Brian Pennington

A blog about Cyber Security & Compliance

2012: “A year of Identity & Fraud” a review by Experian

Experian, a global information services company, has posted two summaries of its research and blogs for 2012. I have taken the information that relates to identity theft and fraud and consolidated it into one post.

In March, Experian revealed its latest research which estimated £1.02 billion worth of online shopping transactions were abandoned the previous year by UK consumers frustrated by old and inefficient identity measures. One in five of these abandoned transactions were not taken elsewhere as individuals cancelled their shopping attempt altogether, resulting in £214 million worth of net lost revenue for UK retailers.

The study, which was conducted for Experian by the International Fraud Prevention Research Centre and included survey data as well as insights from online retailers and the Office of National Statistics, revealed that 44% of UK shoppers had abandoned at least one online shopping transaction in the last year having become frustrated with the length and complexity of certain older forms of identity verification.

Older forms of online identity verification, typically complex, standalone systems drawing on single sources of information to corroborate identity information, are unable to validate as many individuals electronically as modern services. As a result, genuine customers might be forced to call a contact centre, submit physical documents through the post or visit the store or branch to confirm identity. Alternatively, the organisation might choose to accept a lower level of proof, and risk higher levels of fraud, in order to minimise customer inconvenience.

In April, Experian revealed that fraudulent applications for mortgages increased by 8% in the previous year. This was the fifth year in a row in which the rate of mortgage fraud has increased. 34 in every 10,000 applications for mortgages were found to be fraudulent in 2011, compared to just 15 in every 10,000 in 2006.

The overall rate of fraud at point of application across the UK’s financial services sector increased by 4% in 2011, to just over 17 in every 10,000 applications. In addition to record mortgage fraud figures, this overall increase was also driven by growth in insurance and current account fraud. 93% of attempted mortgage fraud in 2011 was down to individuals misrepresenting their personal information on applications. Typically these first party frauds involved falsifying employment status or financial information, and most commonly attempting to hide an adverse credit history.

Experian’s demographic insight revealed that Mosaic groups Terraced Melting Pot (young, poorly educated individuals living in small towns) and Suburban Mindsets (predominantly middle aged, middle and skilled working class individuals) were both responsible for around 15% of first party mortgage fraud cases in 2011. The young, well educated professionals of the Liberal Opinions were also prone to attempting first party mortgage fraud, being responsible for 13% of cases.

Nick Mothershaw, UK&I director of identity & fraud at Experian, comments: “About 70 per cent of financial services application fraud in the UK is down to first parties misrepresenting their circumstances, and the products such as mortgages and insurance that have seen fraud soar over the last year have a significant first party fraud element to them. This kind of fraud tends to originate from financially stressed segments of society.”

  • Insurance fraud. Insurance fraud rates reached 11 in every 10,000 applications and claims in 2011, an increase of 23% over the last year. 89% of insurance fraud was first-party led with the Terraced Melting Pot, Suburban Mindsets and Liberal Opinions demographics responsible for the most instances. Combined they accounted for 43% of cases.
  • Current accounts. The rate of current account fraud increased to 36 frauds in every 10,000 applications in 2011, up from 23 in every 10,000 in 2010. 60% of current account fraud in 2011 was committed by first-parties, almost a quarter (23%) of which was down to the Terraced Melting Pot demographic. The remaining 40% of current account fraud attempts were down to third-party identity fraudsters seeking to open accounts as a springboard to obtain other, more lucrative credit products, or for money laundering purposes.
  • Automotive and credit card fraud rates fall. Not all financial products saw fraud rates increase in 2011. Credit card fraud continued to fall, from 19 in every 10,000 applications in 2010 to 12 in every 10,000 in 2011. The rate at which fraudsters target new credit cards is almost a quarter of the level recorded in 2006, when 45 in every 10,000 applications were fraudulent.  Automotive finance providers have also seen fraud rates fall. 23 in every 10,000 applications were found to be fraudulent in 2011, down from 38 in every 10,000 during 2010. 85% of these frauds were first party.

