Identity theft

About: Identity theft is a research topic. Over the lifetime, 2284 publications have been published within this topic receiving 31700 citations.

Anatomy of a Data Breach

Abstract: In the wake of undiscovered data breaches and subsequent public exposure, regulatory compliance and security audit standards are becoming more important to protecting critical assets Despite the increase in the number of data breaches via illicit means, internal controls seem to fail when it comes to the assurance that critical assets remain uncompromised According to the Identity Theft Resource Center, 336 breaches have been reported in 2008 alone, 69% greater than this time last year1 This is a concern for security teams, especially since a lack of dedicated resources exists to combat and revert this trend This is significantly important to take into consideration when going through the formal audit process to certify adherence to Sarbanes-Oxley (SOX), Graham Leach Bliley (GLBA), Payment Card Industry (PCI), or the Health Insurance and Portability and Accountability Act (HIPAA) With the significant increase in data exposure corporations cannot afford to take shortcuts when it comes to information assurance Otherwise it is almost certain that one will become a victim of a serious exposure of sensitive information This paper will explore the several disconnects between established and accepted security audit framework and the variable of hidden infections

Divided We Fall: Fighting Payments Fraud Together

Abstract: It is a great pleasure to be addressing this august group. As some of you know, I began my career at the Federal Reserve back in 1982. So speaking to you is like a homecoming for me. I have been fortunate in my career to participate in the U.S. banking economy from three perspectives: at the Fed, obviously a policymaking central bank; at Citibank, a lender; and at two financial technology providers, including 12 years at IBM (International Business Machines) and the last year at Fair Isaac, a leader in decision management technology. From these three perspectives, I have seen the tremendous collaboration that exists in the banking industry on the issue of fraud. However, from my current vantage point, I am also able to see a disturbing trend: More companies are declining to participate in some of these collaborative, consortium-based best practices. The reason is simple: They see a competitive advantage to keeping their information and experience to themselves. This raises some key issues for the financial services industry. Do we want to fight fraud or move it around? That is, do we want to reduce the amount of fraudulent activity overall, or are we content to just have the most advanced banks move it to the less advanced banks, and to shift it from well-protected channels to less protected channels? Does a failure to maximize our effectiveness at fraud prevention have even deeper consequences? Which people, which groups, and which activities might we be funding if we allow fraud to persist? And are private industry initiatives enough, or is there a role in fraud prevention for public sector initiatives, mandates, or intervention? I won't leave you guessing as to where I'm going with this. My experience has taught me the following. * Fraud is too important to the economic and social well-being of our country to let it persist and grow. * Individual gains must be balanced by the collective good. * It is better to stop a fraudster than send him to the bank next door. Now, my company is in the business of giving banks a competitive advantage. We have used consortium approaches to defeat fraud. We believe these collaborative approaches, along with ubiquity in protection, are essential ingredients in the fraud-fighting formula. They are necessary to reduce the "balloon effect" in fraud prevention, where progress in fighting a segment of fraud succeeds primarily in moving fraud from one place to another. We win when fraud loses--and fraud loses when we fight it together. Types of payments fraud Let me start by simply defining the key areas of payments fraud I'm discussing here. Fundamentally, we can divide fraud into two categories. There is first-party fraud, which is the abuse of account privileges by the account holders themselves, or the acquisition or expansion of those privileges by deceitful means. There is also third-party fraud, which is often identity fraud, or the abuse of one person's account by another. For the purposes of this talk, I am not discussing insider fraud, which is the misuse of a customer account by bank employees or others involved in the provision and distribution of financial services products. First-party fraud typically involves your customer opening an account with you, with the intention of violating the terms of the account agreement. It can also involve a borrower selling his information to criminals or constructing a fraudulent identity or deceitful credentials for gaining credit. This type of fraud very often shows up in the collections queue as bad debt. But it is not traditional bad debt--when it is intentional, it is fraud. [FIGURE 1 OMITTED] Third-party fraud is what we usually think of when we consider fraud. This is stolen identities, the use of lost or stolen cards, and the counterfeiting of cards or other means of account access. It encompasses a wide range of techniques. …

Secure Data Linkage and Information Sharing with GRHANITE

Abstract: Objectives: To address and simplify the operational, ethics, consent and governance processes during the secure collection of individual identifiers and the accurate, reliable and confidential identification and re-identification of individuals to facilitate safety and quality of health care as well as accurate and rigorous evaluation research. Background: Linking accurate personal information to decision support systems can improve professional services e.g. health care or financial management. Linking professions will promote integrated services, avoiding costly duplication of infrastructure and services. However, where person-specific information is held, there are risks of identity theft or confidentiality breaches. The ethics and governance processes involved in routinely collecting data for service provision, research, evaluation, quality assurance, policy development and governance reporting need to be integrated yet simplified. Methods: Functional specifications for ethical, secure and accurate information sharing and management were established. A flexible decentralised design methodology was adopted to develop GRHANITE [TM] to manage informed consent, encrypt, extract, link and manipulate personal clinical data without collecting or exposing personal identifiers. Results: GRHANITE [TM] reduces risks of confidentiality breaches and identity theft by dispensing with the need to collect and store recognisable person identifiers and by forcing informed consent processes. GRHANITE [TM] has interfaced with disparate technologies in a generic manner to: (1) demonstrate the secure, de-identified linkage processes enable accurate and reliable identification; (2) de-identification mechanisms with security protocols can effectively guarantee privacy in the collection, linkage, aggregation and analysis system; and (3) Secure re-identification of individuals is still possible in source systems. Large-scale de-identified data repositories which hold no identifiable person-identifiers BUT are able to perform automated data linkage and acquisition can be developed and maintained in a viable manner. Implications: The GRHANITE [TM] research and development program will provide the knowledge to underpin the next generation of encrypted data repositories and their implementation in service organisations, delivering innovations in personal identification, information protection and integrity of national security systems.

PIAnalyzer: A Precise Approach for PendingIntent Vulnerability Analysis

Abstract: PendingIntents are a powerful and universal feature of Android for inter-component communication. A PendingIntent holds a base intent to be executed by another application with the creator’s permissions and identity without the creator necessarily residing in memory. While PendingIntents are useful for many scenarios, e.g., for setting an alarm or getting notified at some point in the future, insecure usage of PendingIntents causes severe security threats in the form of denial-of-service, identity theft, and privilege escalation attacks. An attacker may gain up to SYSTEM privileges to perform the most sensitive operations, e.g., deleting user’s data on the device. However, so far no tool can detect these PendingIntent vulnerabilities.