FOCUS
Technology – Security
Identity crisis
From hospital wards to the boardrooms of oil companies, biometric technologies are being used increasingly to authenticate access to IT systems. But does this all spell the end of the password?
There can be few less likely places to find the application of seriously cutting-edge technology than the boardroom of a staid oil giant. But one such organisation has kitted out its independent directors with the latest in biometrics - technologies that analyse physical characteristics for identity and authentication purposes. When this venerable collection of ex-politicians, lawyers and business leaders gather for board meetings, they bring with them custom-made handheld computers that can only be accessed by placing a fingerprint over a scanner built into the device.
For this ageing group of men, the selling point appears to be that they no longer have to remember PINs and passwords. For the company, the upside comes from faster decision-making, assured security and lower support costs.
The same benefits are being seen elsewhere. Intensive care doctors and nurses at the Royal National Orthopaedic Hospital (RNOH) in London are using a combination of smartcards and fingerprint readers on keyboards to access patient records at the bedside. The hospital's head of IT and networks, Steve Pickup, says there have been some teething problems - the readers may not function properly if fingertips are too dry or too greasy - but generally the project has been a success: records are more secure, and they can be accessed quicker, saving valuable time. "It's our ambition to put a fingerprint access terminal on every bedside in the hospital," he says.
There are further flavours of biometrics. Rather than roll out fingerprint-based systems, the EHS Brann advertising agency chose to install iris readers on every door when it moved into new premises in London's fashionable Clerkenwell area. "We wanted to make it a groovy, high-tech office," says Kathy Gruzas, the agency's IT manager. But there was a more serious consideration - the vulnerability of non-biometric security. "In our last office we had swipecards, which caused endless hassle - people kept losing or sharing them, and it was expensive to administer. The biometrics system works very well."
Early adopters they may be, but the positive experiences of these organisations are likely to persuade others to take a closer look. Indeed, according to some observers, biometrics is finally about to make the long-talked-of crossover from expensive, futuristic toy to fundamental enterprise security technology.
One big difference is that increasing numbers of people are about to become a lot more familiar with biometrics. Defying privacy campaigners, David Blunkett, the UK's home secretary, wants to put biometric identifiers on national ID cards, while the European Commission is exploring the possibility of making fingerprints mandatory on all European
Union passports. Already visa holders entering the US are being electronically fingerprinted as they enter the country and that data matched against their machine-readable passport information.
"We're starting to see government organisations using biometrics," says Carl Gohringer, head of new business development at NEC Security Systems, which is providing biometric systems to an ongoing UK passport trial. "They are the first to take it up for their internal employee management too."
New post-Enron corporate regulations, such as the Sarbanes-Oxley Act, have also fuelled demand. Biometric systems are helping to fulfil the need laid down by such new rules for a full audit trail of users' document access and transaction execution.
Traders at Dutch bank ABN Amro, for example, are using fingerprint authentication on every desktop terminal to speed up the authorise transactions - a critical business advantage over passwords when price fluctuations can determine the difference between a profit or loss on the deal. The system also plays another key role: it identifies exactly who authorised the deal.
As well as improving security, biometric systems are sold on the basis that once installed, they save money. There are few major costs after installation, say suppliers, and IT staff are largely freed from time-consuming administration that results from lost or forgotten passwords. In the first year, the costs of implementation are usually equivalent to the annual costs of administering a password-based system, say analysts; payback is generally obtained after about 18 months.
Companies with high staff turnover can particularly benefit. NEC Security Systems says that a major UK retailer, prior to adopting one of its biometric systems, found the job of managing passwords for its large and constantly-changing workforce so big that it felt compelled to employ six IT staff to do nothing else.
Steve Barnett, chairman of ISL Biometrics, the software specialist behind the Royal National Orthopaedic Hospital project, outlines the cost savings his fingerprint authentication systems brought for a customer that had outsourced its IT department. The customer's IT services supplier charged $70 each time it had to reset a password, which tended to generate big fees: the customer had about 4,000 employees, each using around six passwords. According to ISL figures, password management generally costs about $120 a year per employee, while a fingerprint access system has one-off costs of around $100 per user plus ongoing software support.
The eyes have it
Different biometric methods have their proponents. Some say that fingerprint-based systems are the most cost-effective solution. Others, such as Professor John Daugman of Cambridge University, who holds the patents for all iris scanning processes currently used, sees iris scanning technology as more foolproof. "The great strength of iris recognition is that it never makes false matches," points out Daugman.
But when choosing between different biometric methods, businesses should not base their decision only on the upfront cost, says Anthony Allan, an analyst at IT market consultancy Gartner. "With biometrics, you get what you pay for," he says. "Security for under $100 per user is very attractive but the characteristics are not good enough for enterprise use." Companies should budget for at least $200 per user, he suggests.
One problem that cheaper iris scanning systems encounter, for example, is that they can be fooled if a photograph of an authenticated user is held up to the reader. Daugman says this risk is eliminated by more sophisticated systems that check for signs of movement in the pupil or eyelid. Equally, the Japanese mathematician who managed to fool an older biometrics system by building moulds of fingerprints from the type of gelatin typically used to make confectionary might not have been successful if he had been testing costlier silicon sensors. Still, the Japanese test has alarmed experts. "If he could do this, then any semi-professional can almost certainly do much, much more," says security guru Bruce Schneier.
