Entries Tagged "crime"

Page 36 of 39

How to Not Fix the ID Problem

Several of the 9/11 terrorists had Virginia driver’s licenses in fake names. These were not forgeries; these were valid Virginia IDs that were illegally sold by Department of Motor Vehicle workers.

So what did Virginia do to correct the problem? They required more paperwork in order to get an ID.

But the problem wasn’t that it was too easy to get an ID. The problem was that insiders were selling them illegally. Which is why the Virginia “solution” didn’t help, and the problem remains:

The manager of the Virginia Department of Motor Vehicles office at Springfield Mall was charged yesterday with selling driver’s licenses to illegal immigrants and others for up to $3,500 apiece.

The arrest of Francisco J. Martinez marked the second time in two years that a Northern Virginia DMV employee was accused of fraudulently selling licenses for cash. A similar scheme two years ago at the DMV office in Tysons Corner led to the guilty pleas of two employees.

And after we spend billions on the REAL ID act, and require even more paperwork to get a state ID, the problem will still remain.

Posted on July 19, 2005 at 1:15 PMView Comments

Surveillance Cameras and Terrorism

I was going to write something about the foolishness of adding cameras to public spaces as a response to terrorism threats, but Scott Henson said it already:

Homeland Security Ubermeister Michael Chertoff just told NBC’s Tim Russert on Meet the Press this morning that the United States should invest in “cameras and dogs” to protect subway, rail and bus transit systems from terrorist attacks.

B.S.

Surveillance cameras didn’t deter the terrorist attacks in London. They didn’t stop the courthouse killing spree in Atlanta. But they’re prone to abuse. And at the end of they day they don’t reduce crime.

Posted on July 12, 2005 at 8:13 AMView Comments

Noticing Data Misuse

Everyone seems to be looking at their databases for personal information leakages.

Tax liens, mortgage papers, deeds, and other real estate-related documents are publicly available in on-line databases run by registries of deeds across the state. The Globe found documents in free databases of all but three Massachusetts counties containing the names and Social Security numbers of Massachusetts residents….

Although registers of deeds said that they are unaware of cases in which criminals used information from their databases maliciously, the information contained in the documents would be more than enough to steal an identity and open new lines of credit….

Isn’t that part of the problem, though? It’s easy to say “we haven’t seen any cases of fraud using our information,” because there’s rarely a way to tell where information comes from. The recent epidemic of public leaks comes from people noticing the leak process, not the effects of the leaks. So everyone thinks their data practices are good, because there have never been any documented abuses stemming from leaks of their data, and everyone is fooling themselves.

Posted on July 5, 2005 at 8:47 AMView Comments

Wired on Identity Theft

This is a good editorial from Wired on identity theft.

Following are the fixes we think Congress should make:

Require businesses to secure data and levy fines against those who don’t. Congress has mandated tough privacy and security standards for companies that handle health and financial data. But the rules for credit agencies are woefully inadequate. And they don’t cover other businesses and organizations that handle sensitive personal information, such as employers, academic institutions and data brokers. Congress should mandate strict privacy and security standards for anyone who handles sensitive information, and apply tough financial penalties against companies that fail to comply.

Require companies to encrypt all sensitive customer data. Any standard created to protect data should include technical requirements to scramble the data—both in storage and during transit when data is transferred from one place to another. Recent incidents involving unencrypted Bank of America and CitiFinancial data tapes that went missing while being transferred to backup centers make it clear that companies think encryption is necessary only in certain circumstances.

Keep the plan simple and provide authority and funds to the FTC to ensure legislation is enforced. Efforts to secure sensitive data in the health and financial industries led to laws so complicated and confusing that few have been able to follow them faithfully. And efforts to monitor compliance have been inadequate. Congress should develop simpler rules tailored to each specific industry segment, and give the FTC the necessary funding to enforce them.

Keep Social Security numbers for Social Security. Social Security numbers appear on medical and voter-registration forms as well as on public records that are available through a simple internet search. This makes it all too easy for a thief to obtain the single identifying number that can lead to financial ruin for victims. Americans need a different unique identifying number specifically for credit records, with guarantees that it will never be used for authentication purposes.

Force credit agencies to scrutinize credit-card applications and verify the identity of credit-card applicants. Giving Americans easy access to credit has superseded all other considerations in the cutthroat credit-card business, helping thieves open accounts in victims’ names. Congress needs to bring sane safeguards back into the process of approving credit—even if it means adding costs and inconveniencing powerful banking and financial interests.

