Showing papers on "Identity theft published in 2007"


Proceedings ArticleDOI
02 Nov 2007
TL;DR: It is found that it is often possible to tell whether or not a URL belongs to a phishing attack without requiring any knowledge of the corresponding page data.
Abstract: Phishing is a form of identity theft that combines social engineering techniques and sophisticated attack vectors to harvest financial information from unsuspecting consumers. Often a phisher tries to lure her victim into clicking a URL pointing to a rogue page. In this paper, we focus on studying the structure of URLs employed in various phishing attacks. We find that it is often possible to tell whether or not a URL belongs to a phishing attack without requiring any knowledge of the corresponding page data. We describe several features that can be used to distinguish a phishing URL from a benign one. These features are used to model a logistic regression filter that is efficient and has a high accuracy. We use this filter to perform thorough measurements on several million URLs and quantify the prevalence of phishing on the Internet today.

476 citations
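The abstract above says a URL can often be classified as phishing from its structure alone, with a logistic regression filter over URL features, but the page does not reproduce the features or the fitted coefficients. The following is an added example, not code from the paper: a small feature extractor over the URL string (bare-IP host, userinfo "@" trick, deep subdomain chains, %xx escapes, brand or login tokens outside the registered domain, non-standard port) scored with a hand-set logistic function. The feature set, the weights and the sample URLs are assumptions made for this illustration; a real filter would fit the weights on labelled data.

```python
import re
from math import exp
from urllib.parse import urlsplit

# Illustrative weights for a hand-set logistic filter. They are assumptions for
# this example; the paper's fitted coefficients are not reproduced on the page.
WEIGHTS = {
    "ip_host": 3.0,          # host is a bare IPv4 address
    "at_sign": 2.5,          # userinfo trick: http://www.bank.com@evil.example/
    "many_dots": 2.0,        # deep subdomain chain (4+ dots in the host)
    "long_url": 1.0,         # unusually long URL
    "hex_escapes": 1.5,      # %xx escapes used to obscure the target
    "brand_misplaced": 2.5,  # brand/login token outside the registered domain
    "nonstd_port": 1.5,      # explicit port other than 80/443
}
BIAS = -4.0  # prior: most URLs are benign
BRAND_TOKENS = ("paypal", "ebay", "bank", "signin", "login", "secure", "account")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def url_features(url: str) -> dict:
    """Extract binary structural features from the URL string alone (no page fetch)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # Everything except the registered domain (taken here as the last two labels)
    # is attacker-controlled text: subdomains, userinfo, path and query.
    haystack = " ".join(labels[:-2] + [parts.username or "", parts.path, parts.query]).lower()
    try:
        port = parts.port
    except ValueError:
        port = -1  # malformed port string: treat as non-standard
    return {
        "ip_host": int(bool(IPV4.fullmatch(host))),
        "at_sign": int("@" in parts.netloc),
        "many_dots": int(host.count(".") >= 4),
        "long_url": int(len(url) > 75),
        "hex_escapes": int(re.search(r"%[0-9a-fA-F]{2}", url) is not None),
        "brand_misplaced": int(any(tok in haystack for tok in BRAND_TOKENS)),
        "nonstd_port": int(port not in (None, 80, 443)),
    }


def logit(url: str) -> float:
    """Linear score: bias plus the weighted sum of the binary features."""
    feats = url_features(url)
    return BIAS + sum(WEIGHTS[name] * value for name, value in feats.items())


def phishing_probability(url: str) -> float:
    """Logistic transform of the score into a probability in (0, 1)."""
    return 1.0 / (1.0 + exp(-logit(url)))


def is_phishing(url: str, threshold: float = 0.5) -> bool:
    return phishing_probability(url) > threshold


if __name__ == "__main__":
    # Constructed sample URLs (documentation/test ranges only, not live hosts).
    for u in (
        "https://www.example.com/about",
        "http://192.0.2.10/paypal/login.php?cmd=%6C",
        "http://www.paypal.com.secure-login.example.net/",
        "http://www.bank.com@evil.example/",
        "http://203.0.113.5:8080/ebay/signin",
    ):
        print(f"{phishing_probability(u):.3f} {is_phishing(u)!s:5} {u}")
```

The point of the structure-only approach is cost: every feature here is computed from the string, so millions of URLs can be scored without fetching a single page, which is what lets the paper measure prevalence at scale. The obvious caveat is that a fixed feature list is easy to evade once known, which is why the weights, and ideally the features, should be refitted as phishers adapt.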


Proceedings Article
01 Jan 2007
TL;DR: Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, this paper measures how the shift from “hacking for fun” to “hacking for profit” has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.
Abstract: This paper studies an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, we measure how the shift from “hacking for fun” to “hacking for profit” has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.

414 citations


Journal ArticleDOI
TL;DR: This essay is an initial attempt to explore the feeling of security: where it comes from, how it works, and why it diverges from the reality of security.
Abstract: Security is both a feeling and a reality. And they’re not the same. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We can calculate how secure your home is from burglary, based on such factors as the crime rate in the neighborhood you live in and your door-locking habits. We can calculate how likely it is for you to be murdered, either on the streets by a stranger or in your home by a family member. Or how likely you are to be the victim of identity theft. Given a large enough set of statistics on criminal acts, it’s not even hard; insurance companies do it all the time. We can also calculate how much more secure a burglar alarm will make your home, or how well a credit freeze will protect you from identity theft. Again, given enough data, it’s easy. But security is also a feeling, based not on probabilities and mathematical calculations, but on your psychological reactions to both risks and countermeasures. You might feel terribly afraid of terrorism, or you might feel like it’s not something worth worrying about. You might feel safer when you see people taking their shoes off at airport metal detectors, or you might not. You might feel that you’re at high risk of burglary, medium risk of murder, and low risk of identity theft. And your neighbor, in the exact same situation, might feel that he’s at high risk of identity theft, medium risk of burglary, and low risk of murder. Or, more generally, you can be secure even though you don’t feel secure. And you can feel secure even though you’re not. The feeling and reality of security are certainly related to each other, but they’re just as certainly not the same as each other. We’d probably be better off if we had two different words for them. This essay is my initial attempt to explore the feeling of security: where it comes from, how it works, and why it diverges from the reality of security. 
Four fields of research—two very closely related—can help illuminate this issue. The first is behavioral economics, sometimes called behavioral finance. Behavioral economics looks at human biases—emotional, social, and cognitive—and how they affect economic decisions. The second is the psychology of decision-making, and more specifically bounded rationality, which examines how we make decisions. Neither is directly related to security, but both look at the concept of risk: behavioral economics more in relation to economic risk, and the psychology of decision-making more generally in terms of security risks. But both fields go a long way to explain the divergence between the feeling and the reality of security and, more importantly, where that divergence comes from.

236 citations


Patent
11 Apr 2007
TL;DR: In this article, a fraudulent business transaction application (FBTA) is presented for monitoring fraudulent transactions, where a consumer supplies account access information in order to carry out an Internet business transaction, the FBTA uses an online fraud mitigation engine to detect phishing intrusions and identity theft.
Abstract: A fraudulent business transaction application (FBTA) is provided in embodiments of the present invention for monitoring fraudulent transactions. When a consumer supplies account access information in order to carry out an Internet business transaction, the FBTA uses an online fraud mitigation engine to detect phishing intrusions and identity theft. Embodiments are also provided for calculating travel velocity and transaction frequency, which are useful for determining a fraudulent transaction. Further embodiments are provided for authenticating a transaction using a cookie stored on a client device and a behavior profile stored on a server.

177 citations
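The patent abstract above names three fraud signals without describing how they are computed: travel velocity, transaction frequency, and a device cookie checked against a server-side behaviour profile. The following is an added example, not the patent's or any vendor's code, showing one way to implement all three over a per-account transaction history: great-circle distance between consecutive geolocated transactions divided by elapsed time (flagged when it exceeds a speed a traveller could plausibly reach), a count of transactions inside a sliding window, and a lookup of the client's cookie in the set of devices previously seen for that account. The 900 km/h ceiling, the 10-minute window, the limit of three transactions, the transaction records and the "known device" sets are all constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Txn:
    account: str
    when: datetime
    lat: float
    lon: float
    device_cookie: str  # opaque identifier previously set on the client device


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def travel_velocity_kmh(prev: Txn, cur: Txn) -> float:
    """Speed the account holder would have needed to move between two transactions."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0  # same instant, different place
    return dist / hours


def flag_transactions(txns, known_devices, max_kmh=900.0,
                      window=timedelta(minutes=10), max_in_window=3):
    """Return (txn, reasons) for every transaction that trips at least one rule.

    known_devices maps account -> set of device cookies seen during normal use,
    standing in for the server-side behaviour profile.
    """
    history = {}
    flagged = []
    for t in sorted(txns, key=lambda x: x.when):
        hist = history.setdefault(t.account, [])
        reasons = []
        if hist:
            v = travel_velocity_kmh(hist[-1], t)
            if v > max_kmh:
                reasons.append(f"travel velocity {v:.0f} km/h exceeds {max_kmh:.0f} km/h")
        recent = sum(1 for h in hist if t.when - h.when <= window)
        if recent + 1 > max_in_window:
            reasons.append(f"{recent + 1} transactions within {window}")
        if t.device_cookie not in known_devices.get(t.account, set()):
            reasons.append(f"unrecognised device cookie {t.device_cookie}")
        hist.append(t)
        if reasons:
            flagged.append((t, reasons))
    return flagged


# Constructed sample data for the example (not real transactions).
UTC = timezone.utc
SAMPLE_TXNS = [
    Txn("acct-1", datetime(2007, 4, 11, 9, 0, tzinfo=UTC), 40.7128, -74.0060, "dev-a"),   # New York
    Txn("acct-1", datetime(2007, 4, 11, 10, 0, tzinfo=UTC), 51.5074, -0.1278, "dev-zzz"),  # London, 1 h later
    Txn("acct-2", datetime(2007, 4, 11, 12, 0, tzinfo=UTC), 48.8566, 2.3522, "dev-b"),
    Txn("acct-2", datetime(2007, 4, 11, 12, 2, tzinfo=UTC), 48.8566, 2.3522, "dev-b"),
    Txn("acct-2", datetime(2007, 4, 11, 12, 4, tzinfo=UTC), 48.8566, 2.3522, "dev-b"),
    Txn("acct-2", datetime(2007, 4, 11, 12, 6, tzinfo=UTC), 48.8566, 2.3522, "dev-b"),    # 4th in 6 min
    Txn("acct-3", datetime(2007, 4, 11, 15, 0, tzinfo=UTC), 35.6762, 139.6503, "dev-c"),
]
KNOWN_DEVICES = {"acct-1": {"dev-a"}, "acct-2": {"dev-b"}, "acct-3": {"dev-c"}}

if __name__ == "__main__":
    for txn, reasons in flag_transactions(SAMPLE_TXNS, KNOWN_DEVICES):
        print(txn.account, txn.when.isoformat(), "; ".join(reasons))
```

Two practical caveats. IP geolocation is coarse and VPN exits move "location" legitimately, so velocity should raise friction (step-up authentication), not block outright. And the device cookie is only as trustworthy as the channel that set it: a cookie stolen by the same malware that harvested the credentials will pass this check, which is why it is one signal among several rather than an authenticator on its own.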


Proceedings Article
30 Jan 2007
TL;DR: In this article, a user-centric approach based on hardware and software technology is proposed to assist users when accessing online services with the aim of making them better able to control and manage their digital identities.
Abstract: Digital identities represent who we are when engaging in online activities and transactions. The rapid growth in the number of online services leads to an increasing number of different identities that each user needs to manage. As a result, many people feel overloaded with identities and suffer from password fatigue. This is a serious problem and makes people unable to properly control and protect their digital identities against identity theft. This paper discusses usability and privacy in online identity management solutions, and proposes a general approach for making users better able to control and manage their digital identities, as well as for creating more secure identity management solutions. More specifically, we propose a user-centric approach based on hardware and software technology on the user side with the aim of assisting users when accessing online services.

147 citations


Patent
08 Jun 2007
TL;DR: In this paper, the problem of identity theft associated with the use of payment cards such as credit and debit cards, as well as identity fraud associated with using identity cards, such as driver's licenses and social security cards, is addressed.
Abstract: The system, method, and apparatus of the present invention, address the problem of identity theft associated with the use of payment cards such as credit and debit cards, as well as identity theft associated with the use of identity cards such as driver's licenses and social security cards. An apparatus including a biometric input component that authenticates a system user is disclosed herein. Upon authentication, a proxy account number and a time varying security code are generated and displayed on the apparatus. The dynamically generated number and security code are then used to validate the user's identity within the system. Furthermore, the system, method, and apparatus of the present invention can be used to consolidate into one instrument, several payment and identity instruments.

127 citations
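The patent abstract above describes a device that, after authenticating its holder, displays a proxy account number and a time-varying security code which the issuer then validates. The abstract does not say how the code is derived or how the proxy is bound to the real account, so the following is an added example of one standard realisation, not the patented method: the RFC 6238 TOTP construction (HMAC-SHA1 over a 30-second counter, dynamically truncated to six digits) for the code, and a server-side vault that maps a random, single-use proxy number to the real account for a limited time. The vault class, the "9" prefix marking synthetic numbers, the 300-second lifetime and the single-use policy are assumptions for this illustration; the TOTP test vector in the assertions is from RFC 6238 Appendix B.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30
CODE_DIGITS = 6


def time_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
              digits: int = CODE_DIGITS) -> str:
    """Time-varying code: the RFC 6238 TOTP construction with HMAC-SHA1."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_code(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the current step and +/- skew_steps neighbours; compare in constant time."""
    for k in range(-skew_steps, skew_steps + 1):
        expected = time_code(secret, unix_time + k * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


class ProxyAccountVault:
    """Issues short-lived proxy numbers that stand in for a real account number.

    A merchant only ever sees the proxy and the time code; the mapping to the
    real account stays here, server side. (Design assumptions for this example.)
    """

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._map = {}  # proxy -> (real_account, device_secret, issued_at)

    def issue(self, real_account: str, device_secret: bytes, now: int):
        """Called after the device has authenticated its holder (biometric step not modelled)."""
        # 16 digits; the leading '9' is an assumed marker that this is not a real card number.
        proxy = "9" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        self._map[proxy] = (real_account, device_secret, now)
        return proxy, time_code(device_secret, now)

    def redeem(self, proxy: str, code: str, now: int):
        """Return the real account if the proxy is live and the code verifies, else None."""
        entry = self._map.get(proxy)
        if entry is None:
            return None
        real_account, device_secret, issued_at = entry
        if now - issued_at > self.ttl:
            del self._map[proxy]                 # expired: drop it
            return None
        if not verify_code(device_secret, code, now):
            return None
        del self._map[proxy]                     # single use: a replayed proxy is rejected
        return real_account


if __name__ == "__main__":
    dev_secret = secrets.token_bytes(20)         # per-device seed shared with the issuer
    vault = ProxyAccountVault()
    proxy, code = vault.issue("real-account-0001", dev_secret, now=1_000_000)
    print("shown on device:", proxy, code)
    print("issuer resolves:", vault.redeem(proxy, code, now=1_000_010))
    print("replay attempt: ", vault.redeem(proxy, code, now=1_000_020))
```

Two properties matter for the identity-theft threat the patent targets. A skimmed proxy and code are worthless once redeemed or expired, so a database of captured proxies has no resale value; and the comparison uses `hmac.compare_digest` so a verifier cannot be timed digit by digit. The seed still has to be provisioned to the device and stored by the issuer securely; the construction protects what is transmitted, not what is stored at the ends.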


Book
01 Jan 2007
TL;DR: In this paper, the authors present an overview of the forensic accounting and fraud examination process and its application in the legal and auditing environment, including the forensic science and computer forensics domain.
Abstract: Part One: Introduction to Forensic Accounting and Fraud Examination
1. Introduction to Forensic Accounting and Fraud Examination
2. The Forensic Accounting Legal Environment
3. Fundamentals 1: Accounting Information Systems
4. Fundamentals 2: The Auditing Environment
Part Two: Fraud Examination Theory, Practice, and Methods
5. Fraud Prevention and Risk Management
6. Fraud Detection
7. The Fraud Investigation and Engagement Processes
8. The Evidence Collection Process
9. Fraud Examination Evidence I: Physical, Documentary, and Observational Evidence
10. Fraud Examination Evidence II: Interview and Interrogation Methods
11. Fraud Examination III: Forensic Science and Computer Forensics
12. The Fraud Report, Litigation, and the Recovery Process
Part Three: Occupational and Organizational Fraud
13. Employee, Vendor, and Other Frauds against the Organization
14. Financial Statement Fraud
15. Fraud and SOX Compliance
Part Four: Specialized Fraud Areas
16. Tax Fraud
17. Bankruptcy, Divorce, Identity Theft, and Loan and Insurance Fraud
18. Organized Crime, Counterterrorism, and Antimoney-Laundering
Part Five: Other Forensic Accounting Services
19. Business Valuation
20. Dispute Resolution Services

117 citations


Journal IssueDOI
TL;DR: It is found that both punishment and ethics training can be effective in mitigating the threat of software and information security, but that these depend on certain underlying motivational factors of individuals.
Abstract: Information security is a growing concern among the general population. For instance, it has been estimated by the U.S. Department of Justice (2004) that one in three people will become victims of identity theft at some point in their lifetime. The bulk of the research into information security has gone into the investigation of technological aspects of security, and there are gaps in the literature relative to contravention of security measures. Drawing from deterrence theory and using the theory of planned behavior as a general framework, this empirical field study investigated the effects of punishment and ethics training on behaviors related to contravention of information security measures among information professionals to fill an important gap in the literature. We found that both punishment and ethics training can be effective in mitigating the threat of software and information security, but that these depend on certain underlying motivational factors of individuals. The results of this study suggest a need to develop and refine the theoretical models, and we offer suggestions for getting at the root of behavioral issues surrounding information security. © 2007 Wiley Periodicals, Inc.

86 citations


Patent
07 Mar 2007
TL;DR: In this article, a system and method is presented that anonymously collects and uses consumer purchase data, including radio frequency metrics, linked to individual characteristics, including demographic and attitudinal profiles of each user, while protecting individual users' identities.
Abstract: A system and method that anonymously collects and uses consumer purchase data, including radio frequency metrics, linked to individual characteristics, including demographic and attitudinal profiles of each user, while protecting individual users' identities. Uniquely identifying information about the user is not requested or recorded, keeping individual users anonymous and protected from unrequested solicitations, identity theft, and disclosure of individually identifying information to any third party. This data can then be used for a variety of purposes, including mass marketing, individually targeted marketing, and market research.

65 citations


Patent
28 Feb 2007
TL;DR: In this article, a system, method and computer program product is described for receiving information relating to a financial account of an individual from at least one first data provider, and preparing a report relating to the individual's identity theft based on the information.
Abstract: A system, method and computer program product for receiving information relating to a financial account of an individual from at least one first data provider; receiving information relating to at least one of an identity theft expense reimbursement insurance policy of the individual, a public information relating to the individual, an identity theft risk score of the individual, a credit card registry of the individual, a backup data relating to the individual, a background information of the individual, and a business report relating to the individual, from at least one second data provider; and preparing a report relating to the individual's identity theft based on the information.

65 citations


Journal Article
TL;DR: In this paper, the authors argue that despite the widespread agreement that identity theft causes financial damage to consumers, creditors, retail establishments, and the economy as a whole, few in-depth studies have been done.
Abstract: TABLE OF CONTENTS
I. INTRODUCTION
II. THE KNOWN KNOWNS: IDENTITY THEFT
A. New Account Fraud
B. Account Takeover
III. THE KNOWN UNKNOWNS
A. Missing Data and Other Limitations of Identity Theft Surveys
B. Law Enforcement Statistics Do Not Capture the Problem
IV. MAKING THE KNOWN UNKNOWNS KNOWN
A. Mandated Public Reporting of Identity Theft Incidence and Severity
B. Who Should Report and to Whom
V. THE CHALLENGES OF THE REPORTING APPROACH
A. Institutions Themselves Are Not Always Aware of Identity Theft
B. Reporting Could Enable Fraud
C. Reporting Will Pit Financial Institutions Against Victims
D. The Market Will Solve the Identity Theft Problem
VI. THE BENEFITS OF THE REPORTING APPROACH
A. Reporting Will Identify the Most Vulnerable Practices
B. Reporting Will Provide Metrics for Interventions
C. Reporting Will Focus Public Attention on the Real Problem
D. A More Competitive Market for Protecting Consumers Will Arise
VII. CONCLUSION

I. INTRODUCTION
REPORTS THAT SAY THAT SOMETHING HASN'T HAPPENED ARE ALWAYS INTERESTING TO ME, BECAUSE AS WE KNOW, THERE ARE KNOWN KNOWNS; THERE ARE THINGS WE KNOW WE KNOW. WE ALSO KNOW THERE ARE KNOWN UNKNOWNS; THAT IS TO SAY WE KNOW THERE ARE SOME THINGS WE DO NOT KNOW. BUT THERE ARE ALSO UNKNOWN UNKNOWNS--THE ONES WE DON'T KNOW WE DON'T KNOW. (1)
There is widespread agreement that identity theft causes financial damage to consumers, creditors, retail establishments, and the economy as a whole. (2) The Federal Trade Commission ("FTC") has identified it as the fastest growing white collar crime; (3) federal and state governments have enacted numerous laws to curb its incidence and severity. (4) The contours of the identity theft problem, however, are known unknowns: no one knows the prevalence of identity theft, the relative rates of "new account fraud" and "account takeover," (5) or the effect this crime has on the economy.
What is more, the advent of "synthetic" identity theft (6) has exacerbated these measurement difficulties. These known unknowns present serious problems. They hamper attempts to evaluate the scope of the crime and to allocate law enforcement resources more efficiently. They also prevent us from determining whether various consumer protection interventions have been effective. Because of these unknowns, we cannot tell whether consumers, regulators, and businesses are over- or under-reacting to the crime. They prevent us from evaluating how the costs of the crime are distributed in society. These unknowns even foreclose the basic determination of whether the prevalence or severity of identity theft has changed over time. Why, despite increases in identity theft, are law enforcement, the public, industry, or policymakers unable to measure the crime accurately? This Article argues that the answer lies in the methods used to measure the problem. What we do know has been learned through telephone and Internet surveys; however, few in-depth studies have been done. (7) While well-intentioned and valuable for some purposes in the identity theft policy debate, these surveys cannot completely document the contours of the crime. More fundamentally, however, we are asking the wrong people about the crime. The surveys seek to obtain information about identity theft from its victims--individuals who have the most limited view of the problem. Victims often do not know how their personal data were stolen or who stole the information. Financial institutions are in a better position to report information on identity theft. If lenders and organizations that control access to accounts (including payment companies such as PayPal and Western Union) were required to provide statistics about identity theft, a more complete and detailed picture would emerge. 
However, these data have significant potential to cause embarrassment and attract unwanted regulatory attention, which may explain why these institutions have not made these data publicly available. …

Journal ArticleDOI
TL;DR: The findings demonstrate that multiple writing techniques are used to generate responses and information from victims and enable identity theft in advance fee fraud e-mail messages.
Abstract: Criminals utilize the Internet to perpetrate all manner of fraud, with the largest dollar losses attributed to advance fee fraud e-mail messages. These messages come from individuals who claim to need assistance moving a large sum of money out of their country. Individuals who respond to the messages often become victims of fraud and identity theft. Few criminologists have examined this type of fraud, thus this study explores the mechanisms employed by scammers through a qualitative analysis of 412 fraudulent e-mail messages. The findings demonstrate that multiple writing techniques are used to generate responses and information from victims. Half of all the messages also request that the recipient forward their personal information to the sender, thereby enabling identity theft. The implications of this study for law enforcement and computer security are also discussed.

Journal Article
TL;DR: Now that organized crime has become involved, the money available to help thieves carry out the crimes is immense and the potential reward for criminals who succeed in these malicious acts is huge.
Abstract: Identity theft is the fastest growing crime in America, occurring when the criminal obtains confidential information from an individual or business and uses it to access private financial accounts. In today’s world of information technology, many thieves prey on their victims via the Internet. The level of disclosure of personal information in many of today’s information age transactions is what leaves so many individuals and businesses open to identity theft. Two of the most common ways that thieves acquire personal information to aid them in identity theft are phishing and pharming. Phishing utilizes bulk e-mail messages to entice recipients into revealing personal information. Pharmers, on the other hand, cast a wide net for the unwary. There is a huge potential reward for criminals who succeed in these malicious acts. In addition, now that organized crime has become involved, the money available to help thieves carry out the crimes is immense.

Proceedings ArticleDOI
10 Apr 2007
TL;DR: The approach is based on the ideas of compartmentalization for isolating applications of different trust level, and a trusted wallet for storing credentials and authenticating sensitive services, and requires no special care from users for identifying the right Web sites while the disclosure of credentials is strictly controlled.
Abstract: Identity theft through phishing attacks has become a major concern for Internet users. Typically, phishing attacks aim at luring the user to a faked Web site to disclose personal information. Existing solutions proposed against this kind of attack can, however, hardly counter the new generation of sophisticated malware phishing attacks, e.g., pharming Trojans, designed to target certain services. This paper aims at making the first steps towards the design and implementation of a security architecture that prevents both classical and malware phishing attacks. Our approach is based on the ideas of compartmentalization for isolating applications of different trust levels, and a trusted wallet for storing credentials and authenticating sensitive services. Once the wallet has been set up in an initial step, our solution requires no special care from users for identifying the right Web sites, while the disclosure of credentials is strictly controlled. Moreover, a prototype of the basic platform exists and we briefly describe its implementation.

Journal ArticleDOI
TL;DR: An overview of the evolution and forecasted trend of phishing activities with detailed analysis on common phishing features, proliferation channels, relevant anti-phishing measures, related legislation, and an anti- phishing framework from the perspective of social responsibility are provided.
Abstract: Phishing, a newly risen identity fraud of this century, has already caused huge financial loss and social disorder. This paper provides an overview of the evolution and forecasted trend of phishing activities with detailed analysis on common phishing features, proliferation channels, relevant anti-phishing measures, related legislation, and an anti-phishing framework from the perspective of social responsibility. The objective of the research is to enhance public awareness of phishing and to inform end users and owners of e-commerce sites of proper measures to detect and prevent this criminal activity.

Proceedings ArticleDOI
13 Jun 2007
TL;DR: An independent, scenario-based comparison of six prominent policy languages, namely Protune, Rei, Ponder, Trust-X, KeyNote and P3P-APPEL, with respect to the needs that users have in protecting their personal, sensitive data is presented.
Abstract: Uncontrolled disclosure of sensitive information during electronic transactions may expose users to threats like loss of privacy and identity theft. The means envisioned for addressing protection of security and privacy in the context of the Semantic Web are policy languages for trust establishment and management. Although a number of policy languages have been proposed, it is unclear how well each language can address users' privacy concerns. The contribution of this work is an independent, scenario-based comparison of six prominent policy languages, namely Protune, Rei, Ponder, Trust-X, KeyNote and P3P-APPEL, with respect to the needs that users have in protecting their personal, sensitive data. We present how each language addresses access control for objects, such as user credentials and sensitive policies. We evaluate how each language defines or imports hierarchies of resources, whether the language supports protection of user information after it has been released, whether the language supports the principle of least privilege and more. The evaluation is not only an analytical literature study but also rich in actual implementations in all six languages.

Posted Content
TL;DR: In this article, the authors argue that if lending institutions reported limited information about identity theft, it would reveal that identity theft is both more prevalent and economically damaging than currently acknowledged, in part because of the rise of synthetic identity theft.
Abstract: There is widespread agreement that identity theft causes financial damage to consumers, lending institutions, retail establishments, and the economy as a whole. Surprisingly, there is little good public information available about the scope of the crime and the actual damages it inflicts. The publicly available data on identity theft come mainly from survey research. Methodologically, these survey polls of the public suffer from being both under and over-inclusive in measuring the problem. As a result, low estimates attribute tens of billions of dollars in costs to the economy and consumers, the highest estimates place losses in the hundreds of billions. To identify proper interventions and appropriately allocate resources we need comprehensive, hard data on the scope and effect of identity theft. One way to provide concrete data is to require lending institutions to publicly report figures on identity theft. Such public reporting will help identify the relative need for intervention and the likely efficacy of interventions. These disclosures are necessary to provide a sound baseline for investment by businesses and action by regulators. They are also warranted because the public pays the price of identity theft directly when they are the victim, and indirectly through higher fees, interest rates, and because the losses are tax subsidized. The author hypothesizes that if lending institutions reported limited information about identity theft, it would reveal that identity theft is both more prevalent and economically damaging than currently acknowledged, in part because of the rise of synthetic identity theft, a form that cannot be measured by victim surveys because they are unaware of the crime. Furthermore, the disclosure requirement would birth an anti-identity theft market, and the prevalence and severity of the crime would decrease dramatically as institutions compete to offer the safest financial products to consumers.

Journal ArticleDOI
TL;DR: The purpose of this paper is to educate the internet consumer, who may be a potential phishing victim, and to suggest a framework of anti‐phishing measures, following the staggering increase in the number of recent phishing attacks.
Abstract: Purpose – The purpose of this paper is to educate the internet consumer, who may be a potential phishing victim, and to suggest a framework of anti‐phishing measures, following the staggering increase in the number of recent phishing attacks. Phishing describes a method of online identity theft, in which phishers typically pose as legitimate organisations when sending deceptive e‐mail messages to internet users. When they respond to such e‐mails, victims are lured to malicious web sites, where they are duped into disclosing their personal details. In this way, phishers are able to commit identity theft, with possibly devastating consequences for the victim.
Design/methodology/approach – After a literature review of the available sources, the phishing threat is investigated by analysing the modus operandi of phishers and the basic components of a typical phishing scheme. A possible solution for the phishing problem is examined.
Findings – Phishers continually target the weakest link in the security ch...

Posted Content
TL;DR: The nature of identity theft today and the factors underlying its mounting risks are looked at, and whether markets are able to limit the risks identity theft poses to the payment system is explored.
Abstract: Imagine sitting at a computer and with a few keystrokes having the personal information of person after person appear on the monitor: names, addresses, Social Security numbers, debit card account numbers and PINs, bank account numbers and passwords, mother's maiden name, and more. This happens every day, and the information is for sale in electronic markets. Buyers can use the information to commit fraud on existing financial accounts or on accounts opened with the information. This is the face of identity theft.
Identity theft has been a feature of financial markets for as long as alternatives have existed to cash transactions. Until recently, it occurred on a small scale, involving, for example, the theft of personal checks and the forging of the account holder's signature to cash them. That type of identity theft posed a risk to the individual consumer, and the risk was relatively small: Access to the consumer's personal checks did not offer access to all of the consumer's financial accounts.
Such individualized acts of identity theft still occur, but more often identity theft occurs on a larger scale. Data breaches typically involve the apparent loss or acknowledged theft of the personal identifying information of thousands-or millions-of people. This poses a risk to the individual but also to the integrity and efficiency of the payment system-the policies, procedures, and technology that transfer information for authenticating and settling payments among participants. Identity theft can cause a loss of confidence in the security of certain payment methods and an unwillingness to use them. Markets can cease operating or switch to less efficient payment methods. Either represents a loss of efficiency for the economy.
This article looks at the nature of identity theft today and the factors driving its growth and explores whether markets are able to limit its risk to the payment system. Section I explains what identity theft is. Section II discusses the magnitude of the problem. Section III describes the factors behind the recent growth in identity theft. Section IV considers the risks identity theft poses to the payment system because markets provide too little protection for personal identifying information.
I. WHAT IS IDENTITY THEFT?
There is disagreement about how to define "identity theft." Commonly used definitions differ in the range of acts that constitute the crime. Some definitions are more inclusive; some, less so. The definition matters because it affects how identity theft is measured and how it can be combated.
"Identity" refers to the distinguishing character or personality of an individual. A person's true or inner identity-his or her thoughts, feelings, and preferences-is not directly observable. The outer identity is that by which others recognize the person. Imagine a list of all of a person's characteristics: birth date, eye color, address, parents' names, favorite color, bank account number, frequency of shopping at the local grocery store, etc. The list includes unchanging features (birth date, parents' names), behavioral patterns (frequency of shopping at the local grocery store), and identifiers assigned by others to recognize the individual (bank account number, Social Security number, driver's license number). Each item in the list is a piece of personal identifying information (PII), and the complete list is a representation of the person's identity. Others recognize the person by matching him or her against the parts of the list of which they have knowledge.1 Friends, relatives, and co-workers tend to rely on physical features-the way the person looks and the sound of his or her voice, for example-to identify the person. Parties with whom the person transacts rely on identifiers that work well remotely, such as name, address, phone number, and Social Security number.
The subsets of PII that are used in transacting can be thought of as transactional identities. Identity theft involves the theft of elements of a person's identifying characteristics (items in the list such as name, address, credit card number). …

Journal ArticleDOI
TL;DR: In this article, the authors explore the reasons why consumers do not shop for privacy on the Internet and discuss the implications for the expanding market for consumer information, concluding that privacy is a concern for all major stakeholders in modern society, and technology to erode privacy continually emerges.
Abstract: Privacy is a concern for all major stakeholders in modern society, and technology to erode privacy continually emerges. Studies show that individuals are concerned about database privacy; yet, they seldom make privacy a salient attribute when deciding among competing alternatives. Although privacy policies are present on many Web sites, Web users rarely bother to read them. Professor Nehf explores why this is so, identifying rational reasons why Web users do not shop for privacy and discussing the implications for the expanding market for consumer information. Unless privacy becomes a salient attribute influencing consumer choice, Web site operators will continue to obtain and use more personal information than Web users would choose to provide in a more transparent exchange. In a responding commentary, Professors Pitt and Watson use an ecosystem approach that explores the multiple dimensions of privacy. Investigating the interactions between the three major players--citizen/consumer/investor, government, and corporation--they identify reasons for the failure of market mechanisms to arise to protect privacy.

Protecting consumer privacy in the United States is largely the responsibility of individuals, who are expected to guard their personal information and take steps to minimize the risk that it will be used in an unauthorized way. Although federal (and a few state) laws restrict sharing some kinds of personal information--in health-related fields (Health Insurance Portability and Accountability Act of 1996), the financial services industry (Gramm-Leach-Bliley Act), and a handful of other economic sectors such as video rentals, children's Web sites, and telecom industries--the restrictions are riddled with exceptions. In most aspects of daily life, individuals are expected to take steps to protect their own privacy interests (Solove 2001).

This is particularly true for consumer transactions on the Internet, most of which are not subject to state or federal privacy laws. The self-policing model would be more effective if a market for information privacy were conducive to individuals shopping their privacy preferences online. This paper summarizes many of the reasons privacy shopping seldom occurs. On the surface, market incentives seem to be present. Many online businesses purport to collect only a minimum of customer data and to keep it secure. On the consumer side, many individuals are concerned about identity theft or the embarrassing release of private facts about them (Hoar 2001; Norberg, Horne, and Horne 2007; Saunders and Zucker 1999), and they give as little personal information as possible in online transactions (Sheehan and Hoy 1999). For most consumers and businesses, however, privacy-enhancing market incentives are weak, and the conditions for market failure are strong. Consumers do not shop for privacy, and there are several reasons why.

AGGREGATION AND EASY TRANSFER OF DATA

A system that relies on individuals to police their privacy rights presumes that individuals can value privacy rights meaningfully. If people do not know what information is being collected, how it could be used, and what harm might result from its collection and use, they have no way to judge how much it is worth to them (in time, money, or other trade-offs). To make an informed choice about whether and how to share personal information, and whether to make an effort to protect it, people need to know what is at stake. Most people have no idea what information a Web site collects and how it will be used. In rare instances, a user will take time to read a Web site's privacy policy, but even then the information is only marginally helpful. Most privacy policies are obtuse and noncommittal (LaRose and Rifon 2007; Milne, Culnan, and Greene 2006), but even a straightforward policy can be deceiving.

For example, many privacy policies state that the site uses cookies and other means to obtain customer information and that it shares customer data only with affiliated companies and firms that have entered into joint marketing agreements with the site host. …

Book
17 Dec 2007
TL;DR: In this book, the authors review the history of state audit and its application in modern public administration, focusing on why public programmes are often late, cost more than planned and do not work as intended, and on the causes of public programme failure.
Abstract: Preface. Acknowledgements. 1 Introduction. 1.1 Modern Public Administration. 1.2 The Traditions of State Audit. 1.3 The Contents and Argument of this Book. 2 Why Bureaucracy Will Never Work. 2.1 Public Programmes are Often Late, Cost More than Planned and do not Work as Intended. 2.2 The Causes of Public Programme Failure. 2.3 Bureaucracy's Fundamental Flaw. 2.4 Literary Insights. 2.5 Wider Problems with Bureaucracy. 2.6 The Flaws of Bureaucracy have been Reinforced by Traditional Audit. 2.7 Summary. 3 The Failure to Analyse Outcomes. 3.1 How is Value for Money to be Secured? 3.2 Traditional Outputs are Valuable but Cannot Demonstrate Value for Money. 3.3 Public Choice. 3.4 Cost Benefit Analysis and Cost Effectiveness Analysis. 3.5 Value for Money Auditing. 3.6 Greater Focus on Outcomes. 3.7 More Sophisticated Diagnostic and Analytical Techniques. 3.8 Summary. 4 How Effective Audit can be Secured - the Auditor as Coach and Mentor Rather than Critic and Nark. 4.1 How can Progress be Made? 4.2 Separate Methodologies for Separate Subjects. 4.3 The Meanings which Participants give to their Roles. 4.4 Understanding 'Accountability'. 4.5 The Relevance of Social Anthropology. 4.6 The Auditor as Coach and Mentor. 4.7 Conclusion. 4.8 Summary. 5 Privatisation - The Alternative to Bureaucracy? 5.1 Private and Public Sector Approaches Compared. 5.2 Getting the Best from Privatisation. 5.3 The Privatisation Process - the General Issues. 5.4 Getting the Best from Privatisation. 5.5 The Importance of having the Right Pre-conditions in Place to Maximise the Success of Privatisation. 5.6 Conclusion. 5.7 Summary. 6 Public Private Partnerships - Another Option. 6.1 Getting the Best from PFI/PPP Deals. 6.2 Selecting the Best Project. 6.3 Applying the Proper Processes to PPP/PFI. 6.4 Selecting the Best Bid. 6.5 Checking the Deal Makes Sense. 6.6 Delivering Long Term Value for Money. 6.7 Good Practice for the Future. 6.8 Questions for the Future. 6.9 Summary. 
7 Regulations - Bureaucracy's Tentacles. 7.1 Bureaucracies Cause Regulations to Grow - for Commendable and Less Commendable Reasons. 7.2 The Costs of these Regulations are Hidden, and Quite Pernicious. 7.3 The Auditor can Help to Some Extent... 7.4 ... But Society's Addiction to Rules and Regulations Makes it Hard to do. 7.5 Summary. 8 Meeting Citizens' Needs - Quality of Public Services. 8.1 Barriers to High Quality Services. 8.2 Improving the Quality of Public Services. 8.3 The Implications for Audit. 8.4 Conclusions. 8.5 Summary. 9 Risk Averse or Risk Ignorant? 9.1 Risk Ignorance and Bureaucracy. 9.2 The Application of Technology. 9.3 Human Behaviour. 9.4 Asymmetry of Information. 9.5 Agency Interdependence. 9.6 The Impact of the Media. 9.7 'The Risk Management of Everything'. 9.8 The Requirements for Effective Risk Management - General. 9.9 Effective Risk Management - Top Level Commitment. 9.10 Effective Risk Management - Synergy through the Delivery Chain. 9.11 Effective Risk Management - Understanding and Managing Common Risks Together. 9.12 Effective Risk Management - Reliable, Timely and up to Date Information. 9.13 Effective Risk Management - Scrutiny and Challenge. 9.14 Conclusion. 9.15 Summary. 10 Vulnerability to Fraud, Theft and Corruption. 10.1 Varieties of Fraud, Theft and Corruption. 10.2 What are Fraud, Corruption and Theft? 10.3 Definition of Terms. 10.4 Crime and Punishment. 10.5 Problems Faced by the UK: Diagnosis and Cure. 10.6 Macro Weaknesses: Social Security Benefits and Tax Credits. 10.7 Micro Weaknesses: Abuse of Trust. 10.8 A Failure to Pilot: Fraud and Abandonment. 10.9 Fraud versus Corruption. 10.10 The Changing Nature of Fraud: Identity Theft, Information Technology and Organised Crime. 10.11 Conclusions. 10.12 Summary. 11 Programme and Project Management - Bureaucracies' Weakest Link? 11.1 Bureaucracies' Failures. 11.2 Transcending Failure. 11.3 Examining Broader Delivery Issues. 11.4 Conclusion. 11.5 Summary. 
12 Performance Measurement - Clarity or Confusion? 12.1 Management by Objectives and Performance Measurements. 12.2 Performance Measurement Methodologies. 12.3 International Experience. 12.4 Experience in the United Kingdom. 12.5 The Difficulties of Determining what Interventions Secure the Desired Outcomes. 12.6 Outcome Measuring - the Influence of External Factors. 12.7 Outcome Measures: Links Between the Public, Staff and Delivery Agents. 12.8 Outcome Measures: Specification, Incentives and Accountabilities. 12.9 Outcome Measures: Accountability. 12.10 Outcome Measures: Data Quality and Reporting. 12.11 Conclusions. 12.12 Summary. 13 Organising the Audit. 13.1 What Results do We Achieve? 13.2 Conclusion and Summary. 14 Concluding Thoughts. 14.1 Traps. 14.2 The Future. Appendix: Value for Money Methodology. A1 The Choice of Subject. A2 The Team. A3 Study Process and Methodology. Bibliography. Index.

Posted Content
TL;DR: In this article, the authors identify four contemporary regulatory strategies, pioneered in the environmental field, that could serve as particularly good models for privacy regulation: emission fees, pollution transfer and release registries, regulatory covenants, and government support for environmental management systems.
Abstract: The Information Economy produces a host of new injuries to personal privacy. These include damage from data mining, data spills, identity theft, the tracking of online activity, and spam. Policymakers are currently searching for a framework with which to think about the governance of these pressing problems. This article argues that environmental law can serve as a useful model. Environmental law is promising for two reasons. First, privacy injuries and environmental damage share a common conceptual structure. Both are negative externalities. Moreover, in the absence of regulation, both will produce a tragedy of the commons - privacy injuries will create such a tragedy in the online environment, while environmental damage will produce one in the natural world. These structural similarities suggest that environmental policy has been dealing with problems that are comparable to those that privacy regulation now faces, and so may be an appropriate model for it. Second, environmental law and policy has been the focal point of a decades-long, highly productive discussion about governance. The intensity of this debate, and the regulatory innovations that it has produced, have made environmental policy the hub of creative thinking about regulation. The article identifies four contemporary regulatory strategies, pioneered in the environmental field, that could serve as particularly good models for privacy regulation. They are: emission fees, pollution transfer and release registries, regulatory covenants, and government support for environmental management systems. The article describes each of these environmental policies in some detail. It then explains how policymakers might productively adapt them for use in protecting privacy. The author initially discussed these ideas in a brief book chapter that he posted on SSRN. This article explores the topic in far greater depth than that earlier publication.

Patent
23 May 2007
TL;DR: In this paper, an anti-fraud/anti-identity theft system verifies the authenticity of genuine identification devices, including credit cards, cellular telephones, and the like.
Abstract: An anti-fraud/anti-identity theft system verifies the authenticity of genuine identification devices, including credit cards, cellular telephones, and the like. Likewise the system detects counterfeit credit cards or lines of credit. The system comprises a modified retailer machine that verifies the cards and/or person at the time of buying or selling with a wide variety of security measures. The system further utilizes cellular telephones or electronic devices as a credit card-holding device, which device has a microprocessor computer embedded within the cellular telephone or device, which microprocessor computer can be operated to selectively turn on or turn off availability of credit card funds without closing the credit card account itself.

Proceedings ArticleDOI
01 Jul 2007
TL;DR: The paradigm shift from real-world organized crime to organized cyber crime is investigated, in particular with regard to identity theft through phishing and the methods deployed for the purpose of money laundering.
Abstract: We investigate the paradigm shift from real-world organized crime to organized cyber crime, in particular with regard to identity theft through phishing and the methods deployed for the purpose of money laundering. Our work is based on our collaboration with banks and lawyers within the working group Identity Protection on the Internet (a-i3) as well as with phishing victims in Germany. We report on case studies and analyze strategies used by phishers. We propose a forensic framework concept for identifying and tracing financial agents involved in the associated criminal network. Finally, we briefly discuss some open problems.

Journal Article
TL;DR: This Comment argues that a more effective methodology in the fight against cybercrime is to develop a model of community policing, in which the power to deter and prevent cyber crime is divested into the hands of individual computer users.
Abstract: Cybercrime - crime committed through the use of a computer - is a real and growing problem that costs governments, businesses, and individual computer users millions of dollars annually and that facilitates many of the same crimes committed in realspace, such as identity theft and the trafficking of child pornography, only on a larger scale. However, the current strategies deployed by law enforcement to combat cybercrime have proven ineffective. Borne out of traditional notions of criminal behavior, these strategies and tactics are often ill-suited to prevent or punish cybercrime, which often defies the traditional notions of criminal behavior bounded by the corporeal world, such as scale and proximity. This Comment argues that a more effective methodology in the fight against cybercrime is to develop a model of community policing, in which the power to deter and prevent cybercrime is divested into the hands of individual computer users. One such strategy for achieving effective community policing against cybercrime is through the increased use of open-source software, software in which users are given access to the underlying source code and may make modifications to that source code in order to ameliorate vulnerabilities that may enable cybercrime. This Comment looks at the development of traditional community policing strategies and argues that the increased use of open-source software - spurred by greater involvement by government and corporations - may be a more effective technique in the fight against cybercrime.

Book ChapterDOI
04 Aug 2007
TL;DR: This paper addresses the main informational privacy risks of Web 2.0 business models with a focus on online social networking sites. The FIDIS/IFIP workshop discussion has resulted in the idea to combine existing privacy-enhancing technologies and protection methods with new safeguarding measures to accommodate the Web 2.0 dynamics and to enhance the informational privacy of Web 2.0 users.
Abstract: New developments on the Internet in the past years have brought up a number of online social networking applications within the so-called Web 2.0 world that have experienced phenomenal growth and tremendous public attention. Online social networking services build their business model on the myriad of sensitive personal data provided freely by their users, a fact that is increasingly getting the attention of privacy advocates. After explaining the economic meaning and importance of online social networks to eCommerce in general and reiterating the basic principles of Web 2.0 environments and their enterprise mechanisms in particular, this paper addresses the main informational privacy risks of Web 2.0 business models with a focus on online social networking sites. From a literature review and current expert discussions, new privacy research questions are proposed for the future development of privacy-enhancing technologies used within Web 2.0 environments. The resulting paradigm shift needed in addressing privacy risks in social networking applications is likely to focus less on access protection, anonymity and unlinkability types of PET solutions and more on privacy safeguarding measures that enable greater transparency and that directly attach context and purpose limitation to the personally identifiable data itself. The FIDIS/IFIP workshop discussion has resulted in the idea to combine existing privacy-enhancing technologies and protection methods with new safeguarding measures to accommodate the Web 2.0 dynamics and to enhance the informational privacy of Web 2.0 users.

Proceedings ArticleDOI
09 Jul 2007
TL;DR: This paper proposes a service-oriented architecture framework called personal identity management that truly puts users in control over the management of their identities.
Abstract: Being proactive and vigilant is the best defense against identity theft and the invasion of privacy. This recurrent advice from public broadcasting attests that security breaches can happen and that no identity management system can provide foolproof security. The challenge is even greater in service-oriented architectures, where each user has their identities scattered across many services and has no control over the management of those identities. Recent research in the area of user-centric identity management makes user control and consent the key concept for identity management, but there is no consensus on the level of user-centricity. This paper proposes a service-oriented architecture framework called personal identity management that truly puts users in control over the management of their identities. The advantages of this proposal are demonstrated through a comparative analysis of relevant identity management systems against a set of criteria required for today's identity management.

Book ChapterDOI
14 May 2007
TL;DR: The paper takes an interdisciplinary approach to the key security and privacy issues arising from the use of ePassports, and analyses how European data protection legislation must be respected and what additional security measures must be integrated in order to safeguard the privacy of the EU ePassport holder.
Abstract: The European Union sees the introduction of the ePassport as a step towards rendering passports more secure against forgery while facilitating more reliable border controls. In this paper we take an interdisciplinary approach to the key security and privacy issues arising from the use of ePassports. We further analyse how European data protection legislation must be respected and what additional security measures must be integrated in order to safeguard the privacy of the EU ePassport holder.

Book ChapterDOI
Jan Camenisch, Birgit Pfitzmann
01 Jan 2007
TL;DR: The specific protocol types and security challenges of this protocol class, as well as what level of privacy can and cannot be achieved within this class, are discussed, and how optional properties such as revocability can be achieved in the idemix system.
Abstract: The more real business and interaction with public authorities is performed in digital form, the more important the handling of identities over open networks becomes. The rise in identity theft as a result of the misuse of global but unprotected identifiers like credit card numbers is one strong indicator of this. Setting up individual passwords between a person and every organization he or she interacts with also offers very limited security in practice. Federated identity management addresses this critical issue. Classic proposals like Kerberos and PKIs never gained wide acceptance because of two problems: actual deployment to end users and privacy. We describe modern approaches that solve these problems. The first approach is browser-based protocols, where the user only needs a standard browser without special settings. We discuss the specific protocol types and security challenges of this protocol class, as well as what level of privacy can and cannot be achieved within this class. The second approach, private credentials, solves the problems that none of the prior solutions could solve, but requires the user to install some local software. Private credentials allow the user to reveal only the minimum information necessary to conduct transactions. In particular, they enable unlinkable transactions even for certified attributes. We sketch the cryptographic solutions and describe how optional properties such as revocability can be achieved, in particular in the idemix system.

Book ChapterDOI
04 Aug 2007
TL;DR: This paper proposes a forensic framework that allows for profiling and tracing of the agents involved in phishing networks, and applies phishing methods against phishing agents.
Abstract: Identity theft — in particular through phishing — has become a major threat to privacy and a valuable means for (organized) cybercrime. In this paper, we propose a forensic framework that allows for profiling and tracing of the agents involved in phishing networks. The key idea is to apply phishing methods against phishing agents. In order to profile and trace phishers, their databases are filled with fingerprinted credentials (indistinguishable from real ones) whose deployment lures phishers to a fake system that simulates the original service.