Through twitter, we connected with the good people at Broadband for America to bring you this article about three common online identity theft myths.

Thanks to identity theft awareness programs, many people are now exercising increased caution when online. Most folks understand the danger in revealing too much personal information on the Internet, or falling for phishing scams. However, there are still some persistent myths that may be keeping you from protecting yourself and your identity. Here we will look at just three of these myths, and the facts that lay behind them.

Myth 1: I know what those scams look like, bad spelling and terrible English- who falls for those things anyway?

Fact: Indeed, many people are familiar with the obvious signs of a scam. So many people are wise to these frauds that scammers have begun to outsource their products and develop corporate-like organizations to work…(continue reading)

I noticed today that the email address we have set up to take inquires and message regarding our twitter account has been hit with a few spam emails that clearly phishing emails. I thought I would share them here for your amusement and enjoyment. Please do NOT click on any links or visit these websites as they main contain harmful content. If you receive emails such as these do not click on any links or download, preview or click on any attachments. Mark them as junk or spam in your mail and delete. If you wish, you may report them to the FBI’s Internet Crime Complaint Center at ic3.gov

***

From: HSBC Support Holding plc [helpdesk@hsbc.co.uk]

Subject: YOUR ONLINE ACCOUNT HAS BEEN DEACTIVATED

Dear customer:

After the week verification of your online activity we have determined to suspend your online account.

Your online account has been deactivated (reason: suspicious activity on this account).

Even if your online services has been disabled, the data may still be available for up to 10 days, after which it will be deleted.

If you feel this deactivation is in error, please fill the active contact customer form as soon as possible at the next link: http://www.hsbc.co.uk.hsbc-deactivated.com/1/2/

Thank you,

HSBC Support Holding plc

http://www.hsbc.co.uk

helpdesk@hsbc.co.uk

Toll-Free: 08457 400 004

***

From: HM Revenue & Customs [help.desk@hmrc.notify-online.co.uk]

Subject: HM Revenue & Customs [help.desk@hmrc.notify-online.co.uk]

NOTE: There is an attachment called “attached_form.pdf.html” 24KB

TAX RETURN FOR THE YEAR 2009

RECALCULATION OF YOUR TAX REFUND

HMRC 2008-2009

LOCAL OFFICE No. 3819

TAX CREDIT OFFICER: David Craig

TAX REFUND ID NUMBER: 381716209

REFUND AMOUNT: 327.54 GBP

Dear Applicant,

I am sending this email to announce: After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 327.54 GBP

You have attached the tax return form with the TAX REFUND NUMBER ID: 381716209, complete the tax return form attached to this message.

After completing the form, please submit the form by clicking the SUBMIT button on form and allow us 5-9 business days in order to process it.

Our head office address can be found on our web site at http://www.hmrc.co.uk/

Sincerely,

David Craig

HMRC Tax Credit Office

Preston

PR1 0SB

http://www.hmrc.co.uk/

ID Experts on KATU News:

A few news stories have been circulating about the looming identity theft threat to couples who have decided to tie the knot. Thieves prey on our deepest and strongest emotions, and two people madly in love and about to take the plunge are certainly full of emotions and stress. Stress makes us more apt to decide quickly, without thinking the situation through. The sense of relief we feel may encourage us to accept an offer that seems “too good to be true” when we might otherwise hesitate. Our families and friends may also be targeted, for much the same reasons. Think like a thief- on average weddings cost over $20,000 and guest gifts range between $50-150 each. That places a rather large bulls-eye on anyone involved. Here is just a small list of the kinds of scams that are lurking out there:

• Fake vendors- these are identity thieves or card frauders. They are online, at bridal shows, and call individuals out of the blue. You may be even approaching them for a genuine service advertised in the classifieds or a bridal magazine, or it may be a “sweepstakes”. As part of the “contract” or “application” you answer personal questions in great detail or provide a credit card number that is later used to defraud you.

• Fraud vendors- this category is not technically identity theft, but still leaves you stung. Often you are promised a “free” sample and hand over your credit card for shipping and handling, and then find yourself with outrageous charges. Vendors take a deposit for renting you an item as pictured on their site, and when the big day comes, nothing arrives or what arrives bears little resemblance to the model. Sweepstakes and Giveaways should be especially scrutinized if you get a call and you “won” – there may be strings attached.

