Identity Theft

Submitted By: Taylor, Smriti, Jason, Caitlyn, Sulo, Usman (Team Sonata)
Submitted To: Professor Maheshwari
Date: March 27th, 2011

Table Of Contents
Introduction
Passwords
Security Certification
TLS/SSL
SAS 70 & ISO/IEC 17799
The Gramm-Leach-Bliley Act
Conclusion
References
Appendix A
Appendix B
Appendix C

Executive Summary

Businesses and individuals have been battling the recent emergence of a criminal activity known as identity theft. Identity theft is the unauthorized collection and use of personal information for fraudulent purposes (Privacy Gov't of Canada). Identity theft occurs without the knowledge of the victims. Due to the accumulation of information on computer-based information systems, the rate of identity theft has accelerated. It is a business's responsibility to protect its employees, consumers and other stakeholders from criminal activities such as identity theft. A business can follow some basic but stringent procedures in order to deter identity theft. The five strategies we have taken into consideration are: passwords, security of certification, TLS/SSL, SAS 70 & ISO/IEC 17799, and the Gramm-Leach-Bliley Act. They all have a different approach, but they are all effective if used properly to help companies deter identity theft. Passwords are used to protect a user, using knowledge the user knows, which is either created by them or by the system. Security of certification covers the various methods used by businesses to protect their online databases as well as personal information. TLS/SSL deals with encrypting the information processed online and can be very effective. SAS 70 & ISO/IEC 17799 are auditing standards that are adopted by a company in order to protect and maintain information. The Gramm-Leach-Bliley Act is a federal law enacted by the government that deals with the protection of the personal information of individuals; it is an act that should be followed by all businesses. When protecting employees, customers and other stakeholders, a business should practice due diligence, in which they try to the best of their ability to protect whoever is at risk.

Introduction

Identity theft is the unauthorized collection and use of personal information for fraudulent purposes (Service Canada, n.d.). Identity theft can be committed against an individual or through a company in order to victimize its clients. You are unaware that you have become a target until you are made a victim of identity theft. After that, the damage is already done. With your personal information, you could be left with bills, charges and taxes made by the criminal with your identity. The victims of identity theft are sometimes expected to pay back the amount charged fraudulently to their accounts in full (Tomlinson, 2009). Identity theft frustrates the justice system, "which is sometimes too late for legal boundaries" (Tomlinson, 2009). Technology is an integral part of everyday life. Between e-mailing, paying bills and e-commerce, a lot of personal information is online. There are many laws in place to protect your customers' confidential information. These laws consist of the "shredding" law, notification of unauthorized access to computerized personal information, and the Federal Red Flag Law (Reuscher, n.d.). These laws are enforced to dispose of documents in a proper manner and to provide regular credit reports. "The absolute foundations of a firm's customer relations are confidence and trust" (Marshall, n.d.). Once a customer's personal information has been compromised, the company has lost the trust of the customer. The damage of identity thieves stealing information is likely to be tremendously damaging to the organization's reputation. However, companies should not just obey the laws to protect their customers; they should provide a sufficient duty of care to further ensure the protection of personal information.

Over the years the use of the internet and information systems on a global scale has skyrocketed (Wikipedia, n.d.). A result of this has been an accumulation of information on the web, and that information is now more vulnerable than it has ever been. Because there is little that can be done after identity theft occurs, deterrence is important. Deterrence can be defined as the inhibition of criminal activity (dictionary.com, n.d.). The focus of the report will be: how can organizations store all their customer information in a way that deters identity theft? There are several different ways in which a company can secure its clients' confidential information: passwords, security certificates, SSL and TLS, SAS 70, accounting standards and privacy standards, and the Gramm-Leach-Bliley Act (Reuscher, n.d.). This report will go into detail about these protection techniques, which include encryption.

Passwords

A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (for example, an access code is a type of password). The password should be kept secret from those not allowed access. Zviran and Haga stated that "the use of passwords has always been one of the most common control mechanisms for authenticating users of computerized information systems" (1999, p. 162). The easiest way for a person to authenticate and protect themselves is to use something they know; something they know is something they create (user selected) or something given to them (system assigned) (Zviran and Haga, 1999, p. 164). Due to these recent changes in technology, the need for users to protect themselves has increased too.

Johnson and Post stated that "Cyberspace challenges the law's traditional reliance on territorial borders; it is a 'space' bounded by screens and passwords rather than physical markers" (1996, p. 1376). The use of passwords as the only protection of privacy has its problems. Durbin and Salinger stated that "personal information has legitimate and illegitimate uses" (Anderson, Durbin and Salinger, 2008, p. 190): legitimate users have the passwords, illegitimate users don't. The problem arises when the illegitimate user obtains a legitimate user's password through hacking or other forms of criminal activity (Anderson, Durbin and Salinger, 2008, p. 190). To begin with, people tend to use easy-to-remember passwords, and easy to remember means easy to hack into. The worst possible mistake people make is writing down the password they created. The most important thing users must know and understand is that a password alone will not protect them against people's malicious intent. Along with having a strong password, which consists of letters (capital and small), numbers and symbols, a second form of authentication is recommended (see Appendix A for strong and weak passwords). Preventing identity theft through passwords is known as "knowledge authentication"; however, this alone is not enough. The second form of authentication can be "token-based", something owned by a person, or the leading form, biometrics, which involves authenticating a person based on a physical characteristic (Anderson, Durbin and Salinger, 2008, p. 190).

Security Certification

Out of all the security issues businesses face, identity theft is one of the scariest, since it has the power to damage relationships between key customers and employees. Should this information get into the wrong hands, information will be jeopardized.

Companies nowadays are under heavy fire, being vulnerable to identity theft. Security certification is a very important matter in today's world, especially with all the hackers and criminals lurking around on the web looking for easy prey and vulnerable institutions with large revenues. As Allan Bachman, education manager of the Association of Certified Fraud Examiners, says, "Fraud is becoming a high tech business. It's also borderless and international. You can commit a fraud against an organization that's not even in your mother country." There are various security certifications that businesses use to protect themselves, both regarding online databases and other personal information. For instance, the International Information Systems Security Certification Consortium (ISC) and GIAC (Global Information Assurance Certification) are just two of them. Even the Federal Department of Defense in the United States uses a variety of different coding and decoding methods that have never even been heard of before. Every business in Canada has its own specific business number. If a business is incorporated, the business is registered under the Privacy Commission of Canada, which in turn gives each company a security certification number. This security certification number allows the Privacy Commission to track down each business to make sure that all patents are trademarked and protected. The security certification is a mechanism that Canadian government agencies use to protect businesses and, in turn, their customers, their employees and the business itself; it reduces the chances of fraudulent activity within and outside of businesses.

TLS/SSL

A security protocol is a code of ethics that uses a cryptographic approach to carry out security affairs for an organization. Two of these protocols that are frequently used to protect and encrypt important data are SSL (Secure Sockets Layer) and TLS (Transport Layer Security). SSL is most commonly used by websites to protect any online encounters and transactions that may happen with their many customers. Organizations use these systems because they authenticate all users on the system and make sure that the only person that receives the message is the one that it was aimed at. In turn, this protects against unwanted infringement of possibly highly sensitive information. Customer privacy is essential to a business's survival, and thus most organizations take all of the necessary procedures in order to protect it. The TLS protocol has a step-by-step procedure to ensure that the data has not been tapped into or altered in any way. This procedure is called the "handshaking" procedure. This process is fairly in-depth: both the user and the server consent upon the ways in which the connection will be made and what the security features will be like. If one of the steps does not work, the end connection that the user is trying to establish will not be produced. If it does work, the user will now have a secured connection over which he/she will send the sensitive information by encrypting it at the user's end and decrypting it at the receiver's end. Not all internet browsers support this kind of encryption software, so choosing the browser in which the connection is to be implemented is very important. For example, Mozilla Firefox does not support recent versions of TLS as of December 2010.

SAS 70 & ISO/IEC 17799

Information security is a major concern of both business and the public at large. Part of protecting your information is controlling who you provide it to. So how do you choose a company that will best protect your information? ISO/IEC 17799 and SAS 70 are auditing standards designed to help you make this decision. SAS 70 is widely recognized for evaluating the control objectives and activities, which include controls over information technology and related activities, for service companies ("SAS 70 Overview," 2011). SAS 70 as a standard faces three fundamental problems that security professionals believe make it neither worth its cost nor a meaningful security metric (Gossels, 2001, p. 1): SAS 70 audits can only be performed by CPA firms, not technology experts; the process is designed to drive billable hours; and it has no objective standard for evaluating whether a company receives a "pass" (Gossels, 2001, p. 1). ISO 17799 is a more comprehensive and structured evaluation that does not suffer from all the drawbacks of SAS 70. ISO/IEC 17799 attempts to address security compliance at the managerial, organizational, legal, operational and technical levels through the use of ten security domains (Saint-Germain, 2005, p. 61). Saint-Germain (2005) describes that ISO 17799 includes 36 control objectives, consisting of general statements of security goals for each of the 10 domains. The standard also includes 127 controls that identify specific means for meeting the control objectives. Organizations implement these controls to mitigate the risks they have identified (p. 61). This structure gives ISO/IEC 17799 the ability to provide a better audit of a customer's security systems and procedures. Businesses and the public can feel safe giving their information to companies that have an ISO/IEC 17799 certification.

The Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLB Act) of 1999 is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals (see Appendix B for a summary). The Act consists of three sections: the Financial Privacy Rule, which regulates the collection and disclosure of private financial information; the Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information; and the Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretenses). The Act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices (Searchcio, 2011). Organizations can take various steps to safeguard customer information and reduce the risk of loss from identity theft, and with this Act it is necessary for them to do so (Spillenkothen, 2011).

In compliance with the GLB Act, one way companies can secure private information is to use verification procedures for new customers, ensuring the accuracy and veracity of application information. When helping new customers, organizations should check to ensure that information provided on an application has not previously been associated with fraudulent activity. Also, to prevent fraudulent address changes, organizations should verify customer information before executing an address change and send a confirmation of the address change to both the new address and the address of record. Moreover, other measures that may reduce the incidence of pretext calling include limiting the circumstances under which customer information may be disclosed by telephone (Spillenkothen, 2011). Lastly, authentication and authorization include methods based on something the user is, something the user does, something the user has, and something the user knows (Rainer & Turban, p. 86).

Conclusion

Deterrence of identity theft is important for organizations to retain the trust of their clients and keep a positive reputation. Organizations can store their customer information in ways that deter identity theft by adhering to specific restraints and standards. These include the Gramm-Leach-Bliley Act, SSL and TLS, SAS 70, security certificates, and passwords (see Appendix C for the article). Organizations can protect confidential information and restrict access by using verification procedures for new customers, via the Gramm-Leach-Bliley Act, and by encrypting important data to authenticate the recipient of information, via TLS/SSL.

Other modes of protection are the auditing standards SAS 70 and ISO/IEC 17799, as well as security certification numbers with various coding and decoding methods. The most commonly known, however, is the password. These five examples are ways for businesses to protect themselves and their clients. When used effectively and efficiently, identity theft can be deterred.

References

Administrator. (n.d.). What is SSL? SSL.com Knowledge Base. Retrieved March 17, 2011, from http://info.ssl.com/article.aspx?id=10241
Anderson, K. B., Durbin, E. and Salinger, M. A. (Spring 2008). Identity Theft. The Journal of Economic Perspectives, 22 (2), 171-192.
Cryptographic protocol - Wikipedia, the free encyclopedia. (n.d.). Retrieved March 16, 2011, from http://en.wikipedia.org/wiki/Cryptographic_protocol
Deterrence - 6 dictionary results. (n.d.). Dictionary.com. Retrieved March 16, 2011, from http://dictionary.reference.com/browse/deterrence
Gossels, J. (2001). SAS 70: The Emperor Has No Clothes. System Experts. Retrieved March 12, 2011, from www.systemexperts.com/assets/tutors/sas70.pdf
Hughes, T. F. (May 2008). A Report on Safe Use of the Internet: Some of the Most Common Risks. Hispania, 91 (2), 408-411. American Association of Teachers of Spanish and Portuguese.
Johnson, D. R. and Post, D. G. (May 1996). Law and Borders: The Rise of Law in Cyberspace. Stanford Law Review, 48 (5), 1367-1402.
Lind, M. (July 22, 2010). Legal Requirements to Protect a Client's Personal Information. Arizona School. Retrieved March 17, 2011, from http://www.asreb.com/skins/asreb/standard.aspx?elid=66&aid=48
Marshall, K. (n.d.). Secure Your Clients' Confidential Data With Your Accounting Website Design. Ezine Articles. Retrieved March 15, 2011, from ezinearticles.com/?Secure-Your-Clients-Confidential-Data-With-Your-Accounting-Website-Design&id=5900181
Onyszko, T. (February 8, 2004). Secure Socket Layer. Network Security Articles for Windows Server 2003, 2008 & Vista. Retrieved March 15, 2011, from http://www.windowsecurity.com/articles/Secure_Socket_Layer.html
Password. (n.d.). In Wikipedia, the free encyclopedia. Retrieved March 12, 2011, from http://en.wikipedia.org/wiki/Passwords
Reuscher, R. (April 26, 2010). How to Prevent Identity Theft in Your Business. Inc.com: Small Business and Small Business Information for the Entrepreneur. Retrieved March 18, 2011, from http://www.inc.com/guides/2010/04/preventing-identity-theft-in-your-business.html
Saint-Germain, R. (July/August 2005). Information Security Management Best Practice Based on ISO/IEC 17799. The Information Management Journal. Retrieved March 12, 2011, from http://www.arma.org/bookstore/files/Saint_Germain.pdf
SAS70.com. (2011). SAS 70 Overview. Retrieved March 20, 2011, from http://sas70.com/sas70_overview.html
Service Canada. (n.d.). Fact Sheet: Identity Theft: What it is and what you can do about it. Office of the Privacy Commissioner of Canada / Commissariat à la protection de la vie privée du Canada. Retrieved March 17, 2011, from http://www.priv.gc.ca/fsfi/02_05_d_10_e.cfm
Spillenkothen, R. (March 30, 2001). FRB: Supervisory Letter SR 01-11 (SUP) on identity theft and pretext calling. Board of Governors of the Federal Reserve System. Retrieved March 20, 2011, from http://www.federalreserve.gov/boarddocs/srletters/2001/sr0111.htm
Staff, D. (n.d.). Security Certification Essentials. Technical Certification - Tech Certification, About.com. Retrieved March 18, 2011, from http://certification.about.com/od/securitycerts/a/seccertessentls.htm
Tomlinson, K. (September 28, 2009). Identity theft victims say they can't get justice. CBC News. Retrieved March 18, 2011, from http://www.cbc.ca/news/canada/british-columbia/story/2009/09/28/bc-identitytheft.html
Transport Layer Security - Wikipedia, the free encyclopedia. (June 7, 2005). Retrieved March 20, 2011, from http://en.wikipedia.org/wiki/Transport_Layer_Security
What is Gramm-Leach-Bliley Act (GLBA)? - Definition from Whatis.com. (n.d.). SearchCIO.com: CIO information, news and tips. Retrieved March 17, 2011, from http://searchcio.techtarget.com/definition/Gramm-Leach-Bliley-Act
WikiLeaks. (n.d.). Defense Security Service (DSS) Internet Homepage - Flash Version. Retrieved March 20, 2011, from www.dss.mil/
Zviran, M. and Haga, W. J. (Spring 1999). Password Security: An Empirical Study. Journal of Management Information Systems, 15 (4), 161-185.

Appendix A

WEAK PASSWORD          MEDIUM PASSWORD          STRONG PASSWORD
kitty                  1Kitty                   1Ki77y
susan                  Susan53                  .Susan53.
jellyfish              jelly22fish              J3lly22Fish
smellycat              sm3llycat                $m3llycat.
allblacks              AllBlacks!               A11B1ack$!
jackbauer              jAckBauer                jA(kBauer
doctorhouse            Doct0rH0use              .Doct0rH0use.
adamsandler            adamSandler              #adamS@ndler
ilovemypiano           ILoveMyPiano             ILov3MyPi@no
ihateliverandonions    1Hateliver@ndonions      1Hat3liver@Onions!
mypuppylikescheese     MyPuppyLikesCh33s3       .MyPuppyLikesCh33s3
julieloveskevin        JulieLovesKevin          Jul1eLovesK3v1n
ieatcarrots            IeatCarrots              I34tcarr0ts:

Appendix B

With the proliferation of internet based banking practices, it is expected that the fraudsters will also look into the prospect of gaining monetary value by causing a loss to others. Such frauds have already taken place and in certain instances, lack of a proper legal framework exposed the inability to handle such frauds through the existing legal system. In the American legal system, several acts have taken precedence in bringing the culprits to justice, and the Gramm–Leach–Bliley Act (GLBA), 15 USC 6801 and 6805(b), is considered one of the main legislative enactments in relation to online banking practices. The Gramm–Leach–Bliley Act (GLBA), 15 USC 6801 and 6805(b), is another stalwart in the process of ensuring a legal framework to reduce the vulnerability of internet banking, and its main focus was to allow US institutions such as commercial banks, investment banks, insurance companies as well as securities firms to consolidate and thus act as a conglomerate involved in multiple financial activities. While allowing such institutions to merge, this Act established certain necessities or laws that need to be abided by such institutes when engaging in business transactions. Some of these requirements facilitated taking precautions and enhanced action with regard to certain vulnerabilities faced by internet banking, such as the ‘security threat of personal information’. As described earlier, the threat of fraudulent use of personal information is a major issue in internet related banking fraud. Therefore, the GLBA imposes a mandatory requirement for such institutions to devise a policy to govern the collection, disclosure, and protection of consumers’ nonpublic personal information. As such, the following areas were defined as key addressable areas in devising such policies.

Financial privacy rule: The act ensures the consumer’s right to know the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected, etc. Thus, the institutions are bound to issue a privacy statement annually to disclose these details to the consumer.

Safeguards rule: In this statement, the institution needs to elaborate and devise a plan to protect the non public information of a consumer, and it should include the following.
• Denoting at least one employee to manage the safeguards.
• Constructing a thorough [risk management] on each department handling the nonpublic information.
• Develop, monitor, and test a program to secure the information, and
• Change the safeguards as needed with the changes in how information is collected, stored, and used.

Pretexting protection: As described earlier, gaining unauthorized access to non public information by impersonating and acting as an account holder is considered to be ‘pretexting’. Such persons who do so will make use of mail, emails, phone calls and even techniques described earlier as ‘phishing’ in order to obtain this information. Thus, pretexting protection ensures that the institutions develop and implement a plan to prevent such events from taking place, and training of their staff to recognize such pretexting and to negate or prevent such activities from taking place is one aspect looked at by the legislators.

(Source: Financial Privacy: The Gramm-Leach Bliley Act, Federal Trade Commission, 1999)

Appendix C

The absolute foundations of a firm's customer relations are confidence and trust. This makes information security and confidentiality one of the most significant duties you agree to when you choose to be a CPA. With office productivity becoming more and more dependent on online communications, and with the net becoming progressively more complex and vulnerable to internet crime, this can easily become a problem if your clients perceive you as uncertain about how online security works. Let me put this plainly. Many of your clients are not especially internet savvy, and the data they routinely send you is very sensitive. To protect them you're going to want a perfunctory familiarity with your website and its security features. Your CPA website is a main constituent of your online security strategy. Design your accounting website to compensate for these risks.

Of course, ground security is important. It's fairly easy to secure your physical location. Let's just assume you have that covered: you keep your doors locked at night, your computers require password protected logins, and your office is protected by a good alarm system. But once you start transferring data, holes in your security become trickier to fill. Passwords and encryption can slow a hacker down, but it won't necessarily stop one. Given time there's no password that can't be broken, and every time computers become faster and more powerful, encryption becomes easier and faster to hack.

The weakest of weak links in any accounting firm is email. Email is a wonderful medium for routine communications, but its ease of use has lured many accounting firms up the garden path. There is a common misconception that when you send an email it goes straight to the recipient, but nothing could be further from the truth. When you send an email you send it "out there". Messages are routed through a vast network of mail servers. By the time it reaches its destination it's likely passed through a dozen or so third party servers. Much of the process occurs on servers over which you have no control, and for which there is little or no accountability. If even one of these servers has been compromised by a hacker's virus or trojan, so has your email. Identity thieves harvest huge amounts of information in this way. Don't allow your clients and staff to email confidential information. When you design your website include a Secure File Transfer feature. This feature allows your ISP server to connect directly to your web server and transfer the data. This means your network access is restricted to your own dedicated IP (your IT guy can tell you what that means). There are no third party servers relaying the information. Every client should have his or her own password protected directory on the server, rather like an online safe-deposit box, so that only you and they can access it. There are ways to make it harder to open the file. Encrypting the transfer adds another layer of protection that will protect your data from an "insider attack". The best of these systems will even let you store the data on the web server in an encrypted format, making the system suitable for long-term document storage.

Passwords
Passwords need to be protected from "brute-force" attacks by forcing a time-out if a login attempt fails more than a few times in a row. This will prevent automated programs from hacking the password by simply trying all the available permutations. The absolute minimum safe password length is eight characters, and passwords should be alphanumeric (containing a mix of letters and numbers). The longer your password is the more secure it is. Human beings are the most common cause of compromised passwords. You'd be shocked how many hackers get people's passwords by simply asking for them. Hackers call this "social engineering". Never tell anyone your password, and avoid leaving them written down anywhere that your staff and clients can find them.

SSL and TLS
These are encryption protocols. SSL, or "Secure Socket Layer", is an older protocol that is still seeing widespread use. The second commonly found encryption protocol is much newer. The adoption of "Transport Layer Security" has been slow because many offices use older equipment or unsupported applications that are incompatible with it. Both work pretty much the same way, though. TLS has made some technical improvements, but the details are too technical to explain here. There is a third type called PCT, or "Private Communications Transport", that is relatively unused.

Security Certificates
Security certificates are central to online encryption. They store the keys used to decrypt online data. Make sure you get your security certificate from a trusted source and you keep it up to date, or your users will receive warnings from their browsers when they try to use it.

There are a few security standards you should know about.

SAS 70
This is an accounting industry standard managed by the AICPA. It's a simple auditing statement. A SAS 70 certification indicates that the security has been accepted by the auditor. Publicly traded accounting firms must be SAS 70 certified by law. It's not just industry self-policing.

Gramm-Leach-Bliley Act
Also called the "Financial Services Modernization Act", this legislation includes rules that govern the privacy standards of all financial institutions, which by definition includes any firm that prepares taxes. This rule has very particular requirements that have to be adhered to by all accounting firms. All accounting firms and other financial institutions have to produce a written information security scheme, appoint an individual to manage security, scrutinize the security standards of every division working with customer info, including in regards to information security, establish a continuing program to monitor information protection, and keep these procedures current with changing technology.

Article Source: http://EzineArticles.com/5900181
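The brute-force time-out and the eight-character alphanumeric minimum from the article's Passwords section, as an added example that is not part of the article: a small in-memory account store (constructed for illustration) that refuses logins for a period after a few consecutive failures. The lockout length is an assumed value, and the current time is passed in so the behaviour can be checked without waiting.

```python
# Added example (not from the article): lock an account out for a period after
# a few consecutive failed logins, and enforce the eight-character alphanumeric minimum.
import hashlib
import hmac
import os
from typing import Dict

MAX_CONSECUTIVE_FAILURES = 3   # "more than a few times in a row"
LOCKOUT_SECONDS = 15 * 60      # length of the forced time-out (assumed value)
MIN_PASSWORD_LENGTH = 8
PBKDF2_ROUNDS = 100_000


def password_meets_policy(password: str) -> bool:
    """At least eight characters containing both letters and digits."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a stolen store does not yield plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountStore:
    """In-memory store: per user a salted password hash and the lockout state."""

    def __init__(self) -> None:
        self._accounts: Dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet the minimum policy")
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "digest": _digest(password, salt),
            "failures": 0,        # consecutive failures since the last success
            "locked_until": 0.0,  # unix time at which the time-out expires
        }

    def attempt_login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'; `now` is the current unix time."""
        account = self._accounts.get(username)
        if account is None:
            # Same answer as a wrong password, so the response does not reveal valid usernames.
            return "denied"
        if now < account["locked_until"]:
            # During the time-out the password is not even checked, which is what
            # stops an automated guesser from walking through the permutations.
            return "locked"
        if hmac.compare_digest(_digest(password, account["salt"]), account["digest"]):
            account["failures"] = 0
            return "ok"
        account["failures"] += 1
        if account["failures"] >= MAX_CONSECUTIVE_FAILURES:
            account["locked_until"] = now + LOCKOUT_SECONDS
            account["failures"] = 0
        return "denied"

    def seconds_until_unlocked(self, username: str, now: float) -> float:
        """Remaining time-out for a user; 0.0 when the account is not locked."""
        account = self._accounts.get(username)
        if account is None:
            return 0.0
        return max(0.0, account["locked_until"] - now)


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "c0rrectHorse")          # constructed sample credential
    for guess in ("guess1", "guess2", "guess3"):       # three consecutive failures
        print(guess, "->", store.attempt_login("alice", guess, now=0))
    print("right password during time-out ->", store.attempt_login("alice", "c0rrectHorse", now=1))
    print("seconds until unlocked:", store.seconds_until_unlocked("alice", now=1))
```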