In May, Experian revealed that Slough had overtaken London to become the identity fraud capital of the UK. The Berkshire town recorded 25 identity fraud attempts for every 10,000 households, with residents targeted at around four times the UK national average (seven households in every 10,000). Residents of London, Gravesend, Birmingham, Luton, Manchester and Leicester were also targeted at twice the national average rate. London as a whole experienced 22 attempts for every 10,000 households, although attempts were not spread evenly across the capital.

Substantial hotspots for identity fraud activity were found in and around London’s Olympic neighbourhoods. Financial service providers detected 78 incidents for every 10,000 households in East Ham, as residents were targeted at more than 11 times the national rate. Woolwich and Stratford also experienced significant identity fraud activity, recording 46 and 43 identity fraud attempts respectively for every 10,000 households.

Whilst the instances of fraud across all financial products remained at a constant level between 2010 and 2011 (six in every 10,000 applications were found to be fraudulent), the data shows that there was a surge in identity theft via current accounts and mortgages during this period, with rates doubling (from six to 14 in every 10,000 applications) and quadrupling (from one to four in every 10,000) respectively.

Identity fraud attempts on credit cards fell from 17 to four in every 10,000 applications.

Fraudsters turn their attention away from the wealthy.

  • For the first time, young people renting small flats from local councils or housing associations represent the demographic most likely to be targeted by identity fraudsters. This group, known in Experian’s Mosaic classification as Upper Floor Living, saw its identity fraud risk score increase by 47% to 256 in 2011. Its constituents are two-and-a-half times more likely than the average UK resident to be targeted.
  • Almost as high on the identity fraud danger list are the Terraced Melting Pot (risk score 242), a group of mostly young people with few qualifications who work in relatively menial, routine occupations, and live close to the centres of small towns or, in London, in areas developed prior to 1914. The Terraced Melting Pot saw its risk score increase by 75% in 2011.
  • Previously, the wealthy Alpha Territory demographic – representing the wealthiest sections of society living in fashionable London neighbourhoods – were most likely to be targeted. The risk score for this group halved in 2011 (from 301 in 2010 to 149) as fraudsters turned their attentions to younger and less affluent sections of society.

In June, Experian revealed that the financial services industry saw a 16% quarter-on-quarter jump in fraud rates in the period January to March 2012, driven primarily by a significant surge in current account fraud. 19 in every 10,000 applications for financial services were found to be fraudulent in the first three months of 2012, up from 16 in the last quarter in 2011. 44 in every 10,000 current account applications were detected as being fraudulent during the first quarter of 2012, 23% higher than Q4 2011.

The current account extended its position as the most targeted financial product, recording the busiest period for current account fraud ever recorded by Experian. Experian’s data shows that the majority (62%) of current account fraud in 2011 was committed by first-party perpetrators, which typically involves an individual painting a knowingly false portrait of their personal circumstances to obtain services to which they are not entitled. 38% of current account frauds were due to individuals attempting to hide adverse credit histories when opening current accounts or applying for overdrafts.

A further 39% of current account fraud involved product or payment abuse, which included people knowingly attempting to make payments with insufficient funds in their accounts. Attempted insurance fraud increased by 37% quarter-on-quarter, to reach its highest point since late 2009. 13 in every 10,000 applications and claims were detected as being fraudulent during Q1, up from 10 in Q4 2011. 58% of insurance fraud involved some form of product abuse, most significantly the provision of false payment information.

A 56% increase in identity fraud attempts pushed credit card fraud up from 10 cases in every 10,000 applications in the final three months of 2011 to 14 in the first quarter of 2012. Attempted identity frauds on cards leapt from five to eight in every 10,000 applications over the same period.

Nick Mothershaw, UK director of identity & fraud services at Experian, comments: “Experian’s data shows further growth in current account fraud during the first quarter of 2012, mostly emanating from individuals providing false information attempting to open new accounts or obtain overdrafts or making payments they knowingly couldn’t afford. The threat of identity fraudsters seeking to open accounts in the names of unsuspecting third parties, for money laundering or as a springboard to attempt fraud on more lucrative credit products, also remains.  Credit cards have seen a resurgence in identity fraud, while a growing number of financially stressed individuals consider misrepresenting their personal or payment information when applying for insurance, contributing to a significant fraud upswing in the first quarter of 2012.” 

