Epidemic of ID theft spreading

June marked the latest in a series of massive breaches of identity security, when a shipment of unencrypted tapes of information on 3.9 million Citigroup customers was lost while en route to a credit-reporting agency. But the loss of the Citigroup client records was just one in a slew of identity and customer information security implosions over the last few months at large-scale businesses, including Time Warner, Ameritrade Inc. and Bank of America.

With terms such as "phishing" and "pharming" becoming a permanent part of the IT lexicon, identity and customer data theft have moved to the forefront of the public consciousness and media headlines.

A recent survey showed that more than 45 percent of all online consumers reported having malicious software on their desktops, and more than 83 percent discovered the presence of spyware on their PCs.

Last month, security strategies and remedies topped the agenda at the American Institute of CPAs annual Information Technology Conference, held in Las Vegas.

"So many times in security we go and say, 'Oops!' and say we got to go fix that. We have to stop fixing things after hackers have come into the network," said Susan Bradley, CPA, CITP, during the technology confab. "Benchmarking really helps prevent things."

A June report by Gartner Research - a Connecticut-based research and analysis group - stated that e-commerce is at an all-time high, and so are cyber-attacks on the 148 million domestic Internet users.

"There has been a real shift in the last year from thrill-seeking teams or college kids with extra time on their hands, to real criminals, attempts and attacks," said Doug Brown, engineering director at online business applications provider NetSuite. "They have networks where they post exploits and vulnerabilities to their community. An unpatched computer [one that hasn't downloaded any code to fix program bugs] on the Internet will be compromised right away."

Accountants using their e-mail accounts to receive client information like addresses and Social Security and bank account numbers are at high risk of compromising their clients' data, said Paul Rosenfeld, general manager for Intuit's QuickBooks Online Edition.

The data sent in an e-mail is not encrypted, and therefore "anyone can look at it," warned Rosenfeld. "What accountants sell every day is reputation. They are basing their reputation these days on creaky practices like file sharing."

Those accountants who have their clients' data dropped off or picked up are at serious risk of losing that unencrypted content and having it fall into the wrong hands, added Rosenfeld.

Easy access

Hackers or crackers - those with extensive computer knowledge who use their abilities to break into other people's computer files and systems for malicious purposes - frequently gain access to or spread malware (malicious software) into a business or personal computer system via e-mail, much of the time without the user even knowing it. Some of the most damaging schemes and malware being downloaded by e-mail users today include phishing, pharming, spyware, Trojan Horse software, viruses and assorted worms.

"E-mail is really one business tool that I think that everyone agrees we can't live without," said David Cieslak, CPA, CITP and principal in the Calif.-based computer consulting firm Information Technology Group Inc. "We have to deal with the issue, not just do away with e-mail, even when it looks like the only way out."

According to Gartner Research vice president and research director Avivah Litan, phishing - an e-mail from a false user claiming to be a legitimate enterprise to gain private information for the purpose of identity theft - has grown exponentially in the last year.

Her June report, "Increased Phishing and Online Attacks Cause Dip in Consumer Confidence," is based on a 5,000-person survey of online consumers that found a 28 percent growth rate in phishing attacks from May 2004 to May 2005.

An estimated 46 million online consumers reported that they had received a phishing attack in the last year, and 95 percent of the respondents to the survey said that their most recent phishing attack occurred over the last six months.

"They have graphics and literally everything you need to fully believe this is the real deal," said Cieslak. "Phishing is particularly vile because it's masquerading as someone legit like PayPal, eBay or EarthLink."

The danger for a business when an employee receives a phishing attack is amplified when the employee opens an e-mail that is disguised as one from the company's IT helpdesk or system administrator, and fills out their password and user name for their business applications.

"During January 2005, 2,500 sites were hijacked," noted Randy Johnston, executive vice president of the Hutchinson, Kan.-based business and technology consulting group K2 Enterprises. "If fairly high-profile sites are being hijacked, your brand and your site are likely to get hijacked too. It's almost impossible to tell if a change has been made."

Just as the Greeks snuck into Troy inside their wooden horse, so too do hackers sneak into unsuspecting users' computer systems using Trojan Horse programs - slashing away computer files and compromising user security.

Trojan Horses are programs with which a hacker can view anything that a user's computer is connected to or contains, as well as their keystrokes. What's worse, hackers can create a backdoor to allow other malicious users access to the system. The hacker sends a user an e-mail that lists an Internet address - with some even using the ploy of having anti-virus software at the site - and the unsuspecting user goes to the Web site. But instead of downloading anti-virus software, the user downloads a Trojan Horse, and more than likely doesn't even realize it, said Cieslak.

Once a hacker is inside an employee's or user's desktop, they can access numerous files and applications containing client information, financial data on the company and bank account numbers. The hacker usually either uses the information to extort money out of the company, which has happened to many in the last year, according to Cieslak, or the hacker can use the information to delete files, steal money or copy Social Security numbers.

Personal touch

Stolen data doesn't have to be tricked from a user, however - some information is innocently lost and some is stolen.

"The unspoken tragedy is something like a bookkeeper who leaves on bad terms and takes files with him, or an employee who commits fraud," said Rosenfeld. "There is a lot of trust within a small business, and some unscrupulously take advantage of that."

A security breach can happen from an unsuspecting employee as well. With all the laptop computers being carried from airport to hotel and back again, many are lost, stolen or forgotten, and many of those do not have the level of security that a desktop PC does.

Unfortunately, many home laptops and notebooks are also connected to their company network as well. At the AICPA conference, Cieslak said that about 80 percent of all home computers were infected with spyware, creating an even greater possibility that an unsuspecting employee will lead a hacker into his company's system.

"How do you know it's not a rat's nest?" Cieslak asked. "Home computers are one of the biggest threats. You do not have the same capabilities as in the office, the patches aren't up to code, and virus subscriptions aren't up to snuff."

Some remedies

From businesses to personal PCs, everyone needs to have their anti-virus and anti-spyware defenses kept up to date and have updating programs from more than one software provider, advised Cieslak. But the security measures must go beyond the basic anti-spam, anti-spyware and anti-virus software solutions before a company or firm can relax.

"There can be no one fix for everything," said Nadine Joli-Coeur, product marketing manager for business desktops at Hewlett-Packard. "There are overwhelming things you can get hit up with today."

Hewlett-Packard has integrated biometrics into their security tools by installing a fingerprint scanner on the motherboard of their notebooks. The fingerprint scanner ensures that the user is who he says he is before allowing access to Windows or the operating system and all the files within. Another tool they have, patent pending, is a pre-boot password so that the computer does not even boot up the operating system enough to ask for a password or fingerprint scan without first securing a password or smart card ID number from the user.

"It's just a step earlier, before the screen even comes up and asks you for your Windows password," explained Joli-Coeur. "The earlier you protect, the better your chances of not having someone gain access to your data."

But computers and software are not the only elements needing to be upgraded when it comes to security - it's the users as well.

"It's the human element that's biting us," said Cieslak.

Employees, accountants and all computer users need to be trained in proper and secure Internet practices, said Cieslak, like never opening an e-mail from an unknown user, never entering personal information into a link provided in an e-mail, and never double-clicking on files that look like zipped files but in reality are usually Trojan Horses.

Cieslak also warns against wireless or Wi-Fi hotspots such as those found in quick-service units like Starbucks and in airports that allow computer users with wireless cards to connect to the Internet. Using them is fine, he said, provided that your data is protected. But the user has to go into his Windows set-up to make sure that he is not sharing his files, and subsequently his bank account information, with everyone who is ordering a latté.

"It is simply a matter of setting up the right security," said Cieslak, "but many users don't realize they're vulnerable."

Many users do not realize that their Windows operating systems come with a list of security options that are not turned on by default. Therefore, someone has to manually go in and turn them on, explained Bradley.

For a firm looking to save money and time but still secure their clients' data, Cieslak and Johnston recommended using e-mail management companies like MessageLabs or Electric Mail, which specialize in comprehensive e-mail security for small and midsized companies and firms.

"This is getting extremely complex and has serious impacts if you are not doing it right, and it puts serious pressure on IT professionals," said Ian McDonald, general manager and vice president of sales at Electric Mail.

What MessageLabs and Electric Mail do is monitor traffic patterns, so that if someone inside the company is sending out an uncharacteristically large amount of e-mail, they can see if that user has been infected with a virus or has unwittingly become a spam "zombie" - a spam hacker using an innocent user's machine to send out hundreds of thousands of spam e-mails. They also are on the job around the clock, so hackers trying to break in after hours can also be caught. The cost is relatively cheap when you think of the alternative consequences, noted Cieslak.
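The kind of per-sender volume check described above, as an added example that is not code from MessageLabs or Electric Mail. The log format, the addresses and the thresholds (`factor`, `floor`) are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed log lines: "<ISO hour> <sender> <recipient count>", one per message.
# The format and addresses are assumptions for this example, not a real MTA log.
LOG = """\
2005-07-11T09 alice@firm.example 3
2005-07-11T09 news@firm.example 400
2005-07-11T10 alice@firm.example 5
2005-07-11T10 news@firm.example 420
2005-07-11T11 alice@firm.example 4
2005-07-11T11 news@firm.example 390
2005-07-11T23 alice@firm.example 2500
2005-07-11T23 news@firm.example 410
2005-07-11T23 temp@firm.example 20
2005-07-11T23 bob@firm.example 900
"""

def hourly_volume(log_text):
    """Sum recipients per sender per hour: {sender: {hour: count}}."""
    volume = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines rather than crash the monitor
        hour, sender, rcpts = parts
        volume[sender.lower()][hour] += int(rcpts)
    return volume

def flag_senders(volume, current_hour, factor=10, floor=100):
    """Return senders whose volume this hour far exceeds their own baseline.

    Baseline is the median of the sender's earlier hours; senders with no
    history are judged against the absolute floor only.
    """
    flagged = {}
    for sender, hours in volume.items():
        now = hours.get(current_hour, 0)
        past = [n for h, n in hours.items() if h < current_hour]
        baseline = median(past) if past else 0
        if now > max(floor, factor * baseline):
            flagged[sender] = (now, baseline)
    return flagged

def demo():
    return flag_senders(hourly_volume(LOG), "2005-07-11T23")

if __name__ == "__main__":
    for sender, (now, base) in sorted(demo().items()):
        print(f"{sender}: {now} recipients this hour (baseline {base})")
```

Comparing each sender against its own history keeps a legitimately busy mailbox such as the newsletter account from being flagged, while the after-hours burst from a normally quiet account and the burst from an account with no history both stand out.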

"Because this is a constantly escalating battle, you don't want to put any more resources into this," advised Cieslak. "Outsourcing makes sense, and for many of us, outsourcing is the most cost-effective approach."