Professor Brian Collins of Cranfield University, a former director of technology at the government's signals intelligence agency, GCHQ, notes that there are other ways of abusing biometrics. By knocking out the database that holds biometrics information, 'denial of service' hacker attacks could be just as harmful on a large scale as the compromising of the data itself.
He warns that organisations must take seriously the process of enrolling new users. "Screening someone on the basis of only one credential [such as a birth certificate] is a very dangerous thing to do," he says. "Proof of originality, as opposed to identity, starts to become the main problem." Birth certificates really need DNA-based biometrics verifying them, he says.
There are other security issues. Samir Kapuria, director of strategic solutions at digital security services company @stake, says most of his corporate customers see biometrics as "an art form, not a science". Just because the technology works well in trials, it does not necessarily mean it will scale well or prove resilient to as-yet-undiscovered threats, he says. As that underscores, the technology is still maturing. Errors from some fingerprint and iris scanning systems tend to be as high as around one in every 100 people tested, say experts. Cases in which unauthorised users gain entry to a system are extremely rare, but when they occur they pose a bigger risk than when, say, a single password is hacked.
These are not insurmountable problems, but even some suppliers accept that they must be resolved before biometrics will appeal to the mainstream corporate market. "Interest is still outstripping implementation by quite a long way," admits Jackie Groves, UK managing director of Utimaco, which develops biometrics hardware and software products as well as other security products.
More of a lead bullet
As an example of a business that has so far failed to convert interest in biometrics into a widespread implementation, the case of Nationwide Building Society is instructive. In recent years, it has tested just about every available biometrics system imaginable, from iris recognition to speech verification. Although the trials were deemed successful - in that users were not unduly fazed and the installations went smoothly - executives remain reluctant to roll out biometrics. "We continue to take an active interest," says David Followell, the head of Nationwide's business futures and usability unit, "but we will only progress with it once we are convinced of the customer and business benefits of doing so." Amid the hype, it is easy to forget that biometrics is only another arm of IT security. General security principles apply; given the degree of faith that users tend to place in biometrics, it is important to follow them.
David Porter, head of operational risk at specialist IT consultancy Detica, accepts that biometrics is not the security sector's 'silver bullet'. "I don't think any technology will ever be 100% reliable, because you will always have people and sloppy processes involved. A seemingly foolproof biometric system can still be scuppered by employees using it in the wrong way."
Given that, biometrics should form only one part of a wider ID management system, he says. "I'm afraid you'd be crazy to use biometrics on its own. This nirvana of 'the end of password' is not true." He advises combining biometrics with another system - 'second factor authentication' in the jargon - such as smart cards. John Madeline, director of corporate and business development at RSA Security, agrees. "We are just beginning to see second factor authentication moving mainstream. Most people are still only taking the initial steps towards understanding that just a password is not good enough and a second factor is going to be key," he says.
Indeed, it may be several years, at least, before the corporate use of biometrics becomes commonplace. One day, all PCs and wireless devices may come with some form of biometric reader; already, one of the world's biggest computer makers, Hewlett-Packard, is issuing staff with PDAs that are activated through built-in fingerprint readers. The hope is that such identity systems will be a key part of a single sign-on system that will automatically grant pre-defined privileges to the user, perhaps removing the need to tap in PINs and passwords to access different systems.
Even then, however, biometrics are still likely to form only one part of a much wider identity and authentication system. But when the technology matures, its use could go from the niche to the universal. Fingerprint readers or voice authentication could be indispensable to the use of wireless commerce through mobile phones, while fingerprint-activated smart cards could soon replace credit cards and loyalty cards.
Biometrics may not necessarily spell the end of the humble password, but it ought to herald a new wave of security applications. It should also one day remove many of the costs and the vulnerabilities of the current generation of security systems.
Author: Tim Bradshaw
Technology – Software
Gates presses ahead with 'Longhorn' despite EC ruling
Bill Gates appeared to brush off the European Commission (EC) ruling against his company and its alleged market abuses by insisting that test copies of the next major update of Windows will be shipped as planned by the end of 2004.
Gates, appearing at analyst firm Gartner's conference in San Diego, also said it was "valid speculation" that the commercial versions of the 'Longhorn'-codenamed operating system would appear some time in 2006.
He added, however, that it was not a "date-driven release", unlike some Microsoft products.
'Longhorn' has been subject to delays in the past, but an informal timetable of late-2004 for the 'alpha' version and late-2006 for the commercial version is believed to have been in place for some time. Significantly, its release does not appear to have been affected by the EC ruling.
Speculation that Microsoft might feel compelled to alter the make-up of 'Longhorn' – perhaps by selling some components separately – has been rife since the EC judged that its practice of 'bundling' new features, such as video applications with the Windows operating system, amounted to an abuse of market power.
By sticking to Longhorn's informal schedule, Microsoft is indicating that its plans for the release have been unaffected by the developments in Brussels.
Leaked copies of initial versions of 'Longhorn' suggest the operating system will be bundled with new security features, an updated file server and an embedded search engine product.
While some Microsoft executives and legal advisers have expressed barely disguised dismay at the EC's judgement, Gates gave little away when pressed about his reaction.
He acknowledged that there were issues still to be resolved, although there "will be several more years of process in Europe" to get to that point. He added: "People want more capability in Windows. There are some legal issues about how we package that up, how we license it, how we engineer it."
The EC imposed a record fine of $615 million on Microsoft last week. It also ordered it to open up key product interfaces to competitors and told it to unbundle its Media Player package from Windows.