  • Automotive finance. Fraud attempts in the automotive finance sector have declined significantly, down 34% on the previous quarter. There were 18 attempted frauds in every 10,000 applications in the first quarter of 2012, the majority of which were individuals attempting to hide an adverse credit history when applying for automotive finance.
  • Loans. The number of fraudulent loan applications has continued to decrease, reaching the lowest point ever recorded by Experian. Four in every 10,000 applications were discovered to be fraudulent in Q1 2012, 38% lower than the previous quarter. Attempting to hide an adverse credit history continues to be the preferred modus operandi in more than half of attempted loan fraud.
  • Mortgages. Attempted mortgage fraud fell by 5% quarter-on-quarter, with 35 in every 10,000 applications uncovered as fraudulent during the first three months of 2012. Attempting to hide an adverse credit history, misrepresenting employment status and falsifying financial information were the most commonly used tactics employed by mortgage fraudsters during Q1.
  • Savings accounts. Savings account fraud rates were 18% lower in the first quarter of this year than the preceding three months. 12 in every 10,000 applications were found to be fraudulent, with identity fraudsters responsible for more than 80% of cases.

In July, it was reported that fraudsters had traded 12 million pieces of personal information online in 2012, representing a threefold increase on corresponding figures for 2010. Experian data indicated that consumers had an average of 26 separate online logins, but just five different passwords across them all.

Experian advised people to change their passwords on a regular basis and try to make them more complex to keep fraudsters from cracking them.

The full story can be found here.

In August, a special investigation revealed that fraudsters were stealing identities in order to take out multiple mobile phone contracts and walk away with valuable handsets. One man returned from a holiday to discover fraudsters had taken out nine contracts in his name.

Experian said around 200 victims were contacting the company each month for help to restore credit histories that had been damaged by the “mobile communications fraud”.

George Hopkin’s original posts can be found here, part one and part two.

Data Protection & Breach Readiness Guide

The Online Trust Alliance (OTA) has released its 2012 Data Protection & Breach Readiness Guide, a comprehensive guide outlining key questions and recommendations to help businesses with breach prevention and incident management.

This post is a summary of their results and guidance.

Craig Spiezle, Executive Director and President of the Online Trust Alliance said

“Last year, more than 125 million people were affected by data loss incidents. Combined with the increased awareness of these high visibility incidents and aggressive data collection and sharing practices, consumers’ trust and online confidence is under attack. By following the recommendations in this guide we have an opportunity to enhance online trust and promote the vitality of the internet”

Rob McKenna, Washington State Attorney General and 2011-12 President of the National Association of Attorneys General said

“Today’s consumer is often aware of when their personal data is collected and wants to ensure that businesses protect it. The Online Trust Alliance’s resources are a valuable tool for businesses committed to ensuring customers’ privacy and security”

John Roberson, Executive Director, Small Business Development Resource Center, Chicagoland Chamber of Commerce said

“Businesses need to look holistically at data privacy and ask, ‘What is the compelling business reason to keep customer data?’ When you have a data incident, the more data you have stored – and compromised – the more damaging it can be for both the individual and the company. The OTA guide gives key insights into questions that companies need to ask themselves to protect their customers and delivers information for any business developing, implementing, or updating their privacy policies and notices”

“The Internet has become the land of opportunity for scams and, unfortunately, we see thousands of them every year,” notes Genie Barton, Vice President of the Council of Better Business Bureaus and director of its Online Behavioral Advertising Program. “Consumers need assurances that they can trust the companies they do business with to secure their data, and the OTA Data Protection & Breach Readiness Guide is a great tool to help businesses protect themselves and their customers. BBB is happy to recommend it to businesses large and small, and we are delighted to help build a safer Internet for all by supporting excellent initiatives such as this guide.”