• Crooks- these people take advantage of the fact you share so much about your event. They may rob your house while you’re exchanging rings, or wait until you’re away on honeymoon. While everyone at the reception is distracted, they snatch purses or sneak into hotel rooms. Honeymooners are easily targeted by pickpockets, camera snatchers, and hustlers.

• Disappearing act- this can be anything from a deposit you paid disappearing from the books to a company suddenly going bankrupt. Bankruptcies are up 47% from last year, so this is a big concern. While insurance can help protect you, it is important to purchase coverage carefully.

• Malware – There are tons of “free” applications out there to help out couples. Cost calculators, dress design software, websites, countdown clocks, reminders, calendars, the list goes on… Then there are the flash animations and videos of weddings, decorations, crafts, flowers and more. However, some of these may contain harmful code that could harvest your information and place you at risk for identity theft and fraud.

• Robocalls and junk mail – While shopping around online or in person, you’re often asked to leave your contact information. This can result in an increase in junk mail offers and robocalls. Some of these are likely phishing attempts, and are cleverly disguised. Another risk with increased junk mail is the possibility of mail theft going unnoticed for a longer period of time. Pre-approved credit card offers may inflate your mailbox, also increasing your risk of fraud.

• “In distress” scam- this is commonly used while a couple is on honeymoon, but can strike at any time. Fraudsters may call, email, or take over your email or social networking accounts to contact your friends and family claiming to need emergency money. Excuses range from medical emergencies, to being kidnapped. Often they have “been robbed” and need the money to get home. The rest is ALWAYS to wire money or send Western Union.

• YOU – of all the threats, YOU might be your own worst enemy. Many couples have wedding announcements; send emails, e-vites, wedding websites, social networking pages, online gift registries with their personal information, personal details, family details, and wedding, reception and honeymoon specifics available to the public at large. Brides and grooms alike tend to become excited and may share greater detail about themselves, their partners and the event with coworkers and friends… and florists, photographers, DJs (or anyone else who will listen).

With a few minor changes and some awareness, you can still have all the bells and whistles to your big day while keeping your friends, family and your identity safe.

• Assume the numbers and addresses you are using to contact vendors, get quotes, order catalogs are going to be stolen, traded and sold over and over. Set up a PO Box and a separate number to use for your contact information.

• Contact the Better Business Bureau in your area about any vendor, sweepstakes, or service you are going to fork over a large amount of money to, or that you are unfamiliar with. Do this before you provide them any personal or contact information.

• Always assume that calls you receive are compromised and never reveal any personal information. You may trust calls you initiate to a trusted business more, but still exercise caution.

• Read ALL fine print carefully. TWICE.

• Keep all receipts; require everything in writing and document, document, document. Go over all your credit card and bank statements monthly and notify your financial institution right away if you notice any unusual activity.

• Quarantine. Don’t use the same passwords or email account for your social networking sites, registry, and wedding webpage. You should never attach your “trusted” email account you have been using to communicate with your friends and family to another site. A compromise of a social networking site can easily lead to an email compromise, and makes it easier for fraudsters to contact your entire address book for money. If your quarantined email is hacked and messages sent to all your friends, they should be more cautious since it is a different email than they are used to communicating with you. This will buy you enough time that you can then use your “trusted” email account to notify them all of the fraud (or better yet- call them!).

• Never send money Western Union- this is one of the few ways you can send money and never get it back. Provide contact information to their nearest consulate if you are met with this scam online.

• Limit access to personal information- If you are going to list the details of your big day and honeymoon, look for websites that allow you to create a wedding website for friends only, or that is password protected so you can control who has access.

• Be careful of accidentally revealing personal information like your mother’s maiden name (which may be derived from guest lists or online friend list on social networking sites) and your date or place of birth. Also, you will be asked a lot of questions so people can “get to know you” before your big day- make sure none of these questions and answers correspond to the security questions of any account you have. Go through each online account and determine what questions are asked if you click “I forgot my password”. You may wish to change those answers.

