- Email: [email protected]
Identity fraud: the stealth threat to UK plc
id fraud
Identity fraud: The stealth threat to UK plc
enabler for subsequent fraudulent crime, which can encompass anything from credit card fraud and money laundering, to drug trafficking, illegal immigration or terrorism.
David Porter, Head of Security & Risk, Detica
Identity (ID) fraud is one of the fastest growing criminal trends in the UK and costs the British economy around £1.3 billion per year according to the Home Office. It is not just financial loss that victims suffer: it can take up to 300 hours of effort to regain their credibility with banks and credit reference agencies. According to fraud prevention service, CIFAS, the number of cases of identity fraud in the UK has increased dramatically since 1999, when 20 000 cases were reported. By 2001, this figure rose to 53 000 and in 2003 that number had almost doubled again. Like other forms of fraud, however, it is generally not perceived to be a high priority when tackling crime in general. In London, for instance, the police agenda priority is robbery -- such as car crime and mobile phone theft — and fraud hardly features at all. This is driven from the Home Secretary downwards and the remit of police on the beat is not the detection of ID fraud. However, the proposed introduction of ID cards - to tackle threats such as illegal immigration, global terrorism and benefit fraud — and the increased use of behavioural profiling have shown that awareness is now growing in this area.
The threat from within The latest report from the UK Department of Trade and Industry (DTI), Information Security Breaches Survey 2004, shows that UK companies are still very vulnerable to security breaches. What it does not perhaps highlight enough, however, is the large and often hidden threat from company employees which remains a large gap in most organizational security. The DTI survey, carried out in association with PricewaterhouseCoopers, shows that 80% of attacks are now being generated from external sources. Even if this figure is right, a significant proportion of 4
external attacks will be facilitated by an insider who gives away valuable information or material unwittingly (fraudsters are very good at duping people), or knowingly colludes with the criminals in return for money or other favours.
Over-reliance on biometrics? Of key importance to combating both external and internal fraud is better management of identity. The UK Government's national ID card scheme, when it begins to come into force in 2007, will be an additional tool to help companies establish identity more easily. Over-reliance on ID biometric cards would, however, be a major error. Like any security device, they will be just one part of the solution and organizations will still need other essential components such as good people, processes and detection systems in order to deploy robust preventative ID checks.
ID theft - the enabler for ID fraud ID theft has been around for hundreds of years. Simply put, it is impersonation taking over a name without consent, then using it to defraud. Today, of course, it covers more sophisticated methods which employ advanced technologies or encompass corporate ID theft, in addition to personal identities. It's also important to make a clear distinction between ID 'theft' and ID 'fraud'. Theft of an identity is simply the
Establishing and verifying identity The 'identity' of an individual can be established in a number of ways, such as: • Biometrics (the measurement of a physical attribute such as a fingerprint or iris scan to confirm identity). • Attributes (birth certificate, name given by parents). • Biography - details logged on Friends Reunited, for example. In the world of computers, a user can prove their log-on identity through something they know, have or are. Typically, organizational security processes will use a name, personnel or account number to establish the identity of an individual. A biometric is then engaged to verify this identity, compared against a master version held on a central database. For user convenience, all of this data may be held on a secure token, such as a smartcard. In practice, most solutions combine the biometric data with other 'factors' of authentication - something you have (such as a card), or something you know (such as a password). This overcomes one of the main problems with biometrics - reliability. A biometric is a relatively weak form of identification because the human body is infinitely variable. Security strategists can compensate for this, but how much variance is acceptable? Too much tolerance and a system may accept someone else's biometric. Too little tolerance and suddenly there is a wholesale rejection of genuine user biometrics. Finding the right balance is crucial to the success of any solution. Although there is a certain appeal in never having to remember another password, unreliable and unusable systems will lead to user frustration and ultimately, rejection.
id fraud
Identifying weak links in the system 'Keep it simple' is a good rule to engage. A simple solution offers less scope for fraud than a security system with complex business rules. Alongside this, it is also critical to educate users about the basic facts — security is a chain that is only as strong as its weakest link. The majority of security incidents are a consequence of human failings, in particular inadequately trained staff and competing business pressures resulting in 'tactical' shortcuts. In the long-term, these often prove to be the most costly.