The 2012 Guide recommends that businesses accept three fundamental truths about data:

  1. The data they collect includes some form of Personally Identifiable Information (PII) or “covered information”
  2. If a business collects data it will experience a data loss incident at some point
  3. Data stewardship is everyone’s responsibility

2011 incidents, the highlighted statistics:

  • 558 breaches
  • 126 million records
  • 76% server exploits
  • 92% avoidable
  • $318 cost per record – an increase of over $100 per user record from 2009
  • $7.2 million average cost of each breach
  • $6.5 billion impact to U.S. businesses

The 558 incidents were recorded by the Privacy Rights Clearinghouse (PRC) and the Open Security Foundation, and were broken down by sector as follows:

  • Education (schools and colleges) 13%
  • Government agencies 15%
  • Health care providers 29%
  • Business 43%

Compared to 2010, the sectors with the highest percentage change were:

  • Healthcare with an 11% increase
  • Business incidents decreased by 13%

In Verizon’s 2011 Data Breach Notification report, 50% of all data breaches were through hacking (up 10% over 2010) and 49% incorporated malware (up 11% over 2010). Most alarming is that 96% were avoidable through simple steps and internal controls.

The implications of a breach to the organization can be grave, for example:

  • An employee of Massachusetts General Hospital left 192 patient records on a subway; the hospital was fined $1M by the US Health and Human Services
  • The Massachusetts eHealth Collaborative, a 35-person non-profit, experienced a single laptop theft that cost them over $300,000 in legal, private investigation, credit monitoring and media consultancy fees. Employees also spent over 600 hours dealing with the damage that the breach caused to their brand and reputation.

The report offers the following guidance:

Data Incident Plan Framework

An effective Data Incident Plan (DIP) includes a playbook that describes the fundamentals of a plan that can be deployed on a moment’s notice. Organizations need to be able to quickly determine the nature and scope of the incident, take immediate steps to contain it, ensure that forensics evidence is not accidentally ruined and immediately initiate steps to notify regulators, law enforcement officials and the impacted users of the loss.

Risk Assessment/Prevention

To help maximize business continuity, organizations are encouraged to self-audit their level of preparedness by asking key management leaders the following questions:

  1. Do you know what sensitive information is maintained by your company, where it is stored and how it is kept secure?
  2. Do you have an accounting of all stored data including backups and archived data?
  3. Do you have a map of data workflows both within your organization and your vendors’ organizations to identify points of vulnerability?
  4. Do you have a 24/7 incident response team in place?
  5. Is management aware of the regulatory requirements related specifically to your business?
  6. Have you conducted an audit of your data flows across your company and vendors, including a privacy and security review of all data collection and management activities?
  7. Are you prepared to communicate to customers, partners and stockholders during an incident?
  8. Do you have access credentials in the event key staff is not available?
  9. Do you have an employee contact list to use in the event of a breach, and is it updated with contact information on a quarterly basis?
  10. Are employees trained and prepared to notify management in the case of accidental data loss or a malicious attack? Are employees reluctant to report such incidents for fear of disciplinary action or termination?
  11. Have you coordinated with all necessary departments with respect to breach readiness? (For example information technology, corporate security, marketing, governance, fraud prevention, privacy compliance, HR and regulatory teams).
  12. Do you have a privacy review and audit system in place for all data collection activities including that of third-party/cloud service providers? Have you taken necessary or reasonable steps to protect users’ confidential data?
  13. Do you review the plan on a regular basis to reflect key changes? Do key staff members

The report identifies 19 steps that are required by an organisation if they are to be effectively prepared to handle a data breach:

  1. Data Classification
  2. Audit & Validate Data Access
  3. Forensics, Intrusion Analysis & Auditing
  4. Data Loss Prevention Technologies
  5. Data Minimization
  6. Data Destruction Policies
  7. Inventory System Access & Credentials
  8. Creating an Incident Response Team
  9. Establish Vendor and Law Enforcement Relationships
  10. Create a Project Plan
  11. Determine Notification Requirements
  12. Communicate & Draft Appropriate Responses
  13. Providing Assistance & Possible Remedies
  14. Employee Awareness & Readiness Training
  15. Analyse the Legal Implications
  16. Funding & Budgeting
  17. Critique & Post Mortem Analysis
  18. Implement Steps to Help Curb Misuse of Your Brand, Domain & Email
  19. International Considerations

The complete OTA guide is available here.

Six Years of Data Breaches including the TOP 10 largest Breaches

The Leaking Vault 2011 report from the Digital Forensics Association has gathered data from studying 3,765 publicly disclosed data breach incidents, and is the largest study of its kind to date. Information was gleaned from the organizations that track these events, as well as government sources. Data breaches from 33 countries were included, as well as those from the United States.