Importantly, the ruling is designed to set guidelines for Microsoft's future actions as well as punish it for alleged past transgressions. Although it is a matter of conjecture, legal experts argue that Microsoft might face fresh legal challenges if it continues to bundle new features already available from other suppliers in future versions of Windows.
The ruling has provoked anger among many US politicians and the EC has reportedly come under intense pressure to reach a settlement with the software giant.
Author: Dominic Tonner
e-Business – Shopping online
BA considers options for Opodo stake
British Airways is reportedly planning to offload its stake in travel website Opodo to travel technology firm Amadeus.
A report in the Mail on Sunday said that Amadeus is planning to take full control of Opodo by buying BA's 20% share and adding it to its current EU33m or 17% stake.
Opodo issued a statement today saying that it would not comment on speculative matters. It did however say: "We can confirm that the executive board and shareholders of the company are looking at ways of growing the business. This may take the form of acquisitions, moving into new markets, additional investment, or changes to shareholder structure."
Opodo added that its shareholders were all still 'fully committed to Opodo', which was launched with the backing of nine European airlines in 2001 to compete in the fast-growing online travel sector.
BA followed up with a supporting statement: "British Airways and the shareholders of Opodo are currently looking at ways of how to grow the Opodo business. This may or may not lead to a change of shareholding structure, however, as no decisions have been taken, any reports are premature and speculative."
The airline added that it would continue to use use Opodo as a distribution channel.
HIGHLIGHTS
Internet – ISP
Wanadoo To Stop Using Freeserve Brand Name
Wanadoo, a European ISP, will replace the name of its Freeserve provider this summer with its own, the Guardian said, without saying where it got the information.
Source; The Guardian, March 04
Friday, April 02, 2004
Thursday, April 01, 2004
FOCUS
Technology – IT Services
IT Services in Germany: 6.3% Decline in 2003
A recently conducted survey among IT services providers in Germany showed on average that the employee number declined by 6.3%. Less than 20% of service providers could increase the number of employees. Marketing and PR have been hit the most, sales the least. In detail, the numbers are as follows (2002 vs. 2003): marketing -9.8%, PR -8.7%, sales -0.3%. PR and marketing are used as "breathing space." The strategic sales force - a species with the rare skill to sell services engagement - was left intact.
Information technology – Market
Government Spending
When compared to private industry, the public sector is investing similarly in IT (4.1%, with some organizations spending as much as 20% of their budgets on IT and as little as 1%). The private sector is investing, on average, 4.4% of its total annual operational expenses on IT. However, not surprisingly, government organizations tend to spend less on business transformation and growth than the private sector (which invests on average 61% on "lights on" activities). This implies that government spends more on basic, run-the-business IT, as a percentage of total operational expenses, compared to the private sector - nearly 20% more. As government budgets continue to tighten, these organizations will be pressured to focus on nothing other than keeping lights on. These organizations will need to optimise IT in order to get the credibility to obtain funding for growth and transformation.
Technology – Security
Five Ways to Fight ID Theft
What's more valuable than your own good name? Identity theft is the fastest growing white-collar crime in the country. What's a CSO to do?
When John N. Stewart tried to buy his wife a motorcycle, things did not go well. He had trouble getting credit and, to be honest, he had expected to, since he himself had issued a fraud alert with the credit bureaus warning creditors to be leery of anyone claiming to be John N. Stewart. He had no choice. Someone had forged a California driver's license in his name and used it to take out $3,500 of instant credit at an automotive repair shop in which he, the real John N. Stewart, had never set foot.
The motorcycle shop that his real feet eventually walked into needed to confirm that John N. Stewart was indeed creditworthy.
But they couldn't.
"When you say to a person from whom you're buying something, 'When you call to check, they might deny my credit,' cynicism sets in at the other side of the desk," says Stewart, director of corporate security programs for Cisco and former CSO for the Cable & Wireless subsidiary Digital Island. "They look at you like you're just a deadbeat that can't manage your credit."
For 16 months, Stewart worked to prove he wasn't a deadbeat. He pored over copies of his credit report, made explanatory phone calls and filled out legal documents. Still, when he walked down the street, he had the strange feeling that everyone he saw thought he had bad credit. It didn't matter that eventually he got the motorcycle. He felt angry and on edge all the time. "It becomes a very personal experience," he says, "and it's almost embarrassing. OK, it is very embarrassing."
What's more valuable than your own good name? Hardly anything, if the millions of dollars' worth of preapproved credit offers that litter Americans' mailboxes annually are any measure. That's why tales such as Stewart's strike fear in the hearts of the bill-paying populace. Identity theft is, after all, the fastest growing white-collar crime in the country.
A recent Federal Trade Commission study suggests that nearly 10 million Americans discovered in the past year that they had been the victim of some kind of identity fraud, ranging from simple credit card fraud to complicated cases of identity takeover. This type of crime costs individual victims an average of $500 each and businesses an estimated $48 billion a year. The problem is so acute that, in December, President Bush signed the Fair and Accurate Credit Transactions (FACT) Act of 2003, which is intended to help consumers control and monitor their credit ratings.
Identity theft is difficult enough to prevent that even someone as security-savvy as a CSO can himself fall victim, as Stewart learned the hard way. But even if you don't work in the financial services industry, which is on the front line of preventing financial fraud, your customers and fellow employees are counting on you, the CSO, to keep it from happening to them.