Common backdoors used by fraudsters Fraudsters will generally take the path of least resistance in order to penetrate organizations and it is surprising what types of seemingly innocuous information people will give up if asked in the right way. Merchant IDs, cost centre numbers, graphical user interface (GUI) layouts, even passwords — all of which can give a criminal the gateway they need into a system. Notably, a survey on passwords carried out for the Infosecurity Europe trade show at Olympia in April, found that more than 70% of people would reveal their computer password in exchange for a bar of chocolate. The survey data was gathered by questioning commuters passing through Liverpool Street station in London and showed that many were happy to share login and password information with those carrying out the research. It may seem surprising in an apparently suspicious world, but the fact remains that the majority of people trust and don't challenge. This may be encouraging for society at large, but for an organization set on improving security, it means a change in cultural behaviour is required.
• Identifying potential threats and vulnerabilities. • Assessing the likelihood of a threat or vulnerability being realised. • Quantifying the impact on the business (financial, operational and legal). • Undertaking mitigating actions to reduce risk to an acceptable level by removing vulnerabilities, understanding and countering threats. • Putting contingency measures in place.
Detection - not just prevention No matter how much an organization invests, 100% preventative security is never going to be possible as criminals will invariably find their way around preventative security measures. Therefore, at some point, there has to be a considered trade-off between risk and cost benefits. In addition to preventative measures, detection systems and processes are required to identify proactively any security breaches as soon as possible after they occur. Detection focuses on the controls designed to alert the appropriate personnel to the fact that a fraud has been perpetrated. These include authorization, internal auditing and whistleblower hotlines. On the technical side, there are automated detection systems that take in large volumes of transaction data and, on the basis of an underlying model of potentially suspicious behaviour, look for tell-tale patterns in the data and so identify cases worthy of further investigation. They were pioneered in the mid 1980s to tackle rising credit card fraud losses and since then have been used in other fraud domains, and, most recently, anti-money laundering. But what about insider fraud - can a machine spot this?
Structured risk management
An automated Sherlock Holmes
Security, then, should ideally be governed by a structured and diverse risk management approach, namely:
The idea is compelling: why not get a machine to analyse the audit trails generated by the many different electronic sys-
tems that employees encounter and find the golden nuggets that indicate potential insider fraud activity? Log data is an abundant, freely available resource that is not generally utilised or exploited. Organizations are effectively sitting on a gold mine of data and ignoring it. 'Intelligent' analysis engines based on advanced data warehousing and analytics are now a commercial reality. Such technologies take in audit trails from key systems around the organization such as logs for application transactions, call centres, private automatic branch exchange (PABX) telephones, building entries, Web and print servers. These can be supplemented with personnel records from HR and financial systems. The wider the variety of data sources, the better. The incoming data is enriched with additional abstractions and inferences, and put into a consistent format. It is then stored in a data warehouse in a format that crucially retains the patterns of behaviour, and how these develop and change over a long period of time. This is subject to advanced analytical techniques to detect anomalous patterns worthy of further investigation. Such patterns might include: · Excessive hours worked by staff. · Lack of delegation of apparently mundane tasks. · Deviation in patterns of behaviour from other employees in similar roles. · Copying of large volumes of data assets · Attempts to subvert or override controls · Unusual transactions with related parties. · Inadequate documentation about a transaction.
Fraud analytics in action Analytical techniques available for detecting internal fraud include conventional statistics together with heuristic (or rulebased) reasoning and neural networks. A variety of software tool vendors support and promote each of these approaches. A key issue is the ease with which models of potentially suspicious behaviour can 5
insider attacks be specified. Often they can be specified quite adequately using conventional knowledge analysis techniques - in other words, determine what the latest scams are and build a rule-based or statistical model to reflect them. Key factors include the different kinds of high risk activities, their interrelationships and the volume, value and velocity (time) dimensions within the data. Complementary techniques such as supervised neural networks enable models to be automatically derived on the basis of past case studies. In other words, find a good set of known fraud case studies and get the computer to retro-engineer the underlying models from them. Unsupervised neural networks can be left to find interesting patterns by themselves. Each approach has its advantages and disadvantages and suitability will depend on a number of business and technical factors. The best design is most often one that uses a hybrid approach, i.e. the best tool for the task in hand.
