CTO Corner is BITS’s monthly publication covering emerging trends and technologies in the financial services industry.
CTO Corner: What Can We Do to Better Protect Sensitive Personal Information?
Dan Schutzer, Senior Technology Consultant, BITS
Highlights – 2015 was a banner year for data breaches, culminating in December 2015 when 191 million registered voters’ sensitive personal information (names, home addresses, voter IDs, phone numbers, dates of birth, political affiliations, and voting history) was revealed. With the accumulation of this large database of sensitive personal information, it is likely that 2016 will be considered the “year of the exploit” as we see a shift to higher-impact, identity-impersonation cybercrime taking advantage of the sensitive data accumulated in 2015 (evidence of this is already occurring1).
Opportunity – For years financial institutions have been taking actions to prevent identity fraud. These efforts have helped, but the threat is growing and rapidly evolving. By adding increased focus on the identity theft threat, our industry will continue to be seen as a trustworthy, safe, and secure environment to do business with while improving our ability to fight fraud, becoming even more customer-centric, and building the rails to better accommodate clients at all ends of the financial spectrum.
Opportunity – Now is the time for financial institutions to emphasize and expand efforts at coordinated, industry-wide identity theft early warning and prevention systems that modify and raise the bar on how a customer’s identity is verified. In coordination with the Government, we can improve capabilities to avoid identity theft and provide assistance to victims of identity theft.
2015 was a banner year for cyber-criminals who, using an evolving arsenal of cyber-attack techniques, successfully breached networks to gain unauthorized access to countless corporate and government databases, including (in ascending order):2
- Over 334,000 date of birth, Social Security information, and street address records from a federal tax agency;
- Over 2.3 million email addresses, passwords, and private messages from a crowdfunding site,
- 3.9 million members’ ages, email addresses, IP addresses, usernames, ZIP codes, and sexual preferences from an adult dating site,
- 4.4 million emails, password reminders, and other important details from a popular password manager,
- 4.8 million parents’ and 6.3 million minors’ names, email addresses, passwords, street addresses, birth dates, genders, chat messages, and headshots from a popular tech toy company,
- 15 million mobile phone service applicant names, addresses, dates of birth, identification numbers (driver’s license or passport number), and Social Security numbers held by a credit reporting agency,
- 25.7 million records from a federal agency’s security clearance background check database, which potentially included Social Security numbers and fingerprint images,
- 32 million customers’ names, street and email addresses, encrypted passwords, phone numbers, and payment transactions from an infamous cheating web site;
- 115.7 million customer records from multiple major health insurers and healthcare processors.
In December 2015, 191 million registered voters’ names, home addresses, voter IDs, phone numbers and dates of birth, as well as political affiliations and detailed voting history, were discovered in an unsecured, publicly available database on the Internet.3 At this point, we have to assume almost everyone’s sensitive personal information is out there. This CTO Corner discusses how this came about, what’s next and what we can do about it.
How did this come about?
Many of the early popular fraud targets, such as debit and credit cards, have grown less lucrative and riskier. The price paid for compromised card information has dropped as the number for sale has grown. Other reasons include:
- The window of card information usefulness has shortened because credit card companies and merchants act faster to block and replace stolen card information,
- More aggressive pursuit and prosecution of criminals,
- Introduction of more secure technology (e.g. EMV4 at POS, 3DSecure and other variants for CNP).
During 2015, cyber criminals amassed sensitive personal data used for identity verification and authentication, including greater focus on the capture of account passwords and other identity credentials, especially privileged accounts. Cyber criminals also began to look for other places to commit fraud. This includes ransomware (holding sensitive company and personal data for ransom) and various forms of identity theft (impersonating another individual and applying for credit, loans, health benefits, or even opening accounts under the stolen identity). 2015 saw a 113% increase in incidence of new account fraud, which now accounts for 20% of all fraud losses.5
2016 – “Year of the Exploit”
With the accumulation of this large database of sensitive personal information, it is likely that 2016 will be considered the “year of the exploit,” as we see a shift to higher-impact cybercrime taking advantage of the sensitive data accumulated in 2015.6 The sheer breadth of available data for sale is simply remarkable. We will see the stolen Personally Identifiable Information (PII) and Intellectual Property (IP) of organizations used to commit fraud, replicate identities, and compromise consumers and commercial organizations, not just by stealing data but even by affecting the functionality of systems: destroying or encrypting stolen data so a company can no longer access it.
Recent examples include medical IDs used to purchase narcotics and pharmaceuticals with a high street value, and the use of identities of deceased doctors to bill insurance companies for fake procedures against the identities of legitimate patients. Whereas changing a credit card account is as easy as calling your bank or filling out an online form, you can’t dial into a call center and ask them to change your identity.