The More Perfect Crime
People's identities, not pocket money, were the target of one sophisticated pickpocket ring busted by the New York City Police Department. Organizers quickly forged New York state driver's licenses using the names of women whose wallets had been stolen. Within hours of the purse-snatchings - before the victims had canceled their credit cards - women dressed in mink coats and high heels were flashing fake photo IDs as they charged expensive items in stores.
"If I go and rob somebody, how much am I going to get? Maybe $100, $200," says Lt. John Otero, commanding officer of the NYPD's Computer Crime Squad, who worked on the case. "If I steal someone's identity, I can get from $4,000 to $10,000."
In the simplest instances of identity theft (which are more accurately described as identity fraud), criminals use a stolen credit card number, or perhaps a stolen PayPal or eBay account name and password, to purchase expensive items for personal use or resale. In more complicated cases of identity theft, thieves open new lines of credit or access bank accounts. And in the most serious cases of identity takeover, they use forged or even government-issued driver's licenses or passports to do all that and more—renting apartments, obtaining medical care, even identifying themselves as the identity theft victim when charged with a crime.
The weapon? Personal information, including the victim's name, address, mother's maiden name, date and place of birth, and the most coveted number of all—the Social Security number, which cannot be changed even after it's been stolen. "Once they have this information, they own you—they are you," Otero says.
The Internet makes this type of crime even more efficient. With "phishing" scams, criminals send out bogus e-mails telling recipients that they need to confirm certain account details to reactivate their accounts or claim prizes. The messages appear to come from a reputable business and often include logos and text lifted from company e-mails and websites. But the links actually go to phony but convincing websites set up solely to gather information, whether it's ISP passwords or Social Security numbers.
"It's just so much easier and cheaper than going around to people's mailboxes and stealing credit card applications," says Dave Jevans, chairman of a new industry association called the Anti-Phishing Working Group and a marketing senior vice president at Tumbleweed Communications. "And it can be done long distance."
Consumers can protect themselves by staying informed about the latest Internet scams, by removing their Social Security numbers from their wallets, by shredding sensitive trash and the like.
But there's only so much one person can do. In another case Otero worked on, criminals took out second mortgages on victims' homes to the tune of $8 million. All the victims had purchased cars from the same auto dealership in the previous year, leading police to believe—although they never proved it—that an employee of the car dealership was selling customers' personal information. The victims had done nothing more, it seemed, than apply for auto loans.
"Most of the time, it's beyond the consumer's control," says Mari Frank, an attorney who made a name for herself as a consumer rights advocate after having her identity stolen in 1996. Her imposter ordered her credit report online, then used her good credit to take out new credit.
More than seven years later, there's still an edge to her voice when she speaks of the incident. "People want to put the blame on the bad guy, but the bad guy can only do what he can do when it's facilitated by others," she says. "The companies that have our personal and financial information are the ones who are in the position to prevent this."
More specifically, the CSO is in the position to prevent this. Here are five ways any CSO can make a difference.
1 - Practice good data hygiene. Got employees? Then you have information that could be used for identity theft, and nothing will help as much as just being good at your job in the first place. We're talking data hygiene 101: firewalls, background checks and security policies. "The reason that a CSO should be concerned over identity theft is because it fits in with so many other elements of a good security program," says Richard Lefler, the former vice president of worldwide security for American Express.
For instance, he says, background checks might help keep criminals from infiltrating your human resources department, where they could access employee records. Shredding policies could keep Dumpster divers from getting their mitts on sensitive customer data. And audit trails would help you determine the source of a possible problem if law enforcement spotted a trend that traced back to your company.
Sound paranoid? Perhaps. However, notes Lefler, although "criminal enterprises generally are small and loosely knit, they can be very large and very sophisticated.
"Other forms of white-collar crimes have become more difficult, so many of the criminals have migrated into doing identity takeover because they can increase their returns." In other words: Don't underestimate your enemy.
2 - Limit the use of personal information. The best way for individuals to protect themselves from identity theft is by not carrying their Social Security numbers in their wallets. Yet many insurance cards, student IDs and drivers' licenses still use this unique number as an identifier. (Only California has passed legislation making it illegal.)
And even businesses that aren't guilty of putting Social Security numbers on cards in people's wallets routinely put it on monthly account statements, which travel through the mail, which means that they can theoretically pass through the hands of everyone from envelope stuffers to mail sorters to, eventually, the garbage collector.
The CSO can protect customers and employees—and make everyone's job easier—just by limiting how many places this number appears. That's what Harriet Pearson did when she became chief privacy officer of IBM three years ago.
First, she worked with human resources to try to get Social Security numbers off of internal documents.
Then she turned her attention to the companies that insure IBM's half a million employees and dependents.
In early 2003, IBM asked all its 150 health insurance providers to stop using the Social Security number as an identifier. The 16 companies that did not immediately agree to the request received a letter from Pearson and the vice president in charge of health benefits "making the request a little more formal," Pearson says.
While they stopped short of making it a requirement, they did warn companies that compliance would be considered as part of the annual renewal process. By the deadline of Jan. 1, 2004, only Empire BlueCross BlueShield and two or three small HMOs had to request an extension.
Pearson understands that making the change can be an expensive and time-consuming process, but it's also one that your customers and employees will appreciate. "People notice that the SSN is not gone from the cards" of those carriers who have not yet complied, she says.