Needles and haystacks Detecting insider fraud is rather like look-
ing for a hay-coloured needle in a haystack. This is because the perpetrators of systematic, long-term fraud need to preserve the secrecy of their activities. They know the controls and how to bypass them, and are often well-versed in the investigative process and know how to hide any incriminating evidence. A key benefit of the system described here is its efficient handling of the time dimension. This improves upon early attempts in this area that use simple rules for spotting single events and are poor at detecting subtle, longer-term patterns. Audit trail data can be viewed from any point in time and changes in data are more easily visible. By better defining the needles using the time dimension we can then go one step further and better define the hay. End result: cut away the hay and see a needlerich picture. The second benefit is that this kind of system gathers data in from all sources rather than adopting a 'silo-based' approach. It can, therefore, cross-reference and link across organizational, procedural and transactional boundaries, identifying cross-silo fraud and collusion between
Enemies within: the problem of insider attacks Steven Furnell, Network Research Group, School of Computing, Communications & Electronics, University of Plymouth, Plymouth,UK
This article considers the problem of insider attacks, beginning with some surveybased evidence to illustrate the existence of the problem, before proceeding to classify types of internal attacker. By far the most difficult problem to address is that of misuse of legitimate access, and the discussion proceeds to consider approaches to prevention and detection, concluding that a combination of technical and personnel measures represents the most feasible solution. A significant aspect of computer security will always involve protecting systems from attack. When confronting this reality, it is perhaps only natural that our
6
first thoughts will typically turn to protection against external attackers. There is, after all, a wealth of evidence to suggest that hostile forces are in operation
employees and external accomplices.
Bigger picture, lower risk Ultimately, it's dangerous to try to put different kinds of criminal behaviour and threats in neat little boxes, without thinking about the interplay between them. To return to the recent DTI survey, we see a slower growth in ID fraud indicated, compared with viruses, for instance. This kind of analysis gives the impression they are separate from each other but, in reality, they are not. Fraudsters and other criminals will make use of all kinds of tricks and techniques in their armoury, including viruses and fake IDs. Also, bear in mind that if ID fraud does not appear to be growing as quickly, then that's probably down to the old adage 'What we don't know, we don't know'. Only the bad fraudsters get caught - the really good ones carry on, mostly undetected. As a parting thought, consider that perhaps most organizations don't believe they have identity management problems … because they're completely unaware of them in the first place.
on the Internet, and organizations are now fairly attuned to the fact that they face threats from this source (particularly in relation to worm and virus problems). Indeed, the significance of the external threat is reinforced by many of the products and much of the literature in the security domain, and when computer crime has hit the headlines, it has typically done so as a result of hacker and malware incidents. However, it is important not to lose sight of the potential for problems much closer to home. Alongside the reports of external attacks, there is ample evidence to show that insiders are very often the cause of the most significant and costly security incidents, and a large proportion of what is commonly classed as cybercrime can consequently be attributed to them.
Identity fraud: The stealth threat to UK plc
enabler for subsequent fraudulent crime, which can encompass anything from credit card fraud and money laundering, to drug trafficking, illegal immigration or terrorism.
David Porter, Head of Security & Risk, Detica
Identity (ID) fraud is one of the fastest growing criminal trends in the UK and costs the British economy around £1.3 billion per year according to the Home Office. It is not just financial loss that victims suffer: it can take up to 300 hours of effort to regain their credibility with banks and credit reference agencies. According to fraud prevention service, CIFAS, the number of cases of identity fraud in the UK has increased dramatically since 1999, when 20 000 cases were reported. By 2001, this figure rose to 53 000 and in 2003 that number had almost doubled again. Like other forms of fraud, however, it is generally not perceived to be a high priority when tackling crime in general. In London, for instance, the police agenda priority is robbery -- such as car crime and mobile phone theft — and fraud hardly features at all. This is driven from the Home Secretary downwards and the remit of police on the beat is not the detection of ID fraud. However, the proposed introduction of ID cards - to tackle threats such as illegal immigration, global terrorism and benefit fraud — and the increased use of behavioural profiling have shown that awareness is now growing in this area.
The threat from within The latest report from the UK Department of Trade and Industry (DTI), Information Security Breaches Survey 2004, shows that UK companies are still very vulnerable to security breaches. What it does not perhaps highlight enough, however, is the large and often hidden threat from company employees which remains a large gap in most organizational security. The DTI survey, carried out in association with PricewaterhouseCoopers, shows that 80% of attacks are now being generated from external sources. Even if this figure is right, a significant proportion of 4
external attacks will be facilitated by an insider who gives away valuable information or material unwittingly (fraudsters are very good at duping people), or knowingly colludes with the criminals in return for money or other favours.
Over-reliance on biometrics? Of key importance to combating both external and internal fraud is better management of identity. The UK Government's national ID card scheme, when it begins to come into force in 2007, will be an additional tool to help companies establish identity more easily. Over-reliance on ID biometric cards would, however, be a major error. Like any security device, they will be just one part of the solution and organizations will still need other essential components such as good people, processes and detection systems in order to deploy robust preventative ID checks.