As the use of new biometric technology continues to grow, 2016 will also be characterized by a rise in stolen fingerprints and other biometrics to commit fraud and identity theft. The need to accommodate customers’ desire to do more on-line further increases the risk factor.
So what can we do?
The financial services industry recognizes the problem and is leading efforts on data and cyber security to better protect sensitive personal information. Specifically, our industry is relying less on static knowledge-based information and is introducing layered forms of authentication while moving to greater use of encryption and tokenization. We must continue to take a concerted industry-wide action to address this escalating threat.
One of my favorite movies is the 1998 movie The Parent Trap, starring Lindsay Lohan. In this movie, identical twins, separated at birth and each raised by one of their biological parents (one in London and the other in Napa Valley, California) discover each other for the first time at summer camp and switch places. Despite the twins’ efforts at impersonation (studying each other’s accents and coaching each other about all the details of their lives) they are discovered by two servants and a grandparent who observe little out-of-pattern behaviors.
Drawing lessons from this movie, attempts at identity impersonation can be discovered if the real person’s characteristics and behavior are known well enough. The challenge is to employ technology and industry-wide coordination to replicate the small town banker, personified by George Bailey (played by James Stewart) in It’s a Wonderful Life, who intimately knew all his customers.
To better protect sensitive personal information, the following actions are recommended:
1. Improve industry-wide vigilance and monitoring for attempts at identity impersonation – Financial institutions should continue to monitor activity looking for unusual actions and behavioral patterns that signal an exploit of this information is occurring or likely to occur, and immediately notify the customer. This includes monitoring, not just for suspicious and unusual activity on the customer’s existing accounts, but also looking for attempts to open new accounts in the customer’s name. It should include monitoring underground communications for signs of fraud attempts. Industry-wide coordination will help as these attempts will likely involve institutions with which the customer does not have a current relationship.
2. Modify and raise the bar industry-wide, across product silos, on how a customer’s identity is verified. Financial institutions have individually minimized their reliance on knowledge-based questions (name, address, social security number, mother’s maiden name, children’s and siblings’ names, even last mortgage payment7), and added stronger identity protections, including:
- Dynamic context-free secrets (tokens that generate random numbers in place of social security numbers);
- Biometrics (face, fingerprints8);
- Behavioral patterns (location history, web site transaction patterns);
- Proof of possession of identity devices and cards (made difficult to tamper or counterfeit, possibly requiring a biometric or secret code to activate and function properly)9;
- Identity verification attestations from friends, relatives, work associates, government entities, and other companies with whom the person has a relationship (much as a traveler is asked to provide an emergency contact to notify in the event of a mishap, a financial institution customer might be asked to specify an emergency contact for identity verification); and
- More thorough background checks and cross-references with other financial institution and government databases.
3. Coordinate across product silos and financial institutions. These efforts have mostly been on a product silo basis. Financial institutions should make it easy for their customers to change now, while they can, what is required to prove their identity, making it harder for a criminal to succeed in identity impersonation by using what they have already acquired. This is best achieved when the identity proofing and authentication is coordinated across product silos and institutions eliminating any weak links (as evidenced by the recent SWIFT breaches10) and forcing impersonators to find ways to fool all the institutions at once11.
4. Industry sponsorship of research. Because identity impersonation tactics and techniques are continuously adapting and improving, our industry should consider sponsoring joint research program(s) aimed at identity impersonation prevention, detection and mitigation. This should include supporting financial industry, federal, and municipal efforts already underway to improve identity verification and proofing processes and identity card programs, such as NSTIC12, Real ID13, various municipal ID programs and pilots (many providing mobile authentication aimed at increasing efficiency, strengthening authentication and enhancing privacy)14, BITS Fraud and Strong Authentication initiatives, including FI-VICS project follow-ons15, and, possibly, establishing an industry-wide shared-identity platform to limit exposure, ensure privacy, and strengthen verification (the subject of a previous CTO Corner16).
What if you have already been compromised?
If customers have already been compromised, financial service firms should be available to assist them in re-establishing their identity, differentiating the imposter from the victim, and once re-established, helping the victim add identity verification so that impersonation will be more difficult in the future.
Assistance should also include making victims aware of the resources available to help them, such as the work of the FTC17 and the revamped government website, IdentityTheft.gov, which offers consumers personalized, step-by-step guidance to reclaim their identities and untangle compromised accounts. The website helps consumers by automatically generating affidavits and pre-filling letters and forms to be sent to credit bureaus, businesses, police, debt collectors and the IRS.18 Other resources are the Identity Theft Resource Center19, ITAC Sentinel20, and the various credit bureau assistance programs21.
