Gone phishing
Jinfo Blog

2nd December 2007

By Tim Buckley Owen


Amid all the brouhaha about the lost government CDs containing personal details of UK child benefit recipients, we shouldn’t forget that the private sector has a less than squeaky clean reputation too. Nationwide Building Society, Halifax Bank, Marks & Spencer and – spectacularly – retailing empire TJX have all had customer data lost or stolen, in 2007 alone.

So it’s hardly surprising that identity theft is increasingly in people’s minds. Seventy per cent of those polled by YouGov for IT management software company CA (http://www.ca.com/gb/press/Release.aspx?CID=160416) said that the risk was changing their online behaviour – and 64% believed that the organisations they dealt with should be taking more steps to protect them.

Phishing, where fraudsters attempt to trick people into parting with their personal details by masquerading as legitimate businesses such as banks, arouses particular suspicion. In fact, according to more YouGov research for the messaging security company Cloudmark (http://www.cloudmark.com/serviceproviders/media/releases/?release=2007-11-26), it is the legitimate businesses that suffer, because people are less likely to trust a well known brand that has featured in a phishing scam.

Writing on the IBM Internet Security Systems blog Frequency X, Gunter Ollmann even puts a value on stolen personal data (http://blogs.iss.net/archive/PasswordValue.html), calculating that 2,000 credit card details are worth about 40 standard identities (name, address, phone number, social security number, birth date) or around five complete banking identities. The small change, though, is the humble password; worth ‘about four cents’ on the black market, a password stolen from, say, a low value retailer can be matched with other stolen personal details and, as likely as not, will be the same password as the victim uses on a more valuable site such as a bank.
So there are security discipline implications here that matter at least as much in the corporate context as they do for individual consumers. Further surveys identify two vulnerabilities in particular: disgruntled staff (obviously) and temps. A survey of Irish companies by applications delivery specialist Citrix Systems (http://www.citrix.com/English/NE/news/news.asp?newsID=684022) revealed 49% citing malicious employees as a threat to their business. And, as the number of temporary staff increases in the run up to Christmas, a small survey by security software company Websense (http://digbig.com/4wbnk) suggested that, while nearly 90% of temporary employees could access potentially confidential documents from their network drive, only 21% had signed any type of PC or web use policy.

At its simplest level, such threats could result in abuses exemplified perhaps by the case of the unidentified Harvard Business School user who was barred from using Factiva recently (http://www.thecrimson.com/article.aspx?ref=520781) after downloading an average of 55,000 records a day – quite likely using a banned automated script. At the criminal end of the scale, the consequences are unimaginable – but imagine them we must.