ID theft - the enabler for ID fraud ID theft has been around for hundreds of years. Simply put, it is impersonation taking over a name without consent, then using it to defraud. Today, of course, it covers more sophisticated methods which employ advanced technologies or encompass corporate ID theft, in addition to personal identities. It's also important to make a clear distinction between ID 'theft' and ID 'fraud'. Theft of an identity is simply the
Establishing and verifying identity The 'identity' of an individual can be established in a number of ways, such as: • Biometrics (the measurement of a physical attribute such as a fingerprint or iris scan to confirm identity). • Attributes (birth certificate, name given by parents). • Biography - details logged on Friends Reunited, for example. In the world of computers, a user can prove their log-on identity through something they know, have or are. Typically, organizational security processes will use a name, personnel or account number to establish the identity of an individual. A biometric is then engaged to verify this identity, compared against a master version held on a central database. For user convenience, all of this data may be held on a secure token, such as a smartcard. In practice, most solutions combine the biometric data with other 'factors' of authentication - something you have (such as a card), or something you know (such as a password). This overcomes one of the main problems with biometrics - reliability. A biometric is a relatively weak form of identification because the human body is infinitely variable. Security strategists can compensate for this, but how much variance is acceptable? Too much tolerance and a system may accept someone else's biometric. Too little tolerance and suddenly there is a wholesale rejection of genuine user biometrics. Finding the right balance is crucial to the success of any solution. Although there is a certain appeal in never having to remember another password, unreliable and unusable systems will lead to user frustration and ultimately, rejection.
id fraud
Identifying weak links in the system 'Keep it simple' is a good rule to engage. A simple solution offers less scope for fraud than a security system with complex business rules. Alongside this, it is also critical to educate users about the basic facts — security is a chain that is only as strong as its weakest link. The majority of security incidents are a consequence of human failings, in particular inadequately trained staff and competing business pressures resulting in 'tactical' shortcuts. In the long-term, these often prove to be the most costly.
Common backdoors used by fraudsters Fraudsters will generally take the path of least resistance in order to penetrate organizations and it is surprising what types of seemingly innocuous information people will give up if asked in the right way. Merchant IDs, cost centre numbers, graphical user interface (GUI) layouts, even passwords — all of which can give a criminal the gateway they need into a system. Notably, a survey on passwords carried out for the Infosecurity Europe trade show at Olympia in April, found that more than 70% of people would reveal their computer password in exchange for a bar of chocolate. The survey data was gathered by questioning commuters passing through Liverpool Street station in London and showed that many were happy to share login and password information with those carrying out the research. It may seem surprising in an apparently suspicious world, but the fact remains that the majority of people trust and don't challenge. This may be encouraging for society at large, but for an organization set on improving security, it means a change in cultural behaviour is required.
• Identifying potential threats and vulnerabilities. • Assessing the likelihood of a threat or vulnerability being realised. • Quantifying the impact on the business (financial, operational and legal). • Undertaking mitigating actions to reduce risk to an acceptable level by removing vulnerabilities, understanding and countering threats. • Putting contingency measures in place.
Detection - not just prevention No matter how much an organization invests, 100% preventative security is never going to be possible as criminals will invariably find their way around preventative security measures. Therefore, at some point, there has to be a considered trade-off between risk and cost benefits. In addition to preventative measures, detection systems and processes are required to identify proactively any security breaches as soon as possible after they occur. Detection focuses on the controls designed to alert the appropriate personnel to the fact that a fraud has been perpetrated. These include authorization, internal auditing and whistleblower hotlines. On the technical side, there are automated detection systems that take in large volumes of transaction data and, on the basis of an underlying model of potentially suspicious behaviour, look for tell-tale patterns in the data and so identify cases worthy of further investigation. They were pioneered in the mid 1980s to tackle rising credit card fraud losses and since then have been used in other fraud domains, and, most recently, anti-money laundering. But what about insider fraud - can a machine spot this?