3 - Consider address change confirmations. One popular tactic of identity fraudsters is opening a new account with the victim's real address, then immediately changing the address. That way, the victim never gets a single bill or finds out about the account—at least not until she checks her credit report or, worse, gets a call from a collection agency. In response, a growing number of organizations, from the U.S. Postal Service to mutual funds companies, have started sending address change confirmations to both new and old addresses. This simple step alone would solve much of the identity theft problem, but there are still plenty of banks, stores, telephone companies and other groups that don't bother.
It's not free, of course. "You have to measure the expense against the loss," Lefler says, looking at how many of your customers have been victimized in the past year versus how much the additional mailings would cost. But identity theft is growing rapidly enough that the scales might have tipped in the past year.
And don't underestimate customer goodwill, either, says Frank, the consumer advocate. Even helping just a few people spot identity theft early on might be worth more than you think. "People do business with people they trust," she says.
4 - Phight phishing. At first glance, it seems you can't do a lot if your company is targeted by a phishing scam, in which a phisher spoofs your company's identity in an effort to gather personal information about your customers "It's pretty difficult" to deal with, admits the Anti-Phishing Working Group's Jevans. "You can say, we will never send you e-mail, or do not click on a URL in e-mail, but that makes it difficult to do any kind of e-commerce." What's more, when a bogus website is reported to law enforcement, Jevans says, it takes an average of 160 hours to get it shut down if it is hosted outside the United States—which applies to 40 percent of phishing sites. And by then the damage is done.
In this case, a little education can go a long way. Start by letting customers know that your company won't ever ask them by e-mail to divulge personal information, says Howard Schmidt, former vice chairman of President Bush's Critical Infrastructure Protection Board and CISO of eBay. Common targets such as Amazon, AOL and eBay have set up phishing tutorials on their websites to educate their customers about the scams.
At the same time, make sure employees who correspond with customers don't ask for this kind of information. You'll also need a mechanism for consumers to report the spoofed e-mails to you, and for your company to report the scams to law enforcement. Then, Schmidt says, "it becomes a policy issue."
5 - Explore new technical solutions. Schmidt blames the success of such phishing scams on the fact that websites are still using static IDs and passwords for authentication, instead of more sophisticated identity management tools. Schmidt hopes that technical solutions will help strengthen authentication and in the process dramatically reduce identity theft, since thieves won't be able to accomplish so much with so little personal information. "I don't like to make predictions, but I'll be surprised if within the next year, we don't start seeing some commercialization of digital identities as ways to prevent identity theft and online fraud," Schmidt says.
That could work any number of ways. Companies could require customers to download digital certificates that would give them secure access to their account information. Or customers could log on to websites using smart cards or USB thumb drives that hold digital identification. And there's the long-awaited promise of biometric technologies that would let customers log on with a fingertip. Prices are coming down enough that it's possible to imagine a day when every new computer comes with this type of hardware; thumb scanners now cost less than $100.
In the meantime, it might be enough to advocate that your company begin digitally signing all outgoing e-mails. You might be forced to do so: Some security-savvy customers are already trashing all e-mails from businesses that aren't digitally signed.
A Stitch in Time
CSOs who don't protect customers and employees from identity theft may face a more onerous task: damage control. Just ask Bob Brand, security director for Cox Enterprises, who found himself in the unenviable position of trailblazing the role of the CSO in preventing and responding to the crime.
It started four years ago when some of the 80,000 employees of Cox Enterprises, an Atlanta-based media conglomerate, began getting notices from collection agencies about overdue store credit card accounts. The credit had been issued at Best Buy, Circuit City and Federated stores in the Atlanta area, but many employees were based in Ohio and Texas and had never even been to Atlanta. Gradually, through word of mouth, affected employees realized that it must be an internal problem. An investigation revealed that personal information about some employees had leaked through contractors working on a project.
Brand admits that Cox could have prevented the problem. "What happened with us happened with a lot of companies: We grew fast," he says. "You put the system in place and then you have to play catch up with some of the administrative issues."
And if it were partially his fault, the solution was also partially his. As security director, he took charge of helping victims restore their credit. "It wasn't pleasant," he says. Dispatchers didn't understand how to take down a report of identity theft because the issues cross state and even country lines. When the perpetrators were eventually convicted, Brand shared the victims' disappointment at the sentences—probation with no jail time. "We had an expression that unless you used the judge's identity, you weren't going to get punished," he says. Brand was so disturbed by the whole experience that he went on to help form the Georgia Stop Identity Theft Network, which brought together businesses, law enforcement and the attorney general's office, and has resulted in Georgia having some of the toughest identity theft laws in the United States.
Brand discovered at the business level what John N. Stewart had discovered on a personal level: It's still a whole lot easier to keep identity theft from happening in the first place than to repair the damage after the fact.
"This crime can be just devastating," Brand says. "It's bad business not to protect to the best of our ability an individual's personal information. Why would you want to do business with a company that does not protect your information?"
HIGHLIGHTS
e-Business – Linux
For Novell, Linux means new life
Thanks to a "remarkably ambitious" Linux strategy, Novell may finally be on its way to reinventing itself after a 10-year lull, according to a growing number of investors and Wall Street analysts. By March 2003, "the financial community had all but given up on the stock, which then traded at just above $2 with only one analyst covering it" – 12 months later, the company is "winning credibility" as a "play on Linux." In fact, the company’s share price surged to $14 in early February and seven more Wall Street analysts now cover the stock. The article reviews the buzz surrounding the company’s recent BrainShare conference, highlights key. Linux initiatives and takes a look at the company’s ongoing efforts to execute on a focused Linux strategy.
