Data Breaches and Identity Theft: Interview With Two Experts (Part One)

Imagine finding thousands of dollars worth of charges on your credit card. Or worse – imagine not getting the bill and having the charges affect your credit rating. We could keep going with progressively worse scenarios, but the point is that data and identity theft is a serious problem.
We interviewed two data security experts on this important topic.
Part One – Dave Bull, Secure Computing
Part Two – Wasim Ahmad, Voltage Security
Dave Bull.png
First is an interview with Dave Bull, Manager, Product Marketing of Secure Computing Corp.
Is there really a problem with identity theft? We hear about the high profile cases in the news, but maybe there’s not much theft happening.
Absolutely. Obviously the term ‘identity theft’ is quite broad as there are so many different ways to accomplish such a thing — I run into new techniques all the time. Of course, I have colleagues that are federal agents who are involved in identity theft investigations, so I may be in a unique position to learn about the latest and greatest techniques the bad guys are using. But just because it isn’t a ‘hot’ news topic, doesn’t mean it isn’t going on around you. Just ask the next few people you see if they have had an issue, and you will run into someone with a story to tell quite quickly.

Maybe this is only an issue for very large companies as they present big targets.
Identity theft is an issue for literally everyone. The latest technique is something that targets the every-day Joe and it doesn’t matter if they are a CEO at the fortune 500 company down the road or the local school district bus driver. This technique is commonly called ‘slicing’ and it doesn’t require the bad guys to know anything about you at all. This is how it works:
i. Pretty much every bad guy has credit cards, debit cards, gift cards, whatever. These cards already have the bad guy’s name on them and possibly even a picture ID. If the bad guy knows which numbers on that card belong to the bank and which ones are specific to the card owner, they slice off the owner specific numbers with a razor blade or X-ACTO knife.
ii. The next step is to call the bank phone number on the back of the card to check the balance, and when they ask for the account number, start punching in random numbers until they hit a ‘live’ account. If the wrong number is entered, the automated phone system will just tell them they have entered an invalid number, so they try it again to find a good number – which is easily identified as soon as the phone system asks them for the password or secure ID, etc.
iii. Now that they know a valid account number, they can just slice off the appropriate numbers from another credit card, or gift certificate from their local store, and carefully super-glue the valid numbers on their card. Now the bad guy has your credit card, or mine, or somebody’s (who knows who!?) and they can go test it out, hoping it has a huge limit to go crazy on.
As you can see, this form of identity theft has no particular target in mind except for someone that has a valid credit card with credit to spare.
Beyond anti-virus software, firewalls (server and client), and some other security tools, is there more needed?
I’ll use the slicing example as a basis for a strong security tool. How would one defend against something like that? Those of us that use our credit cards for everything to make sure we get cash back, or airline miles end up with a large number of charges every month. Do you track every single receipt? Now if the illegal charges are out of state or something obvious, no problem, they are easy to pick up on, but if not, there is only one obvious way to track it: manually. If you use your cards a lot, you should be checking the charges as often as realistically possible. Online is one of the easiest ways – or at least it should be. The real pain here is how all of these financial institutions have deployed security on their Web sites. Instead of using something as simple as a two-factor authentication method like Secure SafeWord, or even providing VPN devices for their customers, Financial institutions force you to answer 10 questions, pick an image to personalize your page to avoid phishing techniques, insist they will never communicate with you via email, etc. It can take 30 minutes just to register on some of these sites to be able to check your account status. I think strong authentication tools are simply underutilized in the financial industry. Financial institutions use authentication methods mostly to protect employees; not many using them for customer protection. Those that do view it as a competitive edge. VPN technologies and strong authentication tools should be leveraged more to protect against identity theft, password theft, and more
What role does simple, human vigilance play?
Human vigilance is the one and only technique that can be relied on — mostly because in most cases we as customers aren’t provided the tools to use. As I mentioned before, the only way to protect yourself is to make sure you know exactly what is going on with your accounts. “Where did this charge in Denver come from? I was in Minneapolis at that time?!” And just because you haven’t had issues in the past doesn’t mean you haven’t exposed yourself in some way for abuse in the future.
What are some basic and then more complex solutions smaller businesses can use to protect themselves?
The best part about a lot of the solutions that are coming out today is that even the most complex, sophisticated and expensive solutions make it down the to small business or even consumer level. I’ll use the Secure Web (formerly Webwasher) solution as an example here. Secure Web is the number one anti-malware solution in the market — it continually wins third party bake-offs. In the past, this has been a fairly expensive solution that larger organizations could afford, but not the little guys. As time goes on technology is developed to be easier to deploy and less expensive solutions are provided. Secure Computing has just launched the Secure Web Protection Service, which is a new hosted service offering customers Web security protection through a reliable software as a service (SaaS) deployment option. With no applications or hardware to install or deploy, the service provides organizations with immediate and reliable network protection. It addresses all of the key business issues surrounding Internet use in the workplace: security, organizational compliance, and policy control – all leveraging proven technologies such as Secure Web and TrustedSource–Secure Computing’s proactive global reputation system. Optional deployment scenarios such as appliances, virtualized appliances, and hosted technologies can enable a much broader audience to leverage the best security technology in the world.
What role does the local solution provider play? Should one hire a security expert vs. a generalist?
Security has become such an important topic to cover on a daily basis within any organization that I would recommend consulting a security specialist. With all the great security technology that Secure Computing provides to our partners, they are continually training on the latest and greatest security products and blocking techniques, not to mention that the threats are changing so fast, they also need to be aware of the new bad guys out there. What is the latest malware they should be worried about? Secure Computing partners and consultants are some of the most heavily trained professionals in the industry because they are protecting some of the most secure organizations and agencies in the world. Personally I don’t think a small business owner will ever regret consulting a security professional on the best ways to protect their assets.