a Miami lawyer representing Gonzalez, said his client will be proven innocent. "The government will have an uphill battle to prove their allegations," said Palomino, who declined to comment on the specific allegations.

Lawyers for the other men charged in Boston did not return calls.

Part of the scheme came to the public's attention early last year, when TJX, the Framingham-based retailer that runs T.J. Maxx, Marshalls, and other stores, found that credit and debit card information had been stolen from its computer systems.

In a statement yesterday, TJX officials called on credit card companies to improve security measures to protect consumers.

"The sheer number of retailers attacked by these cyber criminals demonstrates the much broader challenges in protecting sensitive consumer data from this increasing threat," said Sherry Lang, a TJX spokeswoman. "Broader action beyond retailers alone is required to protect consumer data. Banks and the US payment card industry must join retailers and work together."

Lang called for installing proven card security measures that are in use throughout much of the world.

Ted Julian, vice president of strategy and marketing for Application Security Inc. in New York, said the indictments reflect the changing tactics of cyber-criminals. Rather than go after individual consumers, hackers are targeting major retailers, such as wireless networks, to access troves of personal data.

"There are thousands of conduits to customer data. Security isn't working and TJX is the poster child of a big data breach," Julian said. "What is needed is a different approach to secure that data far more directly where it lives."

Officials at BJ's Wholesale Club of Natick, which settled charges in 2005 with the Federal Trade Commission that it failed to take appropriate security measures to protect the sensitive information of thousands of its customers, said they are pleased by the case's progress.

"We instituted significant system upgrades . . . and we are continuously employing measures to help protect data against the ever-increasing sophistication of thieves," the company said in a statement.

At yesterday's news conference, Mukasey said that over the past three years, officials and undercover agents from various federal agencies received help from investigative agencies worldwide.

"The message is simply this: We will track you down wherever you are in the world," Mukasey said. "We will see that you are arrested, and you will go to jail."

Officials said Gonzalez was previously arrested by the Secret Service in 2003 for access device fraud. The Secret Service later discovered that Gonzalez, who was working as a confidential informant for the agency, had become involved in the credit card theft case. He is now in a federal prison in New York awaiting trial on related charges.

Christopher Scott and Damon Patrick Toey of Miami were also charged in Boston. Maksym "Maksik" Yastremskiy, Dzmitry Burak, and Sergey Storchak of Ukraine; Aleksandr "Jonny Hell" Suvorov of Estonia; Hung-Ming Chiu and Zhi Zhi Wang of China; Sergey Pavlovich of Belarus; and a person known only by the online nickname of "Delpiero" were charged in San Diego.

The indictments charge the defendants with crimes related to the sale of the stolen credit card data. Charges included conspiracy to possess unauthorized access devices, possession of unauthorized access devices, trafficking in unauthorized access devices, identity theft, aggravated identity theft, aiding and abetting, trafficking in unauthorized access devices, conspiracy to launder monetary instruments, and trafficking in counterfeit access devices.

The San Diego charges allege that Yastremskiy, Suvorov, Chiu, Wang, Delpiero, Pavlovich, Burak, and Storchak operated an international stolen credit and debit card distribution ring with operations from Ukraine, Belarus, Estonia, China, the Philippines, and Thailand. The indictments allege Yastremskiy earned more than $11 million from his illicit operation.

In May, prosecutors charged Gonzalez, Suvorov, and Yastremskiy with hacking into computer networks run by the Dave & Buster's restaurant chain and stealing credit and debit card numbers from at least 11 locations. They allegedly gained access to the cash register terminals and installed at each restaurant a computer code configured to capture credit and debit card numbers as the restaurants processed them.

At one restaurant, the so-called "packet sniffer" captured data for about 5,000 credit and debit cards, eventually causing losses of at least $600,000 to the financial institutions that issued the credit and debit cards, authorities said.

Richard Walega, a New Bedford city employee who had $6,700 in fraudulent charges appear on his bank card weeks after shopping for Christmas presents at a T.J. Maxx store in Westborough in 2006, said he was "aghast" at the scope of the crimes.

Walega said he hasn't returned to T.J. Maxx and is still awaiting a settlement from the company, which has offered vouchers, cash benefits, credit monitoring, identity theft insurance, and reimbursements to eligible victims.

"It's totally mind-boggling," he said. "I hope this is the end of the trail."

That our security systems have been so porous and weak is the real story here. That corporations still don't have robust defenses against ID theft is the tragedy!

Wednesday, January 23, 2008

IP address = personal information

Yesterday the European Parliament's Civil Liberties Committee discussed the idea of linking your IP address to personal information. This would effectively give legal protection to IP addresses.

Of course, businesses that collect this information are against it. The leader of the pack is Google, which logs massive amounts of data and where it comes from. Tracking IP addresses helps Google crack down on click fraud or identify the geographical region of its customers, and in many ways it is crucial to the company.

Google’s Peter Fleischer was quoted as saying: "There is no black or white answer: sometimes an IP address can be considered as personal data and sometimes not; it depends on the context, and which personal information it reveals" (Link to PDF).

On the opposite side of the debate, the Electronic Privacy Information Center argues that with the upcoming IPv6 model of the Internet, IP addresses are becoming more and more personal.

Another big supporter of this side of the debate is Germany’s Peter Schaar, who heads the EU’s Data Protection Working Group. He believes that an IP address has to be regarded as personal data in situations where it can be used to identify someone.

If this idea does gain traction in Europe, it's unlikely to prevent the collection of IP addresses, which are used for everything from busting child pornography suspects to finding file-swappers to blacklisting spam domains, but it would no doubt require databases of IP addresses to meet certain security and retention standards.

Do you think IP addresses are personal information and, as such, should be protected legally?

Nate Evans
ISEAGE PBS Leader
The Krell Institute

Monday, December 31, 2007

Seasons Greetings

At the start of the holiday season this year my friend Moses Whiffington of Boston, Mass., went to fill his car with gas and his credit card was refused. His wife Wilhelmina was turned down at Walgreens Pharmacy an hour later and could not buy Robitussin for little Benjamin – “Sorry, ma'am, your credit card has been frozen.” The credit card company said they were over their limit because of the $6K in charges they had made in the last hour in Boston at Bonwitt Teller. Moses was at home filling his snowplow with gas when those charges were made. The Whiffingtons had not mail-ordered six gold Christmas gift bracelets to be sent by courier to an address only two blocks from the store.

The next day they got the notification from the famous MM Kean Outdoor Wear Catalog Company in Pawamatuxet, Maine that, as per application, a business account had been activated and the first shipment of Wully Pully cashmere sweaters in the amount of $12,000 had been shipped, as per instructions, to Whiffington Outlet Bazaar in Amarillo, Texas. And, MM Kean proudly announced “We are pleased to tell you that you’ve been authorized for the Platinum Credit Line of up to $60k. Congratulations and Happy Holidays!”

Moses and Willy are typical of millions of Americans whose credit information is stolen by cyber crooks. Then the long, frustrating, and angry process of trying to recover credit ratings and their good name begins. What a way to spend Christmas!

Moses was innocent and had mostly ignored news stories and reports about ID Theft. His company, Vizagnez Pharmaceutical Packaging had never run an employee training program on Identity Security and Moses who is VP of Marketing had never had alarm bells go off when customers complained that after doing business with Viz (as the company is known) they suddenly had unauthorized charges in the tens of thousands on their company accounts. Little did Moses know that the marketing web site had been hacked, spyware installed, and vital, confidential information leaked out on customers accounts.

Moses called me on my cell and I authorized a download of our book on ID Theft as my Christmas present to him and his family. He followed the checklist of ten steps and is now spending New Year's applying for new and more secure credit cards. He has also ordered a complete security review of all customer data. My associate and I are flying out to Boston to do a one-day training seminar for all employees at Viz Packaging. This seminar will be archived and available for all new Viz employees, who are required to take it and pass the certification testing of our ID Secure Company™ training program.

Meanwhile, preoccupied with cutting the size of the federal government and “getting government off your back”, the Congress and the Executive Branch have still not stepped up fully and robustly to enact much tougher and proactive identity theft legislation.

Last week Moses got a package from DHL Delivery Services that his corporate account for package delivery and small business credit had been approved. He expects to get approved for many more unsolicited business accounts and the charges that come with those as the thieves continue their spending spree.
Happy Holidays, Merry Christmas, and we hope that your New Year 2008 is free of these hassles.

Thursday, November 22, 2007

Brit Data Loss Hits 40% of Population; Bureaucrats should be sent to US Guantanamo Bay Military Detention center for Training.

Prof. Steffen Schmidt

The story datelined London, Nov. 21, 2007 opened this way:

The British government struggled Wednesday to explain its loss of computer disks containing detailed personal information on 25 million Britons, including an unknown number of bank account identifiers, in what analysts described as potentially the most significant privacy breach of the digital era.

(The New York Times, “Data Leak in Britain Affects 25 Million,” by Eric Pfanner)

The data was on two disks that were sent, unregistered, by a private delivery service, TNT. The disks were apparently protected by a password, but the data was not encrypted. They were sent by Her Majesty’s Revenue and Customs, the tax collection agency, to the National Audit Office, which monitors government spending.

It appears to me that the bureaucrats in the British government who handle such sensitive information in such astounding volume were never once told about identity theft and were not trained in handling such life-changing information. This is not shocking to me at all, since identity theft protection and data handling have been cavalierly ignored by governments, by private companies and corporations, and by non-profits, clubs, social organizations, educational institutions, insurers, and health care providers.

According to the New York Times,

The data went astray in October, after two computer disks that contained information on families that receive government financial benefits for children were sent out from a government tax agency unregistered, via a private delivery service. The episode is one of three this year in which the agency improperly handled its vast archive of personal data, according to an account by the chancellor of the Exchequer — including the sending of a second set of disks when the first set did not arrive.

The lost data apparently included personal information on 40 percent of the country’s population. The disks included people’s names, addresses, bank account numbers, and their national insurance numbers, the British equivalent of Social Security numbers. The disks also contained data on almost every child under 16 in Britain.

Experts said the information could allow crimes beyond identity theft. Some people use the name of a child or part of an address as a password on a bank account, so the combination of these details could allow someone to break their code.

Apparently the government also waited an ungodly time before informing banks so that they could put higher levels of security in place and monitor unusual activity on people’s accounts.

The British Prime Minister Gordon Brown apologized and the head of the tax agency resigned. Oh goody! That will calm the nerves of half of the population of Britain who are now faced with years of anxiety over their personal information.

Government Information Commissioner Richard Thomas said he was shocked at the scale of the security breach.

“It's almost certain that they have broken the data protection law. This is a shocking case. I'm at a loss to find out what happened in this situation,” he told BBC radio.

He also said his office had been issuing warnings about data protection to organizations for years.

“We've been all the time saying that the more you are collecting personal data, for understandable reasons, the more the risks increase and the more you must be aware of what can go wrong.” Globe and Mail

The irony is that in Europe it is illegal to collect and sell people’s personal information, but of course that does little to stop a “junior” staff member of the tax collection agency from sending disks with all this vital data. I find it mind-boggling to begin with that a “junior” staff member would be allowed to even touch such data. I also find it criminally neglectful that so much vital information would all be aggregated in a single location.

What can we learn?

First of all, this example is proof positive that we need massive and highly intrusive data protection training for employees who handle such information.

Secondly, this tragedy demonstrated clearly that encryption is not an option: it should be absolutely required and mandated, and its omission a punishable offense.

Third, the case suggests that my computer and information geek friends need to develop a radical new best practice for data storage and management. I would suggest a system of distributed and disaggregated data storage, where files are NOT all kept together in databases and where the pieces of identity information for each file are also not stored together. The algorithms for managing this information would be written in such a way that when data is needed it seeks the required information, and then temporarily assembles the pieces of each person’s record for specific use. When the operation is finished the assembled data evaporates and the encrypted system goes back to disaggregated storage.
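One way to sketch the disaggregated design proposed above, as an added example that is not from the original post: each identity field sits in its own store under a token that cannot be linked to the same person’s token in any other store, values are encrypted per store, and a record is only joined for the span of one operation and cleared afterwards. The `ShardedVault` class, the field names and the sample record are constructed for illustration, and the HMAC-based counter-mode keystream is a stand-in for a real authenticated cipher, not a recommendation.

```python
import hashlib
import hmac
import os
from contextlib import contextmanager

# Constructed field set; a real deployment would define its own schema.
FIELDS = ("name", "address", "bank_account", "national_insurance")


class ShardedVault:
    # Each field lives in its own store under an unlinkable token, so one
    # stolen store yields one encrypted column and no key to join the rest.
    def __init__(self, master_key: bytes) -> None:
        self._master = master_key
        self._stores = {field: {} for field in FIELDS}

    def _token(self, field: str, record_id: str) -> str:
        # Per-store derived key: the same record gets a different token in
        # every store, so rows cannot be correlated across stolen stores.
        store_key = hmac.new(self._master, b"idx:" + field.encode(), hashlib.sha256).digest()
        return hmac.new(store_key, record_id.encode(), hashlib.sha256).hexdigest()

    def _keystream(self, field: str, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 in counter mode as a stand-in for a real AEAD cipher
        # (use AES-GCM or ChaCha20-Poly1305 from a vetted library in practice).
        key = hmac.new(self._master, b"enc:" + field.encode(), hashlib.sha256).digest()
        out = b""
        for counter in range((length + 31) // 32):
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:length]

    def store(self, record_id: str, record: dict) -> None:
        for field, value in record.items():
            nonce = os.urandom(16)  # fresh nonce: no keystream reuse on updates
            data = value.encode()
            ct = bytes(a ^ b for a, b in zip(data, self._keystream(field, nonce, len(data))))
            self._stores[field][self._token(field, record_id)] = (nonce, ct)

    @contextmanager
    def assemble(self, record_id: str):
        # Pieces are joined only for the duration of one operation.
        record = {}
        for field, store in self._stores.items():
            nonce, ct = store[self._token(field, record_id)]
            record[field] = bytes(a ^ b for a, b in zip(ct, self._keystream(field, nonce, len(ct)))).decode()
        try:
            yield record
        finally:
            record.clear()  # the assembled copy evaporates once the work is done
```

A caller uses `with vault.assemble(record_id) as person:` and the joined record is gone when the block exits; the stores themselves never hold a plaintext row.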

One side effect of the data loss was to deal a blow to Britain’s plan to issue a national ID card.

Critics of Britain's plans for compulsory identity cards said on Wednesday the multi-billion pound scheme should be ditched after the data loss.

Opposition politicians and opponents said the loss showed the government could not be trusted to bring in ID cards, which would involve one of the world's biggest IT schemes.

The Globe and Mail: http://www.theglobeandmail.com/servlet/story/RTGAM.20071121.wukdatalosss1121/BNStory/International/home


Monday, November 19, 2007

Information Protection and Behavior Modification

In 2006-2007 the National Science Foundation (NSF) and the Iowa State University Center for Information Protection (CIP) funded a study on information and identity theft protection of which I am the PI (Principal Investigator). The NSF-CIP project is directed at identifying factors that lead to data and critical information loss and then designing targeted and appropriate educational/training programs that change people’s behavior and lead to more “Security Consciousness” (SEC-CON).

As a result of this research we are now developing best practices for information and ID protection. Our colleagues in computer science, computer engineering, mathematics, and management information systems (MIS) are working on parallel discoveries that will make information more secure and personal identities less vulnerable. Their work and ours will be incorporated into corporate, government, non-profit organizations and into individual practices.

I am delighted to report some preliminary findings which can help secure information.

Individuals need to keep the security of their personal data high on their “awareness” list. In fact, research shows that ID security needs to become a “second sense”. It should never be something we do once a month or quarterly.

There is now significant evidence of an “Unwarranted Trust” (UT) factor which basically “disarms” people’s behavior when it comes to securing and protecting sensitive data. Understanding UT as a sociological and psychological behavioral phenomenon is, we feel, THE single most critically important factor in successful “Security Behavior Modification” (SBM).

The second phase of the NSF-CIP project is designed to modify and improve training systems for employees who have access to critical information, and to develop a continuous improvement paradigm for them. As one of our sponsors, who is with a large multinational company, pointed out at a recent briefing, SBM is invaluable not only for the protection of traditional data of concern such as Social Security and credit card numbers and birth dates, but also as a means of sensitizing employees to the risk of revealing or losing proprietary information, business plans, patents, and other information that should be secured and protected.

For more information on the National Science Foundation/Center for Information Protection project please contact us at:
Michael McCoy, 559 Ross Hall, Ames, IA 50011-1204, or email: mrmccoy@iastate.edu


Steffen Schmidt


Friday, May 04, 2007

England Has Their Problems As Well

Experian Inc., a credit checking agency, reported on Thursday that identity theft cases in England increased by 69% between 2005 and 2006.

In England, over 2,000 people contacted the Experian identity theft victims hotline in the last six months of 2006 alone.

According to Experian, about 45 percent of those victims were alerted to a problem by a financial services company that noticed unusual activity. Forty-one percent found out through their credit report. The rest found out either after a refusal of credit, a theft or through notices they were being awarded credit they had not personally requested.

Watch out when companies like these start offering you services to protect your good name. Isn't there a small conflict of interest?


  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C
  • Deter. Detect. Defend. Avoid ID Theft - www.ftc.gov/idtheft