Structured risk management
An automated Sherlock Holmes
Security, then, should ideally be governed by a structured and diverse risk management approach, namely:
The idea is compelling: why not get a machine to analyse the audit trails generated by the many different electronic sys-
tems that employees encounter and find the golden nuggets that indicate potential insider fraud activity? Log data is an abundant, freely available resource that is not generally utilised or exploited. Organizations are effectively sitting on a gold mine of data and ignoring it. 'Intelligent' analysis engines based on advanced data warehousing and analytics are now a commercial reality. Such technologies take in audit trails from key systems around the organization such as logs for application transactions, call centres, private automatic branch exchange (PABX) telephones, building entries, Web and print servers. These can be supplemented with personnel records from HR and financial systems. The wider the variety of data sources, the better. The incoming data is enriched with additional abstractions and inferences, and put into a consistent format. It is then stored in a data warehouse in a format that crucially retains the patterns of behaviour, and how these develop and change over a long period of time. This is subject to advanced analytical techniques to detect anomalous patterns worthy of further investigation. Such patterns might include: · Excessive hours worked by staff. · Lack of delegation of apparently mundane tasks. · Deviation in patterns of behaviour from other employees in similar roles. · Copying of large volumes of data assets · Attempts to subvert or override controls · Unusual transactions with related parties. · Inadequate documentation about a transaction.
Fraud analytics in action Analytical techniques available for detecting internal fraud include conventional statistics together with heuristic (or rulebased) reasoning and neural networks. A variety of software tool vendors support and promote each of these approaches. A key issue is the ease with which models of potentially suspicious behaviour can 5
insider attacks be specified. Often they can be specified quite adequately using conventional knowledge analysis techniques - in other words, determine what the latest scams are and build a rule-based or statistical model to reflect them. Key factors include the different kinds of high risk activities, their interrelationships and the volume, value and velocity (time) dimensions within the data. Complementary techniques such as supervised neural networks enable models to be automatically derived on the basis of past case studies. In other words, find a good set of known fraud case studies and get the computer to retro-engineer the underlying models from them. Unsupervised neural networks can be left to find interesting patterns by themselves. Each approach has its advantages and disadvantages and suitability will depend on a number of business and technical factors. The best design is most often one that uses a hybrid approach, i.e. the best tool for the task in hand.
Needles and haystacks Detecting insider fraud is rather like look-
ing for a hay-coloured needle in a haystack. This is because the perpetrators of systematic, long-term fraud need to preserve the secrecy of their activities. They know the controls and how to bypass them, and are often well-versed in the investigative process and know how to hide any incriminating evidence. A key benefit of the system described here is its efficient handling of the time dimension. This improves upon early attempts in this area that use simple rules for spotting single events and are poor at detecting subtle, longer-term patterns. Audit trail data can be viewed from any point in time and changes in data are more easily visible. By better defining the needles using the time dimension we can then go one step further and better define the hay. End result: cut away the hay and see a needlerich picture. The second benefit is that this kind of system gathers data in from all sources rather than adopting a 'silo-based' approach. It can, therefore, cross-reference and link across organizational, procedural and transactional boundaries, identifying cross-silo fraud and collusion between
Enemies within: the problem of insider attacks Steven Furnell, Network Research Group, School of Computing, Communications & Electronics, University of Plymouth, Plymouth,UK
This article considers the problem of insider attacks, beginning with some surveybased evidence to illustrate the existence of the problem, before proceeding to classify types of internal attacker. By far the most difficult problem to address is that of misuse of legitimate access, and the discussion proceeds to consider approaches to prevention and detection, concluding that a combination of technical and personnel measures represents the most feasible solution. A significant aspect of computer security will always involve protecting systems from attack. When confronting this reality, it is perhaps only natural that our
6
first thoughts will typically turn to protection against external attackers. There is, after all, a wealth of evidence to suggest that hostile forces are in operation
employees and external accomplices.
Bigger picture, lower risk Ultimately, it's dangerous to try to put different kinds of criminal behaviour and threats in neat little boxes, without thinking about the interplay between them. To return to the recent DTI survey, we see a slower growth in ID fraud indicated, compared with viruses, for instance. This kind of analysis gives the impression they are separate from each other but, in reality, they are not. Fraudsters and other criminals will make use of all kinds of tricks and techniques in their armoury, including viruses and fake IDs. Also, bear in mind that if ID fraud does not appear to be growing as quickly, then that's probably down to the old adage 'What we don't know, we don't know'. Only the bad fraudsters get caught - the really good ones carry on, mostly undetected. As a parting thought, consider that perhaps most organizations don't believe they have identity management problems … because they're completely unaware of them in the first place.
on the Internet, and organizations are now fairly attuned to the fact that they face threats from this source (particularly in relation to worm and virus problems). Indeed, the significance of the external threat is reinforced by many of the products and much of the literature in the security domain, and when computer crime has hit the headlines, it has typically done so as a result of hacker and malware incidents. However, it is important not to lose sight of the potential for problems much closer to home. Alongside the reports of external attacks, there is ample evidence to show that insiders are very often the cause of the most significant and costly security incidents, and a large proportion of what is commonly classed as cybercrime can consequently be attributed to them.