• Find gift registries that allow you to control privacy, and insist on revealing as little about yourself as possible. Gift registries often offer a disturbing amount of detail about you, and often are generally open to the public.

Check your credit reports regularly with www.annualcreditreport.com or by calling 1-877-322-8228.  If you do experiance fraud or a scam, report it to your Better Business Bureau and the FTC and place fraud alerts with the major credit bureaus.

ORAL TESTIMONY

OF

CATHERINE A. ALLEN

CHAIRMAN AND CEO, THE SANTA FE GROUP

BEFORE THE

UNITED STATES CONGRESS

committee on oversight and government reform

Subcommittee on information policy,
census and national archives

us house of representatives

HEARING ON

IDENTITY THEFT: A VICTIMS BILL OF RIGHTS

JUNE 17, 2009

Oral Testimony of Catherine A. Allen

Chairman and CEO, The Santa Fe Group

June 17, 2009

Introduction

Chairman Clay, Ranking Member McHenry, and members of the Subcommittee, thank you for your leadership in highlighting the issue of victims of identity crime and the often long and lonely road they walk toward restoration.

I have spent most of my career in the financial services industry, most recently as founding CEO of BITS a CEO-driven nonprofit financial services industry consortium and think tank, focused on fraud prevention, cybersecurity, and payments. I grew up in a small Missouri town where my family was in banking.

Today I am involved in efforts to examine the way the financial services industry is regulated and the impact of policy on consumers. In this area of identity theft, I believe we are just at the tip of the iceberg because of growing cybersecurity threats. We think a Victims’ Bill of Rights is necessary because the victims’ voice is seldom heard.

This testimony reflects the work of The Santa Fe Group Vendor Council, which was formed in 2006 to bring together thought leaders at service provider organizations to respond to the needs of industry and its customers. The Vendor Council promotes the development of secure, best-in-class technology solutions, standards, and business processes, as well as industry best practices related to fraud, payments, cybersecurity, data protection, and identity crime.

Last fall, the Vendor Council formed an Identity Management Working Group to develop an inventory of best practices for assisting victims of identity crime and suggesting improvements in law and corporate practice to make it easier for victims to dispute false records and reclaim their identity. From this work we have developed a framework that we refer to as an Identity Theft Bill of Rights. While my written testimony contains additional, helpful background material, I will focus my oral remarks on this framework.

An Identity Crime Victims Bill of Rights

Identity crime victims deserve the same rights as other crime victims. Identity crimes can have physical, emotional, and financial impacts comparable to other crimes. While much is being done in the private and public sectors to help victims, we still lack adequate provisions for restoration, reparation, or even prosecution. Today, most identity crimes will be treated as misdemeanors or very low-level felonies, and the majority of prosecutions will be civil as opposed to criminal actions for both individuals and organized crime thefts. We need better coordination, awareness of the victim experience, and concrete steps for correcting identity records.

For the benefit of individuals, business, and society, I propose the following rights for identity crime victims:

· The right to assessment

· The right to restoration

· The right to freedom from harassment

· The right to potential prosecution of the offender(s)

· The right to restitution

Right to Assessment

Consumers who suspect they have become a victim of identity crime should have the right to assess the nature and extent of damage to their identity. FACTA already grants many of these rights, but consumers face procedural Catch-22s. Businesses and government agencies should be required to provide notice to consumers when they suffer a data breach involving loss of sensitive personal information. The present patchwork of state laws and government policy needs to be replaced with a uniform federal statute spelling out notification requirements. Clear guidelines would help businesses contain costs and limit legal liability through compliance and enhance consumer protection.

Right to Restoration

Ideally, victims should be able to restore their identities to their pre-theft state. However this is not always possible because of the complexity of the crime, especially in cases of financial identity theft. Whether or not they can fully recover, it is imperative that victims be able to establish correct records. Relevant privacy laws need to be reviewed and amended, giving victims the power to access and correct their own record in cases of identity crime.

