
ICFE eNEWS #09-09 - April 8th 2009
San Diego, CA - The American National Standards Institute (ANSI) and the Better Business Bureau (BBB) created the Identity Theft Prevention and Identity Management Standards Panel (IDSP). The ICFE is a charter member of the panel. The IDSP is designed to bring together the spectrum of standards and guidelines germane to ID Theft & Fraud Prevention and ID Management that exist across industries and sectors into a single resource, accessible to businesses of all sizes and types. As part of this process, the Panel identified standards that need updating and/or gaps where new standards work should be done.
IDSP Newsletter - March 2009
The IDSP newsletter provides information on news items relating to identity theft, identity management, privacy, data security and cyber security, either pulled from the headlines or submitted by IDSP participants. If you have news that you would like to share for a future issue, please send it to the IDSP Program Administrator.
NEWS and INFORMATION
IDSP Convenes Third Plenary Meeting on Identity Theft and Fraud
The American National Standards Institute (ANSI) will hold the third plenary meeting of its Identity Theft Prevention and Identity Management Standards Panel (IDSP) April 27-28, 2009, in Arlington, Virginia. The IDSP is a cross-sector coordinating body working to reduce identity theft and fraud by promoting the development and use of voluntary consensus standards and best practices. The April meeting will take a point-in-time look at the state of identity theft prevention and identity management. Panel discussions will consider progress made on a number of fronts and look ahead at areas that still need attention and that may be ripe for future IDSP work. Agenda topics will include: measuring identity theft, regulatory developments relating to customer authentication and the use of Social Security numbers, the need for identity verification guidelines, the commercial applications of identity management systems, medical identity theft, and what's on the horizon over the next year.
GAO Report on the Security of US Passport Issuance Process Causes Alarm
U.S. Senators Dianne Feinstein (D-Calif.) and Jon Kyl (R-Ariz.) are expressing concern over a Government Accountability Office (GAO) report that found that potential terrorists or criminals could steal an American's identity and create fraudulent documents to obtain a genuine U.S. passport from the State Department. GAO investigators conducted four tests simulating this approach and were successful each time. The senators will continue their oversight of this matter and are working on legislation to address these security vulnerabilities.
First Comprehensive Bill of Rights for Victims of ID Theft Now Available
The Santa Fe Group, a financial services consulting firm, along with The Santa Fe Group Vendor Council, a consortium of leading service providers to the financial services industry, has released a Bill of Rights white paper for victims of identity theft. The Bill of Rights calls for consistent processes for handling identity crime incidents in addition to amendments to privacy legislation and regulation so victims can more easily access and correct their personal information records. The paper will be presented in a free 90-minute webinar on April 29, 2009.
Gartner Releases Report on Data Breaches and Consumer Reactions
According to a survey by Gartner, Inc., approximately 7.5 percent of U.S. adults lost money as a result of some sort of financial fraud in 2008, in large part because of data breaches. Analysts said this is having an adverse effect on consumer victims, who are significantly changing their financial transaction behaviors. Gartner found that payment card fraud (credit, debit and ATM card fraud) was the method most actively used by crooks to steal money, claiming 36 percent more victims in 2008 than other types of fraud. New-account fraud, in which a thief steals identity information to open a new account, occurs less frequently than payment card fraud, although Gartner estimates that up to half of all new-account frauds involve synthetic identities, and therefore many cases go unreported.
CFA Releases Report on Identity Theft Services
The Consumer Federation of America (CFA) has released a new report, "To Catch a Thief: Are Identity Theft Services Worth the Cost?" that explores the types of services currently offered in the identity protection marketplace. It covers the fees such services charge, how they describe what they do, the claims they make about the benefits of membership, and how what they do compares with what consumers can do to protect themselves. To address the concerns raised in the report, CFA recommends that law enforcement take steps to stop misleading claims and practices that harm consumers, such as preventing them from obtaining their free annual credit reports, and look at the security of sensitive personal data provided by consumers to these companies.
ICFE note: Last fall, ICFE completed and issued a report with similar objectives. ICFE's Report is available online, plus versions for Holders of Protected Information and for Consumers. Especially for organizations with activities that involve storage and transmission of consumer data, ICFE recommends a careful review of both reports prior to making any operational decisions.
Obama Orders Review of Cybersecurity
President Barack Obama has ordered a two-month review of the government's cybersecurity efforts. Melissa Hathaway, a former Bush administration aide, has been tasked with conducting this review. Her focus will include taking ongoing cybersecurity programs and developing recommendations for ensuring that they are aligned with government and private-sector needs, according to a statement released by the White House. The Administration is asking for $355 million in next year's budget to fund the Department of Homeland Security's (DHS) cybersecurity work. The president's goal is to make sure the cybersecurity efforts encompass the homeland security, intelligence, law enforcement, military and diplomatic mission areas of the U.S. government, according to the document.
Privacy, Identity, and the Use of RFID and RF-Enabled Smart Card Technology
In this article, the Smart Card Alliance investigates current concerns of state policy makers as they examine the use of RFID technology in identity cards and the implications that holds for protecting privacy and personal information in identity applications and systems. The brief examines best practices for privacy-secure identity systems from the point of view of card technologies. It was prepared by the Identity Council of the Smart Card Alliance, a non-profit public/private partnership organization whose members include both government users and card technology providers.
Using FIPS 201 and the PIV Card for the Corporate Enterprise
Corporate enterprises have always required employees to carry cards or badges that verify the employee's identity and allow the employee to access enterprise resources. However, changes in both the regulatory environment and the amount of risk that enterprises face from unauthorized access are driving executives to reevaluate their identity management practices. This Smart Card Alliance article summarizes the benefits of considering the FIPS 201 standard as a starting point for achieving identity assurance and access control across the corporate enterprise.
U.S. Leads JTC 1 Effort to Address Jurisdictional and Societal Issues of Biometric Technology
Biometric technology is used in many applications worldwide, allowing both public and private-sector entities to authenticate an individual's identity, secure national borders, and restrict access to certain physical and online settings. A new Technical Report released by Joint Technical Committee (JTC) 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) provides guidance and clarification on jurisdictional and societal issues related to the use of biometrics for the identification of people.
ISO Releases New Technical Specification on Pseudonymization to Protect Privacy Information in Health Informatics
A new ISO technical specification will help to reconcile the increasing use in healthcare of electronic processing of patient data with increasing patient expectations for privacy protection. ISO/TS 25237:2008, Health informatics - Pseudonymization, contains principles and requirements for privacy protection using pseudonymization services for the protection of personal health information in databases. Pseudonymization allows for the removal of an association with a data subject. It differs from anonymization in that it allows for data to be linked to the same person across multiple data records or information systems without revealing the identity of the person.
New OECD Publication: Online Identity Theft
Using widely available Internet tools, internet thieves trick unsuspecting computer users into providing personal data, which they then use for illicit purposes, causing mistrust of online payment and banking services. This book defines identity theft and studies how it is perpetrated, outlines what is being done to combat the major types of ID theft, and recommends specific ways that ID theft can be addressed in an effective, global manner.
Obama Administration: Constitution Does Not Protect Cell-Site Records
The Obama administration says the Fourth Amendment prohibition against unreasonable searches and seizures does not apply to cell-site information mobile phone carriers retain on their customers. Mobile phone providers keep such information for up to eighteen months. Historical cell-site location information includes the tower connected at the beginning of a call and at the end of the call. The position is being staked out in a case pending before the 3rd U.S. Circuit Court of Appeals in Philadelphia. At issue is whether the government can require federal judges to order mobile phone companies to release historical cell-tower information of a phone number without probable cause.
Privacy Group Asks FTC to Investigate Google
The Electronic Privacy Information Center has asked the Federal Trade Commission to investigate the privacy and security safeguards of Gmail, Google Docs and other cloud computing services offered by Google to customers. The filing points to a security breach that may have improperly exposed the files of Google Docs users to others. The full filing is available online.
RRS Settles with FTC Over ID Theft
The Rental Research Services, Inc (RRS) and Lee Mikkelson (vice president and managing officer of RRS) have settled Federal Trade Commission (FTC) charges that they failed to properly screen potential customers, leading to the sale of at least 318 credit reports to identity thieves. RRS is an organization that provides consumer information to individuals and business clients, such as landlords seeking credit reports on potential tenants. The settlement prescribes that RRS cease providing information to anyone lacking a legitimate claim to it. It was also ordered to enlist a security procedure to protect data and to submit to a third-party audit every other year for 20 years.
Spam Spreads Faster with Discovery of Automated Attacks
Cybercriminals are spreading infections far and wide across the Internet by hammering hundreds of thousands of websites each day with SQL injection attacks. SQL injection attacks target the database layer of websites. Initially they were manual attacks designed to pilfer customer data from merchant websites. That changed last June when someone figured out how to automate the attacks and use them to plant infections. An infected PC thereafter gets put to work delivering spam and spreading more infections. Any sensitive data, such as log-ons and account numbers, get stolen.
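The "database layer" weakness the item refers to comes down to how a site builds its queries. Below is an added example written for this newsletter, not code from any site or report it mentions: a lookup that splices user input into SQL text next to the parameterised form that removes the problem, plus a regression check that flags the unsafe pattern if it is ever reintroduced. The customer table, addresses and probe string are constructed; the function names are this example's own.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a merchant site's customer data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account_no TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, account_no) VALUES (?, ?)",
        [("alice@example.com", "ACCT-0001"), ("bob@example.com", "ACCT-0002")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable pattern: untrusted input spliced into the SQL text.

    Whatever the caller sends becomes part of the statement, so a value
    containing quote characters changes the meaning of the WHERE clause.
    """
    sql = f"SELECT email, account_no FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: a parameterised query.

    The driver binds the value to the placeholder as data; it is never
    parsed as SQL, so an input that is not a real address matches no row.
    """
    sql = "SELECT email, account_no FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed probe string for the regression check below. It is not a valid
# address, so a correct lookup must return nothing for it.
PROBE = "x' OR '1'='1"


def concatenation_reintroduced(conn: sqlite3.Connection, lookup) -> bool:
    """Regression check for a code base: a lookup that returns rows for PROBE
    is splicing input into SQL text, because no customer has that email."""
    return len(lookup(conn, PROBE)) > 0


if __name__ == "__main__":
    conn = make_db()
    print("unsafe lookup rows for probe:", lookup_unsafe(conn, PROBE))
    print("safe lookup rows for probe:", lookup_safe(conn, PROBE))
    print("safe lookup for a real address:", lookup_safe(conn, "alice@example.com"))
    print("unsafe pattern present?", concatenation_reintroduced(conn, lookup_unsafe))
```

The mitigation is the parameterised query, not input filtering: the safe lookup needs no knowledge of what a hostile value looks like, because the database never interprets the value as SQL. The regression check is the kind of test a site operator can keep in the build so that the concatenated form does not creep back in during later changes.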
New Internet Fraud Scheme Uses Google Trends
Cyber attackers have discovered a new way to defraud internet users. In this new scheme, attackers choose a popular search term that they identify from Google Trends, which is regularly updated with the top 100 most searched items. They find a website that is already highly ranked for that particular search term and then build a malicious site that contains the same content as the legitimate site, enabling the bogus site to rise to the top of the search rankings. Links deliver users to a website where they are served a Trojan called FakeAlert.
Please check the IDSP Events Calendar for regularly updated event information.
For further information on any of the items above, and updates on the Panel, please visit the IDSP website.
Sent by:
Paul Richard
President - Executive Director
Institute of Consumer Financial Education
(ICFE)
ICFE - Institute of Consumer Financial Education - ICFE.info - customer.service@ICFE.info - 619.239.1401