“You have $92.13c left in your Chase bank account, contact us today with your details to switch from telephone banking to online banking” – I was in the country barely 72 hours and I was already subject to someone attempting to steal my Identity! I am referring to the past summer that I spent in America working under a student visa. After registering my mobile phone and opening my first American bank account, I started getting texts like the one above. This was my first personal exposure to the problem of Identity theft, and after a quick Google search to enquire what I was dealing with, I found that it was a very common occurrence in America; More than 57 million American adults receive “phishing” attack emails & texts every year – from hackers or cyber thieves who pretend to be trusted service providers to steal consumer account information, and more than half of those who responded become victims of Identity Theft (Gartner Research, Phishing Attack Victims Likely Victims for Identity Theft). Lucky I didn’t respond to that text then, wasn’t I? That was just my small run-in with what has become a global problem over the last decade.
And, the more I delved into the reading for this topic, the more I became aware of the vast amounts of literature available to me. I felt none of the other topics for this assignment had such in-depth reading, which was mostly available online to me. There were online e-books, some of which I purchased; “Identity Theft Secrets: Exposing The Tricks of The Trade” – By Dale Penn, and “Double Trouble” – by Neal O’Farrell. Research websites were also helpful, like the Gartner Research website. I found some very interesting websites online, one of which I’ll give a mention; “Publications USA” – an American government run website, it had a section to provide American consumers with information on Identity Theft. Sites like these helped me understand the impact of Identity Theft on the consumer, how the consumer battles it – and ultimately this showed me how business must deal with it, in their every day transactions with consumers.
There were a vast number of Scholar articles I found online, through Google Scholar of course; they took very interesting views on the problem, and posed some very good questions. These articles ranged from “Did Privacy issues cause identity theft?” to articles such as “Identity theft: Myths, Methods and the New Law”. Also, simply with a quick look at the papers every Sunday for the past few weeks, I found plenty of material in them – Papers such as the Sunday Business Post, The Financial Times, The Guardian & The Irish Times.
They always provided me with something to read that was related to identity theft. After reading all this material, I saw both sides of the argument. Most do believe Identity theft is a Real Threat to business and consumers alike. I will quickly look at how much of a problem this has become, and I will then point to some of the major cases, and the impact of these cases on business. However, there are those who believe Identity theft is over exaggerated. I will look closely at how researchers collect their data for research, and I will also look at the impact of this over-exaggeration within business, how it has sparked some companies within the protection business to come under scrutiny for over-exaggerating the risk of Identity Theft.
Why and how do Identity Thieves do it?
“Cybercrime has surpassed illegal drug trafficking as a crime enterprise” – [Symantec Corporation, 2009] Identity thieves use the Internet as a weapon against individual consumers by taking personal and financial information, such as credit card numbers and social security numbers, and then using that information to purchase products or launder money (Identity thieves have been known to purchase cars and homes or even create criminal records under another individual’s identity) [Overseas Digest, When Bad Things Happen To your Good Name].
Such a scheme can be devastating for an identity theft victim and can create financial costs for credit card companies and other commercial entities. According to Columbus state university research, computer fraud in general, within the U.S. alone, exceeds $3 billion each year, and in the U.K. exceeds £2.5 billion each year [Columbus State University, 2011]. These statistics alone show the huge impact of computer fraud and identity theft on the economy and businesses in the world we live in today. It shows what a lucrative business Identity Theft has become today.
Cases of Identity Theft Causing a “Real Threat” in Business
Arguably the most famous case of Identity Theft is that of Frank Abagnale, who was depicted in the 2002 Hollywood blockbuster movie “Catch Me if You Can” [DreamWorks (film), 2002]. In the 1960’s, Abagnale eluded authorities by posing as characters such as an airline pilot, doctor, assistant Attorney General, and history professor, all the while racking up $4 million in bad cheques [Posing Facts, 10 bizarre cases of Identity Theft]. This bizarre case of Identity theft is portrayed in a comical sense in the film, with Tom Hanks left chasing shadows. But for businesses in today’s society it is far from comical, as the protection of consumers’ information poses major issues within business today. The best way to see the effects of Identity Theft on business is to actually take a look at some of the major cases within the last few years. This will show the business issues and the implications it is having on business on a daily basis.
The headlines within the last few years have highlighted the threat that Identity Theft poses. In what was dubbed at the time the largest ever case of identity theft to be prosecuted by the American Department of Justice [CBS News, 23rd Feb 2010], the “Miami Hack Pack” (dubbed that by [Miami New Times, May 20th 2010]) stole over 100 million credit card details over the course of 4 years. The credit card details, which they hacked, were stored by a number of companies; one of which was T.J. Maxx, a British retailer (they would be known here in Ireland for their chain of stores called “T.K. Maxx”).
The hackers gained access to the company systems of T.J. Maxx and stole personal information of over 45 million credit card and debit cards in July 2005. These cards belonged to the company’s customers who purchased items from January 2003 to November 23, 2003, however the company did not discover the theft until much later in 2007 [Identity Theft Awareness, 2011]. Deepak Taneja, chief executive of Aveksa, a firm that advised the company on information security, commented at the time; “It’s not clear when information was deleted, it’s not clear who had access to what, and it’s not clear whether the data kept in all these files was encrypted, so it’s very hard to know how big this was,” [St. Petersburg Times, 30th March 2007] – This quote shows the issues TJ Maxx faced at the time.
They simply didn’t know how large this was, added to this was the fact that it took nearly 2 years to find the breach. A combination of the above led to huge consumer outrage at the way T.J. Maxx handled their customers’ information, and left consumers baffled as to why T.J. Maxx held onto the details for 2 years after the transactions had taken place. Many experts speculated that TJ Maxx would pay dearly for the incident. Customers would abandon the brand for fear their personal information would be exposed, and investors would avoid the brand because of crippling fines and costs faced by the company. However, in the 12 months that followed the announcement of the breach, TJ Maxx never looked better.
Revenues increased, profits increased, and share price increased [Neal O’Farrell, Double Trouble; 12 Reasons why we’re Losing the Battle against Identity Theft]. But what does this mean? Could this have been contrived as a clear message to TJ Maxx and other businesses that not only is a data breach no big deal any more, but it may just be another acceptable cost of doing business? Perhaps. But there is still no doubting the potential impact of a company’s consumer information being breached.
And, in the case of TJ Maxx, if the right procedures were followed, this kind of occurrence may have been preventable. Despite the fact their Brand and profits didn’t suffer, TJ Maxx realised this was a major wake up call. And it was still a learning curve for any business looking in. Lessons must be learnt: 1) Collect only the minimum personal customer information needed to complete a business transaction. 2) Retain the collected personal information for only as long as needed per business and legal requirements. 3) Monitor systems to detect unauthorized software and suspicious network traffic such as unusual data download in terms of size and time. [Identity Theft Awareness, 2011].
Businesses must constantly consider their risks and assess their internal controls to prevent costly incidents and their unintended consequences. As far as TJ Maxx, the company spent over $130 million to deal with the consequences of this international identity theft case. Even though their Brand didn’t seem to suffer, and profits rose and investment wasn’t hindered, TJ Maxx couldn’t afford to take this risk again. [Neal O’Farrell, Double trouble]
The second case I’ll look at is that of Sony’s PlayStation Network hack earlier this year. The details of 77 million of Sony’s online PlayStation Network customers were breached. This most recent major intrusion has shown that Identity Theft is still a major issue for large corporations. This case again raised major questions about online transactions [The Guardian, April 2011]. Confidence in E-Commerce has always been a major problem for business [OECD; Reinforcing consumer confidence- Key to Boosting e-commerce], it has been for years, after all, it’s the reason that most think twice before making an online purchase, it’s that lingering feeling that overshadows an online purchase.
It is an obstacle that is being slowly removed, but set backs like this do not help, as Steve Curran, creative director at the Brighton-based studio Zoe Mode, told Develop Magazine; “From my perspective, the bigger issue is not about the PlayStation Network, but confidence in digital distribution generally. For every story like this that breaks in the mainstream press, consumer confidence about their details being safe is eroded. Confidence [in online transactions] has been building up, and I think will continue to, but this is a blip. It could be a little step back” [Develop Magazine, ”Digital distrust could follow”, 2011]. This hack was a major set back for the company’s on going battle for control of the gaming market with Microsoft’s Xbox. And it was up to Sony to rebuild confidence in their brand after the major breach [The Guardian, April, 2011].
Is it an “Exaggerated Risk”?
One thing I did notice when I was doing my research was that most of the information we have on cyber crime losses is derived from surveys. But can one form an accurate estimate by survey alone? J. Ryan & T. Jefferson claim in their book “The Use, Misuse, and Abuse of Statistics in Information Security Research”, that losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses as a whole. They also argue that losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail [J. Ryan and T. I. Jefferson; The Use, Misuse, and Abuse of Statistics in Information Security Research]. In the 1983 Federal Reserve Survey of Consumer Finances an incorrectly recorded answer from a single individual erroneously inflated the estimate of US household wealth by $1 trillion.
This single error added 10% to the total estimate of US household wealth [Dinei Florencio & Cormac Herley, Microsoft research; Sex, Lies and Cyber-Crime Surveys]. In the 2006 Federal Trade Commission (FTC) survey of Identity Theft the answers of two respondents were discarded as “not being identity theft” and “inconsistent with the record”. Inclusion of both answers would have increased the estimate by $37.3 billion, in other words it would have changed the estimate 3 fold [Federal Trade Commission, 2007]. In surveys of sexual behaviour men consistently report having had more female sex partners than women report having had male sex partners (which is impossible). The difference ranges from a factor of 3 to 9. It is pointed out that a tiny portion of men who claim, e.g., 100 or 200 lifetime partners account for most of the difference.
Removing the outliers all but eliminates the discrepancy [Florencio & Herley, Microsoft Research]. These seem like simple mistakes, which could be avoided, however safeguards against producing these erroneous results seem largely ignored when it comes to Cyber-Crime surveys [Florencio & Herley]. So, what does this potential over exaggeration mean for business? This over exaggeration and bad estimates can have huge consequences on both resource allocation and in policy issues within business and government alike. Imagine this, in a simple scenario; a research company comes out with staggering new figures about the rise in Identity theft, online fraud, and the number of companies being sued by customers who were affected by their bad data protection protocols. This type of scenario has happened before; take for example the research conducted by the ITRC (Identity Theft Resource Center) in 2008.
They reported that Data Breaches soared by 47% over 2007 [ITRC, 2008 Data Breach Totals Soars]. These kinds of estimates can cause alarm bells to ring for some businesses; they in turn may pump more funds into the data protection systems in their own firm to prevent what they believed were “Real Threats”. Yet, as highlighted above there could be major issues with these statistics, and Florencio & Herley even mention the discrepancies of the ITRC yearly surveys in their book.
Again, imagine the implications of such research on policy issues, especially government policy issues. If the government take the results of a certain survey on Identity Theft as a perceived “Real Threat”, and adopt major measures to tackle it, it could have major implications on business. For starters, it could damage consumer confidence in E-Commerce. Like I mentioned before, it’s the reason we all think twice before making a purchase online and isn’t it the reason for the introduction of Prepaid Credit Cards? People who have never experienced Identity Theft take measures to avoid it. And this could be all down to policy measures.
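The statistical point made in this section (a handful of upper-tail answers dominating a survey estimate, and concentrated losses making random samples unrepresentative) can be checked numerically. The Python below is an added example, not part of the original essay or of the cited papers; every survey answer, population size and loss figure in it is constructed for illustration.

```python
import random

def extrapolate(responses, population):
    """Survey estimate of total losses: sample mean scaled to the population."""
    return sum(responses) / len(responses) * population

def top_k_share(responses, k):
    """Share of all reported losses contributed by the k largest answers."""
    total = sum(responses)
    return sum(sorted(responses, reverse=True)[:k]) / total if total else 0.0

def inflation_from_top_k(responses, population, k):
    """Factor by which the k largest answers multiply the estimate."""
    kept = sorted(responses)[:len(responses) - k]
    if not kept or sum(kept) == 0:
        return float("inf")  # everything reported sits in the top k answers
    return extrapolate(responses, population) / extrapolate(kept, population)

def simulate_surveys(population_losses, sample_size, runs, seed=1):
    """Run repeated random surveys; return each one's extrapolated total loss."""
    rng = random.Random(seed)
    size = len(population_losses)
    return [extrapolate(rng.sample(population_losses, sample_size), size)
            for _ in range(runs)]

def fraction_within(estimates, truth, tolerance):
    """Fraction of estimates within +/- tolerance (relative) of the true total."""
    hits = sum(1 for e in estimates if abs(e - truth) <= tolerance * truth)
    return hits / len(estimates)

# Constructed survey: 1,000 respondents, two of whom report very large losses.
SURVEY = [0] * 950 + [500] * 40 + [5_000] * 8 + [50_000, 70_000]
SURVEY_POPULATION = 1_000_000  # constructed population size

# Constructed population of 100,000 in which 5 people hold half of all losses.
POPULATION = [1_000_000] * 5 + [1_000] * 5_000 + [0] * 94_995

if __name__ == "__main__":
    # Effect of two respondents out of 1,000 on the headline figure.
    print("estimate:", extrapolate(SURVEY, SURVEY_POPULATION))
    print("share from top 2 answers:", round(top_k_share(SURVEY, 2), 3))
    print("inflation from top 2:",
          round(inflation_from_top_k(SURVEY, SURVEY_POPULATION, 2), 3))

    # Repeated surveys of a concentrated population rarely land near the truth:
    # most miss every large loss, a few catch one and overshoot many times over.
    truth = sum(POPULATION)
    estimates = simulate_surveys(POPULATION, sample_size=1_000, runs=400)
    print("true total:", truth)
    print("lowest / highest estimate:", min(estimates), max(estimates))
    print("within 25% of truth:", fraction_within(estimates, truth, 0.25))
```

In the constructed survey, two answers out of 1,000 carry two thirds of the reported losses and roughly triple the extrapolated total, which is why trimming or verifying upper-tail responses changes a headline figure so much.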
Exaggerated Risk on business in the industry
On 29th March 2011, CPP Group PLC, a British based company selling life assistance products, announced that the Financial Services Authority (FSA) would be launching an investigation into the sale of one of its products to U.K. customers. The product included services such as credit-score monitoring, an Internet search facility alerting the user of inappropriate use of their data and a caseworker to help the person reinstate their identity [The York Press, 30th March 2011]. The Financial Services Authority’s investigation centres around allegations that CPP overstated the risk of identity theft when selling insurance for that purpose. As a result of the investigation, CPP had to suspend all sales of its identity theft protection product with immediate effect.
And, after announcing the news to the London stock exchange, shares in CPP fell a staggering 46% from £2.35 to £1.50, within one day of trading [Financial Times, March 2011]. The reason for this dramatic fall was, as Chief Executive Eric Woolley stated, “Card and identity protection products in the U.K. accounted for more than 60 per cent of CPP’s business” [Eric Woolley, March 2011]. This shows how exaggerating the risk of Identity theft within this type of organisation can cause massive losses for a business. In one fell swoop CPP Group PLC lost almost half its market capitalisation, just because they were “under investigation” for overstating (a.k.a. exaggerating) the risk of Identity theft through calls to potential customers. This example shows that some can, and do, overstate the risk of Identity theft, and they reap the rewards as a result, as they can sell the technology to tackle it.
In the introduction I provided an overview of some of the literature and then within the assignment I took a look at both sides of the argument. Through the major cases above I have shown how Identity Theft is a Real Threat to business. However it is also a threat to small businesses; small businesses must follow the same guidelines as highlighted in the TJ Maxx instance. Failure to do so could possibly lead to the damaging effects of major fines, lawsuits and the damaging of the brand image of a company, as well as deterring investors. Don’t forget the wider implications for business: with the growing trend towards e-commerce, many companies want to take advantage of this, however major data breaches as seen above can hamper the consumer confidence and set back this industry. Again this is a threat to business in this area.
Is Identity theft over-exaggerated? You may think I strayed from the point a little here, but I felt it was important to look at this side of the argument, and what drives it. What mainly drives it is the backing of the argument that the surveys conducted are unreliable. I am personally not over awed by this argument, however the people who make the argument point to some interesting evidence of the inaccuracy of surveys from some top researchers in Identity Theft. A look into the CPP Group case gives another side to the exaggerated risk argument. Do people/corporations over-exaggerate the risk for their own benefit? Perhaps. But that is where regulation steps in, and in the case of CPP they had to change their marketing strategy within a few weeks once the FSA began an investigation. Overall, this was a very interesting topic to research, and it opened my eyes to some new areas of IT within business and some of the problems it must tackle.
1.Gartner Research, Phishing Attack Victims Likely Targets for Identity Theft, 4th May 2004; (http://www.social-engineer.org/wiki/archives/IdTheif/IdTheif-phishing_attack.pdf)
2.Symantec Corporation; “Cyber Crime has Surpassed Illegal Drug Trafficking as a Criminal Money-maker; 1 in 5 will become a Victim” – Sept 10th 2009; (http://www.symantec.com/about/news/release/article.jsp?prid=20090910_01)
3.Overseas Digest; “Identity Theft: When Bad things Happen to your Good Name”. – February 2001; (http://www.overseasdigest.com/odarticles/idtheives.htm)
4.Columbus State University; “Is There a Security Problem in Computing?” – 17 February 2011; (http://csc.columbusstate.edu/summers/notes/security.htm)
5.DreamWorks (film); “Catch me if you Can” – December 25th 2002; (http://www.angelfire.com/biz7/netmeeting/catchme.html)
6.Stefan Nagtegaal; “Data Theft: 100 million Records stolen” – 13th August 2008; (http://whereismydata.wordpress.com/tag/tjx/)
7.CBS News; “11 Indicted in Largest ID Theft Case Ever” – Feb 23rd 2010; (http://www.cbsnews.com/stories/2008/08/05/tech/main4323211.shtml)
8.Miami New Times; “The Biggest Identity case ever. Right here in Miami” – May 20th 2010; (http://www.miaminewtimes.com/content/printVersion/2270696/)
9.Identity Theft Awareness; “TJ Maxx Identity Theft” – 2011; (http://www.identity-theft-awareness.com/tj-maxx.html)
10.St. Petersburg Times; “TJX Hacker Theft May be Largest Security Breach. Data from 45.7-million Cards illegally Obtained” – March 30th 2007; (http://www.sptimes.com/2007/03/30/Business/TJX_hacker_theft_may_.shtml)
11.Neal O’Farrell; E-BOOK: “Double Trouble; 12 Reasons why we’re Losing the Battle against Identity Theft” – 2011; (http://www.identityguard.com/downloads/ebook-double-trouble.pdf)
12.The Guardian; “PlayStation Network Hack: Industry Reactions and Theories” – 29th April 2011; (http://www.guardian.co.uk/technology/gamesblog/2011/apr/29/psn-hack-industry-reactions?INTCMP=ILCNETTXT3487)
13.OECD; “Reinforcing consumer confidence- Key to Boosting e-commerce” – 16th November 2009; (http://www.oecd.org/document/20/0,3746,en_21571361_43348316_44078356_1_1_1_1,00.html)
14.Develop Magazine; “Devs on PSN hack; digital distrust could follow” – 27th April 2011; (http://www.develop-online.net/news/37568/Devs-on-PSN-hack-Digital-distrust-could-follow)
15.J. Ryan and T. I. Jefferson; “The Use, Misuse, and Abuse of Statistics in Information Security Research” – 2003. (http://www.belt.es/expertos/HOME2_experto.asp?id=5752)
16.Dinei Florencio & Cormac Herley, (Microsoft Research) “Sex, Lies and Cyber-Crime Surveys”. (http://www.belt.es/expertos/HOME2_experto.asp?id=5752)
17.Federal Trade Commission; “2006 Identity Theft Survey Report” – November 2007; (http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf)
18.ITRC; “2008 Data Breach Total Soars” – June 15th 2009; (http://www.idtheftcenter.org/artman2/publish/m_press/2008_Data_Breach_Totals_Soar.shtml)
19.The Financial Times; “CPP in free fall amid FSA worries” – March 29th 2011; (http://www.ft.com/intl/cms/s/0/89a516dc-5a38-11e0-86d3-00144feab49a.html#axzz1eB8FvcKU)
20.The York Press; “FSA’s concerns contested as CPP Claims ‘highest level of integrity’ “- March 30th 2011; (http://www.yorkpress.co.uk/news/business/news/8941469.Watchdog___s_concerns_contested_as_CPP_claims____highest_levels_of_integrity___/)