This study covers incidents from 2005 through 2010, and includes over 806.2 million known records disclosed. On average, these organizations lost over 388,000 records per day/15,000 records per hour every single day for the past six years.

The estimated cost for these breaches comes to more than $156 billion to the organizations experiencing these incidents. This figure does not include the costs that the organizations downstream or upstream may incur, nor that of the data subject victims. Further, it is a low estimate of the cost, due to the fact that 35% of the incidents did not name a figure for records lost.

The Hacking vector remains the records loss leader, responsible for 48% of the records disclosed in the study.

  • In 65% of the cases, the data disclosed included the data subject’s name, address and Social Security Number
  • 16% disclosed medical information
  • 15% of the incidents disclosed Credit Card Numbers

Medical disclosures saw a significant increase with the addition of the 2010 data. This is more likely due to the reporting requirement of existing regulations going into effect than any actual increase of incidents. The incidents where criminal use of the data was confirmed increased by 58% from the prior report.

Here is a small sampling of the incidents from the study to put a personal face on the statistics:

  • Three servers from a well-known chain restaurant were charged with using skimming devices to make more than $117,000 in fraudulent charges to customer credit card accounts.
  • A restaurant employee stole customer credit card information and used it to purchase $200,000 of Walmart gift cards.
  • In the span of six months, nine employees of a telecommunications company inappropriately accessed confidential customer account information and used it to make cloned cell phones. Over $15 million of unauthorized phone calls resulted from this scheme.
  • An executive turned himself in to authorities after being accused of selling customer information to identity thieves in exchange for sports tickets and gift cards.
  • The owner of a medical equipment business used Medicare client information to obtain approximately $1.6 million worth of fraudulent claims.
  • The owner of a farm equipment store pled guilty to federal charges, admitting she stole the identities of customers to obtain more than 80 loans worth $1.7 million.

Breach Vectors

There has been a rise in snooping and other inappropriate disclosure where the confidentiality of the data is breached, but the data may not have left the control of the organization; or the act was done with the approval of the organization, but found later to be an inappropriate breach of confidentiality. In a recent case, UCLA Medical Center agreed to pay $865,000 to settle instances where employees snooped on the medical records of celebrities being treated at the facility.

Another example is when the California Department of Health Care Services released confidential and identifying information about HIV positive MediCal recipients to a third party service provider. This was later deemed to be both illegal and unauthorized. To classify these types of cases, the new breach vector of Disclosure has been added to the study beginning with 2011.

The Laptop Vector

Laptops increasingly contain significant amounts of organizational data. They are frequently the sole computer an employee uses, and come with a hard drive that can contain very large datasets. It is not uncommon for companies to find out after a breach incident that the individual assigned the asset had spreadsheets, and even whole databases, containing sensitive data. When a laptop is issued to an individual, it should be accompanied by a set of rules for the custodian of the device to follow. This should include direction for maintaining physical control offsite (i.e., not to leave it in a vehicle, etc.) and onsite (i.e., lock it to their work surface), as well as controls for when these rules either are insufficient to keep the asset safe, or when the individual does not follow them. Potential controls include encrypting the device, remote wiping capability, tracking/recovery software, etc. The organization has a responsibility to the data subjects to take appropriate steps to ensure their data will not be at risk of disclosure when the unexpected happens.

Of the 3,765 incidents in the study, 719 involved laptops being improperly disposed of, getting stolen, or being lost. In 96% of these incidents, the laptops were stolen. Overall, the laptop vector accounted for 45,500,147 records in the study.

  • The largest quantity of laptops were stolen from the office of the organization suffering the loss. This illustrates the need for locking mechanisms for the laptops when unattended at work.
  • The second largest number of laptops were stolen from inside a vehicle. This is the most preventable, and represents 191 incidents involving over 4 million records.

