The busboy did it.
And it must have been pretty embarrassing and costly for the companies he fooled and the
celebrities he impersonated. Abraham Abdallah, a 32-year-old New York City restaurant
employee, has been charged with online
impersonations of Steven Spielberg, Paul Allen, Warren Buffett, Oprah Winfrey, and others
included on the Forbes list of "The Richest People in America." Law enforcement
officials believe Abdallah may have swindled millions of dollars from many of the
wealthiest residents of the United States.
He allegedly obtained personal information about
well-known people by cyber-surfing at the library and then used that information to
transfer funds to newly-created accounts and to place orders online. An elaborate ordering
and delivery scheme made it difficult to trace his numerous transactions, which were
completed with stolen credit card numbers.
Although this is one of the highest profile cases of identity theft, it certainly is not unique.
The U.S. Federal Trade Commission has reported that the number of identity theft
complaints in 2000 tripled over the previous year. And unlike this case, more than half
the victims knew the person who had stolen their identity.
Identity Theft -- A Problem of Major Proportions
Identity theft is a serious problem facing
today's online business owner, because it smacks e-commerce firms with a double whammy:
loss of funds plus the equally damaging public relations nightmare that can result. In
fact, some people think fear of identity theft is a major impediment to the progress of
e-commerce. But in addition to identity theft, both your own and that of your customers,
you must be cautious about unauthorized access to and use of your company's proprietary data.
One report indicates that many e-tailers have
given security a low priority. Research by Datamonitor, which specializes in industry
analysis, indicates that more than half the businesses surveyed spend five percent or less
of their IT budget on security. The reasons are twofold: a lack of knowledge about security
and the inability to quantify security's financial benefits.
This is where risk assessment enters the
picture. Yes, some security solutions can be costly, whether your company handles the
security by itself or hires a managed-security provider. But compare the solution's price
tag to the potential costs of a security violation on your site. As a savvy business owner
you will see the importance of assessing the risks and implementing your solutions
accordingly.
A general online search reveals that most advice and information available about identity
theft is geared toward helping consumers protect their own identities. That's a good
start, but online businesses also must take precautions so that their Web sites are not
used as a source of information about someone's identity.
As an e-tailer, you are wielding a double-edged
sword. You encourage visitors to your Web site, but at the same time, you must limit their
access to confidential information on the site. You must protect consumers, not just
because it's the right thing to do, but because it's the law. You are legally responsible
for the information a site visitor entrusts to you. If you shirk this responsibility, you
could end up with a huge legal liability. Fortunately, you can protect yourself by
building a good security system.
First, the Bad News...
Of course, it's impossible to create a perfect
security system. If someone can design a good system, someone else can design a way to
crack it. Nevertheless, your business can take several steps to make its Web site more
secure.
Start by doing a risk assessment. Don't be
tempted to ignore the security issue and hope it will go away, because it won't. Then,
because security solutions vary in capability and cost, research various security options,
and try to determine the level of risk you are willing to accept. Then, implement the
security system that best minimizes your risk at a price you can afford.
Second, realize that you probably won't be able
to buy one simple security product to protect your Web site. The best solution may well be
a combination of several options, containing any of the following:
- Written security policy.
- Access control.
- Encryption.
- User authentication.
- Firewall.
- Anti-virus software.
- Intrusion detection system.
The strongest system probably will incorporate
all of the above features.
Next, take a look at your hardware. Are your servers secure? It's important to keep them updated
with the most recent security patches and fixes available.
Attacks from Within
Unfortunately, the greatest security risks come
from within the company, not from without. Although outside attacks by hackers garner the
most publicity, many companies have lost proprietary data to employees or other people
with legal access to the Web site.
To minimize the loss from within, establish an
internal security policy and document the procedures for putting this policy into effect.
This could include requiring users to log on with a user ID and password, which can be
used to limit users' access to certain data.
But simply requiring a password is not enough. Some users write down their password and leave
it near the computer, accessible to any passerby. Others choose a personal name or word
that is easily guessed. Establish criteria for secure passwords that include a certain
number of characters, both letters and numerals, and make sure the password cannot be
easily guessed by an unauthorized individual. For example, first and last names,
children's names, and social security numbers are not among the best password choices from
a security standpoint.
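The password criteria above can be enforced in code when a user sets a password. The following is an added example, not part of the original article; the minimum length of 10, the look-alike substitution table, and the sample user record are assumptions chosen for illustration.

```python
import re

# Assumed threshold: the article says only "a certain number of characters".
MIN_LENGTH = 10
# Common look-alike substitutions, undone before comparing against personal data.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def password_problems(password, personal_terms=(), ssn=None, min_length=MIN_LENGTH):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no numerals")

    lowered = password.lower()
    forms = {lowered, lowered.translate(LEET)}
    for term in personal_terms:
        term = term.lower().strip()
        # Very short terms (initials) would cause false positives, so skip them.
        if len(term) >= 3 and any(term in f or term[::-1] in f for f in forms):
            problems.append("contains personal name")
            break

    if ssn:
        # Compare digits only, so dashes or surrounding letters do not hide the number.
        ssn_digits = re.sub(r"\D", "", ssn)
        if ssn_digits and ssn_digits in re.sub(r"\D", "", password):
            problems.append("contains social security number")
    return problems


# Constructed sample user record; none of these values come from the article.
SAMPLE_USER = {"names": ["Michael", "Rivera", "Sofia"], "ssn": "000-12-3456"}


def check(password):
    return password_problems(password, SAMPLE_USER["names"], SAMPLE_USER["ssn"])


if __name__ == "__main__":
    for candidate in ["sofia2001", "M1ch43l-rules99", "x000123456y", "plum-Tractor-48-kite"]:
        print(f"{candidate!r}: {check(candidate) or 'ok'}")
```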
You may also want to encrypt your critical data.
Encryption means that the information is scrambled, so that it makes no sense even if it
is intercepted.
Your security will be even stronger if you combine encryption with authentication so that the
message is in code and the user is authenticated. Authentication is a means of verifying
that the user is the person he or she claims to be. This can be done by requiring users to
log on with a user ID and password, and can also include Public Key Infrastructure (PKI).
Other Tips
- Firewall and anti-virus software can help protect
your system from outside attacks, but they also must be kept current to remain useful.
- If your employees, customers, or business
partners need wireless access to your site, you may want to develop a Virtual Private
Network (VPN).
- Another option is an intrusion detection system
that monitors unauthorized attempts to gain access to material.
Remain Vigilant
Once you have implemented your security plan, don't relax. Monitoring and upgrading your
software, hardware, policies, and procedures should be part of the plan. New threats and
risks arise every day, and your security must be flexible enough to combat them.
Security issues promise to remain a major
concern for e-businesses as well as their customers. But by addressing the issues and
taking the appropriate steps, you can help minimize risks and maintain a barrier against
some of the more unethical inhabitants of cyberspace.