


What Every IT Auditor Should Know About Identity Theft

By Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP
Volume 6, 2006

Criminals have found a new and easier way to commit financial crimes: identity theft. It is much safer than robbing a bank, and it is much easier to get away with the bag full of money. For example, one man was recently arrested with thousands of credit cards that were being used for identity theft purposes. Stolen customer data were written onto the cards, and the forgeries were sold and used successfully to buy merchandise. He was even able to hide the true nature of his “job” from his family.

Identity theft (ID theft) can strike anyone at anytime. Victims are usually randomly selected, or self-selected, in the processes used to gather personal information. Perhaps the most commonly used method, and probably the most successful one, is phishing. One definition of phishing states:

Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials.1

Usually, the perpetrator sends thousands of bogus e-mails that contain a link to a web site where the victim is asked to supply his/her personal information (such as banking information or login information). Unsuspecting users who reply often become victims of financial crimes against their credit card accounts or other financial accounts.

This crime has been increasing rapidly over the last few years. According to the Gartner Group, banks and credit card users lost US $1.2 billion in 2003 in direct losses. Indirect losses are much higher and difficult to estimate, according to Gartner, and even those figures do not take into account the hardship victims suffer in dealing with their damaged personal credit records. It can take years to get one’s credit corrected after such an experience. According to the US Federal Bureau of Investigation (FBI), almost 10 million Americans were victims of ID theft in 2003. About 5 percent of recipients of phishing e-mails do respond, according to the US Federal Deposit Insurance Corporation (FDIC).

One professional group that is concentrating on fighting this type of crime is the Anti-Phishing Work Group (APWG). APWG works closely with other groups, especially associated federal agencies.

According to APWG statistics, more than 5,000 more phishing reports were made in May 2006 than in May 2005. The total for May 2006 was more than 20,000 reports. Malicious electronic stealing of passwords also increased from 495 in May 2005 to 2,100 in May 2006. In May 2006, a total of 137 brands were hijacked for phishing expeditions—the highest number of brands ever recorded by APWG. Figure 1 shows some highlights of APWG’s May 2006 statistics on phishing. Clearly, phishing and stealing passwords have reached epidemic proportions.

[Figure 1: Highlights of APWG’s May 2006 phishing statistics]

At first, this epidemic might seem to be strictly at a personal level, and not related to business and especially IT audits. However, it is of great concern for IT auditors. After all, phishing and identity theft are usually dependent on electronic means to gather electronic personal data. Phishers use the Internet and e-mail to seduce a person to volunteer personal data, and often break into data vaults of companies to steal personal data. For instance, hackers have been successful in breaking into systems to steal data files containing credit card and/or personal data that were used to perpetrate ID theft (examples include CD Universe and Choicepoint). Thus, if a company maintains such private personal data in its system, it has a significant risk associated with the loss of that data and, in particular, with criminals stealing that information and using it to commit ID theft crimes.

Regulations and Public Policy

Most IT auditors are aware of the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) and how they relate to privacy of information. However, California (USA) passed a law a few years ago that goes beyond the recent federal regulations. The California act requires any entity in any state to notify California residents individually, by letter, of any security breach of their personal information, regardless of whether the entity was able to determine if the data were actually compromised by a malicious person. If an entity has a security breach and it knows that personal data could have been stolen or compromised, and if some of the data belong to California residents, that entity is legally bound to notify each California resident personally and individually of the breach and the status of the compromise. Some call this notification the Scarlet Letter.

As an example, Choicepoint had thousands of accounts accessed by a malicious client or clients and had to send thousands of letters to California residents. IT auditors need to be aware of which states have such laws, and make sure that procedures and controls are in place to comply with them.

Also, public policy has become such that larger institutions are expected to notify their customers and clients when such an event occurs. These notifications are usually accompanied by a year of free service of a credit bureau or credit watch entity so customers, members or clients can monitor their credit reports for evidence of ID theft.

Some examples provide a framework for thinking through how a particular entity might be at risk. In May 2006, the American Institute of Certified Public Accountants (AICPA) had a backup drive with thousands of members’ personal data lost in transfer to an offsite storage location by an independent mover. AICPA notified all of these members of the loss by letter, and although it was not able to determine if anyone actually had compromised the data, it provided a year of a credit watch service.

In fall 2005, a university had evidence of an unauthorized access to student data in one of its schools when a network connection was not secured. That school also sent a letter to the students to inform them of the breach and the unknown status of any use of that data, and it gave them a free year of service from a credit watch service. In July 2006, a US Veterans Affairs employee had a laptop stolen from his/her home in Washington DC, USA. The laptop contained thousands of veterans’ personal information. A manhunt ensued and the criminals were caught; they turned out to be burglars who did not know what they had. Although the Veterans Affairs office had a policy of not taking these data files offsite, this employee did (in obvious violation of policy) and subjected the data to exposure.

Clearly, having a policy is not enough!

Concerns and Controls

Often, there is adequate protection of personal data within the bounds of an entity’s facilities. But what about transfers of backup disks or employees who take a laptop home? What about a hacker who successfully signs up as a customer or member (e.g., a false company used only to perpetrate a crime such as ID theft) to gain access to personal data, which is what happened to Choicepoint?

Thus, maintaining the privacy and security of personal data extends beyond policy and the four walls of a building. If data are going to be moved to an offsite storage location, what controls are in place to prevent a theft or loss of the drive? One potential control could be for the company to go to the expense of encrypting any data that go into a third party’s control for transfer of the device.

There are also different concerns for industries that are highly susceptible, such as finance and banking. According to APWG, 92 percent of all phishing attacks target the financial services industry (as of May 2006). An article in Bank Accounting and Finance2 recommends that the following general steps should be used to protect financial services institutions (they also apply generally to any other type of company):

  • Do a realistic assessment of the risks. For risks above an acceptable level, the following three steps are recommended.
  • Conduct research and implement the appropriate prevention techniques, tools and policies.3
  • Ensure that there is a sound recovery plan in case of a successful attack.
  • Develop an effective incident response plan well in advance of an actual attack.

In regard to phishing in the finance and banking industry, the weakest link is the uninformed, innocent customer who unwittingly responds to a phishing attack. For those businesses, customer education is a critical success factor.

The US Department of Justice emphasizes a memorable plan: Stop, Look and Call. Stop because phishing e-mails inevitably have a sense of urgency in them. Look because the link text shown in an e-mail is probably not the real destination (URL), and because the sender’s e-mail address can supply a clue that the message is bogus. For example, an e-mail supposedly coming from Bank of America (BOA) might be sent from Bank.of.America@iliut3.dpe.com, not likely a valid e-mail address for BOA. Call because customers should call the organization first to see if the request is legitimate.
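The two “Look” checks above (does the visible link match its real target, and does the sender’s domain match the organization’s) can be automated for awareness training or help-desk triage. The following is an added example written for this article, not code from the author or from the US Department of Justice; the sample messages, the `example-bank.com` domain and the placeholder sender and link hosts are all constructed, and the domain comparison uses a crude “last two labels” rule rather than a public-suffix list.

```python
"""Heuristic "Look" checks for a suspected phishing e-mail.

Added example (not from the article). It flags three things the text
describes: a sender domain that does not belong to the organization,
anchor text that shows one host while the href points at another, and
urgency wording in the body. Sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of urgency phrases typical of phishing lures.
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "urgent")


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude approximation: last two DNS labels (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(text):
    """Hostname of a URL or of a bare 'www.host/path' string."""
    t = text.strip()
    if "://" not in t:
        t = "http://" + t
    return urlparse(t).hostname or ""


def analyze_message(raw, expected_domain):
    """Return the sender/link/urgency findings for one single-part HTML e-mail."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")

    collector = _LinkCollector()
    collector.feed(body)
    mismatches = []
    for text, href in collector.links:
        # Only treat the anchor text as a "shown" host if it looks like one.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        actual = host_of(href)
        off_domain = registered_domain(actual) != expected_domain
        text_lies = bool(shown) and registered_domain(shown) != registered_domain(actual)
        if off_domain or text_lies:
            mismatches.append((text, href))

    lowered = body.lower()
    urgency = [w for w in URGENCY_WORDS if w in lowered]
    sender_mismatch = registered_domain(sender_domain) != expected_domain
    return {
        "sender_domain": sender_domain,
        "sender_mismatch": sender_mismatch,
        "link_mismatches": mismatches,
        "urgency_words": urgency,
        "suspicious": sender_mismatch or bool(mismatches) or bool(urgency),
    }


# Constructed lure: off-domain sender, link text that hides a different host.
SAMPLE_EMAIL = """\
From: Example Bank Security <Example.Bank@mail.bogus-sender-placeholder.net>
To: customer@example.org
Subject: Action required on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please verify your details immediately or your account will be suspended.</p>
<p><a href="http://example-bank.com.verify-placeholder.net/login">www.example-bank.com/login</a></p>
<p><a href="https://www.example-bank.com/security">Our security page</a></p>
</body></html>
"""

# Constructed legitimate notice for comparison.
CLEAN_EMAIL = """\
From: Example Bank <alerts@example-bank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is available in online banking.</p>
<p><a href="https://www.example-bank.com/statements">View statements</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyze_message(raw, "example-bank.com"))
```

The anchor-text comparison is the point of the example: a link whose visible text reads `www.example-bank.com/login` but whose `href` resolves to a different registered domain is exactly the “link as written is not the real link” case, and it is caught even when the sender address looks plausible.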

Enterprises can also educate customers via their web sites. There, the entity can provide information such as the fact it never asks for personal information via e-mail, and what to do if a customer gets an e-mail that appears to be from that entity. On some web sites, this notification is near the bottom and users can only see the link or information if they happen to scroll down. It is important that it appears in the first window, viewable immediately, to make sure customers can be effectively informed. Stuffers in bank statements and flyers in the lobby are also helpful. A help desk or toll-free phone number for suspicious activities is even more helpful.

Conclusion

ID theft is a growing concern for the business world and the general population. Laws such as HIPAA, GLBA, and the California Scarlet Letter law have been passed to protect the private information of customers, clients, patients and members. Any entity that maintains personal information has some risk of ID theft. The concerns and controls include all locations of the data and all movements of the data, inside and outside the entity. This article attempts to provide some basics about protecting an entity against ID theft, and a few resources for technical guidance on controls.

Endnotes

1 Anti-Phishing Work Group, www.apwg.org

2 Singleton, Tommie; Aaron Singleton; Geoff Gottlieb; “Cyberthreats Facing the Banking Industry,” Bank Accounting and Finance, March 2006, p. 26-32

3 See the following articles from the APWG for best practices and controls: Emigh, Aaron; “Online Identity Theft: Phishing Technology, Chokepoints, and Countermeasures,” APWG white paper, 3 October 2005, www.apwg.org, and Messaging Anti-Abuse Working Group and APWG, “Anti-Phishing Best Practices for ISPs and Mailbox Providers,” July 2006, www.apwg.org

Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP
is an assistant professor of information systems at the University of Alabama at Birmingham (USA), Marshall IS Scholar, and director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting information systems using microcomputers. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His publications on fraud, IT/IS, IT auditing and IT governance have appeared in numerous journals, including the Information Systems Control Journal.


Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

