
Will 2015 Top 2014 in Security Exposures?

It’s hard to imagine how 2014 could be surpassed as the worst year for massive identity theft and data loss exposures.

The news developments of 2014 were relentless and mind-numbing. Heartbleed and Shellshock rose to the fore as two of the nastiest Internet-wide vulnerabilities ever to come to light. Heartbleed is a flaw in OpenSSL, the encryption software widely used to secure website shopping carts. Shellshock lets an attacker take control of the command shell used to type text-based commands on Linux, Unix and Mac servers.

“These are problems in the very fabric of what the Internet is built on,” says David Holmes, security evangelist at F5 Networks.


Meanwhile, Target, Neiman Marcus, Dairy Queen, Home Depot, JP Morgan and Sony Pictures led a parade of organizations disclosing major data breaches. Indeed, the tally of data breaches made public in the U.S. hit a record 783 in 2014, nearly 30% higher than in 2013, according to the Identity Theft Resource Center.

“The ubiquitous nature of data breaches has left some consumers and businesses in a state of fatigue and denial about the serious nature of this issue,” says Eva Velasquez, chief executive officer of the ITRC.

The scary part

Now here’s the scary part: The pace hasn’t slowed in the first few weeks of 2015.

Consider that the financial services sector has spent billions over the past decade on the best defensive technologies and systems money can buy. Yet a low-level Morgan Stanley financial adviser was able to exfiltrate account records, including passwords, for six million of the Wall Street giant’s clients.

Meanwhile, forensic analysts at Dell SecureWorks recently uncovered a novel strain of malware circulating deep inside a corporate network. It’s being referred to as a “skeleton key.” With a skeleton key an intruder can fool the authentication protocols on widely used Microsoft Active Directory systems by typing arbitrary passwords. This enables the attacker to do such things as gain unfettered access to webmail and virtual private networks (VPNs).

“It’s much easier to be an attacker than a defender,” observes Jeff Williams, director of security strategy for Dell SecureWorks’ Counter Threats Unit. “As a defender, you must protect all paths of access, whereas the attacker only needs to find one foothold from which to mount an intrusion.”

If nothing else, the headlines of 2014 should grab the attention of company owners, directors and senior executives. No one wants to make it to the ITRC’s list of U.S. breaches for 2015.

SMBs exposed

But small and medium-sized businesses (SMBs) should pay heed as well, says William Klusovsky, a security specialist at NTT Com Security. SMBs should grasp that they are part of a wider supply chain and that modern day cybercriminals are intensively hunting for all weak links, he says.

Small business owners should “understand your businesses processes, be aware of your risk profiles and be able to explain that to your partners,” Klusovsky advises. “And then within reason implement the protections you can afford.”

A good place to start, for companies of any size, is to step into an attacker’s shoes, Dell SecureWorks’ Williams says. “Identify paths of entry and put mitigations in place, whether that be two-factor authentication, removing unneeded services, implementing, monitoring or training staff,” Williams says.

Security consultants can be valuable guides, and third-party managed services can do the day-to-day heavy lifting. But the due diligence must come from the business owner.

The business owner should plan to “remain engaged and active in the conversations with that security service provider,” Williams says.

Over time, all business owners need to develop some level of skill about security policies and procedures and look to infuse that knowledge into the company’s infrastructure.

See more at Third Certainty

‘Data on the Move’ Means Data at Risk

Everywhere we look today, data is on the move. The downside: When personal information and data are being moved electronically, they’re more vulnerable to identity theft.

At the Identity Theft Resource Center, a crucial part of our analysis when we track data breaches is to look for emerging trends. Unfortunately, one trend has become evident: The number of breaches linked to “data on the move” in the healthcare industry is up significantly. In fact, these types of data breaches – say, when a laptop or flash drive is stolen or back-up tapes are lost in the mail – have risen above other industries quite dramatically.

But there’s hope. Companies and organizations can take steps to reduce these data breaches. They can provide more robust employee training and stricter controls over what devices are allowed to leave the premises. Organizations can also review what data is stored on devices and how the devices are protected. Adding encryption to laptops that contain sensitive data – and that must leave the premises – will also improve the situation without busting the bottom line.

Breach incidents because of data on the move have been trending downward as a percentage of all breach incidents, from 20% in 2008 to 12% in 2012. Although the percentage increased slightly to 13% in 2013, most industry sectors have seen a payoff from preventive measures.

The medical sector is not having a similar experience. More than half of the breaches because of data on the move occurred in the health/medical sector.


For instance, in California, Palomar Health recently experienced a data breach when an encrypted laptop and two unencrypted flash drives were taken from a staff member’s car. The devices exposed the personal health information of 5,000 patients. In Michigan in late January, a laptop computer and flash drive were stolen from an employee of the state Long Term Care (LTC) Ombudsman’s Office. Information on the laptop was encrypted, but data on the flash drive was not. The flash drive contained personal information about 2,595 living and deceased individuals, including names and addresses and, for some individuals, dates of birth. Either a Social Security number or a Medicaid identification number was included with 1,539 records.

Data breaches pose a significant risk to consumers because of the correlation between breaches and identity theft. According to Javelin Research, one out of three people whose information was breached fell victim to fraud in the same year. When medical records or personal health information (PHI) are compromised, consumers are not only facing an increased risk of medical identity theft. The risk for all types of identity theft is increased. (For more information on medical identity theft and its impact on the community, see the Medical Identity Theft and Fraud article on ITL).

The information entrusted to medical providers and insurance companies is often the same information that can be used to steal a person’s identity and commit financial identity theft, government identity theft and even criminal identity theft. In addition to receiving medical goods and services or prescriptions in the victim’s name, a thief could obtain loans or new lines of credit, apply for government benefits or file a false tax return. The perpetrator could even use the victim’s name if caught while committing a crime.

“Whether sensitive data is at rest or in transit, it should have appropriate risk-based controls and policies applied to its governance,” says Ann Patterson, program director with Medical Identity Fraud Association, which unites all the stakeholders and helps to convey the importance of these best practices. “The same judicious enterprise-wide data protection principles that you apply to your data at rest should also be considered for your data in transit and your mobile data. Particularly for mobile, BYOD policies (Bring Your Own Device) are essential.”

According to MIFA, many organizations are feeling the impact of shrinking budgets and may be tempted to reduce costs by limiting financial resources for internal fraud detection and prevention programs. This may provide immediate help to the bottom line. But in the long term it’s the wrong solution. Costs creep up in other areas when fraud is ignored. This could result in an organizational culture shift; as the old saying goes, what we allow, we encourage.

Coupled with human resources divisions, the fraud detection and prevention programs often provide employee training and formulate best practices in regard to fraud reduction.

The ITRC realizes the critical importance of information management and data security. We believe strongly in the importance of educating consumers and businesses about the value of our individual data and the importance of personally identifying information (PII). For this reason, our organization began tracking data breaches in 2005. Tracking breaches has allowed us to look for patterns in regard to how our information is being safeguarded, or compromised, by those we trust with it.

The ITRC defines a data breach as an event in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will capture breaches that do not, by the nature of the incident, trigger data-breach-notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information. These breach incidents will be included by name but without the total number of records exposed. (For a more detailed explanation of our methods, visit the ITRC breach report page).

Data breaches and identity theft have been on the rise and have a significant effect on the individual victims as well as on the U.S. economy. We acknowledge that there is no panacea to rid ourselves of this issue entirely. However, encouraging negligence by not providing employees with the proper tools, and simply not acknowledging the problem, is not the answer, either.

Small and steady gains can be made by implementing training and increasing accountability for the individuals and organizations that we entrust to be good stewards of our PII. A good start would be to understand and recognize how each type of incident plays a role and identify deficiencies.

Another option for organizations is to get involved with industry and trade organizations that also tackle issues related to data breach best practices daily. Businesses want to keep proprietary information close to the vest, but best practices about breaches should not be a trade secret. A highly engaged and enlightened health/medical community would be a step in the right direction.

Why Traditional Crime Measurements Don’t Tell the Whole Story

All over the nation, the question is being asked, “Why is the overall crime rate in the US on the decline?”

We have the answer: “It’s not.”

In 1930, the FBI was given the task of collecting and publishing crime-rate statistics from across the country, and the UCR (Uniform Crime Reporting) Program was born. This program collects data from across the country, and it is published in several reports, including the often quoted Crime in the United States report. The report separates offenses into two categories: violent crime and property crime.

These two categories appear to provide an adequate sample of the types of crimes that should be captured to measure the overall crime rate, but the four “property crime” categories fall short. There is a simple reason: They have not changed since the 1920s.*

For instance, the category of larceny-theft does not include embezzlement, confidence games, forgery, check fraud, etc. Identity theft, which is growing astronomically, is also not included.

According to the two entities within the federal government that measure and report identity theft rates — the Federal Trade Commission’s (FTC) Consumer Sentinel Report and the Bureau of Justice Statistics — identity theft crime rates continue to increase. Identity theft has been ranked as the #1 complaint reported to the FTC for the past 13 years. Of the 2,061,495 complaints captured from a variety of organizations that share data with the FTC, 369,132 were regarding identity theft.

The Bureau of Justice Statistics uses the National Crime Victimization Survey (NCVS) to capture and report its statistics on identity theft. The last report available captures information from 2005-2010. According to this latest report, approximately 8.6 million households experienced financial identity theft.

The latest statistics available (2012) are from Javelin Strategy & Research Inc., an independent organization not affiliated with the federal government. Their study concluded that there have been 12.6 million incidents of identity fraud.

Identity theft is increasing faster than property theft crimes are declining, but the public isn’t paying enough attention. The reasons for apathy include the misconception that one can’t be a victim without a stellar credit rating (i.e., my identity isn’t worth stealing) and the conspiracy theorist notion that this is all just a scare tactic promoted by industry to entice consumers into buying services that are unnecessary. Both are misguided.

A change in public perception is required. It has been ingrained into us that we must take personal responsibility for safeguarding our possessions and our physical wellbeing, so why not our identity?

Most people realize that they cannot guarantee they will never be burglarized. So they employ tactics to make it harder to break into their home. When leaving for vacation, they secure doors and windows and activate alarms. Often, mail is held at the post office and friends are asked to check in on the place.

People must likewise actively guard their identity components (such as passwords and devices). Taking regular steps to safeguard your identity must become ingrained in all of us. It’s absolutely true that you can do everything right and still become a victim of identity theft – but why not make the thieves work hard?

Ask anyone if they would think twice about wandering into a dark alley, alone, at night, in a dicey neighborhood, and they would say, “Absolutely!” But consumers think nothing of going to strange websites and entering credit card (or even more personal) information without checking the legitimacy of the site, especially when they can get a screaming deal on that flat-screen TV or tablet.

It is widely recognized that fraud and financial crimes don’t scare or shock people in the same way that violent crimes do. Unless they rise to the level of Bernie Madoff or Enron, the crimes rarely make headlines.

Additionally, financial crimes are often cited as much harder to accurately measure because of underreporting and lack of consistent reporting methods.** Some individuals do not believe that financial crime victims suffer true harm, especially if they are eventually made financially whole, as can happen with some identity-theft victims. There is a misconception that once an individual has false charges removed from a credit account, or false accounts removed from a credit report, or a false tax return remedied by the IRS, they are no longer the victim. The victim label is assigned to the entity that takes the financial hit, such as the credit card issuer/financial institution and the IRS. Regardless, a crime has still been committed. Even if the crimes are difficult to measure and don’t shock, they certainly should be included in our evaluation of crime rates.

The infiltration of technology into our daily lives has not only changed the way we live, it has changed the way crimes are being committed. Much like water, criminal elements will take the path of least resistance. When law enforcement and society become adept at suppressing scofflaws by making a particular crime more difficult to commit, such as through anti-theft devices on cars, criminals move on to other crimes.

Non-violent crime rates haven’t decreased; they have just changed. Whereas the criminal of twenty years ago was armed with a knife or a gun, today’s criminal is armed with a keyboard or skimming device. The weapon(s) of choice has changed from tools of violence to tools of technology. Criminals aren’t committing fewer criminal acts, just different ones. We don’t have fewer criminals, only smarter ones.

* Upon inquiry, the FBI responded with the historical information to explain how the eight offense classifications known as Part I crimes were chosen as indicators of the overall crime rate in the country. The first seven offenses were originally chosen in 1929. Arson, the 8th offense, was added in 1979. The 7 original offenses chosen to illustrate the overall crime rate and used in the annual publication Crime in the United States were not altered at that time. In fact, they have remained mostly unchanged since the 1920s.

** The FBI has a Financial Crimes Report that is listed under its “Other Reports and Publications” section. Other offense data for fraud and fraud type offenses is captured in the FBI’s NIBRS (National Incident-Based Reporting System); however, identity theft is not one of the incident types captured.

The Financial Crimes Report(s) differ in format from the violent crime/property crime format in the UCR and are more difficult to decipher. The data contained in these reports is for cases investigated by the FBI. It does not include financial crimes cases for local jurisdictions throughout the United States as the UCR does. The most recent report shows five-year trends in various categories. The categories of corporate fraud, securities and commodities fraud, health care fraud, and mortgage fraud (reported cases) all show increasing numbers. Financial institution fraud, insurance fraud, and money laundering case statistics show a decrease in numbers, and mass marketing fraud has stayed relatively flat.

The NIBRS report for 2011 indicates there is data on the following fraud type offenses: Bribery – 293; Counterfeiting/Forgery – 74,131; Embezzlement – 17,000; Extortion – 1,217; and Fraud Offenses – 245,301. This is a total of over 330,000 known incidents that could be counted in the overall crime rate in the UCR. Though small in comparison to the other property crime numbers, it is not a statistically irrelevant number. Identity theft statistics are not captured on this report. Identity theft statistics are published by another department within the USDOJ (of which the FBI is a part), the Bureau of Justice Statistics.

Health Insurance Exchange Scam Alert: Beware of Fake Websites

The Identity Theft Resource Center (ITRC) has growing concerns regarding the potential for new scams concerning the implementation of the Health Insurance Exchange (HIE) websites as part of the Patient Protection and Affordable Care Act (also known as Obamacare). These exchanges are currently online with enrollment due to start on October 1st.

According to the Act, each state must implement insurance exchanges. These exchanges are to serve as online marketplaces (websites) for consumers to compare rates and make choices about which health insurance coverage is best for them. Each state has the ability to determine the best way to manage these exchanges in order to meet the needs of their uninsured residents.

The open enrollment period for these exchanges begins on October 1, 2013. There have already been some predictions that there will be “bugs and glitches,” to quote President Obama, during this process. IT professionals are already voicing concerns regarding the ability to handle the amount of traffic anticipated on the first day of the rollout. However, no one is talking about ensuring that consumers actually know and understand where to go in the first place.

There is huge potential for misinformation and misunderstanding with this new insurance exchange program. Consumers will now be mandated (or face a penalty come tax time) to purchase health insurance if they don’t have existing coverage. The official website, www.healthcare.gov, will be used by the majority of the states. But 17 states have opted to manage their own unique exchange with a different URL. This has the potential to cause much confusion for consumers. While it may appear that this information would easily be located via an internet search, our experience was that the official website was not easy to locate. In fact, when we searched for “health insurance exchange official websites” (rather than “website”) the websites for the 17 states that have their own unique URLs appeared, but www.healthcare.gov did not appear on the first page.

From our experience with scams and fake websites, we believe it would be extremely easy for scammers to create multiple websites that will trick consumers into thinking that it is either the federal health exchange website or one of the alternative state websites. Without known and reliable sources, there exists a great opportunity for gaming of the Internet search engines to attract consumers to websites intent on harming them by eliciting the fraudulent collection of personal identifying information (PII). There is a need to present factual information about which websites represent the accredited websites for the new insurance exchanges.

While there is a comprehensive list of insurance exchange websites on www.healthcare.gov, we are concerned that consumers may not find their way there in the first place. Already our searches indicate that there are organizations using keywords such as “Obamacare” and “Health insurance exchange” in the paid advertising section that are not the official insurance exchange websites. While these websites may not be scams, our concern is that it will only be a matter of time before imposter websites intent on real consumer harm surface.

This concern has a historical basis. The Fair Credit Reporting Act (FCRA) requires each of the Credit Reporting Agencies (CRAs: Experian, TransUnion, and Equifax) to provide consumers with one free credit report annually. Confusion still exists between www.annualcreditreport.com, which is the court-mandated website hosted by the credit reporting agencies that actually provides annual free credit reports to consumers, and other websites that offer free credit reports or free credit scores such as www.freecreditreport.com, hosted by one of the credit reporting agencies. Soon after the creation of the original mandated website, dozens of look-alike websites were created. Consumer protection organizations, including the Federal Trade Commission, continue to educate consumers about this to this day (Consumer Information: Free Credit Reports) even though the mandated free website was launched in December 2004.

With the operational launch of these new insurance exchanges just a few short months away, consumers will be scrambling to comply before the January 1st, 2014 deadline. We already stated that we expect consumers to use search engines to locate the particular website they are supposed to use, and that the searches are inconsistent. With that knowledge, will regulators put provisions in place to identify, deter, monitor and address imposter websites? Or do they presume that the existing regulatory or enforcement provisions will deter those who create malicious fake websites intended to capture the personally identifiable information of consumers? Information provided to a fake insurance exchange website could be used to commit identity theft and other frauds.

There will be two types of imposter websites that will require redress. Not all imposter websites are created equal. There are differing levels of harm depending upon the type of imposter website consumers discover. There are legitimate businesses cutting corners and engaging in misleading tactics to secure new business and there are outright scam websites, whose intention is to secure personally identifiable information for malicious use.
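The look-alike problem described above is as much a software problem as a consumer-education one: any tool that wants to flag links that merely contain the official name has to parse the host properly rather than search the URL text for it. The following Python is an added illustration, not code from the ITRC or from healthcare.gov; it uses only www.healthcare.gov, the one official domain named on this page, and the sample URLs are constructed look-alikes, not real imposter sites.

```python
from urllib.parse import urlsplit

# The only official exchange domain named on this page. The 17 state-run
# exchanges use their own URLs, which the page does not list, so they are
# deliberately left out rather than guessed.
OFFICIAL_DOMAINS = {"healthcare.gov"}


def naive_check(url: str) -> bool:
    """A substring test: the kind of check a look-alike site is built to pass."""
    return "healthcare.gov" in url.lower()


def is_official_exchange_url(url: str) -> bool:
    """True only if the URL's host is an official domain or a subdomain of it.

    The host is taken from a real URL parse, so the official name appearing in
    the path, in a userinfo section, or as a prefix of a longer domain does not
    count. Scheme-less input such as "www.healthcare.gov" is tolerated.
    """
    parts = urlsplit(url if "//" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


# Constructed sample links: one genuine host and several look-alike patterns.
SAMPLE_LINKS = [
    "https://www.healthcare.gov/",                   # official subdomain
    "www.healthcare.gov",                            # no scheme, still official
    "https://healthcare.gov.enroll-now.example/",    # official name as a prefix
    "https://healthcare-gov.example/",               # hyphen swap
    "https://www.example.net/healthcare.gov/",       # official name in the path
    "https://login@healthcare.gov@www.example.org/", # official name in userinfo
]


def classify(links: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each link to (naive_check result, proper host check result)."""
    return {u: (naive_check(u), is_official_exchange_url(u)) for u in links}


if __name__ == "__main__":
    for link, (naive, proper) in classify(SAMPLE_LINKS).items():
        print(f"{link:48s} substring={naive!s:5s} host-check={proper}")
```

Every constructed look-alike passes the substring test and fails the host check; a link checker, mail filter or browser extension that relies on the former gives consumers exactly the false confidence the article warns about.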

Phishing and smishing could eventually come into play.

In 2012 “Imposter Scams” ranked 6th (out of 30) in the list of most complained about fraud events according to the FTC Consumer Sentinel Report. The 82,896 complaints represented 4% of the total complaints received by the FTC.

This category is defined by the FTC as “complaints about scammers claiming to be family, friends, a romantic interest, companies, or government agencies to induce people to send money or divulge personal information.” Complaints included the following: Scammers posing as friends or relatives stranded in foreign countries without money, scammers claiming to be working for or affiliated with government agencies, and scammers claiming to be affiliated with a private entity (a charity or company).

By far, the largest subtype of scam was regarding government agency imposters, with over 43,000 of the total in that category. Previous years’ statistics indicate that year over year, government imposters were the most complained about subtype: 47,454 in 2011 and 49,321 in 2010.

This demonstrates that the scammers continue to find impersonating the government to be a lucrative enterprise. Since this is a new program, even those consumers who normally know not to click on strange links in emails or respond to unknown senders of text messages, may feel compelled to respond and potentially share their personally identifiable information via these means. Why should we believe that the health care exchanges will be immune to this kind of impersonation?

If past behavior is an indicator, we can be sure that there will be financial harm to at least some of these victims.

The Internet Crime Complaint Center (IC3) 2011 report states that it received approximately 39 complaints per day regarding FBI impersonation email scams. IC3 presented a total loss for this type of impersonation scam (via phishing emails) as over $3 million. This number is just for the complaints that the IC3 received and does not take into account all the unreported losses.

A fundamental part of the Identity Theft Resource Center’s mission is to serve as a relevant national resource on topics such as this. In an effort to provide consumers with the important information they need about potential insurance exchange scams, the Identity Theft Resource Center has developed a scam alert and posted additional information on its website to help educate consumers.

The Identity Theft Resource Center is hopeful that there will be strong and coordinated efforts to educate consumers as to the authentic websites for these exchanges. As they differ from state to state, universal messaging will be difficult to coordinate. Of course, there will be glitches, and as with any new process, we will only discover what these are when the actual user experience is reviewed. However, these efforts need to take place now.