Source; Business Week, March 04
e-Business – RFID
Oracle joins race to bring RFID to retailers
Oracle plans to launch new RFID software offerings in an attempt to give retailers such as Wal-Mart the ability to "handle the deluge of data that RFID systems are expected to produce." According to Oracle executives, "The IT systems most companies use today are not equipped for a world in which billions of objects report their whereabouts in real-time." In addition to building in RFID data-processing capabilities in its databases and application servers, Oracle will release new device drivers in its software as well as "device driver frameworks." Other big-name IT vendors, such as IBM and Microsoft, are also actively exploring new RFID technology offerings.
Source; News.com, March 04
Technology – IT Services
IT Services in Germany: 6.3% Decline in 2003
A recently conducted survey among IT services providers in Germany showed on average that the employee number declined by 6.3%. Less than 20% of service providers could increase the number of employees. Marketing and PR have been hit the most, sales the least. In detail, the numbers are as follows (2002 vs. 2003): marketing -9.8%, PR -8.7%, sales -0.3%. PR and marketing are used as "breathing space." The strategic sales force - a species with the rare skill to sell services engagement - was left intact.
Information technology – Market
Government Spending
When compared to private industry, the public sector is investing similarly in IT (4.1%, with some organizations spending as much as 20% of their budgets on IT and as little as 1%). The private sector is investing, on average, 4.4% of its total annual operational expenses on IT. However, not surprisingly, government organizations tend to spend less on business transformation and growth than the private sector (which invests on average 61% on "lights on" activities). This implies that government spends more on basic, run-the-business IT, as a percentage of total operational expenses, compared to the private sector - nearly 20% more. As government budgets continue to tighten, these organizations will be pressured to focus on nothing other than keeping lights on. These organizations will need to optimise IT in order to get the credibility to obtain funding for growth and transformation.
Technology – Security
Five Ways to Fight ID Theft
What's more valuable than your own good name? Identity theft is the fastest growing white-collar crime in the country. What's a CSO to do?
When John N. Stewart tried to buy his wife a motorcycle, things did not go well. He had trouble getting credit and, to be honest, he had expected to, since he himself had issued a fraud alert with the credit bureaus warning creditors to be leery of anyone claiming to be John N. Stewart. He had no choice. Someone had forged a California driver's license in his name and used it to take out $3,500 of instant credit at an automotive repair shop in which he, the real John N. Stewart, had never set foot.
The motorcycle shop that his real feet eventually walked into needed to confirm that John N. Stewart was indeed creditworthy.
But they couldn't.
"When you say to a person from whom you're buying something, 'When you call to check, they might deny my credit,' cynicism sets in at the other side of the desk," says Stewart, director of corporate security programs for Cisco and former CSO for the Cable & Wireless subsidiary Digital Island. "They look at you like you're just a deadbeat that can't manage your credit."
For 16 months, Stewart worked to prove he wasn't a deadbeat. He pored over copies of his credit report, made explanatory phone calls and filled out legal documents. Still, when he walked down the street, he had the strange feeling that everyone he saw thought he had bad credit. It didn't matter that eventually he got the motorcycle. He felt angry and on edge all the time. "It becomes a very personal experience," he says, "and it's almost embarrassing. OK, it is very embarrassing."
What's more valuable than your own good name? Hardly anything, if the millions of dollars' worth of preapproved credit offers that litter Americans' mailboxes annually are any measure. That's why tales such as Stewart's strike fear in the hearts of the bill-paying populace. Identity theft is, after all, the fastest growing white-collar crime in the country.
A recent Federal Trade Commission study suggests that nearly 10 million Americans discovered in the past year that they had been the victim of some kind of identity fraud, ranging from simple credit card fraud to complicated cases of identity takeover. This type of crime costs individual victims an average of $500 each and businesses an estimated $48 billion a year. The problem is so acute that, in December, President Bush signed the Fair and Accurate Credit Transactions (FACT) Act of 2003, which is intended to help consumers control and monitor their credit ratings.
Identity theft is difficult enough to prevent that even someone as security-savvy as a CSO can himself fall victim, as Stewart learned the hard way. But even if you don't work in the financial services industry, which is on the front line of preventing financial fraud, your customers and fellow employees are counting on you, the CSO, to keep it from happening to them.
The More Perfect Crime
People's identities, not pocket money, were the target of one sophisticated pickpocket ring busted by the New York City Police Department. Organizers quickly forged New York state driver's licenses using the names of women whose wallets had been stolen. Within hours of the purse-snatchings - before the victims had canceled their credit cards - women dressed in mink coats and high heels were flashing fake photo IDs as they charged expensive items in stores.
"If I go and rob somebody, how much am I going to get? Maybe $100, $200," says Lt. John Otero, commanding officer of the NYPD's Computer Crime Squad, who worked on the case. "If I steal someone's identity, I can get from $4,000 to $10,000."
In the simplest instances of identity theft (which are more accurately described as identity fraud), criminals use a stolen credit card number, or perhaps a stolen PayPal or eBay account name and password, to purchase expensive items for personal use or resale. In more complicated cases of identity theft, thieves open new lines of credit or access bank accounts. And in the most serious cases of identity takeover, they use forged or even government-issued driver's licenses or passports to do all that and more—renting apartments, obtaining medical care, even identifying themselves as the identity theft victim when charged with a crime.
