From bob at bobpinheiro.com Mon Feb 4 16:39:29 2008
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Mon, 04 Feb 2008 19:39:29 -0500
Subject: [SIG-IDtheft] REMINDER: Next ID Theft SIG Call Wednesday, February 6
Message-ID: <0JVQ005WPPRJXOX0@vms173003.mailsrvcs.net>

We'll have our next ID Theft SIG call on Wednesday, February 6 at 12 Noon ET.

Two events occurred last week that are of interest to the ID Theft SIG. The ANSI/BBB Identity Theft Prevention and Identity Management Standards Panel (IDSP) released its report, which can be obtained here. Second, the Liberty Identity Assurance SIG met in Washington DC. I was involved in both, and I'll briefly review the highlights.

Wednesday, February 6, 2008
9:00 AM PT / 12 Noon ET / 1700 UTC
US/Canada toll-free number: 866-469-3239
US toll number: 650-429-3300
Attendee Code: 00119954 #
International numbers can be found at wiki.projectliberty.org/index.php/IntlDialInNum

-------------------------
Bob Pinheiro
Robert Pinheiro Consulting LLC
(908) 654-1939
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20080204/e31522bf/attachment.html

From britta at projectliberty.org Tue Feb 5 13:29:05 2008
From: britta at projectliberty.org (Britta Glade)
Date: Tue, 5 Feb 2008 13:29:05 -0800
Subject: [SIG-IDtheft] eCommerce Times Article on Cost of IDTheft
Message-ID:

http://www.ecommercetimes.com/story/61515.html?welcome=1202226836&welcome=1202246775

Of potential interest as I know we regularly talk about tangible and intangible costs of IDTheft....

*The Cost of ID Theft, Part 1: Beyond Dollars and Cents*
By Andrew K. Burger
E-Commerce Times
02/05/08 4:00 AM PT

The ultimate cost to ID theft victims varies across industries, Uriel Maimon, senior researcher for the software firm RSA, told the E-Commerce Times. "In the banking and electronic commerce industries, the end user is usually indemnified, and most of the damage is done to the business. The end users are usually affected by the trauma and paperwork of the experience but can usually recuperate most of their losses."

Private, personally identifying information is everywhere, from portable computers and digital devices, to the Internet and private networks. This data can be obtained so easily -- either through technology or more mundane means -- and its theft is so often glamorized on film, that it is starting to attract a younger generation to criminal ranks.

The scope of ID theft has grown so quickly that it now takes up a substantial -- and growing -- portion of law enforcement resources. Personal ID theft more than tripled in the U.S. in 2007, according to *USA Today*.

Records containing personal data on more than 215 million U.S. residents have been exposed due to security breaches since January 2005, according to the Privacy Rights Clearinghouse. Those for whom a breach turns into something far worse -- actual ID theft -- the financial and emotional burdens can be tremendous.

ID Theft in Dollars and Cents

The average cost of an identity fraud case closed by the U.S. Secret Service was US$31,000 between 2000 and 2006, according to a study by the Center for Identity Management and Information Protection. Among more than 700 cases, dollar losses ranged from zero to $13 million.

The ultimate cost to ID theft victims varies across industries, Uriel Maimon, senior researcher for the software firm RSA, told the E-Commerce Times.

"In the banking and electronic commerce industries, the end user is usually indemnified, and most of the damage is done to the business," said Maimon. "The end users are usually affected by the trauma and paperwork of the experience but can usually recuperate most of their losses."

The economic cost of remediation has been coming down. Thanks to recent changes in legislation and business practices, remediation efforts don't cost much money for people who are victims of a security breach and hence potential victims of ID theft.

Fraud alerts, security freezes and credit reports for such cases are free or cheap and are relatively straightforward to set up, since organizations are required to provide them. For example, free annual credit reports are now obligatory under federal law.

Losses can mount and become serious quickly, however, if a security breach turns into financial fraud or criminal ID theft. Cases of criminal identity theft, where the impostor uses the victim's identity when arrested or cited, are increasingly reported, according to the Identity Theft Resource Center. Criminals are also using victims' Social Security numbers to work, collect welfare or unemployment, and get medical benefits.

Getting Your Money Back

Though the costs of remediation have declined, victims have been recouping less of losses claimed. While there are concrete steps to fixing the causes and effects of ID theft, the process is usually drawn out by a variety of factors. The effort of recovering can have serious long-term consequences.

"Headaches and the frustration of proving you are you and not an identity thief aside, identity theft is costly," maintained John Livingston, CEO of Absolute Software, which has been working with computer manufacturers to install the company's Computrace LoJack security and tracking system on computers before they reach store shelves.

"In 2004, consumers could expect to recover 80 percent of the money they lost due to identity theft. By 2006, that had dropped to 54 percent. Businesses can expect to pay an average of $197 per customer record should they lose a laptop containing the sensitive information of their customers," Livingston told the E-Commerce Times.

A Waste of Time and Energy

Victims in 2004 spent an average of 330 hours, often stretching out over a period of years, recovering from ID theft and crime, compared to 600 hours in 2003, according to ITRC studies.

ITRC attributes the range in 2004's reported hours -- from three hours to 5,840 -- to the severity of the identity theft. A lost credit card typically takes fewer hours to solve than the use of your Social Security number by a would-be evil twin.

In both years, about a third of respondents said that they spent a period of four to six months recovering from ID theft. In 2004, only 11 percent of people said they had been dealing with their ID fraud case for seven months to a year. In 2003, 23 percent had wrestled with a case for nearly a year.

However, in 70 percent of cases studied in 2004, people noted that they continued to find negative ID information on their records after more than a year, up from 66 percent in 2003.

Problems associated with ID theft don't stop when the crooks are caught or remediation efforts end. After-effects include increased insurance and credit card fees, difficulties finding a job, higher interest rates and fighting collection agencies and credit card issuers who refuse to clear their records despite substantiating evidence.

"This 'tail' may continue for more than 10 years after the crime was first discovered," according to the ITRC.

The Aftershocks

Disturbingly, ID theft is often committed by family members and friends. Forty-three percent of victims in the ITRC's 2004 study believed they knew their impostor; 14 percent said that it was an employee of a business that had their information.

"There continues to be a lack of understanding by friends, family and the general public regarding the emotional impact of this crime on the victims, both short term and long term," writes the ITRC's Linda Foley in its ID Theft 2007-2008 review and predictions report.

The emotional impact of ID theft on victims is akin to that felt by victims of more violent crime, according to the ITRC. "Some victims feel dirty, defiled, ashamed and embarrassed, and undeserving of assistance. Others report a split with a significant other or spouse and of being unsupported by family members," according to the study.

More than 40 percent of respondents in both years' samples reported "stressed family life," perhaps due to their displaced anger. Nine percent and 16 percent in the respective surveys responded that their relationships were "on the rocks" or ended as a result of their victimization.

Digital ID Theft

Much attention has been devoted to Internet and computer ID theft, but it turns out that the majority of ID fraud cases are the result of more traditional methods.

"The most frequent type of employment from which personal identifying information or documents were stolen was retail, including stores, car dealerships, gas stations, casinos, restaurants, hotels, hospitals, and doctors' offices," reported the ITRC authors, among which included professors at Utica College's economic crime and investigations programs.

"Identity theft is not an invention of the computer age. Mailbox and dumpster diving still account for a significant amount of the information used to affect identity theft, however computers are an enabling technology," noted Randy Abrams, security software firm ESET's director of technical education.

"While the Internet is not the culprit, it has become a tool that identity thieves have embraced and abuse to find victims and commit fraudulent activities. Scamsters continue to exploit Web sites that promote online auctions and want ads, job hunting, dating and social networking to find victims," the ITRC's Linda Foley writes.

Scams appear in predictable phony form letters for everything from lotteries, jury duty, IRS audits and Nigerian businesses to fake requests for financial account verification, money laundering and check cashing.

The longer the security breach and potential ID theft goes unrecognized, or remediation is postponed, the greater risk you run of serious criminal ID theft. In 2004, 37.5 percent of those surveyed in the ITRC's study reported that they found out about their ID theft within three months, down from 48 percent in 2003. Eighteen percent of respondents in 2004 said that it took them four years or more to discover that their identities had been misused, a 100 percent increase from 2003.

*Next Article in ID Security: Tape With Info on 650,000 J.C. Penney Customers Goes Missing*

--
Britta Glade
Liberty Alliance
925-254-4233
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20080205/99ea8895/attachment.html

From bob at bobpinheiro.com Tue Feb 26 07:13:09 2008
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Tue, 26 Feb 2008 10:13:09 -0500
Subject: [SIG-IDtheft] Next ID Theft SIG Call Wednesday, February 27
Message-ID: <0JWU00L0ZQAFIA63@vms173003.mailsrvcs.net>

One of the potential activities of this SIG is to generate suggestions or recommendations for other Liberty activities that reflect identity theft considerations. A current Liberty activity that might benefit from such suggestions is the ongoing work of the Identity Assurance SIG and Identity Assurance EG to "finalize" the Liberty Identity Assurance Framework (IAF). The IAF represents a major effort of the Liberty Alliance to create an identity assurance standard to foster adoption of identity trust services.
In a nutshell, the Identity Assurance Framework consists of "detailed discussions of Assurance Level criteria, Service and Credential Assessment Criteria, an Accreditation and Certification Model, and the associated business rules." The basic idea is to provide a framework for defining a trust model between Relying Parties and Identity Providers, so that Relying Parties can trust identity assertions from Identity Providers. A series of webcasts on the IAF is underway to provide interested parties with more information on what this is all about.

What is the relationship between identity theft and the Liberty IAF? One scenario might be described as follows:

An individual obtains an identity credential and authentication token from some Identity Provider, after the individual's identity has first been established by the Identity Provider to a sufficient degree of certainty. For instance, an Identity Provider might be a bank, motor vehicle bureau, or other entity.

The individual then approaches some Service Provider and requests an identity-related service. For instance, the Service Provider might be a telecommunications provider offering cell phone service. The individual claims an identity, and it is assumed that the Service Provider will seek to verify the individual's identity claim before granting the service.

The Service Provider then becomes a Relying Party if it now chooses to rely on an identity assertion issued by the very same Identity Provider that issued the credentials and tokens associated with the claimed identity. In other words, based on the identity claim of the person seeking the service, the Relying Party locates the proper Identity Provider and requests the Identity Provider to authenticate the identity claim.
If the Identity Provider can do so, based on some multifactor authentication protocol involving the token bound to the claimed identity, the Identity Provider issues an assertion to the Relying Party, which would effectively serve to authenticate the identity of the person seeking the service. If, on the other hand, the Identity Provider cannot verify the identity claim on the basis of the same authentication protocol, it informs the Relying Party of such, and a case of (potential) identity theft has been prevented.

Let's have a call tomorrow to discuss whether the SIG may want to provide any suggestions or recommendations in support of the Liberty IAF. The above scenario represents one possibility for identity theft prevention that involves interactions between Relying Parties and Identity Providers based on assumptions of trust, and the SIG may want to suggest others. In any case, if there is interest, this topic could serve as the basis for future SIG calls.

If you can't attend the call but have comments on this topic, please post them to the SIG mailing list.

Thanks

-------------------------
Bob Pinheiro
Robert Pinheiro Consulting LLC
(908) 654-1939

Wednesday, February 27, 2008
9:00 AM PT / 12 Noon ET / 1700 UTC
US/Canada toll-free number: 866-469-3239
US toll number: 650-429-3300
Attendee Code: 00119954 #
International numbers can be found at wiki.projectliberty.org/index.php/IntlDialInNum
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20080226/918deb34/attachment-0001.html

From shin at adachi.us Thu Feb 28 09:24:50 2008
From: shin at adachi.us (Shin_ADACHI)
Date: Thu, 28 Feb 2008 09:24:50 -0800
Subject: [SIG-IDtheft] of your possible interest:Measuring Identity Theft at Top Banks (Version 1.0)
In-Reply-To: <0JWU00L0ZQAFIA63@vms173003.mailsrvcs.net>
References: <0JWU00L0ZQAFIA63@vms173003.mailsrvcs.net>
Message-ID: <47C6EE62.3030401@adachi.us>

Of your possible interest, while the content is very US centric.

<>

--
Shin_ADACHI, CISSP, PMP
PGP_Key_ID:0xF9EAD9DF
+1-650-331-0604

From shin at adachi.us Fri Feb 29 18:15:55 2008
From: shin at adachi.us (Shin_ADACHI)
Date: Fri, 29 Feb 2008 18:15:55 -0800
Subject: [SIG-IDtheft] Call for paper for IWSEC 2008
Message-ID: <47C8BC5B.3080400@adachi.us>

Of your possible interest. The due of the paper submission will be on April 18, 2008

<>

--
Shin_ADACHI, CISSP, PMP
PGP_Key_ID:0xF9EAD9DF
+1-650-331-0604
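
The Relying Party / Identity Provider scenario from the February 26 message above, sketched as an added example that is not part of the original thread or of the Liberty IAF. The class and function names, the `cellco.example` audience and the HMAC key shared between the two parties are assumptions made for illustration, and only the token factor of the multifactor step is modelled.

```python
import hashlib
import hmac
import json
import secrets
import time

# All names, keys and message fields below are constructed for illustration.
IDP_RP_KEY = secrets.token_bytes(32)  # assumption: key the IdP and RP agreed on out of band

def token_response(token_secret: bytes, nonce: str) -> str:
    """What the subscriber's token computes over the per-request challenge."""
    return hmac.new(token_secret, nonce.encode(), hashlib.sha256).hexdigest()

class IdentityProvider:
    def __init__(self):
        self.tokens = {}  # identity -> secret of the token bound to it at enrollment

    def enroll(self, identity: str) -> bytes:
        self.tokens[identity] = secrets.token_bytes(32)
        return self.tokens[identity]

    def authenticate(self, identity, nonce, response, audience):
        """Return a signed assertion, or None if the claim cannot be verified."""
        secret = self.tokens.get(identity)
        if secret is None or not hmac.compare_digest(
                token_response(secret, nonce), response):
            return None  # the IdP informs the RP that the claim failed
        body = json.dumps({"sub": identity, "aud": audience, "nonce": nonce,
                           "exp": int(time.time()) + 60}, sort_keys=True)
        sig = hmac.new(IDP_RP_KEY, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}

def relying_party_accepts(assertion, claimed, nonce, audience) -> bool:
    """RP side: grant service only on a valid assertion for this exact request."""
    if assertion is None:
        return False
    expected = hmac.new(IDP_RP_KEY, assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    c = json.loads(assertion["body"])
    return (c["sub"] == claimed and c["aud"] == audience
            and c["nonce"] == nonce and c["exp"] > time.time())

def request_service(idp, claimed, token_secret, audience="cellco.example"):
    nonce = secrets.token_hex(16)  # fresh per request, so an old assertion cannot be replayed
    response = token_response(token_secret, nonce)
    assertion = idp.authenticate(claimed, nonce, response, audience)
    return relying_party_accepts(assertion, claimed, nonce, audience)
```

A caller who claims an enrolled identity without holding the token bound to it gets no assertion, and the Relying Party also rejects an assertion issued for a different audience, nonce or subject.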