Right to Freedom from Harassment

Identity crime victims should be protected from harassment by collection agencies and others during and after the identity restoration process. Harassment often continues unabated because business and law enforcement have no way to distinguish victims from debtors and thieves. To combat this some states are issuing identity theft “passports” to verify that the carrier has been a victim of identity theft and help the person prove his or her identity. How effective these documents are remains to be seen, but a system that actually verifies victims is needed

Right to Potential Prosecution of Offenders

One of the great frustrations to identity crime victims is the lack of business and law enforcement resources to prosecute identity thieves. Of course, law enforcement needs to balance priorities and budgets, and business must weigh the costs and benefits of prosecution. However, these organizations need to also take the long view on the impact of identity crimes:

· First, identity crime continues precisely because it pays. Second, the FBI and Secret Service have found that where there is one victim, there are more. So instead of writing off the costs of an individual case, organizations should consider that for every instance of identity crime, there may be many others as yet undiscovered or yet to be committed by the same crime ring or individual.

· Third, not all the costs of identity crime are immediately visible or measurable.

Right to Restitution

Identity crime victims can spend hundreds of dollars and dozens of hours, and can experience untold misery during the process of restoration. They deserve restitution, the same as victims of other crimes, yet a study by the Center for Identity Management and Information Protection shows that defendants were ordered to pay restitution in only about a third of the cases studied. Restitution will help make victims whole, sends a message that identity crime is real crime, and helps ensure that when perpetrators are caught, identity crime does not pay.

Recommendations for Protecting Victims’ Rights

In summary, my testimony today advocates for the following legislative actions to help victims:

· Enact a uniform scheme across industry and government to assist identity theft victims that includes the Identity Theft Victims’ Bill of Rights

· Create a national standard of identification — one that cannot be forged by identity thieves — that victims can use to distinguish themselves from thieves and identify themselves to businesses, law enforcement and others.

· Expand the definition of “compensable crime” under federal and state law to include identity crime.

Additionally, there are some steps that could be taken right now to strengthen victims’ rights and help stem the tide of identity theft:

1. Invest in independent research on the effects of identity crime. To make fully informed decisions, we need a thorough understanding of the costs of identity crime. There are too many unanswered questions about what’s happening in policy, industry, and law enforcement. Public funding should be made available. We need to get beyond the anecdotes to understand the connection between data breaches and identity theft.

2. Create standard dispute procedures in industry and law enforcement. Upon resolution, victims would receive standardized, verifiable letters proving that issues had been resolved.

3. Empower the FTC to oversee victims’ rights. The FTC should be charged with oversight of proposed policies for cohesion across national laws for effectiveness, and to anticipate and prevent unexpected consequences. This should include ensuring that law enforcement is investigating identity crime cases consistently and effectively.

4. Include identity theft victims’ rights in any dialogue about a Consumer Financial Protection Agency. If a proposed agency focused on financial products and services emerges, financial identity theft policies and education might be considered under its jurisdiction and should be included in the dialogue.

Conclusion

Thank you for this opportunity to present on the plight of victims and the Victims Bill of Rights, and thank you, again, for your leadership. I would be happy to answer any questions.

Identity theft can be difficult to correct as an adult. Anyone who has gone through the process on their own will explain the frustrating experience of trying to prove who you are to credit bureaus and merchants who are verifying against a credit report, which contains mostly incorrect fraudulent information. Victims are often asked to verify addresses they never lived at, phone number they never had or accounts they never opened.

As frustrating as this experience can be, it is nothing compared to a victim turning 18 and finding out that their entire credit file is fraudulent. Proving your identity when all records available to the credit bureaus and merchants are full of fraudulent information can be the most difficult process that an identity theft victim can go through. Most people are unaware that credit issuers may not have any method available to verify the age of an applicant, and that credit bureaus record the “official” age of an applicant with the first credit application. If the application indicates that your 3 your old son is actually 24, the record remains at age 24 until it is disputed and proven otherwise. This can also be difficult since it is common to take the information of a minor to get a driver’s license. As a result of this kind of identity theft, victims are sometimes turned down for college loans, denied welfare or other benefits, denied a driver’s license and occasionally arrested because of the fraud.