If our industry, working in partnership with government and privacy advocates, continues to take the necessary actions to prevent an unchecked occurrence of identity fraud, we will remain a trustworthy, safe, and secure place to do business. By coordinating this activity and sponsoring research to enhance the quantity and quality of monitoring and alerting, our sector will:
- Improve its ability to detect and mitigate fraud;
- Improve the efficiency and effectiveness of regulatory compliance reporting;
- Overcome any regulatory privacy concerns;
- Become more customer-centric by learning more about its customers’ behavioral traits, likes, and dislikes; and
- Build rails for better accommodating unbanked and underbanked, with the potential to accept municipal-issued identity cards, better tailoring products and services to their needs.
Conclusion – It is likely that 2016 will be considered the “year of the exploit” as we see a shift to higher-impact identity-impersonation cybercrime that takes advantage of the large amount of sensitive data accumulated in 2015.
The time is now to:
- Take an industry-wide approach, across product silos, to modify and raise the bar on how a customer’s identity is verified, including:
– Cross-verifying customers’ identity assertions (name, address, accounts) both through confidential queries directly with each other and through a trusted intermediary like Early Warning. The value of this sort of sharing was demonstrated in the FI-VICS pilot and validated by follow-on work with Early Warning. The value of similar information-sharing efforts has been demonstrated in fighting credit card fraud and in cyber incident response.
– Supporting common approaches to improve identity verification, aimed at making it easier for both customers and regulators to understand and use. Recent surveys indicate that customers want these improvements, but their use in the marketplace will grow faster through coordinated education, marketing and standardization of procedures aimed at overcoming user concerns and barriers to acceptance.
- Expand our industry’s partnership with Government to improve effectiveness in countering attempts at identity impersonation, and to assist those who are already victims of identity theft.
4. As of the 4th quarter, 33% of all global transactions are EMV, and that number is growing: https://www.emvco.com/about_emvco.aspx?id=202
7. Reliance on knowledge-based questions is increasingly vulnerable to attack, such as the attack on the IRS IP Protection PINs: http://krebsonsecurity.com/2016/03/irs-suspends-insecure-get-ip-pin-feature/, http://fortune.com/2016/02/10/irs-hack-refunds/
8. http://scienceline.ucsb.edu/getkey.php?key=244. One interesting fact: although identical twins have the same DNA, they have similar but not identical fingerprints and can be distinguished by their fingerprints.
9. http://www.secureidnews.com/news-item/authenticating-driver-licenses-with-the-mobile/?tag=email&utm_source=MailerMailer&utm_medium=email&utm_content=Authenticating+driver+licenses+with+the+mobile&utm_campaign=Facial+recognition+gaining+momentum%2C+Authenticating+driver+licenses, https://gcn.com/articles/2016/02/29/id-card-technology.aspx?s=gcntech_010316
10. http://www.itworld.com/article/3075853/up-to-a-dozen-banks-are-reportedly-investigating-potential-swift-breaches.html?token=%23tk.ITWNLE_nlt_itworld_today_2016-05-27&idg_eid=97dacbc39a0f56781e83bfae921a4a47&utm_source=Sailthru&utm_medium=email&utm_campaign=ITworld%20Today%202016-05-27&utm_term=itworld_today, http://www.reuters.com/article/us-cyber-banks-swift-idUSKCN0YE2S6
14. http://www.secureidnews.com/news-item/cities-start-issuing-municipal-id-cards/?tag=email&utm_source=MailerMailer&utm_medium=email&utm_content=Cities+start+issuing+municipal+ID+cards&utm_campaign=Cities+issuing+ID+cards%2C+U.S.+agencies+must+deploy+trusted+ID+platform, http://www.nytimes.com/2015/12/29/opinion/new-yorks-id-card-deserves-respect.html, http://www.nytimes.com/2015/01/12/nyregion/new-york-city-to-formally-start-its-municipal-id-card-program.html, http://www.secureidnews.com/news-item/are-states-speeding-toward-mobile-driver-licenses/?tag=email&utm_source=MailerMailer&utm_medium=email&utm_content=Are+states+speeding+toward+mobile+driver+licenses%3F&utm_campaign=Examining+mobile+driver+licenses%2C+Digital+IDs+in+Canada#sthash.skpWo2ci.dpuf, Electronic ID Pilot Aims to Bolster Authentication, Save Governments Millions During Tax Season, http://www.govtech.com/pcio/articles/Electronic-ID-Pilot-Aims-to-Bolster-Authentication-Save-Governments-Millions-During-Tax-Season.html?utm_medium=email&utm_source=Act-On+Software&utm_content=email&utm_campaign=Electronic%20ID%20Pilot%20Aims%20to%20Save%20Govs%20Millions%20During%20Tax%20Season%2C%205%20Tips%20to%20Help%20Governments%20Combat%20Cyberthreats&utm_term=Electronic%20ID%20Pilot%20Aims%20to%20Bolster%20Authentication%2C%20Save%20Governments%20Millions%20During%20Tax%20Season