Extend fraud alerts beyond 90 days. The Fair Credit Reporting Act allows anyone who suspects that their personal information has been stolen to place a fraud alert on their credit record. This currently requires a creditor to take “reasonable” steps to verify the identity of anyone who applies for credit in the individual’s name. It also requires the creditor to contact the individual who placed the fraud alert on the account if they’ve provided their phone number. Both conditions apply for 90 days. Of course, nothing prevents identity thieves from waiting until the short-lived alert period expires before taking advantage of stolen information. Congress should extend the default window for credit alerts to a minimum of one year.

Allow individuals to freeze their credit records so that no one can access the records without the individuals’ approval. The current credit system opens credit reports to almost anyone who requests them. Individuals should be able to “freeze” their records and have them opened to others only when the individual contacts a credit agency and requests that it release a report to a specific entity.

Require opt-in rather than opt-out permission before companies can share or sell data. Many businesses currently allow people to decline inclusion in marketing lists, but only if customers actively request it. This system, known as opt-out, inherently favors companies by making it more difficult for consumers to escape abusive data-sharing practices. In many cases, consumers need to wade through confusing instructions, and send a mail-in form in order to be removed from pre-established marketing lists. The United States should follow an opt-in model, where companies would be forced to collect permission from individuals before they can traffic in personal data.

Require companies to notify consumers of any privacy breaches, without preventing states from enacting even tougher local laws. Some 37 states have enacted or are considering legislation requiring businesses to notify consumers of data breaches that affect them. A similar federal measure has also been introduced in the Senate. These are steps in the right direction. But the federal bill has a major flaw: It gives companies an easy out in the case of massive data breaches, where the number of people affected exceeds 500,000, or the cost of notification would exceeds $250,000. In those cases, companies would not be required to notify individuals, but could comply simply by posting a notice on their websites. Congress should close these loopholes. In addition, any federal law should be written to ensure that it does not pre-empt state notification laws that take a tougher stance.

As I’ve written previously, this won’t solve identity theft. But it will make it harder and protect the privacy of everyone. These are good recommendations.

Posted on June 29, 2005 at 7:18 AMView Comments

Indian Call Center Sells Personal Information

There was yet another incident where call center staffer was selling personal data. The data consisted of banking details of British customers, and was sold by people at an outsourced call center in India.

I predict a spate of essays warning us of the security risks of offshore outsourcing. That’s stupid; this has almost nothing to do with offshoring. It’s no different than the Lembo case, and that happened in the safe and secure United States.

There are security risks to outsourcing, and there are security risks to offshore outsourcing. But the risk illustrated in this story is the risk of malicious insiders, and that is mostly independent of outsourcing. Lousy wages, lack of ownership, a poor work environment, and so on can all increase the risk of malicious insiders, but that’s true regardless of who owns the call center or in what currency the salary is paid in. Yes, it’s harder to prosecute across national boundaries, but the deterrence here is more contractual than criminal.

The problem here is people, not corporate or national boundaries.

Posted on June 24, 2005 at 9:35 AMView Comments

Organized Retail Theft

There are two distinct shoplifting threats: petty shoplifting and Organized Retail Theft.

Organized retail theft (ORT) is a growing problem throughout the United States, affecting a wide-range of retail establishments, including supermarkets, chain drug stores, independent pharmacies, mass merchandisers, convenience stores, and discount operations. It has become the most pressing security problem confronting retailers. ORT losses are estimated to run as high as $15 billion annually in the supermarket industry alone ­ and $34 billion across all retail. ORT crime is separate and distinct from petty shoplifting in that it involves professional theft rings that move quickly from community to community and across state lines to steal large amounts of merchandise that is then repackaged and sold back into the marketplace. Petty shoplifting, as defined, is limited to items stolen for personal use or consumption.

Their list of 50 most shoplifted items consists of small, expensive things with long shelf life: over-the-counter drugs, mostly.

#1 Advil tablet 50 ct

#2 Advil tablet 100 ct

#3 Aleve caplet 100 ct

#4 EPT Pregnancy Test single

#5 Gillette Sensor 10 ct

#6 Kodak 200 24 exp

#7 Similac w/iron powder – case

#8 Similac w/iron powder – single can

#9 Preparation H 12 ct

#10 Primatene tablet 24 ct

Found on BoingBoing.

Posted on June 22, 2005 at 1:06 PMView Comments

DNA Identification

Here’s an interesting application of DNA identification. Instead of searching for your DNA at the crime scene, they search for the crime-scene DNA on you.

The system, called Sentry, works by fitting a box containing a powder spray above a doorway which, once primed, goes into alert mode if the door is opened.

It then sprays the powder when there is movement in the doorway again.

The aim is to catch a burglar in the act as stolen items are being removed.

The intruder is covered in the bright red powder, which glows under ultraviolet (UV) light and can only be removed with heavy scrubbing.

However, the harmless synthetic DNA contained in the powder sinks into the skin and takes several days, depending on the person’s metabolism, to work its way out.

