Identity Theft Study Fingers Certain Banks
I read with interest a news item based on a study performed by the University of California at Berkeley’s Center for Law and Technology. This study’s findings show which US financial institutions, retail merchants, and utilities have the most complaints concerning identity theft incidents. Bank of America was first, AT&T was second, Sprint/Nextel was third, JPMorgan Chase came in fourth, and Capital One was fifth.
Virtually no research is conducted perfectly, and, not surprisingly, critics were quick to point out several significant limitations of this study. The data were more than two years old, and the primary statistic was perceived identity theft incidents (i.e., cases in which customers complained that they had experienced identity theft), not necessarily confirmed incidents. Still, this research not only provides some empirical data concerning the prevalence of identity theft complaints among various well-known commercial entities, but also constitutes a giant step forward in promoting accountability among these institutions. From a public relations viewpoint, appearing in the “top five” list, as Bank of America, AT&T, and other institutions did, is anything but good. These (as well as other) institutions are now likely to be highly motivated to “clean up their act” with respect to reducing the number of complaints about identity theft.
What can these institutions do? The answer is that they need to adopt the “usual” measures (e.g., strong authentication, data encryption, strong access control measures, and more) designed to reduce data security breach incidents as well as improve their notification procedures should a data security breach occur. No security control measure is perfect, however, and despite the best intentions and the use of strong security controls, data security breaches are still likely to occur (even though they may be less likely). This is where rapid detection of data security breaches comes in. Audit logs can provide the data needed to detect such breaches, as can intrusion detection data, but many if not most attacks designed to gain unauthorized access to personal and financial information are “beneath the radar” attacks designed to escape the notice of system administrators combing through audit logs and intrusion detection analysts inspecting the output of intrusion detection and intrusion prevention systems. An excellent technology solution exists—Security Information and Event Monitoring (SIEM) tools. These tools collect information from a large variety of sources—individual systems, firewalls, routers, switches, intrusion detection and intrusion prevention systems, Web servers, and more—and then apply event correlation algorithms to determine whether or not a security breach has occurred. Because these tools can “see” far more than one system (especially a compromised system) can “see,” they can and do detect subtle indications of attacks and alert operators in near-real time. It would thus be fascinating to find out whether the most complained-about institutions use SIEM technology, and if they do, whether they use products that yield nearly perfect correct detection rates and extremely low false alarm rates. I’m not a betting person, but if I were, I would bet that none of these institutions do.
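The cross-source correlation described above can be illustrated with a short Python example, added here and not taken from the study or from any SIEM product. The event schema, the source names, the 10-minute window and the three-source threshold are all assumptions made for the illustration; the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized events: (time, reporting source, entity, signal).
# Each one is low severity and would not raise an alert on its own device.
EVENTS = [
    ("2024-01-01T02:00:10", "firewall", "10.0.0.7", "outbound to rare port"),
    ("2024-01-01T02:01:30", "ids", "10.0.0.9", "single port probe"),
    ("2024-01-01T02:03:05", "auth", "10.0.0.7", "one failed admin login"),
    ("2024-01-01T02:06:40", "web", "10.0.0.7", "export of customer records"),
    ("2024-01-01T09:15:00", "auth", "10.0.0.9", "one failed admin login"),
    ("2024-01-01T14:30:00", "web", "10.0.0.9", "export of customer records"),
]

def correlate(events, window_minutes=10, min_sources=3):
    """Alert on any entity reported by at least min_sources distinct
    sources inside one sliding time window (hypothetical rule)."""
    window = timedelta(minutes=window_minutes)
    by_entity = defaultdict(list)
    for ts, source, entity, signal in events:
        by_entity[entity].append((datetime.fromisoformat(ts), source, signal))

    alerts = []
    for entity, items in by_entity.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the left edge forward until the span fits the window.
            while items[end][0] - items[start][0] > window:
                start += 1
            sources = {src for _, src, _ in items[start:end + 1]}
            if len(sources) >= min_sources:
                alerts.append({
                    "entity": entity,
                    "first_seen": items[start][0].isoformat(),
                    "last_seen": items[end][0].isoformat(),
                    "sources": sorted(sources),
                })
                break  # one alert per entity is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The second host produces the same three kinds of signal spread over twelve hours and is not flagged, which shows how the window size trades detection of slow activity against false alarms.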
The University of California at Berkeley deserves much credit for pioneering research that is likely to be of great benefit to consumers in the long run. Let’s hope that this is only the first of a long line of studies of this nature.