As a parent, you can help your children avoid this grim future. Your child may or may not have a legitimate credit history. Some banks and credit card companies allow parents to add children to the accounts as an authorized user, which could create credit history. Please be aware that receiving a pre-approved credit card offer in the mail for your child can be alarming, but does not necessarily mean that they have a credit history or that there is identity theft occurring. You can opt out of these offers for yourself or your children by calling 888-5OPTOUT or going to www.optoutprescreen.com

Experts recommend that if you inquire about your child’s credit history, that you do so no more than once a year. For security and privacy reasons, only parents or guardians may request a credit report on behalf of a child under the age of 13. For this reason, you may be requested to fax or mail documents providing that you are the parent or legal guardian before they will send the credit file. Be aware that it is also possible that an inquiry into a child’s credit history could be answered with a letter indicating a file cannot be found. TransUnion recommends that parents do not just request a copy of the credit report just to check and see. To that end, TransUnion has set up a special email address for parents and guardians to use to obtain a “yes/no” answer regarding if a file exists: childidtheft@transunion.com. They suggest that if the answer is “yes”, to weigh the risks and probability that there is use of your child’s identity and decide to order a copy report based on your assessment.You can find a sample form letter to request these reports here and a list of required documents by credit bureau here.

The Identity Theft Resource Center provides the following tips for parents to help prevent the identity theft of minor children:

• Parents: Parents are often asked to show a copy of a birth certificate and/or Social Security card in order for their children to participate in after school sports. Coaches often ask for photocopies of these papers. ITRC does not believe that this is a good security measure and that safer information handling practices should become policy. We recommend the following:
• Ask if the coach has had a criminal and financial background check done by an independent or hiring source. If not, will one be done? This should be an automatic practice due to the amount of child molestation and child information theft.
• Show the papers to the coach and then put them in a sealed envelope. Write your name across the sealed flap in colored ink so that you can tell if it has been opened.
• Initial the back of each page in colored ink that you place in the envelope. At the end of the season you will know if you got the original back.
• Ask where the papers will be stored during the season. Parents need to make sure that the envelopes will be stored in a locked box and returned unopened after the season has ended, unless you have been notified that there is a need to show them to other people.
• Shred all papers that you throw out that contain account or Social Security Number.
• Do not carry your or your child’s Social Security Number in your wallet, including Social Security cards. If necessary (i.e. health insurance cards) make a photocopy of the card, cut off the last 4 numbers of the Social Security Number and carry that photocopy with you on a daily basis. Only carry original cards on days you know you will need them. Then if your wallet is lost or stolen, this information will not be stolen.
• Students- when possible, ask your college not to use your Social Security Number as your college ID number. If they insist on doing so, only carry your original card on the days you need it. Ask to not include the number on rosters that others may see and insist that it not be posted in public display areas.
• Lock your information away. Roommates may seem friendly and end up as good friends, but too many victims have found out that an unscrupulous roommate or friend has stolen their information.
• Watch your backpacks, briefcases, or anything you carry your wallets or important papers at all times (this includes in class, at lunch and in the library).
• Use a locked mailbox to send and receive all mail. Do not leave mail unattended for pickup in an “out” box.
• Resist giving out your driver’s license number or Social Security Number (or child’s Social Security Number) unless they have a good reason for needing it. A doctor’s office is a great place for a child profiler to collect information. Make sure that the physician is aware of that and that his or her staff is taking proper precautions with your child’s information. Watch for people who may try to eavesdrop and overhear the information you give out orally.
• Scams- Teach children not to give out personal information over the phone and do not give out any of your or your child’s information on the Internet unless you are absolutely sure that you are dealing with a legitimate company. When in doubt, don’t. You can check out companies with the Better Business Bureau, the FBI or your State Attorney General if you have any concerns. Think first- don’t give out information and then later regret it.

Scammers and identity thieves often take advantage of fears, hopes and dreams. This is what makes some of their crimes so emotionally devastating to victims. Often the fraud or scam they are running appears to be the only hope in the victim’s life, until the true intentions are revealed.