The weapon? Personal information, including the victim's name, address, mother's maiden name, date and place of birth, and the most coveted number of all—the Social Security number, which cannot be changed even after it's been stolen. "Once they have this information, they own you—they are you," Otero says.
The Internet makes this type of crime even more efficient. With "phishing" scams, criminals send out bogus e-mails telling recipients that they need to confirm certain account details to reactivate their accounts or claim prizes. The messages appear to come from a reputable business and often include logos and text lifted from company e-mails and websites. But the links actually go to phony but convincing websites set up solely to gather information, whether it's ISP passwords or Social Security numbers.
"It's just so much easier and cheaper than going around to people's mailboxes and stealing credit card applications," says Dave Jevans, chairman of a new industry association called the Anti-Phishing Working Group and a marketing senior vice president at Tumbleweed Communications. "And it can be done long distance."
Consumers can protect themselves by staying informed about the latest Internet scams, by removing their Social Security numbers from their wallets, by shredding sensitive trash and the like.
But there's only so much one person can do. In another case Otero worked on, criminals took out second mortgages on victims' homes to the tune of $8 million. All the victims had purchased cars from the same auto dealership in the previous year, leading police to believe—although they never proved it—that an employee of the car dealership was selling customers' personal information. The victims had done nothing more, it seemed, than apply for auto loans.
"Most of the time, it's beyond the consumer's control," says Mari Frank, an attorney who made a name for herself as a consumer rights advocate after having her identity stolen in 1996. Her imposter ordered her credit report online, then used her good credit to take out new credit.
More than seven years later, there's still an edge to her voice when she speaks of the incident. "People want to put the blame on the bad guy, but the bad guy can only do what he can do when it's facilitated by others," she says. "The companies that have our personal and financial information are the ones who are in the position to prevent this."
More specifically, the CSO is in the position to prevent this. Here are five ways any CSO can make a difference.
1 - Practice good data hygiene. Got employees? Then you have information that could be used for identity theft, and nothing will help as much as just being good at your job in the first place. We're talking data hygiene 101: firewalls, background checks and security policies. "The reason that a CSO should be concerned over identity theft is because it fits in with so many other elements of a good security program," says Richard Lefler, the former vice president of worldwide security for American Express.
For instance, he says, background checks might help keep criminals from infiltrating your human resources department, where they could access employee records. Shredding policies could keep Dumpster divers from getting their mitts on sensitive customer data. And audit trails would help you determine the source of a possible problem if law enforcement spotted a trend that traced back to your company.
Sound paranoid? Perhaps. However, notes Lefler, although "criminal enterprises generally are small and loosely knit, they can be very large and very sophisticated.
"Other forms of white-collar crimes have become more difficult, so many of the criminals have migrated into doing identity takeover because they can increase their returns." In other words: Don't underestimate your enemy.
2 - Limit the use of personal information. The best way for individuals to protect themselves from identity theft is by not carrying their Social Security numbers in their wallets. Yet many insurance cards, student IDs and drivers' licenses still use this unique number as an identifier. (Only California has passed legislation making it illegal.)
And even businesses that aren't guilty of putting Social Security numbers on cards in people's wallets routinely put it on monthly account statements, which travel through the mail, which means that they can theoretically pass through the hands of everyone from envelope stuffers to mail sorters to, eventually, the garbage collector.
The CSO can protect customers and employees—and make everyone's job easier—just by limiting how many places this number appears. That's what Harriet Pearson did when she became chief privacy officer of IBM three years ago.
First, she worked with human resources to try to get Social Security numbers off of internal documents.
Then she turned her attention to the companies that insure IBM's half a million employees and dependents.
In early 2003, IBM asked all its 150 health insurance providers to stop using the Social Security number as an identifier. The 16 companies that did not immediately agree to the request received a letter from Pearson and the vice president in charge of health benefits "making the request a little more formal," Pearson says.
While they stopped short of making it a requirement, they did warn companies that compliance would be considered as part of the annual renewal process. By the deadline of Jan. 1, 2004, only Empire BlueCross BlueShield and two or three small HMOs had to request an extension.
Pearson understands that making the change can be an expensive and time-consuming process, but it's also one that your customers and employees will appreciate. "People notice that the SSN is not gone from the cards" of those carriers who have not yet complied, she says.
3 - Consider address change confirmations. One popular tactic of identity fraudsters is opening a new account with the victim's real address, then immediately changing the address. That way, the victim never gets a single bill or finds out about the account—at least not until she checks her credit report or, worse, gets a call from a collection agency. In response, a growing number of organizations, from the U.S. Postal Service to mutual funds companies, have started sending address change confirmations to both new and old addresses. This simple step alone would solve much of the identity theft problem, but there are still plenty of banks, stores, telephone companies and other groups that don't bother.
It's not free, of course. "You have to measure the expense against the loss," Lefler says, looking at how many of your customers have been victimized in the past year versus how much the additional mailings would cost. But identity theft is growing rapidly enough that the scales might have tipped in the past year.
And don't underestimate customer goodwill, either, says Frank, the consumer advocate. Even helping just a few people spot identity theft early on might be worth more than you think. "People do business with people they trust," she says.