The Hacking Vector

The 2010 data increasingly showed the prevalence of skimmer use. Skimmers are credit card readers that are typically hand held or installed in ATMs and point of sale devices to read the credit card track data and steal it. This was most commonly seen in retail establishments, and especially in restaurants. Anywhere the credit card is taken away from the customer’s control, there is a higher risk that a skimmer might be used by the dishonest. However, this is not to say that the card data is safe when in the control of the customer. Another increasingly common incident is the skimmer installed at the gas pump. In this case, there is either a skimmer on the outside of the pump (these are becoming very clever and difficult to spot), or there is a device inside the pump where the customer has no hope of detecting it, and it can be wirelessly unloaded by the criminals, posing minimal risk of being caught.

The Large Incidents (Involving over 1 Million Records)

Only 66 of 3,765 incidents involved over 1 million records. However, those 2% of incidents made up 91% of the records disclosed over the study. The top vector for large incidents was the Hack vector, claiming 29% of the incidents. The Drive/Media vector took 22% of the incidents, with the Fraud – SE vector accounting for 17%.

Breach Vectors of the Ten Largest Incidents (2005 – 2010)

| Organization | Records | Vector |
|---|---|---|
| Heartland Payment Systems | 130,000,000 | Hack |
| TJX Companies | 94,000,000 | Hack |
| Facebook | 80,000,000 | Web |
| National Archives | 76,000,000 | Drive/Media |
| Card Systems | 40,000,000 | Hack |
| RockYou, Inc. | 32,000,000 | Hack |
| U.S. Dept. of Veterans Affairs | 28,600,000 | Laptop |
| H.M. Revenue and Customs | 25,000,000 | Drive/Media |
| iBill | 17,781,462 | Fraud-SE |
| TMobile | 17,000,000 | Drive/Media |

Criminal Use

Criminal or malicious motivation in attacks makes for more expensive breaches. This is true both for the organizations that suffer them, and the people whose data is compromised. Between 2005 and 2010, the data in 396 cases was confirmed to have been used for criminal activity. This is a difficult metric to track, since the criminal activity associated with breach activity shows that the data is commonly sold and resold.

The crime where the perpetrator has a direct connection to the victim is most frequently where the arrest is reported with the event. To that end, the Fraud-SE category is represented by a much higher margin than some of the vectors that have generated these large scale data disclosures.

Credit Cards

There were 558 incidents where CCN data was involved. They accounted for almost 330 million records. The median records disclosed was 1,000; and 45% of the incidents did not list how many records were disclosed. These records should fall under the Payment Card Industry’s Data Security Standard (PCI-DSS), and the organizations that have experienced these incidents will have to undergo further scrutiny to prove they are compliant with this standard.

The ID Theft Critical Data Elements

The Identity Theft critical data elements are those that, in combination with the Name and Address, facilitate the commission of identity theft and financial fraud—namely the SSN and date of birth. In TLV, we looked at the incidents with these three data items all lost in the same event. At the time of that study, there were only 262 incidents that contained all three items. In contrast, there are now a total of 1,084.

As you can see in the figure below, the Business sector shows a substantial increase. It has gone from 168 incidents in the prior study to 850. However, in only 13% of these cases where the combination of data puts the subject victim into the worst position possible, are these organizations confirmed to have offered credit monitoring. Now, there are a large number of unknowns in this area as well—in the majority of the cases, the reports simply do not say one way or the other whether this service is offered. This is a metric primarily gleaned from the original data breach notification letters obtained through either FOIA requests or from those government entities that are directly posting the original documents as part of the event report. For instance, in the Business sector, 38 cases are confirmed that the service definitely is not offered. In the remaining 701 records, the credit monitoring status is not provided.

Estimated Cost of Data Breaches/Year

| Year | Records Disclosed | Cost Per Record | Total Breach Cost |
|---|---|---|---|
| 2005 | 68,555,563 | $138.00 | $9,460,667,694.00 |
| 2006 | 80,377,865 | $182.00 | $14,628,771,430.00 |
| 2007 | 164,813,878 | $197.00 | $32,468,333,966.00 |
| 2008 | 182,707,769 | $202.00 | $36,906,969,338.00 |
| 2009 | 261,759,494 | $204.00 | $53,398,936,776.00 |
| 2010 | 48,080,863 | $204.00* | $9,808,496,052.00 |
| Total | 806,295,432 | | $156,672,175,256.00 |

*Cost figure from 2009.

The full The Leaking Vault 2011 report can be found here.