Current events are always a draw for scam artists, and exploiting consumers by playing on their most vulnerable emotions remains the most lucrative sources of income. Before you hand over information or money, stop and think about how emotional you are at that moment. If your emotions are running high, maybe it is time to cool it. Ask if you can come back tomorrow, or call them back at another time. If they insist that it must be done right away, or otherwise hurry you- it is probably a good sign that this is a scam. Scammers don’t want you to take the time to check with the Better Business Bureau or your local police- they want your money now, and they will tell you whatever you need to hear to believe that “time is running out” or it is a “limited offer”.

Particularly during this tough economic state, people are turning to others for help and are often taken in by crooks. When you combine this fear with a confusion about where to access legitimate resources, you are asking for trouble. Many Attorney General’s offices, privacy bloggers, and security professionals have made an effort to bring exposure to the real assistance available to those who are experiencing woes during this recession. Thanks to their efforts, I have compiled a Guide to Identity Theft and the Recession which can be found here.

Do you know of additional resources or scams I did not mention? Please comment below, or follow us on Twitter @idexperts

In the first part of Model Employee = Insider Threat? I touched on different red flags that “model” employees exhibit, that may actually indicate an insider threat. Focusing on the new survey by CareerBuilder that indicated the number of employees who are not taking vacation time this year is increasing, I tried to highlight the security problems associated with that trend.

In this installment, I would like to focus on the study that indicates 60 percent of employees who quit a job or are asked to leave steal company data, and talk a little more about high risk “model” behavior, and what companies can do to protect themselves. This risky behavior is just as likely to be exhibited just prior to a departure as during normal daily business.

One of the most common phrases a incident response team will hear in regards to a data breach is, “He was a star performer, so he was above suspicion and became irate when questioned.” Star performers should never be above suspicion, and anger or quick temper can indicate deeper stress and strain which should be examined as a potential red flag. Here are some additional indicators of employee stress or strain that may lead to an insider compromise:

• Long hours and lack of vacation could indicate financial troubles. Change in lifestyle such as car and clothes may indicate these difficulties. This may be evidence of a gambling or debt problem, or a reflection of the funds they are stealing.
• Suddenly working from home, working strange hours, or working remotely. These can all be indicators that an employee is trying to shield their activities from coworkers and managers, or that they are under some sort of strain. An example: an employee set up a VPN for legitimate employees which the IT department was unaware of until it was used during an exploit three months after the employee was terminated.
• Volunteering for work. I talked about this briefly in the first part of this discussion, but there is further considerations. Volunteering to finish other employee’s projects or work can lead to username, password and access sharing- violating least privileged, separation of duties and account controls in such a manner that IT would most likely not be alerted. Additionally, budget cuts may mean chronic under-staffing, which can add undue stress and corner-cutting in this area.
• Cultural differences can make it difficult to recognize behavior indicators. More and more IT functions are outsourced, and our workforce in America becomes increasingly culturally diverse. Differences in behavior patterns, concepts of ownership and compensation may all create unique problems in identifying and addressing insider threat.

It is important to realize that insider threats are not just a people problem, but a technical problem as well. There are certain controls and best practices that you can follow to help identify and address threats and minimize your organizations risk.

• Exercise extra caution with system administrators, technical or privileges users. The actions by these users must be examined using a checks and balances procedure and separations of duties policies.
• Use append only controls to track changes
• Establish baseline system configurations
• Enforce account management policies and review systems periodically to confirm appropriate configurations
• Update and review roles, accounts and permissions regularly and when roles or positions change
• Periodic security awareness training for the whole staff
• Log, monitor and audit employee online accounts
• Investigate repeated attempts to access blocked applications, websites or privileges
• Back up data regularly
• Develop an insider incident response plan

Again, this is both a people and a technical problem. Many companies are introducing new policies or benefits to help relieve the stress and strain during this difficult economic time. Offering employee assistance benefits that include debt relief counselors, flexible payday borrowing, carpool and mass transit benefits, addiction support group access and legal aid are all methods that have become popular among large companies. Even acknowledging stress in a meeting and restating an open door policy may be enough to encourage a distressed employee to ask for help, instead of helping themselves to your company’s profits.

Learn more about insider threats from U.S. Security Awareness.