4 - Phight phishing. At first glance, it seems you can't do a lot if your company is targeted by a phishing scam, in which a phisher spoofs your company's identity in an effort to gather personal information about your customers "It's pretty difficult" to deal with, admits the Anti-Phishing Working Group's Jevans. "You can say, we will never send you e-mail, or do not click on a URL in e-mail, but that makes it difficult to do any kind of e-commerce." What's more, when a bogus website is reported to law enforcement, Jevans says, it takes an average of 160 hours to get it shut down if it is hosted outside the United States—which applies to 40 percent of phishing sites. And by then the damage is done.
In this case, a little education can go a long way. Start by letting customers know that your company won't ever ask them by e-mail to divulge personal information, says Howard Schmidt, former vice chairman of President Bush's Critical Infrastructure Protection Board and CISO of eBay. Common targets such as Amazon, AOL and eBay have set up phishing tutorials on their websites to educate their customers about the scams.
At the same time, make sure employees who correspond with customers don't ask for this kind of information. You'll also need a mechanism for consumers to report the spoofed e-mails to you, and for your company to report the scams to law enforcement. Then, Schmidt says, "it becomes a policy issue."
5 - Explore new technical solutions. Schmidt blames the success of such phishing scams on the fact that websites are still using static IDs and passwords for authentication, instead of more sophisticated identity management tools. Schmidt hopes that technical solutions will help strengthen authentication and in the process dramatically reduce identity theft, since thieves won't be able to accomplish so much with so little personal information. "I don't like to make predictions, but I'll be surprised if within the next year, we don't start seeing some commercialization of digital identities as ways to prevent identity theft and online fraud," Schmidt says.
That could work any number of ways. Companies could require customers to download digital certificates that would give them secure access to their account information. Or customers could log on to websites using smart cards or USB thumb drives that hold digital identification. And there's the long-awaited promise of biometric technologies that would let customers log on with a fingertip. Prices are coming down enough that it's possible to imagine a day when every new computer comes with this type of hardware; thumb scanners now cost less than $100.
In the meantime, it might be enough to advocate that your company begin digitally signing all outgoing e-mails. You might be forced to do so: Some security-savvy customers are already trashing all e-mails from businesses that aren't digitally signed.
A Stitch in Time
CSOs who don't protect customers and employees from identity theft may face a more onerous task: damage control. Just ask Bob Brand, security director for Cox Enterprises, who found himself in the unenviable position of trailblazing the role of the CSO in preventing and responding to the crime.
It started four years ago when some of the 80,000 employees of Cox Enterprises, an Atlanta-based media conglomerate, began getting notices from collection agencies about overdue store credit card accounts. The credit had been issued at Best Buy, Circuit City and Federated stores in the Atlanta area, but many employees were based in Ohio and Texas and had never even been to Atlanta. Gradually, through word of mouth, affected employees realized that it must be an internal problem. An investigation revealed that personal information about some employees had leaked through contractors working on a project.
Brand admits that Cox could have prevented the problem. "What happened with us happened with a lot of companies: We grew fast," he says. "You put the system in place and then you have to play catch up with some of the administrative issues."
And if it were partially his fault, the solution was also partially his. As security director, he took charge of helping victims restore their credit. "It wasn't pleasant," he says. Dispatchers didn't understand how to take down a report of identity theft because the issues cross state and even country lines. When the perpetrators were eventually convicted, Brand shared the victims' disappointment at the sentences—probation with no jail time. "We had an expression that unless you used the judge's identity, you weren't going to get punished," he says. Brand was so disturbed by the whole experience that he went on to help form the Georgia Stop Identity Theft Network, which brought together businesses, law enforcement and the attorney general's office, and has resulted in Georgia having some of the toughest identity theft laws in the United States.
Brand discovered at the business level what John N. Stewart had discovered on a personal level: It's still a whole lot easier to keep identity theft from happening in the first place than to repair the damage after the fact.
"This crime can be just devastating," Brand says. "It's bad business not to protect to the best of our ability an individual's personal information. Why would you want to do business with a company that does not protect your information?"
HIGHLIGHTS
e-Business – Linux
For Novell, Linux means new life
Thanks to a "remarkably ambitious" Linux strategy, Novell may finally be on its way to reinventing itself after a 10-year lull, according to a growing number of investors and Wall Street analysts. By March 2003, "the financial community had all but given up on the stock, which then traded at just above $2 with only one analyst covering it" – 12 months later, the company is "winning credibility" as a "play on Linux." In fact, the company’s share price surged to $14 in early February and seven more Wall Street analysts now cover the stock. The article reviews the buzz surrounding the company’s recent BrainShare conference, highlights key. Linux initiatives and takes a look at the company’s ongoing efforts to execute on a focused Linux strategy.
Source; Business Week, March 04
e-Business – RFID
Oracle joins race to bring RFID to retailers
Oracle plans to launch new RFID software offerings in an attempt to give retailers such as Wal-Mart the ability to "handle the deluge of data that RFID systems are expected to produce." According to Oracle executives, "The IT systems most companies use today are not equipped for a world in which billions of objects report their whereabouts in real-time." In addition to building in RFID data-processing capabilities in its databases and application servers, Oracle will release new device drivers in its software as well as "device driver frameworks." Other big-name IT vendors, such as IBM and Microsoft, are also actively exploring new RFID technology offerings.
Source; News.com, March 04
Subscribe to:
Posts (Atom)