Posted on June 22, 2005 at 8:39 AMView Comments

Defining "Access" in Cyberspace

I’ve been reading a lot of law journal articles. It’s interesting to read legal analyses of some of the computer security problems I’ve been wrestling with.

This is a fascinating paper on the concepts of “access” and “authorized access” in cyberspace. The abstract:

In the last twenty-five years, the federal government and all fifty states have enacted new criminal laws that prohibit unauthorized access to computers. These new laws attempt to draw a line between criminality and free conduct in cyberspace. No one knows what it means to access a computer, however, nor when access becomes unauthorized. The few courts that have construed these terms have offered divergent interpretations, and no scholars have yet addressed the problem. Recent decisions interpreting the federal statute in civil cases suggest that any breach of contract with a computer owner renders use of that computer an unauthorized access. If applied to criminal cases, this approach would broadly criminalize contract law on the Internet, potentially making millions of Americans criminals for the way they write e-mail and surf the Web.

This Article presents a comprehensive inquiry into the meaning of unauthorized access statutes. It begins by explaining why legislatures enacted unauthorized access statutes, and why early beliefs that such statutes solved the problem of computer misuse have proved remarkably naïve. Next, the Article explains how the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers. In the final section, the Article offers a normative proposal for interpreting access and authorization. This section argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges. The section justifies this proposal on several grounds. First, the proposal will best mediate the line between securing privacy and protecting the liberty of Internet users. Second, the proposal mirrors criminal law’s traditional treatment of crimes that contain a consent element. Third, the proposed approach is consistent with the basic theories of punishment. Fourth, the proposed interpretation avoids possible constitutional difficulties that may arise under the broader constructions that courts recently have favored.

It’s a long paper, but I recommend reading it if you’re interested in the legal concepts.

Posted on June 14, 2005 at 7:16 AMView Comments

Torah Security

According to Jewish law, Torahs must be identical. When you make a copy, you cannot change or add a single character. That means you can’t write “Property of….” You can’t add a serial number. You can’t make any kind of identifying marks.

This turns out to be a problem when Torahs are stolen; it’s impossible to identify that they’re stolen goods.

Now there’s a method of identifying Torahs without violating Jewish law:

Called the Universal Torah Registry, the system works like this: A synagogue mails in a form with their contact information and the number of Torahs they want to place in the system, and the registry sends back a computer-coded template for each scroll. The 3.5- by 8-inch template resembles an IBM punch card, with eight holes arranged so their position relative to one another describes a unique identification number in a proprietary code.

A rabbi uses the template to perforate the coded pattern into the margins of the scroll with a tiny needle. To keep an enterprising thief from swapping the perforated segment with a section from another stolen scroll in some kind of twisted Torah chop shop, the registry recommends applying the code to 10 different segments of the scroll. Pollack says the code contains self-authentication features that keep a thief from invalidating it by just adding an extra hole in an arbitrary location.

Posted on June 13, 2005 at 1:28 PMView Comments

Public Disclosure of Personal Data Loss

Citigroup announced that it lost personal data on 3.9 million people. The data was on a set of backup tapes that were sent by UPS (a package delivery service) from point A and never arrived at point B.

This is a huge data loss, and even though it is unlikely that any bad guys got their hands on the data, it will have profound effects on the security of all our personal data.

It might seem that there has been an epidemic of personal-data losses recently, but that’s an illusion. What we’re seeing are the effects of a California law that requires companies to disclose losses of thefts of personal data. It’s always been happening, only now companies have to go public with it.

As a security expert, I like the California law for three reasons. One, data on actual intrusions is useful for research. Two, alerting individuals whose data is lost or stolen is a good idea. And three, increased public scrutiny leads companies to spend more effort protecting personal data.

Think of it as public shaming. Companies will spend money to avoid the PR cost of public shaming. Hence, security improves.

This works, but there’s an attenuation effect going on. As more of these events occur, the press is less likely to report them. When there’s less noise in the press, there’s less public shaming. And when there’s less public shaming, the amount of money companies are willing to spend to avoid it goes down.

This data loss has set a new bar for reporters. Data thefts affecting 50,000 individuals will no longer be news. They won’t be reported.

The notification of individuals also has an attenuation effect. I know people in California who have a dozen notices about the loss of their personal data. When no identity theft follows, people start believing that it isn’t really a problem. (In the large, they’re right. Most data losses don’t result in identity theft. But that doesn’t mean that it’s not a problem.)

Public disclosure is good. But it’s not enough.

Posted on June 8, 2005 at 4:45 PMView Comments

1 34 35 36 37 38 39

Sidebar photo of Bruce Schneier by Joe MacInnis.