Today, I read a survey by CareerBuilder detailing the new statistics regarding employees and vacation time. A quick run down:

• 35% of workers are not taking a vacation this year
• 71% of those say they can’t afford it
• One in five workers said they are either afraid of losing their jobs if they go on vacation or feel guilty being away from the office
• Half (50%) of employers say they expect employees to check in with the office while they are away

Several blogs and articles have discussed the increasing reluctance of employees to take vacation time, even if it is mandatory. While reading these articles, I can’t help but notice a lack of discussion about the security implications of this.

Internal investigators will tell you that a employee refusing to take vacation time, or refusing to take a large amount of time at once can be a red flag. Why? An employee committing embezzlement, fraud, stealing data or otherwise manipulating books or records needs to have continuous control over those systems to maintain the theft and avoid being caught.

In fact, many aspects of what we consider to be “model” employee behavior can actually be a red flag:

• Volunteers often for new projects and duties; particularly in security, finance, or record keeping duties. Often these duties, like processing receipts for reimbursement, are the least desirable duties. After a few volunteer projects, a manager might find that least privilege and separation of duties policies may be being circumvented.
• Early in, late out. First in and last out employees have access to files, computers and offices with little or no security or monitoring measures. The employee offering to make coffee in the morning maybe up to something more than making sure the office is perky.
• Constantly remaining in touch while on vacation, doing work while on vacation, and working overtime before and after vacation. These may all be attempts at communicating with someone in collusion with the fraud, or at maintaining control over the work product. If your employee insists that he or she completes all work before going on vacation instead of handing over the materials to another employee, this could be cause for concern.

You can see that many people would exhibit this behavior normally during a time of economic crisis when they are particularly concerned about job security. This is why it is important to have a good vacation policy, regular internal audits and reviews, and strict separation of duties and least privilege policies. Managers and executives can set a good example by taking their vacation time in large chunks, and remaining truly on vacation. Encourage employee work-life balance and well being, and insist that they really “leave the office behind” while on holiday. Not only will you have happier and more productive workers, but you can avoid a simple security pitfall in the process.

I would like to say a special thanks to Mark Warner, who spoke on these issues at the Oregon Chapter of the Association of Certified Fraud Examiners lunch meeting in Portland, OR March 2009.

Today, in a report by Wired Magazine, it was revealed that Savvis Inc- the company which performed audits for CardSystems during 2004 when they experienced one of the largest credit card data breaches for it’s time- is being “pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices.”

Savvis is accused of certifying that payment systems were compliant with security standards, when they were not. Due to the recent rash of breaches by companies that were supposedly compliant with payment industry security standards, PCI Council said last year that it was tightening its oversight of auditors.

These auditors are in charge of ensuring that a company’s methods of processing payments and transmitting information are up to industry standards. However- Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, were certified compliant before they were breached. I see many problems associated with this audit system as it stands today, highlighted in part by the article:

• Listing standards to become complaint is poor security practice. Good information security comes from adapting, expecting and meeting new threats. By the time new standards are drafted and approved as part of compliance, the threats may have already done damage.
• 3 people on full time staff are in charge of the auditor certification program. How much are these auditors scrutinized?
• Difficulty understanding complex standards creates difficulties for organizations desiring to install or update components to their systems
• 80 percent of the audits in the payment industry are conducted by a dozen major vendors. As the article pointed out, “the rules and requirements for auditors reveal a number of potential conflicts of interest (.pdf) that could arise between an auditor and the entity it’s assessing. For example, many security auditors also make security products. The rules state that a security company will not use its status as auditor to market its products to companies it audits, but if the auditor should happen to find that the client would benefit from its product, it must also tell the client about competing products.”
• A recent study reveals that 20% of IT security managers and technical staff from enterprises and government departments admit to cheating on security audits or knowing of a colleague that did. An even larger percentage “cut corners” resulting in potential holes in audits or security compromises
• Problems are getting worse as companies slash budgets. Staffing issues, substandard or used equipment which may or may not be infected with viruses, and time constraints are all symptomatic of the economic pressure on this industry

It is important to realize that standards and procedures are wonderful tools, necessary to implement any security process or program. However, a chain is only as strong as the weakest link. In this case, the links are made of people, and it only takes one lie or misrepresentation to create millions of dollars in loss.